Abstract: Aiming at the problem that the single sandbox detection mode is fixed and there are many malicious samples escaping the detection of sandbox, this paper analyzes the details of the current malware escaping sandbox detection, and then proposes an analytical framework for monitoring the escape behavior of malicious samples. The system records the file operations, network communications, process operations, registry operations and other behaviors generated in a number of sandboxes at different levels and the real environment, and then processes the selection of features and regularization. This paper uses the Jaccard similarity algorithm to compare the similarity difference between the behavior, then divides the hierarchies and determines whether there is escape behavior of malicious samples. Experimental results show that the overall accuracy rate can reach 95.6%, the recall can reach 90.1%, and the false positive is less than 5%. The system can detect multiple types and unknown escape behaviors, and further analysis of the sample can be targeted to specific escape behaviors.

Key words: sandbox detection, dynamic analysis, behavioral escape, hierarchical differences

摘要： 针对单一沙箱检测模式较为固定、易被恶意样本逃逸的问题，分析了当前恶意软件沙箱逃逸典型技术，提出了一种恶意样本逃逸行为检测框架。对恶意样本在不同层次的沙箱以及真实环境中生成的文件操作、网络通信、进程操作、注册表操作等行为进行记录，进行特征筛选以及标准化处理，通过Jaccard相似度算法来比较行为之间的相似度差异，进行层次划分并判定恶意样本逃逸行为。实验结果显示，整体准确率为95.6%，检出率为90.1%，同时误报率低于5%，可以检测多种已知和未知逃逸行为，通过进一步分析可定位到样本具体逃逸行为。

关键词: 沙箱检测, 动态分析, 行为逃逸, 层次差异