Using Anticipative Malware Analysis to Support Decision Making

Abstract

A software tool allowing the safe monitoring of the execution of malicious software (malware), or more generally, programs that cannot be trusted is commonly referred to as a sandbox. Most of the time, a sandbox is implemented in a virtual machine or a simulated operating system and allows the behaviour of the program to be studied from the host's point of view. We are investigating the usefulness of a sandbox in the context of decision making. More specifically, we have designed and implemented a network sandbox, i.e. a sandbox that allows us to study malware behaviour from the network perspective. We plan to use this sandbox to generate malware-sample profiles that can be used by decision making algorithms to help network administrators and security officers decide on a course of action to be followed upon detection of a malware threat. This paper focuses on the implementation details of the sandbox. It is flexible enough to allow the study of malware behaviour in the presence of any given configuration of software and operating system. It also allows the user to specify the network topology to be used.
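
As an added example (not code from the report or from the Communications Research Centre sandbox), the following Python script shows what a minimal network-perspective malware profile could look like. It parses constructed flow records of the kind a network sandbox would capture from the host's traffic and reduces them to features a decision algorithm could consume: hosts and ports contacted, bytes sent, destinations polled at regular intervals (beaconing) and ports probed across many hosts (scanning). The record layout, the thresholds, the function names and the sample addresses are all assumptions made for this illustration.

```python
"""Toy network-behaviour profiler. Added example, not the report's tool."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since start of the sandbox run
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int    # bytes sent by the monitored host in this flow


def parse_flows(lines):
    """Parse whitespace-separated records 'ts src dst proto dport bytes'.
    Blank lines and '#' comments are ignored; result is sorted by time."""
    flows = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append(Flow(float(ts), src, dst, proto.lower(), int(dport), int(nbytes)))
    return sorted(flows, key=lambda f: f.ts)


def find_beacons(flows, min_flows=3, max_cv=0.2):
    """Return {(dst, dport): mean_gap_seconds} for destinations contacted at
    near-regular intervals. A (dst, dport) pair counts as a beacon when it has
    at least min_flows flows and the gaps between them have a coefficient of
    variation (stddev / mean) no larger than max_cv. Thresholds are assumed."""
    stamps_by_dest = defaultdict(list)
    for f in flows:
        stamps_by_dest[(f.dst, f.dport)].append(f.ts)
    beacons = {}
    for key, stamps in stamps_by_dest.items():
        if len(stamps) < min_flows:
            continue
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            beacons[key] = round(m, 1)
    return beacons


def find_scans(flows, min_hosts=8):
    """Return {dport: distinct_hosts} for ports probed on at least min_hosts
    different destinations (a horizontal scan). Threshold is assumed."""
    hosts_per_port = defaultdict(set)
    for f in flows:
        hosts_per_port[f.dport].add(f.dst)
    return {p: len(h) for p, h in hosts_per_port.items() if len(h) >= min_hosts}


def build_profile(lines):
    """Summarise one sandbox run into a flat profile for a decision algorithm."""
    flows = parse_flows(lines)
    return {
        "flows": len(flows),
        "contacted_hosts": len({f.dst for f in flows}),
        "bytes_out": sum(f.nbytes for f in flows),
        "ports": sorted({f.dport for f in flows}),
        "beacons": find_beacons(flows),
        "scans": find_scans(flows),
    }


# Constructed sample capture (not a real trace). 198.51.100.7 is a documentation
# address standing in for a command-and-control server; the host first resolves a
# name, then polls the server about once a minute and sweeps the local /24 on 445.
SAMPLE_FLOWS = """
# ts    src       dst            proto dport bytes
1.0     10.0.0.5  10.0.0.1       udp   53    64
1.1     10.0.0.5  198.51.100.7   tcp   80    512
61.0    10.0.0.5  198.51.100.7   tcp   80    510
121.2   10.0.0.5  198.51.100.7   tcp   80    515
181.1   10.0.0.5  198.51.100.7   tcp   80    509
""".splitlines() + [
    f"{2 + i / 10:.1f} 10.0.0.5 10.0.0.{10 + i} tcp 445 120" for i in range(11)
]

if __name__ == "__main__":
    for name, value in build_profile(SAMPLE_FLOWS).items():
        print(f"{name}: {value}")
```

On the constructed sample the profile reports a beacon to 198.51.100.7:80 with a 60-second period and a scan of 11 hosts on port 445; the single DNS lookup is not flagged because one flow cannot establish a period. A real profiler would add the DNS names queried and the payload fingerprints the sandbox observes, and the topology the report lets the user specify matters here: the scan is only visible if the sandbox network actually contains neighbouring hosts to probe.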

Document Details

Document Type
Technical Report
Publication Date
Nov 01, 2010
Accession Number
ADA584045

Entities

People

  • Frederic Massicotte
  • Mathieu Couture

Organizations

  • Communications Research Centre Canada

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Computer Networks
  • Computers
  • Computing System Architectures
  • Cyber Defense Techniques
  • Cybersecurity
  • Databases
  • Detection
  • Electronic Mail
  • Internet
  • Intrusion Detectors
  • Malware
  • Network Architecture
  • Network Protocols
  • Network Topology
  • Operating Systems
  • Security
  • Virtual Machines

Fields of Study

  • Computer science

Readers

  • Computer Science
  • Cybersecurity
  • Mathematical Modeling and Probability Theory

Technology Areas

  • Cyber