Survey and Analysis on ATT&CK Mapping Function of Online Sandbox for Understanding and Efficient Using

Dynamic analysis that automatically analyzes malware has become the defacto standard for coping with the huge amount of current malware types. One analysis support is a function that maps the malware behavior to each element of the MITRE ATT&CK® Technique. This function has been adopted in many online sandboxes and contributes to the efficiency of analysis. On the other hand, this function depends on the implementation of the mapping rules, which may affect the analysis results. Therefore, we investigated the actual situation of online sandboxes that have a function for mapping to the attack technique. In this study, we analyzed a total of 26,078 malware analysis results from three online sandboxes, found that the characteristics for matching to each technique differed among the sandboxes, and clarified the ease of matching each technique. We also compared the mapping characteristics of techniques with those of static analysis-based techniques and manually written reports and showed that the mapping characteristics differed among the techniques. Furthermore, we derived best practices for utilization on the basis of each survey. We believe that these results will lead to a better understanding of online sandboxes and to more efficient malware analysis using online sandboxes.------------------------------This is a preprint of an article intended for publication Journal ofInformation Processing(JIP). This preprint should not be cited. Thisarticle should be cited as: Journal of Information Processing Vol.30(2022) (online)DOI　http://dx.doi.org/10.2197/ipsjjip.30.807------------------------------

Dynamic analysis that automatically analyzes malware has become the defacto standard for coping with the huge amount of current malware types. One analysis support is a function that maps the malware behavior to each element of the MITRE ATT&CK® Technique. This function has been adopted in many online sandboxes and contributes to the efficiency of analysis. On the other hand, this function depends on the implementation of the mapping rules, which may affect the analysis results. Therefore, we investigated the actual situation of online sandboxes that have a function for mapping to the attack technique. In this study, we analyzed a total of 26,078 malware analysis results from three online sandboxes, found that the characteristics for matching to each technique differed among the sandboxes, and clarified the ease of matching each technique. We also compared the mapping characteristics of techniques with those of static analysis-based techniques and manually written reports and showed that the mapping characteristics differed among the techniques. Furthermore, we derived best practices for utilization on the basis of each survey. We believe that these results will lead to a better understanding of online sandboxes and to more efficient malware analysis using online sandboxes.------------------------------This is a preprint of an article intended for publication Journal ofInformation Processing(JIP). This preprint should not be cited. Thisarticle should be cited as: Journal of Information Processing Vol.30(2022) (online)DOI　http://dx.doi.org/10.2197/ipsjjip.30.807------------------------------