Survey and Analysis on ATT&CK Mapping Function of Online Sandbox for Understanding and Efficient Using

  • Fujii Shota
    Yokohama Research Laboratory, Hitachi, Ltd. Graduate School of Natural Science and Technology, Okayama University
  • Yamagishi Rei
    Yokohama Research Laboratory, Hitachi, Ltd.
  • Yamauchi Toshihiro
    Faculty of Natural Science and Technology, Okayama University

抄録

<p>Dynamic analysis that automatically analyzes malware has become the defacto standard for coping with the huge amount of current malware types. One analysis support is a function that maps the malware behavior to each element of the MITRE ATT&CK® Technique. This function has been adopted in many online sandboxes and contributes to the efficiency of analysis. On the other hand, this function depends on the implementation of the mapping rules, which may affect the analysis results. Therefore, we investigated the actual situation of online sandboxes that have a function for mapping to the attack technique. In this study, we analyzed a total of 26,078 malware analysis results from three online sandboxes, found that the characteristics for matching to each technique differed among the sandboxes, and clarified the ease of matching each technique. We also compared the mapping characteristics of techniques with those of static analysis-based techniques and manually written reports and showed that the mapping characteristics differed among the techniques. Furthermore, we derived best practices for utilization on the basis of each survey. We believe that these results will lead to a better understanding of online sandboxes and to more efficient malware analysis using online sandboxes.</p>

収録刊行物

参考文献 (7)*注記

もっと見る

詳細情報 詳細情報について

問題の指摘

ページトップへ