Survey and Analysis on ATT&CK Mapping Function of Online Sandbox for Understanding and Efficient Using
-
- Fujii Shota
- Yokohama Research Laboratory, Hitachi, Ltd. Graduate School of Natural Science and Technology, Okayama University
-
- Yamagishi Rei
- Yokohama Research Laboratory, Hitachi, Ltd.
-
- Yamauchi Toshihiro
- Faculty of Natural Science and Technology, Okayama University
抄録
<p>Dynamic analysis that automatically analyzes malware has become the defacto standard for coping with the huge amount of current malware types. One analysis support is a function that maps the malware behavior to each element of the MITRE ATT&CK® Technique. This function has been adopted in many online sandboxes and contributes to the efficiency of analysis. On the other hand, this function depends on the implementation of the mapping rules, which may affect the analysis results. Therefore, we investigated the actual situation of online sandboxes that have a function for mapping to the attack technique. In this study, we analyzed a total of 26,078 malware analysis results from three online sandboxes, found that the characteristics for matching to each technique differed among the sandboxes, and clarified the ease of matching each technique. We also compared the mapping characteristics of techniques with those of static analysis-based techniques and manually written reports and showed that the mapping characteristics differed among the techniques. Furthermore, we derived best practices for utilization on the basis of each survey. We believe that these results will lead to a better understanding of online sandboxes and to more efficient malware analysis using online sandboxes.</p>
収録刊行物
-
- Journal of Information Processing
-
Journal of Information Processing 30 (0), 807-821, 2022
一般社団法人 情報処理学会
- Tweet
詳細情報 詳細情報について
-
- CRID
- 1390012954685529984
-
- ISSN
- 18826652
-
- 本文言語コード
- en
-
- データソース種別
-
- JaLC
- Crossref
-
- 抄録ライセンスフラグ
- 使用不可