A master's thesis from Aalborg University


Dynamic Malware Analysis through a Custom Network Topology

Authors


Term

4th semester

Publication year

2022

Pages

106

Abstract

This project develops a virtual, configurable platform for safely and dynamically analyzing malware in a sandbox (an isolated test environment). We build a virtual network topology with EVE-NG that hosts a sandbox machine and several virtual machines. These machines have different levels of hardening (security measures) and anti-evasion techniques to help prevent malware from detecting the analysis, and they are dynamically infected with malware samples. We also deploy honeypots (decoy systems) that offer services such as FTP and web services to observe attack patterns. The topology is configurable, so the network architecture, virtual machines, and services can be modified. This setup lets researchers monitor malware behavior and capture its network activity in a controlled environment. Preliminary results indicate that when malware infects a more hardened machine, it behaves more actively and triggers more detection signatures.

This project develops a virtual, configurable platform for safe and dynamic analysis of malware in a sandbox (an isolated test environment). We build a virtual network topology with EVE-NG that contains a sandbox machine and several virtual machines. The machines have different degrees of hardening (security measures) and anti-evasion techniques intended to prevent malware from detecting the analysis, and they are dynamically infected with malware samples. In addition, honeypots (decoy systems) offering services such as FTP and web services are included to observe attack patterns. The topology can be adapted, so the network architecture, machines, and services can all be changed. This setup makes it possible to monitor malware behavior and capture its network activity in a controlled environment. Preliminary results show that when malware infects a more hardened machine, it exhibits more active behavior and triggers more detection signatures.

[This abstract has been rewritten with the help of AI based on the project's original abstract]