Sandboxing Technology in Cyber Security

VIRUS (Vital information resource under seize) is a well known word worldwide due to the hazard it creates when it infiltrates the computer system. There are many ways to prevent and avoid the different forms of viruses so that the data can be protected.

Dynamic Malware analysis can be done in two broad ways:

Analyzing the Difference between defined points- Malware sample is executed for a certain period of time and afterwards the modifications made to the system are analyzed by comparison to the initial system state.

Observing runtime behaviour- Malicious activities launched by the malicious application are monitored during runtime using a specialized tool. 

Dynamic malware analysis takes into account API hooking which follows the following procedure:

•         To observe a given malware sample’s control flow, we need to access the API functions.

•         One possible way to achieve this is by hooking intercepting a call to a function. When an application calls a function, it’s rerouted to a different location where customized code, hook function resides.

•         The hook then performs its own operations and transfers control back to the original API function or prevents its execution completely.

•         If hooking is done properly, it’s hard for the calling application to detect the hooked API function.

In cyber security, a sandbox is an isolated environment on a network that mimics end-user operating environments. Sandboxes are used to safely execute suspicious code without risking harm to the host device or network. Using a sandbox for advanced malware detection provides another layer of protection against new security threats—zero-day malware and stealthy attacks, in particular and what happens in the Sandbox, stays in the sandbox—avoiding system failures and keeping software vulnerabilities from spreading. Sandbox testing proactively detects malware by executing, or detonating, code in a safe and isolated environment to observe that code’s behaviour and output activity. The CW sandbox outputs a behavior-based analysis; that is, it executes the malware binary in a controlled environment so that we can observe all relevant function calls to the Windows API as a result the report contains scan summary, file and registry changes, network activity and technical details. IT also generates a high-level summarized report from the monitored API calls. The report provides data for each process and its associated actions—one subsection for all accesses to the file system and another for all network operations. Traditional security measures are reactive and based on signature detection—which works by looking for patterns identified in known instances of malware because that detects only previously identified threats, sandboxes add another important layer of security.

Moreover, even if an initial security defence utilize artificial intelligence or machine learning (signature less detection), these defences are only as good as the models powering these solutions – there is still a need to complement these solution with an advanced malware detection.

Ms. Sonali Sharma

(Assistant professor-IT)