Using Anticipative Malware Analysis to Support Decision Making

A software tool allowing the safe monitoring of the execution of malicious software (malware), or more generally, programs that cannot be trusted is commonly referred to as a sandbox. Most of the time, a sandbox is implemented in a virtual machine or a simulated operating system and allows the behaviour of the program to be studied from the host's point of view. We are investigating the usefulness of a sandbox in the context of decision making. More specifically, we have designed and implemented a network sandbox, i.e. a sandbox that allows us to study malware behaviour from the network perspective. We plan to use this sandbox to generate malware-sample profiles that can be used by decision making algorithms to help network administrators and security officers decide on a course of action to be followed upon detection of a malware threat. This paper focuses on the implementation details of the sandbox. It is flexible enough to allow the study of malware behaviour in the presence of any given configuration of software and operating system. It also allows the user to specify the network topology to be used.