2026, Issue 05, Vol. 59, pp. 590-599
Design of an Agentless Sandbox Based on Multi-Dimensional Anti-Evasion Mechanisms
Published online: 2026-05-20
Publication date: 2026-05-20
Abstract (translated from the Chinese):

Conventional sandboxes have limitations when facing advanced persistent threat (APT) attacks, chiefly that agent fingerprints are easily identified, virtualization artifacts are obvious, and kernel-level behavior is hard to capture. To address this, an agentless dynamic analysis sandbox design based on the full-system virtual machine emulator QEMU, virtual machine introspection (VMI) and the dynamic runtime analysis framework DRAKVUF is proposed. The design builds an external monitoring architecture at the hypervisor layer and uses hardware virtualization extensions to transparently intercept system calls and memory events. The system combines agentless injection, semantic reconstruction and multi-dimensional anti-evasion strategies, markedly improving environmental stealth and behavioral visibility, and it outperforms mainstream open-source sandboxes in both adversarial-sample detection rate and behavior-triggering efficiency.

Abstract:

Conventional sandbox systems face inherent limitations when analyzing APT (advanced persistent threat) attacks, as agent-based fingerprints are easily identified, virtualization artifacts are readily detectable, and kernel-level behaviors remain difficult to capture. To address these challenges, this paper proposes an agentless dynamic analysis sandbox based on QEMU (quick emulator), VMI (virtual machine introspection), and DRAKVUF (dynamic runtime analysis kernel user-mode framework). The system establishes an external monitoring architecture at the hypervisor layer, leveraging hardware-assisted virtualization extensions to transparently intercept system calls and memory events. Its core mechanisms integrate agentless sample injection, semantic reconstruction, and multi-dimensional anti-evasion strategies, thereby enhancing environmental stealth and behavioral visibility. The system outperforms mainstream open-source sandboxes in both the detection rate of adversarial samples and the efficiency of behavior triggering.


Basic information:

CLC number (Chinese Library Classification): TP393.08

Citation:

[1] 张译, 高子东, 苟宝, et al. Design of an agentless sandbox based on multi-dimensional anti-evasion mechanisms [J]. 通信技术 (Communications Technology), 2026, 59(05): 590-599.


