Cuckoo Sandbox and Process Monitor (Procmon) Performance Evaluation in Large-Scale Malware Detection and Analysis.

Publication Date: 04/10/2024

DOI: 10.52589/BJCNIT-FCEDOOMY


Author(s): Umoh Enoima Essien, Sylvester I. Ele.

Volume/Issue: Volume 7, Issue 4 (2024)



Abstract:

Malware has grown to be an intricate and dynamic threat to cybersecurity. Researchers and cybersecurity specialists use a range of methods to analyze and comprehend malware in order to counter this threat effectively. The malware sandbox is one of the most crucial instruments in this battle. Insights gained by evaluating malware in a sandbox aid in the creation of effective detection. Finding a sandbox that is highly precise, efficient and affordable is a challenging task. This study compares the effectiveness of Cuckoo Sandbox and Procmon, two of the most popular sandboxes, in the efficient implementation of malware analysis and detection. A Windows 10 Pro computer with a 4 GHz CPU, 16 GB RAM, 8 cores, and a 320 GB hard drive (HDD) was set up. An Oracle virtual machine (VM) was set up and launched as the guest, running a virtual Windows 10 Pro operating system. Furthermore, Yara-Python was deployed, and a Python-based system was created to produce JSON reports. The results show that Cuckoo consistently outperforms Procmon in terms of execution time, completing much more quickly and steadily over each of the ten process runs. Procmon has significantly longer and more fluctuating execution times, peaking at 989 seconds, while Cuckoo maintains execution durations around 530 seconds, suggesting superior efficiency and consistency. Six (6) machine learning-based methods for classifying and detecting malware that used Cuckoo Sandbox and Process Monitor were surveyed. The six machine learning-based malware detection and classification studies that used Process Monitor reported different performance indicators. A review of six machine learning-based malware detection and classification studies using both Process Monitor and Cuckoo Sandbox indicated that Cuckoo Sandbox consistently delivered better performance.
The findings show that machine learning-based malware detection conducted with Cuckoo attained a higher average accuracy of 99.35% compared to 94.48% with Procmon, along with a superior ROC value of 0.97 (97%) versus 0.91 (91%) for Procmon.


Keywords:

Cuckoo sandbox process monitor; Sandboxing; Malware analysis.





This article is published under the terms of the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0)