Cybersecurity and, in particular, network security is a rapidly developing field. Generally, cybersecurity techniques attempt to detect malicious activity by analyzing as much information as possible in order to identify patterns, signatures, and other such identifiers. Sandboxing is currently one tool used in network security to obtain information regarding network threats, such as malicious executable files and programs (collectively referred to herein as executables). Sandboxes run suspicious (e.g., potentially dangerous) executables in a controlled software and hardware environment and observe and/or record various effects caused by the executables, such as generated network traffic, system calls, and/or created artifacts. Based on these observations, executables can often be reliably classified as malicious or benign.
Sandboxing is, however, costly. To be effective against a quickly evolving threat landscape, a sandbox must manage to evaluate tens or hundreds of thousands of executables per day. Evaluations therefore need to be limited in time and, as such, the typical length of a network traffic capture during sandboxing is about 5 minutes. Sandboxes also require extensive maintenance in order to remain up to date with the evolving threat landscape and to combat malware that employs new sandbox-detection techniques.