Sandboxing is a widely used method for detecting and preventing various undesired actions on a computer system. Broadly speaking, sandboxing consists of running a program or testing an action in an instrumented environment in order to measure, test and discover undesired consequences.
Sandboxes are a longstanding paradigm. They have been used for malware detection at the operating-system level (FireEye, for example, is an advanced type of sandbox) as well as in other applications such as browsers (Chrome) and language runtimes (such as Java).
Typically, sandboxes are well instrumented. The measurements they record can include memory use (for example overflows or access to unallocated memory), disk usage, CPU usage and many other metrics.
Use of Heuristics in Sandboxing
Currently, sandboxes use many heuristics to define a score for a program or activity. Such a score is known as a badness score since it measures how likely a program is to be malicious. These heuristics include:
File emulation: the file is run in a controlled virtual system (the “sandbox”) to observe what it does.
File analysis: the software takes an in-depth look at the file's content and tries to determine its intent, destination and purpose.
Generic signature detection: this technique is designed to locate variations of known viruses. Many viruses are re-created under a variety of names but essentially come from the same family (or classification). Generic detection uses previous antivirus definitions to locate these similar “cousins” even if they use a slightly different name or include some unusual characters.
Many of these systems are designed to be as general as possible in order to detect variations of attacks (e.g., a variant of a previously detected virus). However, these general methods lack context. For example, software such as Adobe products exists in many versions, and a general sandbox does not know which version is actually installed on the system it is trying to defend. It is therefore harder to tune the sandbox to the programs actually used by that system.
In addition, the severity and uniqueness of an observed event are unclear. Static deployments often lack context: for example, it is useful to know whether a given event is a common occurrence on the system or whether this is the first time such an event has happened. Such knowledge allows better ranking of threats and a reduction in false positives.
Thus, current sandboxes are not adapted to the individual system they protect: they do not learn and modify their rules based on the behavior actually observed in the network, and they are not tailored to the individual system.
Even advanced sandboxes such as FireEye do not tailor their analysis to individual systems. For example, FireEye states “The FireEye® Dynamic Threat Intelligence™ (DTI) cloud is a global network that connects FireEye threat prevention platforms to provide a real-time exchange of threat data on today's cyber attacks . . . . The FireEye DTI cloud serves as a global distribution hub to efficiently share auto-generated threat intelligence such as new malware profiles, vulnerability exploits, and obfuscation tactics, as well as new threat findings from the FireEye APT Discovery Center and verified third-party security feeds.”
(http://www.threatprotectworks.com/datasheets/fireeye-dynamic-threat-intelligence-cloud.pdf, last accessed Dec. 16, 2016).
However, in order to optimize threat analysis and detection, it is important to restrict the network to a subset of computers which share common software and potentially even hardware. Such a restriction, while limiting the amount of data available, can enable higher-quality threat detection.
Thus there is a need for sandboxes which are tailored to the actual system being protected, including the programs installed on that system and the way in which those programs are used, in order to calibrate the sandbox.
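As an added illustration of the badness score described under the heuristics heading, of the event-rarity context discussed above, and of restricting the comparison set to computers that share the same software: the following Python is example code written for this page, not code from the original text or from any product named in it. It weights each behaviour reported by an instrumented run with a heuristic weight, discounts behaviours that are routine on the defended host and its software peers, and down-weights an exploit aimed at a product version the host does not run. The behaviour names, weights, host inventories, the event report and the NOT_INSTALLED_FACTOR are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

# Weights for behaviours an instrumented sandbox can report. Both the behaviour
# names and the weights are constructed for this example, not taken from any product.
HEURISTIC_WEIGHTS = {
    "spawn_process": 2.0,
    "outbound_connect": 1.5,
    "modify_autorun": 5.0,
    "exploit_attempt": 6.0,
}
# Factor applied when an observed exploit targets a product version the defended
# host does not run (assumed value; it supplies the "which version is installed"
# context a generic sandbox lacks).
NOT_INSTALLED_FACTOR = 0.25


@dataclass
class Host:
    name: str
    software: dict                                     # product -> installed version
    history: Counter = field(default_factory=Counter)  # (type, detail) -> times seen before


def peer_group(target, hosts):
    """Hosts whose software inventory matches the target's exactly (the target is its own peer)."""
    return [h for h in hosts if h.software == target.software]


def rarity(key, peers):
    """1.0 for an event never seen on the peer group, falling toward 0 as it becomes routine."""
    seen = sum(p.history[key] for p in peers)
    return 1.0 / (1.0 + seen)


def version_applies(requires, software):
    """True unless the event needs a specific product version the host does not have."""
    if not requires:
        return True
    return all(software.get(product) == version for product, version in requires.items())


def badness_score(events, target, hosts):
    """Score one sandbox run for one host: heuristic weight x rarity x applicability per event."""
    peers = peer_group(target, hosts)
    contributions = []
    for ev in events:
        key = (ev["type"], ev["detail"])
        weight = HEURISTIC_WEIGHTS.get(ev["type"], 1.0)
        applies = version_applies(ev.get("requires"), target.software)
        value = weight * rarity(key, peers) * (1.0 if applies else NOT_INSTALLED_FACTOR)
        contributions.append((key, value))
    total = round(sum(v for _, v in contributions), 3)
    return total, [(key, round(v, 3)) for key, v in contributions]


def record_baseline(events, host):
    """Fold a run judged benign into the host's history so repeats of it rank lower next time."""
    for ev in events:
        host.history[(ev["type"], ev["detail"])] += 1


# Constructed inventory and history for three defended hosts.
HOSTS = [
    Host("workstation-a", {"reader": "11.0.23", "office": "2016"},
         Counter({("spawn_process", "powershell.exe"): 9,
                  ("outbound_connect", "203.0.113.5:443"): 4})),
    Host("workstation-b", {"reader": "11.0.23", "office": "2016"},
         Counter({("spawn_process", "powershell.exe"): 6})),
    Host("server-c", {"reader": "2019.012", "office": "2019"},
         Counter({("spawn_process", "powershell.exe"): 100})),
]

# Constructed report from one instrumented run of a submitted document.
SAMPLE_EVENTS = [
    {"type": "spawn_process", "detail": "powershell.exe"},
    {"type": "exploit_attempt", "detail": "reader-heap-spray",
     "requires": {"reader": "11.0.23"}},
    {"type": "outbound_connect", "detail": "203.0.113.5:443"},
    {"type": "modify_autorun",
     "detail": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
]

if __name__ == "__main__":
    for host in HOSTS:
        total, parts = badness_score(SAMPLE_EVENTS, host, HOSTS)
        print(f"{host.name}: {total}")
        for (kind, detail), value in parts:
            print(f"  {kind:17} {detail:<55} {value}")
```

The same run scores differently per host: on workstation-a the PowerShell launch is near-routine across its peer group and contributes little, while the exploit against its installed Reader version and the never-before-seen autorun change dominate; on server-c the Reader exploit is discounted because that version is not installed. Calling record_baseline after a run is judged benign lowers the score of the same behaviours next time, which is the learning step the text says current sandboxes lack.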