Abstract: The increasing of computer malware criminal leads researchers to pay attention on the effective detection of malware. The dynamic analysis detection method based on sandbox technology becomes the research spot. This paper proposed a behavior analysis algorithm based on improved attack tree which uses the improved QEML1 process virtual machine to obtain a shorter response time and a complete API sequences flow. And the experiment results demonstrate effective and feasible of this detection method.

Key words: Sandbox, Malware detection, Dynamic analysis