Zero-Day Exploit Detection Using Behavior-Based Sandboxing and Threat Intelligence Fusion
DOI: https://doi.org/10.21590/t3yp2f56

Keywords: zero-day exploits, sandboxing, threat intelligence fusion, IOC matching, behavior analysis, ransomware detection, APT, malware analysis, AlienVault OTX, hybrid detection

Abstract
Zero-day exploits pose one of the most persistent and damaging threats in modern cybersecurity due to their ability to evade traditional, signature-based detection mechanisms. These exploits take advantage of unknown vulnerabilities, often going undetected until significant damage has occurred. In this paper, we present a hybrid detection framework that integrates behavior-based sandbox analysis with external threat intelligence feeds to enhance the identification of zero-day malware. Using a virtualized Windows-based sandbox environment, we observe system-level behaviours such as registry modifications, file operations, process injections, and outbound network connections. A rule-based engine assigns severity scores to these activities, while a fusion module cross-references extracted indicators of compromise (IOCs) with curated threat intelligence repositories including AlienVault OTX and Abuse.ch. Our dataset comprises 2,000 diverse malware samples, including advanced persistent threats (APTs) and ransomware variants, along with 500 clean executables for baseline comparison. The system achieves a 94.8% detection rate on previously unseen malware, outperforming multiple commercial antivirus engines. We present two case studies—one involving a zero-day ransomware strain and another a stealthy backdoor—to illustrate real-world detection failures by static methods and how our system successfully identifies the threats. This work underscores the necessity of behavior-driven detection combined with continuously updated threat intelligence and highlights a pathway toward resilient, next-generation threat defence platforms.
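As an added illustration of the pipeline the abstract describes (this is not the paper's code), the following Python sketch scores sandbox events in the four behaviour categories named above with a rule table, extracts IOCs from the trace, and cross-references them against a threat-intelligence set. The rule patterns and weights, the verdict thresholds, the two sample traces and the intelligence values are all constructed assumptions; documentation-range IP addresses and `.invalid` hostnames stand in for real OTX or Abuse.ch data.

```python
"""Toy hybrid scorer: rule-based behaviour severity plus IOC fusion.
Illustrative only; rule weights, thresholds, sample traces and the
threat-intelligence set below are constructed for this example."""
from dataclasses import dataclass, field
import re

# Hypothetical rule table: (event type, pattern on the event detail, weight).
RULES = [
    ("registry", r"\\CurrentVersion\\Run\\", 3),                 # persistence via Run key
    ("file",     r"\.(docx|xlsx|pdf)$", 1),                      # touches user documents
    ("file",     r"\.locked$", 4),                               # ransomware-style renamed output
    ("process",  r"WriteProcessMemory|CreateRemoteThread", 5),   # injection primitives
    ("network",  r"^outbound ", 2),                              # any outbound connection
]

# Constructed stand-in for curated feeds such as OTX or Abuse.ch.
THREAT_INTEL = {
    "ip":     {"203.0.113.7"},
    "domain": {"c2.example.invalid"},
    "sha256": {"aa" * 32},
}

IP_RE     = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.I)


@dataclass
class Report:
    behaviour_score: int = 0
    rule_hits: list = field(default_factory=list)
    iocs: dict = field(default_factory=lambda: {"ip": set(), "domain": set(), "sha256": set()})
    intel_hits: list = field(default_factory=list)

    @property
    def total(self) -> int:
        # Each confirmed IOC match adds a fixed bonus on top of the behaviour score.
        return self.behaviour_score + 5 * len(self.intel_hits)

    def verdict(self) -> str:
        if self.total >= 10:
            return "malicious"
        if self.total >= 5:
            return "suspicious"
        return "benign"


def score_behaviour(events, report):
    """Rule-based severity scoring over (type, detail) sandbox events."""
    for etype, detail in events:
        for rtype, pattern, weight in RULES:
            if etype == rtype and re.search(pattern, detail, re.I):
                report.behaviour_score += weight
                report.rule_hits.append((etype, pattern, weight))


def extract_iocs(events, report):
    """Hashes come from any event; IPs and domains only from network events."""
    for etype, detail in events:
        report.iocs["sha256"].update(h.lower() for h in SHA256_RE.findall(detail))
        if etype != "network":
            continue
        report.iocs["ip"].update(IP_RE.findall(detail))
        for d in DOMAIN_RE.findall(detail):
            if not IP_RE.fullmatch(d):      # dotted IPs also match the domain regex
                report.iocs["domain"].add(d.lower())


def fuse_threat_intel(report, intel=THREAT_INTEL):
    """Cross-reference extracted IOCs against the intelligence set."""
    for kind, values in report.iocs.items():
        for v in sorted(values & intel[kind]):
            report.intel_hits.append((kind, v))


def analyse(events, intel=THREAT_INTEL) -> Report:
    report = Report()
    score_behaviour(events, report)
    extract_iocs(events, report)
    fuse_threat_intel(report, intel)
    return report


# Constructed sandbox trace for a ransomware-like sample.
SAMPLE_EVENTS = [
    ("registry", r"set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    ("file",     r"write C:\Users\victim\Documents\report.docx.locked"),
    ("file",     "drop C:\\Users\\victim\\AppData\\payload.exe sha256=" + "aa" * 32),
    ("process",  "call WriteProcessMemory -> explorer.exe"),
    ("network",  "outbound 203.0.113.7:443 via c2.example.invalid"),
]

# Constructed trace for a clean updater, used as a baseline.
CLEAN_EVENTS = [
    ("file",    r"read C:\Program Files\App\config.ini"),
    ("network", "outbound 198.51.100.20:443 via updates.example.invalid"),
]

if __name__ == "__main__":
    for name, ev in (("sample", SAMPLE_EVENTS), ("clean", CLEAN_EVENTS)):
        r = analyse(ev)
        print(name, r.total, r.verdict(), r.intel_hits)
```

The two stages are kept separate on purpose: the behaviour score alone already flags the constructed sample, and the IOC matches raise confidence further, whereas the clean trace only collects the base weight for an outbound connection and its IOCs find no match, which is the baseline behaviour the abstract's 500 clean executables are meant to establish.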