Dione: A Flexible Disk Monitoring and Analysis Framework

The proliferation of malware in recent years has motivated the need for tools to detect, analyze, and understand intrusions. Though analysis and detection can be difficult, malware fortunately leaves artifacts of its presence on disk. In this paper, we present Dione, a flexible policy-based disk I/O monitoring and analysis infrastructure that can be used to analyze and understand malware behavior. Dione interposes between a system-under-analysis and its hard disk, intercepting disk accesses and reconstructing a high-level semantic view of the disk and all operations on it. Since Dione resides outside the host it is analyzing, it is resilient to attacks and misdirections by malware that attempts to mislead or hide from analyzers. By performing on-the-fly reconstruction of every operation, Dione maintains a ground truth of the state of the file system which is always up to date, even as new files are created, deleted, moved, or altered. Dione is the first disk monitoring infrastructure to provide rich, up-to-date, low-level monitoring and analysis for NTFS: the notoriously complex, closed-source file system used by modern Microsoft Windows computing systems. By comparing a snapshot obtained by Dione's live-updating capability to a static disk scan, we demonstrate that Dione provides 100% accuracy in reconstructing file system operations. Despite this powerful instrumentation capability, Dione has a minimal effect on the performance of the system. For most tests, Dione results in a performance overhead of less than 10% (in many cases less than 3%), even when processing complex sequences of file system operations.
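The following is an added illustration of the mechanism the abstract describes, not code from Dione or its authors: a monitor that sits below the guest, receives raw sector writes to the NTFS $MFT, parses each record using the real on-disk layout (48-byte FILE record header, update sequence fixups, resident $FILE_NAME attribute 0x30), and turns the write into a semantic event (create, delete, rename, modify) while keeping a live table that can be checked against a full static scan, which is the accuracy check the abstract mentions. The MFT records are constructed in `build_mft_record` rather than read from a real volume, the $MFT location (sector 64) and record number are assumed values, and the monitor is simplified to one whole record per write and file names only.

```python
"""Toy NTFS $MFT write monitor (added example, not Dione's own code)."""
import struct

RECORD_SIZE, SECTOR = 1024, 512
ATTR_FILE_NAME, ATTR_END, FLAG_IN_USE = 0x30, 0xFFFFFFFF, 0x01


def build_mft_record(name, in_use=True, usn=1):
    """Construct a minimal FILE record (constructed data, not from a real disk):
    48-byte header, update sequence array at offset 48, one resident $FILE_NAME."""
    fn_value = struct.pack("<Q4QQQIIBB", 5, 0, 0, 0, 0, 0, 0, 0, 0, len(name), 1)
    fn_value += name.encode("utf-16-le")          # parent ref 5 = root directory
    attr_len = (24 + len(fn_value) + 7) & ~7      # attribute length is 8-aligned
    attr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, attr_len, 0, 0, 0, 0, 0,
                       len(fn_value), 24, 0, 0) + fn_value
    body = attr.ljust(attr_len, b"\0") + struct.pack("<I", ATTR_END) + b"\0" * 4
    first_attr = 56                                # header (48) + USA (6) rounded to 8
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, 0, 1, 1, first_attr,
                         FLAG_IN_USE if in_use else 0, first_attr + len(body),
                         RECORD_SIZE, 0, 2, 0, 0)
    rec = bytearray((header + b"\0" * 8 + body).ljust(RECORD_SIZE, b"\0"))
    # Fixups: USN first, then the original last two bytes of each 512-byte sector,
    # and the USN itself overwrites those sector tails (torn-write detection).
    rec[48:54] = struct.pack("<H", usn) + rec[510:512] + rec[1022:1024]
    rec[510:512] = rec[1022:1024] = struct.pack("<H", usn)
    return bytes(rec)


def apply_fixups(raw):
    """Verify the update sequence number in every sector tail and restore the originals."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        tail = i * SECTOR - 2
        if rec[tail:tail + 2] != usn:
            raise ValueError("torn write: fixup mismatch in sector %d" % (i - 1))
        rec[tail:tail + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_mft_record(raw):
    """Return (in_use, file_name) for a FILE record, or None for anything else."""
    if raw[:4] != b"FILE":
        return None
    rec = apply_fixups(raw)
    off, flags = struct.unpack_from("<HH", rec, 20)   # first attribute offset, flags
    name = None
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_FILE_NAME and rec[off + 8] == 0:   # resident $FILE_NAME
            vlen, voff = struct.unpack_from("<IH", rec, off + 16)
            val = rec[off + voff:off + voff + vlen]
            name = val[66:66 + 2 * val[64]].decode("utf-16-le")
        off += alen
    return bool(flags & FLAG_IN_USE), name


class MftMonitor:
    """Interposer below the guest: every write to the $MFT region updates a live
    record-number -> (in_use, name) map and yields the event the write implies."""
    def __init__(self, mft_start_sector):
        self.mft_start, self.state, self.events = mft_start_sector, {}, []

    def on_write(self, sector, data):
        if len(data) != RECORD_SIZE or (sector - self.mft_start) % 2:
            return None                           # simplification: whole records only
        recno = (sector - self.mft_start) // 2
        parsed = parse_mft_record(data)
        if parsed is None:
            return None
        in_use, name = parsed
        old = self.state.get(recno)
        self.state[recno] = parsed
        if in_use and (old is None or not old[0]):
            ev = ("create", recno, name)
        elif not in_use and old and old[0]:
            ev = ("delete", recno, old[1])
        elif in_use and old and old[1] != name:
            ev = ("rename", recno, old[1], name)
        else:
            ev = ("modify", recno, name)
        self.events.append(ev)
        return ev


def static_scan(image, mft_start_sector, count):
    """Offline pass over the whole $MFT: the ground truth the live view is checked against."""
    out = {}
    for i in range(count):
        off = (mft_start_sector + 2 * i) * SECTOR
        parsed = parse_mft_record(image[off:off + RECORD_SIZE])
        if parsed:
            out[i] = parsed
    return out


def demo(mft_start=64):
    """Replay a constructed write sequence; return (events, live view == static scan)."""
    mon, disk = MftMonitor(mft_start), bytearray(SECTOR * (mft_start + 8))

    def write(recno, rec):
        sector = mft_start + 2 * recno
        disk[sector * SECTOR:sector * SECTOR + RECORD_SIZE] = rec
        return mon.on_write(sector, rec)

    events = [write(0, build_mft_record("a.txt")),
              write(1, build_mft_record("notes.txt")),
              write(1, build_mft_record("notes.bak", usn=2)),
              write(0, build_mft_record("a.txt", in_use=False, usn=2))]
    return events, mon.state == static_scan(bytes(disk), mft_start, 4)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields create, create, rename and delete events, and the live table matches the static scan of the image, the same consistency check the abstract uses to validate reconstruction. A fixup mismatch raises instead of silently accepting a torn record, which is the failure mode a monitor reading sectors out from under the guest has to handle.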
