Dione: A Flexible Disk Monitoring and Analysis Framework

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC, volume 7462)

Abstract

The proliferation of malware in recent years has motivated the need for tools to detect, analyze, and understand intrusions. Though analysis and detection can be difficult, malware fortunately leaves artifacts of its presence on disk. In this paper, we present Dione, a flexible policy-based disk I/O monitoring and analysis infrastructure that can be used to analyze and understand malware behavior. Dione interposes between a system-under-analysis and its hard disk, intercepting disk accesses and reconstructing a high-level semantic view of the disk and all operations on it. Since Dione resides outside the host it is analyzing, it is resilient to attacks and misdirections by malware that attempts to mislead or hide from analyzers. By performing on-the-fly reconstruction of every operation, Dione maintains a ground truth of the state of the file system which is always up-to-date—even as new files are created, deleted, moved, or altered.

Dione is the first disk monitoring infrastructure to provide rich, up-to-date, low-level monitoring and analysis for NTFS: the notoriously complex, closed-source file system used by modern Microsoft Windows computing systems. By comparing a snapshot obtained by Dione’s live-updating capability to a static disk scan, we demonstrate that Dione provides 100% accuracy in reconstructing file system operations. Despite this powerful instrumentation capability, Dione has a minimal effect on the performance of the system. For most tests, Dione results in a performance overhead of less than 10%—in many cases less than 3%—even when processing complex sequences of file system operations.
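The reconstruction step the abstract describes, written out as an added example (it is not code from the paper or from Dione): a monitor receives raw sector writes, decodes only those that land in the NTFS Master File Table, applies the update-sequence fixups, pulls the name and parent directory from the resident $FILE_NAME attribute, and keeps a record-number-to-path map in which a file flips to deleted the moment NTFS clears its in-use flag. Record layouts follow the public NTFS documentation; the MFT location (MFT_START_LBA), the monitored region size, the record numbers and the file names are assumptions constructed for the demo, and the tracker assumes NTFS hands over whole, record-aligned MFT records.

```python
# Added example (not Dione's code): rebuild NTFS file-system state from intercepted
# writes to the Master File Table.  Record layouts follow the public NTFS docs;
# MFT_START_LBA, the record numbers and the file names are constructed for the demo.
import struct

SECTOR, RECORD_SIZE = 512, 1024                  # assumption: default 1 KiB MFT records
MFT_START_LBA, MFT_RECORDS = 6291456, 64         # assumption: hypothetical $MFT location/size
ATTR_FILE_NAME, ATTR_END = 0x30, 0xFFFFFFFF
FLAG_IN_USE, FLAG_DIRECTORY, ROOT_DIR = 0x01, 0x02, 5   # MFT record 5 is the root directory

def apply_fixups(raw: bytes) -> bytes:
    """Undo update-sequence protection: the last 2 bytes of each on-disk sector hold the
    USN; the real bytes sit in the update sequence array.  A mismatch is a torn record."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", raw, 4)
    usn, rec = raw[usa_off:usa_off + 2], bytearray(raw)
    for i in range(1, usa_count):
        if rec[i * SECTOR - 2:i * SECTOR] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn or corrupt record")
        rec[i * SECTOR - 2:i * SECTOR] = raw[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_mft_record(raw: bytes) -> dict:
    """Walk the attribute list; take name, parent and in-use flag from $FILE_NAME."""
    rec = apply_fixups(raw)
    off, flags = struct.unpack_from("<HH", rec, 0x14)         # first attribute offset, flags
    info = {"in_use": bool(flags & FLAG_IN_USE), "name": None, "parent": None}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_FILE_NAME and rec[off + 8] == 0:     # resident $FILE_NAME
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if info["name"] is None or body[0x41] != 2:        # prefer a non-8.3 (DOS) name
                info["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
                info["parent"] = struct.unpack_from("<Q", body)[0] & 0xFFFFFFFFFFFF
        off += alen
    return info

def build_mft_record(record_no, name, parent, in_use=True, is_dir=False) -> bytes:
    """Constructed on-disk FILE record (fixups applied) for the sample scenario."""
    fn = struct.pack("<Q", parent | 1 << 48) + bytes(0x38) + bytes([len(name), 1]) + name.encode("utf-16-le")
    alen = (0x18 + len(fn) + 7) & ~7
    attr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, alen, 0, 0, 0, 0, 2,
                       len(fn), 0x18, 1, 0)
    attr = (attr + fn).ljust(alen, b"\0") + struct.pack("<II", ATTR_END, 0)
    flags = (FLAG_IN_USE if in_use else 0) | (FLAG_DIRECTORY if is_dir else 0)
    rec = bytearray(RECORD_SIZE)
    rec[:0x30] = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, 0x38, flags,
                                       0x38 + len(attr), RECORD_SIZE, 0, 3, 0, record_no)
    rec[0x38:0x38 + len(attr)] = attr
    usn = struct.pack("<H", 7)
    rec[0x30:0x36] = usn + bytes(rec[510:512]) + bytes(rec[1022:1024])   # USN + saved bytes
    rec[510:512], rec[1022:1024] = usn, usn
    return bytes(rec)

class MftTracker:
    def __init__(self):
        self.files, self.events = {}, []          # record number -> info; (event, path) log

    def on_write(self, lba: int, data: bytes) -> None:
        # Assumption: NTFS writes whole, record-aligned MFT records; any other sector is ignored.
        if not MFT_START_LBA <= lba < MFT_START_LBA + MFT_RECORDS * RECORD_SIZE // SECTOR:
            return
        for n, i in enumerate(range(0, len(data), RECORD_SIZE)):
            rec_no = (lba - MFT_START_LBA) * SECTOR // RECORD_SIZE + n
            info, old = parse_mft_record(data[i:i + RECORD_SIZE]), self.files.get(rec_no)
            was_live = bool(old and old["in_use"])
            if not (info["in_use"] or was_live):
                continue                                        # churn in an unused record
            if not was_live:
                event = "create"
            elif not info["in_use"]:
                event = "delete"       # NTFS only clears the flag; the name survives until reuse
            else:
                event = "modify" if (old["name"], old["parent"]) == (info["name"], info["parent"]) else "rename"
            self.files[rec_no] = info
            self.events.append((event, self.path(rec_no)))

    def path(self, rec_no: int) -> str:
        parts, seen = [], set()                                 # seen: guard against parent cycles
        while rec_no != ROOT_DIR and rec_no in self.files and rec_no not in seen:
            seen.add(rec_no)
            parts.append(self.files[rec_no]["name"] or "?")
            rec_no = self.files[rec_no]["parent"]
        prefix = "" if rec_no == ROOT_DIR else f"<mft#{rec_no}>"   # parent record not seen yet
        return prefix + "\\" + "\\".join(reversed(parts))

def demo() -> list:
    t = MftTracker()   # constructed scenario: a dropper creates \Windows\payload.dll, then deletes it
    t.on_write(MFT_START_LBA + 80, build_mft_record(40, "Windows", ROOT_DIR, is_dir=True))
    t.on_write(MFT_START_LBA + 82, build_mft_record(41, "payload.dll", 40))
    t.on_write(MFT_START_LBA + 82, build_mft_record(41, "payload.dll", 40, in_use=False))
    t.on_write(12345, bytes(RECORD_SIZE))                       # data-region write: never decoded
    return t.events
```

Two details matter for a monitor that sits below the file system, as Dione does. First, the fixup step is not optional: NTFS overwrites the last two bytes of every 512-byte sector of a record with the update sequence number, so an attribute that straddles a sector boundary decodes wrongly unless the saved bytes are put back, and a USN mismatch is the signature of a torn write that should not be trusted. Second, deletion is only a flag flip: the $FILE_NAME attribute stays in the freed record until NTFS reuses it, which is why the tracker can still report the full path of the deleted file, and why a later write to the same record number with the flag set again is correctly read as a new create rather than a modification.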

Keywords

  • Malware Analysis
  • Instrumentation
  • File System
  • Digital Forensics




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Mankin, J., Kaeli, D. (2012). Dione: A Flexible Disk Monitoring and Analysis Framework. In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2012. Lecture Notes in Computer Science, vol 7462. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33338-5_7

  • DOI: https://doi.org/10.1007/978-3-642-33338-5_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-33337-8

  • Online ISBN: 978-3-642-33338-5
