Dione: A Flexible Disk Monitoring and Analysis Framework

The proliferation of malware in recent years has motivated the need for tools to detect, analyze, and understand intrusions. Though analysis and detection can be difficult, malware fortunately leaves artifacts of its presence on disk. In this paper, we present

Dione

, a flexible policy-based disk I/O monitoring and analysis infrastructure that can be used to analyze and understand malware behavior.

Dione

interposes between a system-under-analysis and its hard disk, intercepting disk accesses and reconstructing a high-level semantic view of the disk and all operations on it. Since

Dione

resides outside the host it is analyzing, it is resilient to attacks and misdirections by malware that attempts to mislead or hide from analyzers. By performing on-the-fly reconstruction of every operation,

Dione

maintains a ground truth of the state of the file system which is always up-to-date—even as new files are created, deleted, moved, or altered.

Dione

is the first disk monitoring infrastructure to provide rich, up-to-date, low-level monitoring and analysis for NTFS: the notoriously complex, closed-source file system used by modern Microsoft Windows computing systems. By comparing a snapshot obtained by

Dione

’s

live-updating

capability to a static disk scan, we demonstrate that

Dione

provides 100% accuracy in reconstructing file system operations. Despite this powerful instrumentation capability,

Dione

has a minimal effect on the performance of the system. For most tests,

Dione

results in a performance overhead of less than 10%—in many cases less than 3%—even when processing complex sequences of file system operations.