2012 | Original Paper | Book chapter
Dione: A Flexible Disk Monitoring and Analysis Framework
Authors: Jennifer Mankin, David Kaeli
Published in: Research in Attacks, Intrusions, and Defenses
Publisher: Springer Berlin Heidelberg
The proliferation of malware in recent years has motivated the need for tools to detect, analyze, and understand intrusions. Though analysis and detection can be difficult, malware fortunately leaves artifacts of its presence on disk. In this paper, we present Dione, a flexible policy-based disk I/O monitoring and analysis infrastructure that can be used to analyze and understand malware behavior. Dione interposes between a system-under-analysis and its hard disk, intercepting disk accesses and reconstructing a high-level semantic view of the disk and all operations on it. Since Dione resides outside the host it is analyzing, it is resilient to attacks and misdirections by malware that attempts to mislead or hide from analyzers. By performing on-the-fly reconstruction of every operation, Dione maintains a ground truth of the state of the file system which is always up-to-date, even as new files are created, deleted, moved, or altered. Dione is the first disk monitoring infrastructure to provide rich, up-to-date, low-level monitoring and analysis for NTFS: the notoriously complex, closed-source file system used by modern Microsoft Windows computing systems. By comparing a snapshot obtained by Dione's live-updating capability to a static disk scan, we demonstrate that Dione provides 100% accuracy in reconstructing file system operations. Despite this powerful instrumentation capability, Dione has a minimal effect on the performance of the system. For most tests, Dione results in a performance overhead of less than 10% (in many cases less than 3%), even when processing complex sequences of file system operations.
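The abstract describes the core mechanism without showing it: a monitor that sees only raw sector writes below the guest and rebuilds an up-to-date view of which NTFS files exist. The following is an added example written for this page, not code from Dione or its authors. It reconstructs file names and in-use state from MFT FILE records as they are written, applying the NTFS update-sequence fixups first (a parser that skips that step reads the update sequence number instead of real data at every 512-byte boundary, and a fixup mismatch is also how a torn or tampered record is caught). The FILE-record and $FILE_NAME layouts follow the documented NTFS on-disk format; MFT_START, the 1024-byte record size, and the write stream in demo() are assumptions and constructed test data, not captures from a real volume.

```python
# Added example (not Dione's code): rebuild a file-system view from raw MFT writes.
import struct

MFT_RECORD_SIZE = 1024            # default NTFS record size (assumed here)
MFT_START = 4 * 1024 * 1024       # assumed byte offset of $MFT on the volume
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
FLAG_IN_USE = 0x0001
FLAG_DIRECTORY = 0x0002


def apply_fixups(record: bytes) -> bytes:
    """Undo update-sequence protection: NTFS stores the USN in the last two bytes
    of every 512-byte stride and parks the displaced bytes in the USA."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * 512
        if buf[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn or tampered record")
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_file_record(record: bytes) -> dict:
    """Extract in-use/directory flags plus the resident $FILE_NAME name and parent."""
    rec = apply_fixups(record)
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"in_use": bool(flags & FLAG_IN_USE),
            "is_dir": bool(flags & FLAG_DIRECTORY), "name": None, "parent": None}
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_FILE_NAME and rec[off + 8] == 0:      # resident only
            vlen, voff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + voff:off + voff + vlen]
            info["parent"] = struct.unpack_from("<Q", body, 0)[0] & 0xFFFFFFFFFFFF
            name_len = body[0x40]                                # chars, UTF-16LE
            info["name"] = body[0x42:0x42 + 2 * name_len].decode("utf-16-le")
        off += alen
    return info


class DiskMonitor:
    """Sits below the guest: sees only (byte offset, data) writes and keeps the
    reconstructed record table current after every one."""

    def __init__(self):
        self.records = {}                                        # rec_no -> info

    def on_write(self, offset: int, data: bytes) -> None:
        if offset < MFT_START or (offset - MFT_START) % MFT_RECORD_SIZE:
            return                   # not an aligned MFT write; out of scope here
        base = (offset - MFT_START) // MFT_RECORD_SIZE
        for i in range(0, len(data), MFT_RECORD_SIZE):
            self.records[base + i // MFT_RECORD_SIZE] = parse_file_record(
                data[i:i + MFT_RECORD_SIZE])

    def live_names(self) -> list:
        return sorted(r["name"] for r in self.records.values()
                      if r["in_use"] and r["name"])


def build_file_record(name: str, parent: int, in_use: bool, rec_no: int) -> bytes:
    """Constructed test input: minimal FILE record with one resident $FILE_NAME
    attribute, fixup-protected the way NTFS writes it."""
    fn_body = (struct.pack("<Q", parent | (5 << 48)) + bytes(0x30)  # ref, 4 times, 2 sizes
               + struct.pack("<IIBB", 0x20, 0, len(name), 3) + name.encode("utf-16-le"))
    attr_len = (0x18 + len(fn_body) + 7) & ~7
    attr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, attr_len, 0, 0, 0x18, 0, 0,
                       len(fn_body), 0x18, 1, 0) + fn_body
    attrs = attr.ljust(attr_len, b"\0") + struct.pack("<I", ATTR_END) + bytes(4)
    usa_off, usa_count, first_attr = 0x30, 3, 0x38
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", usa_off, usa_count, 0, 1, 1, first_attr,
                                FLAG_IN_USE if in_use else 0, first_attr + len(attrs),
                                MFT_RECORD_SIZE, 0, 0, 0, rec_no)
    rec = bytearray((hdr + bytes(8) + attrs).ljust(MFT_RECORD_SIZE, b"\0"))
    usn = b"\x07\x00"
    rec[usa_off:usa_off + 2] = usn
    for i in range(1, usa_count):                                # apply fixups
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[i * 512 - 2:i * 512]
        rec[i * 512 - 2:i * 512] = usn
    return bytes(rec)


def demo() -> dict:
    """Constructed write stream: two files created under the root directory
    (record 5), then the first one deleted (in-use flag cleared)."""
    mon = DiskMonitor()
    mon.on_write(MFT_START + 64 * MFT_RECORD_SIZE, build_file_record("report.docx", 5, True, 64))
    mon.on_write(MFT_START + 65 * MFT_RECORD_SIZE, build_file_record("svchost.exe", 5, True, 65))
    mon.on_write(MFT_START + 64 * MFT_RECORD_SIZE, build_file_record("report.docx", 5, False, 64))
    return {"live": mon.live_names(), "deleted": mon.records[64]["name"]}
```

Running demo() yields a live view containing only svchost.exe, while the name of the deleted report.docx is still recoverable from its record: the guest never gets a chance to hide the deletion from a monitor that sits below it. A real interposer would also have to locate $MFT from the boot sector, follow non-resident attributes through data runs, and handle multi-sector records split across separate writes; those parts are omitted here.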