Disk-Level Behavioral Virus Detection

David Evans
Computer Science Seminar
North Carolina State University
Raleigh, NC
5 March, 2007

Abstract

Current techniques for virus detection are doomed to forever play catch-up against increasingly sophisticated malware: they detect viruses as the level of the host OS, so can be circumvented by lower-level attacks; they rely on lists of known static signatures so no new viruses can be caught; and they attempt to detect viruses based on analyzing their code, which can easily be changed, rather than observing their behavior. Our work explores the possibility of taking advantage of the processing power now available on disk drives to overcome these problems. We use the disk processor to monitor disk requests and identify viruses based on properties of sequences of requests the viruses make. Disk-level behavioral virus detection offers several advantages over traditional approaches since the disk processor can perform computation without burdening the host processor, can observe all disk traffic with little overhead, and can manipulate and control disk accesses directly before they reach the physical medium. In this talk, I will present two instances of our approach: one uses a simple, generic infection signature to reliably detect parasitic file-infecting viruses with a low false positive rate; the other illustrates how our approach can be used to develop virus-specific signatures that recognize and thwart known viruses.

Bio: David Evans is an Associate Professor at the University of Virginia and Director of the Arts & Sciences Major in Computer Science. He has SB, SM and PhD degrees in Computer Science from MIT. His other research interests include program analysis, exploiting properties of the physical world for security, and applications of cryptography. For more information, see http://www.cs.virginia.edu/evans/

This talk describes joint work with Nate Paul, Adrienne Felt, and Sudhanva Gurumurthi.

Slides: [PPT] [PDF (6 up)]