Disk-Level Malware Detection

A Dissertation
Presented to
the faculty of the School of Engineering and Applied Science
University of Virginia


In Partial Fulfillment
of the requirements of the Degree
Doctor of Philosophy
Computer Science

by
Nathanael R. Paul

May 2008

Approved:

David E. Evans (Advisor)
Jack W. Davidson
Sudhanva Gurumurthi
Nina Mishra
Ronald D. Williams

Accepted by the School of Engineering and Applied Science:

James H. Aylor (Dean)

May 2008

Abstract

We present a new malware detection method that takes advantage of the processing power now available on disk drives. Our method uses the disk processor to monitor disk requests and identifies malicious programs based on characteristic properties of the disk requests they make. Disk-level behavioral detection offers several advantages over traditional approaches since the disk processor can perform computation without burdening the host processor and can mediate disk accesses before they reach the physical medium. This dissertation describes and evaluates two instances of our approach: one uses a simple, general infection signature to reliably detect a class of file-infecting viruses; the other illustrates how our approach can be used with behavior-specific signatures to recognize known malware.

By identifying a large class of common disk-level virus behavior, we develop simple rules that can be enforced by the disk processor. These rules are able to detect unknown viruses by recognizing their characteristic file-infecting behavior. Two of the rules are able to detect all but two types of the file-infecting viruses in our test set. From our testing based on traces of disk activity collected from eight different users, we identify a small set of activities that generate false positives. We present mechanisms to mitigate or avoid these false positives.

Some malware performs other malicious actions besides the recognized file-infecting behavior. We develop a process for finding behavior-specific signatures to precisely identify disk-based malware using a candidate set of three viruses and one worm. We can detect a family of malware (i.e., its variants) using a single disk-level behavior-specific signature.

We present the design of a disk-level malware detector that can enforce these rules and signatures. The disk infers high-level file system activity from disk-level events and is able to map disk blocks to files. Based on this design, we implemented a prototype disk-level detector that demonstrates the feasibility of disk-level virus detection.

Our detection is resilient to many traditional obfuscation techniques, because our approach is behavior-based. It is more difficult to change a program's behavior than it is to change a few bytes to generate a new variant. Further, by using the disk processor to recognize disk-based malware, a disk-level detector can use general behavioral rules to detect unknown malware and use behavior-specific signatures to precisely identify other more sophisticated malware. Since the detector is running below the host level, it cannot be circumvented even if the host is compromised.
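To make the block-to-file mapping and rule enforcement described above concrete, here is an added illustration in Python; it is not code from the dissertation, and the file table, the trace and the read-then-write rule are constructed assumptions standing in for the on-disk metadata and the actual rules the dissertation evaluates.

```python
# Added illustration, not the dissertation's code: a simplified disk-level monitor
# that attributes block requests to files and applies one hypothetical rule.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEntry:
    name: str
    blocks: tuple      # logical block addresses owned by this file
    executable: bool   # derived from the file type, as the disk would infer it


# Constructed block-to-file map, standing in for the file system structures
# a disk-level detector would parse to map blocks to files.
FILE_TABLE = [
    FileEntry("notepad.exe", (100, 101, 102), True),
    FileEntry("report.doc", (200, 201), False),
    FileEntry("calc.exe", (300, 301), True),
]
BLOCK_TO_FILE = {b: f for f in FILE_TABLE for b in f.blocks}
BY_NAME = {f.name: f for f in FILE_TABLE}


def infer_file_ops(requests):
    """Group block-level requests into per-file operations.

    Each request is (op, block) with op in {"read", "write"}. Requests for blocks
    not in the map (e.g. a newly created file) are attributed to "<unallocated>".
    Each recorded event keeps its trace index so ordering can be checked later."""
    ops = defaultdict(lambda: {"read": [], "write": []})
    for i, (op, block) in enumerate(requests):
        entry = BLOCK_TO_FILE.get(block)
        name = entry.name if entry else "<unallocated>"
        ops[name][op].append((i, block))
    return dict(ops)


def flag_infections(requests):
    """Hypothetical rule (an assumption, not one of the dissertation's rules):
    an existing executable that is read and then written back in place matches
    the file-infecting pattern of modifying a host program."""
    flagged = []
    for name, io in infer_file_ops(requests).items():
        entry = BY_NAME.get(name)
        if entry and entry.executable and io["read"] and io["write"]:
            if io["read"][0][0] < io["write"][0][0]:   # first read precedes first write
                flagged.append(name)
    return sorted(flagged)


# Constructed trace: notepad.exe is read then overwritten (infection-like),
# report.doc is edited, calc.exe is only read, and block 400 is a new file.
TRACE = [("read", 100), ("read", 101), ("write", 100), ("write", 102),
         ("read", 200), ("write", 201), ("read", 300), ("write", 400)]
```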

Complete Dissertation: PDF (155 pages)