DIONE: A flexible disk monitoring and analysis framework

Abstract

The proliferation of malware in recent years has motivated the need for tools to detect, analyze, and understand intrusions. Though analysis and detection can be difficult, malware fortunately leaves artifacts of its presence on disk. In this paper, we present Dione, a flexible policy-based disk I/O monitoring and analysis infrastructure that can be used to analyze and understand malware behavior. Dione interposes between a system-under-analysis and its hard disk, intercepting disk accesses and reconstructing a high-level semantic view of the disk and all operations on it. Since Dione resides outside the host it is analyzing, it is resilient to attacks and misdirections by malware that attempts to mislead or hide from analyzers. By performing on-the-fly reconstruction of every operation, Dione maintains a ground truth of the state of the file system which is always up-to-date - even as new files are created, deleted, moved, or altered. Dione is the first disk monitoring infrastructure to provide rich, up-to-date, low-level monitoring and analysis for NTFS: the notoriously complex, closed-source file system used by modern Microsoft Windows computing systems. By comparing a snapshot obtained by Dione's live-updating capability to a static disk scan, we demonstrate that Dione provides 100% accuracy in reconstructing file system operations. Despite this powerful instrumentation capability, Dione has a minimal effect on the performance of the system. For most tests, Dione results in a performance overhead of less than 10% - in many cases less than 3% - even when processing complex sequences of file system operations. © 2012 Springer-Verlag.