Dione: A Flexible Disk Monitoring and Analysis Framework

Mankin, J.B.; Kaeli, David

doi:10.1007/978-3-642-33338-5_7

Cited by 6 publications

(6 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Jain et al [41] provide an excellent overview of this area of research. However, introspection techniques have very limited access to the semantic meaning of the data that they are acquiring, which led to the development of numerous techniques for bridging this semantic gap in both memory [9], [27], [33], [42], [48] and disk [18], [45], [50] accesses. All VM-based techniques thus far have nevertheless been shown to reveal some detectable artifacts [20], [57], [59], [60] that could still be used to subvert analysis [31], [57].…”

Section: Background and Threat Modelmentioning

confidence: 99%

“…LO-PHI also necessitated the development of novel introspection techniques. While numerous techniques exist for memory acquisition [19], [28], [72] of bare-metal systems, passively monitoring disk activity has only recently begun to be explored [50]. In this work we present a hardware sensor capable of passively sniffing the disk activity of a live machine while introducing minimal artifacts.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

LO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis

Spensky¹,

Hu²,

Leach³

2016

Proceedings 2016 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Dynamic-analysis techniques have become the linchpins of modern malware analysis. However, software-based methods have been shown to expose numerous artifacts, which can either be detected and subverted, or potentially interfere with the analysis altogether, making their results untrustworthy. The need for less-intrusive methods of analysis has led many researchers to utilize introspection in place of instrumenting the software itself. While most current introspection technologies have focused on virtual-machine introspection, we present a novel system, LO-PHI, which is capable of physical-machine introspection of both non-volatile and volatile memory, i.e., hard disk and system memory. We demonstrate that we are able to provide analysis capabilities comparable to existing solutions, whilst exposing zero software-based artifacts and minimal hardware artifacts. To demonstrate the usefulness of our system, we have developed a framework for performing automated binary analysis. We employ this framework to analyze numerous potentially malicious binaries using both traditional virtual-machine introspection and our new hardware-based instrumentation. Our results show that not only is our analysis on-par with existing software-based counterparts, but that our physical instrumentation is capable of successfully analyzing far more binaries, as it is not foiled by popular anti-analysis techniques. Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.

show abstract

Section: Background and Threat Modelmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

LO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis

Spensky¹,

Hu²,

Leach³

2016

Proceedings 2016 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…This ultimately eliminates the need to install malware detection software on the guest machine and could enable further research into system state analysis in virtual environments. Tags Mankin and Kaeli [97] propose a similar disk monitoring system: Their implementation, the Disk I/O analysis engine (DIONE), intercepts and interprets disk access operations using a sensor that resides in the Xen hypervisor outside the guest OS. Thanks to this design, DIONE is more resilient against many conventional attacks and various obfuscation techniques.…”

Section: Malware Analysis Solutionsmentioning

confidence: 99%

Semantics-aware detection of targeted attacks: a survey

Luh

Marschalek

Kaiser

et al. 2016

J Comput Virol Hack Tech

View full text Add to dashboard Cite

In today's interconnected digital world, targeted attacks have become a serious threat to conventional computer systems and critical infrastructure alike. Many researchers contribute to the fight against network intrusions or malicious software by proposing novel detection systems or analysis methods. However, few of these solutions have a particular focus on Advanced Persistent Threats or similarly sophisticated multi-stage attacks. This turns finding domainappropriate methodologies or developing new approaches into a major research challenge. To overcome these obstacles, we present a structured review of semantics-aware works that have a high potential for contributing to the analysis or detection of targeted attacks. We introduce a detailed literature evaluation schema in addition to a highly granular model for article categorization. Out of 123 identified papers, 60 were found to be relevant in the context of this study. The selected articles are comprehensively reviewed and assessed in accordance to Kitchenham's guidelines for systematic literature reviews. In conclusion, we combine new insights and the status quo of current research into the concept of an ideal systemic approach capable of semantically processing and evaluating information from different observation points.

show abstract

“…This limitation is known as the semantic gap problem. There is significant work in the semantic gap problem as it relates to memory [20,75,98,130,152] and disk [50,145,156] accesses.…”

Section: Malware Analysismentioning

confidence: 99%

“…This entire process is visualized in Figure 3.6a. Unlike previous work [156] was designed for NTFS, our approach is generalizable to any filesystem supported by tools similar to Sleuthkit. An example output from creating the file LO-PHI.txt on the desktop is shown in Figure 3.7:…”

Section: Diskmentioning

confidence: 99%

Transparent System Introspection in Support of Analyzing Stealthy Malware

Leach

View full text Add to dashboard Cite

The proliferation of malware has increased dramatically and seriously degraded the privacy of users and the integrity of hosts. Millions of unique malware samples appear every year, which has driven the development of a vast array of analysis tools. Malware analysis is often performed with the assistance of virtualization or emulation for rapid deployment.Malware samples are run in an instrumented virtual machine or analysis tool, and existing introspection techniques help an analyst determine its behavior. Unfortunately, a growing body of malware samples has begun employing anti-debugging, anti-virtualization, and antiemulation techniques to escape or otherwise subvert these analysis mechanisms.These anti-analysis techniques often require measuring differences between the analysis environment and the native environment (e.g., executing more slowly in a debugger). We call these measurable differences artifacts. Malware samples that use artifacts to exhibit stealthy behavior have increased the effort required to analyze and understand each stealthy sample. Additionally, traditional automated techniques fail against such samples because they produce measurable artifacts. We desire a transparent approach that produces no artifacts, thereby admitting the analysis of stealthy malware. We refer to this challenge as the debugging transparency problem. Solving this problem is thus concerned with reducing artifacts or permitting reliable analysis in the presence of artifacts.We present a system consisting of two approaches to address the debugging transparency problem and then demonstrate how these components can apply to currently available computer systems. We present two techniques capable of transparently acquiring snapshots of memory and disk activity that can be used to analyze stealthy malware. First, we discuss a novel use of a custom Field-Programmable Gate Array that provides snapshots of memory and disk activity with no measurable timing artifacts. Second, we present a novel use of System Management Mode on x86 platforms that produces no functional artifacts at the expense of producing timing artifacts. Finally, we present an approach to evaluating the i tradeoff space that exists between analysis transparency and the fidelity of introspection data provided by such an analysis system. Together, these approaches form a cohesive solution to the debugging transparency problem that admits analyzing stealthy malware.ii DedicationThe graduate school experience has been a long endurance test. There are several people to whom I owe a tremendous amount of gratitude.

show abstract

Dione: A Flexible Disk Monitoring and Analysis Framework

Cited by 6 publications

References 17 publications

LO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis

LO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis

Semantics-aware detection of targeted attacks: a survey

Transparent System Introspection in Support of Analyzing Stealthy Malware

Contact Info

Product

Resources

About