Disk-Level Behavioral Malware Detection

We present a new malware detection method that takes advantage of the processing power now available on disk drives. Our method uses the disk processor to monitor disk requests and identifies malicious programs based on characteristic properties of the disk requests they make. Disk-level behavioral detection offers several advantages over traditional approaches since the disk processor can perform computation without burdening the host processor and can mediate disk accesses before they reach the physical medium. This dissertation describes and evaluates two instances of our approach: one uses a simple, general infection signature to reliably detect a class of file-infecting viruses; the other illustrates how our approach can be used with behavior-specific signatures to recognize known malware. By identifying a large class of common disk-level virus behavior, we develop simple rules that can be enforced by the disk processor. These rules are able to detect unknown viruses by recognizing their characteristic file-infecting behavior. Two of the rules are able to detect all but two types of the file-infecting viruses in our test set. From our testing based on traces of disk activity collected from eight different users, we identify a small set of activities that generate false positives. We present mechanisms to mitigate or avoid these false positives. Some malware performs other malicious actions besides the recognized file-infecting behavior. We develop a process for finding behavior-specific signatures to precisely identify disk-based malware using a candidate set of three viruses and one worm. We can detect a family of malware (i.e., its variants) using a single disk-level behavior-specific