Towards Disk-Level Malware Detection

Nathanael Paul, Sudhanva Gurumurthi, David Evans
Workshop on Code Based Software Security Assessments
Pittsburgh, Pennsylvania
7 November 2005

Disk drive capabilities and processing power are steadily increasing, and this power gives us the possibility of using disks as data processing devices rather than merely for data transfers. In the area of malicious code (malware) detection, anti-virus (AV) engines are slow and have trouble correctly identifying many types of malware. Our goal is to help make malware detection more reliable and more efficient by using the disk drive's processor. Using the extra processing power available on modern disk drives can provide significant advantages in detecting malware including reducing the traditional AV engine's workload on the host CPU by partitioning the workload between the host AV engine and the disk drive, improving the detection of stealth malware by providing a low-level view of the system, and recognizing virus behavior by observing disk I/O traffic directly. Several research questions must be addressed before these benefits can be realized: how to correctly partition work between the AV engine and the disk drive processor, how to design interfaces between the operating system (OS) or host AV engine and the disk drive that provide satisfactory performance without compromising security, and how to recognize malicious behavior based on the dynamic analysis of low-level data accesses.

Keywords: dynamic analysis, malware detection, virus detection, disk drive processor.

Complete Paper (4 pages) [PDF]

Physicrypt Research Group Page