This project explores ways to improve the efficiency and effectiveness of malware detection and response by using the disk drive processor. Disk drive processing power and memory capacity are steadily increasing, which presents the possibility of using disks as data processing devices rather than merely for storing and transferring data. Current anti-virus engines are limited by computational constraints and by their inability to closely observe the behavior of running processes efficiently. The behavioral detection techniques this project is developing detect malware by observing disk I/O activity. The research develops methods for expressing disk-level behavioral malware signatures, explores ways to incorporate various levels of semantic information into those signatures, and invents techniques for automatically generating these signatures using dynamic inference. Since the disk can mediate all I/O requests, detectors for checking disk-level I/O signatures can be efficiently and securely implemented using the disk processor. This project is also researching opportunities for using the disk processor to improve response to viruses that evade detection and infect the host. The disk processor can be used to limit the damage that these viruses can do by protecting critical disk blocks, and can improve recovery by tracking questionable updates and automatically backing up disk blocks. In addition, this project is developing techniques to aid rootkit detection by providing low-level access to data on the disk. Our work holds the promise of providing practical results that will improve virus detection and response on commodity systems with little overhead.

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Application #: 0627527
Program Officer: Carl Landwehr
Project Start:
Project End:
Budget Start: 2006-08-15
Budget End: 2010-07-31
Support Year:
Fiscal Year: 2006
Total Cost: $412,000
Indirect Cost:

Name: University of Virginia
Department:
Type:
DUNS #:
City: Charlottesville
State: VA
Country: United States
Zip Code: 22904