Method and system for malware detection

US 10,025,931 B1
Filed: 12/30/2015
Issued: 07/17/2018
Est. Priority Date: 12/30/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting malware on a computing system comprising:

receiving a host-level I/O (input/output) log on a computing system;

receiving a storage-level I/O log on the computing system;

performing an analysis of the host-level I/O log and the storage-level I/O log; and

detecting evidence of malware according to the analysis of the host-level I/O log and the storage-level I/O log,wherein the detecting evidence of malware according to the analysis of the host-level I/O log and the storage-level I/O log comprises detecting evidence of malware operational in a storage host,wherein the detecting evidence of malware operational in the storage host comprises detecting differences between the host-level I/O log and the storage-level I/O log,wherein the detecting differences between the host-level I/O log and the storage-level I/O log comprises identifying I/O requests logged at the storage-level I/O log and not logged in the host-level I/O log; and

wherein the identifying I/O requests logged at the storage-level I/O log and not logged in the host-level I/O log comprises, for differences between write I/O requests, detecting any difference between the host-level I/O log and the storage-level I/O log.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Example embodiments of the present invention relate to methods, systems, and a computer program product for detecting and responding to the presence of persistently executing malware. The method includes receiving a host-level I/O log and receiving a storage-level I/O log. An analysis may be performed on the host-level I/O log and the storage-level I/O log and evidence of malware may be detected according thereto.

35 Citations

View as Search Results

18 Claims

1. A computer-implemented method for detecting malware on a computing system comprising:
- receiving a host-level I/O (input/output) log on a computing system;
  
  receiving a storage-level I/O log on the computing system;
  
  performing an analysis of the host-level I/O log and the storage-level I/O log; and
  
  detecting evidence of malware according to the analysis of the host-level I/O log and the storage-level I/O log,wherein the detecting evidence of malware according to the analysis of the host-level I/O log and the storage-level I/O log comprises detecting evidence of malware operational in a storage host,wherein the detecting evidence of malware operational in the storage host comprises detecting differences between the host-level I/O log and the storage-level I/O log,wherein the detecting differences between the host-level I/O log and the storage-level I/O log comprises identifying I/O requests logged at the storage-level I/O log and not logged in the host-level I/O log; and
  
  wherein the identifying I/O requests logged at the storage-level I/O log and not logged in the host-level I/O log comprises, for differences between write I/O requests, detecting any difference between the host-level I/O log and the storage-level I/O log.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1wherein receiving a host-level I/O log comprises receiving the host-level I/O log from a first splitter operational in a storage host;
    - andwherein receiving a storage-level I/O log comprises receiving the storage-level I/O log from a second splitter in a data path from the storage host to a storage device.
  - 3. The method of claim 2 wherein receiving the storage-level I/O log from a second splitter in a data path from the storage host to a storage device comprises receiving the storage-level I/O log from the second splitter operating in a data storage system.
  - 4. The method of claim 1 wherein one or more of receiving a host-level I/O log and receiving a storage-level I/O log comprises:
    - receiving metadata for read I/O requests; and
      
      receiving metadata for write I/O requests.
  - 5. The method of claim 1 wherein one or more of receiving a host-level I/O log and receiving a storage-level I/O log comprises receiving I/O metadata selected from a group consisting of:
    - a timestamp, an I/O type, a start address, an offset, an address, and an I/O length.
  - 6. The method of claim 1 wherein identifying I/O requests logged at the storage-level I/O log and not logged in the host-level I/O log comprises, for differences between read I/O requests, determining whether differences between the host-level I/O log and the storage-level I/O exceed a threshold of acceptable differences between the host-level I/O log and the storage-level I/O log.

7. A computing system for detecting malware comprising:
- one or more processors; and
  
  memory storing computer program code that when executed on the one or more processorscauses the system to;
  
  a first risk agent configured to receive a host-level I/O (input/output) log;
  
  a second risk agent configured to receive a storage-level I/O log; and
  
  a risk engine configured to perform an analysis of the host-level I/O log and the storage-level I/O log and detect evidence of malware according to the analysis of the host-level I/O log and the storage-level I/O log,wherein the risk engine is further configured to detect evidence of malware operational in a storage host,wherein the risk engine is further configured to detect differences between the host-level I/O log and the storage-level I/O log,wherein the risk engine is further configured to identify I/O requests logged at the storage-level I/O log and not logged at the host-level I/O log, andwherein the risk engine is further configured to, for differences between write I/O requests, detect any difference between the host-level I/O log and the storage-level I/O log.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7wherein the first risk agent is a first splitter operational in a storage host;
    - andwherein the second risk agent is a second splitter in a data path from the storage host to a storage device.
  - 9. The system of claim 8 wherein the second splitter is configured to operate in a data storage system.
  - 10. The system of claim 7 wherein one or more of the first risk agent and the second risk agent is configured to receive metadata for read I/O requests and receive metadata for write I/O requests.
  - 11. The system of claim 7 wherein one or more of the first risk agent and the second risk agent is configured to receive metadata selected from a group consisting of:
    - a timestamp, an I/O type, a start address, an offset, an address, and an I/O length.
  - 12. The system of claim 7 wherein the risk engine is further configured to, for differences between read I/O requests, determining whether differences between the host-level I/O log and the storage-level I/O exceed a threshold of acceptable differences between the host-level I/O log and the storage-level I/O log.

13. A computer program product including a non-transitory computer readable storage medium having computer program code encoded thereon that, when executed by a processor of a computer, causes the computer to detect evidence of malware, comprising:
- computer program code for receiving a host-level I/O (input/output) log;
  
  computer program code for receiving a storage-level I/O log;
  
  computer program code for performing an analysis of the host-level I/O log and the storage-level I/O log; and
  
  computer program code for detecting evidence of malware according to the analysis of the host-level I/O log and the storage-level I/O log,wherein the computer program code for detecting evidence of malware according to the analysis of the host-level I/O log and the storage-level I/O log comprises detecting evidence of malware operational in a storage host,wherein the computer program code for detecting evidence of malware operational in the storage host comprises detecting differences between the host-level I/O log and the storage-level I/O log,wherein the computer program code for detecting differences between the host-level I/O log and the storage-level I/O log comprises identifying I/O requests logged at the storage-level I/O log and not logged in the host-level I/O log; and
  
  wherein the computer program code for identifying I/O requests logged at the storage-level I/O log and not logged in the host-level I/O log comprises, for differences between write I/O requests, detecting any difference between the host-level I/O log and the storage-level I/O log.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer program product of claim 13wherein receiving a host-level I/O log comprises receiving the host-level I/O log from a firsts litter operational in a storage host;
    - andwherein receiving a storage-level I/O log comprises receiving the storage-level I/O log from a second splitter in a data path from the storage host to a storage device.
  - 15. The computer program product of claim 14 wherein receiving the storage-level I/O log from a second splitter in a data path from the storage host to a storage device comprises receiving the storage-level I/O log from the second splitter operating in a data storage system.
  - 16. The computer program product of claim 13 wherein one or more of receiving a host-level I/O log and receiving a storage-level I/O log comprises:
    - receiving metadata for read I/O requests; and
      
      receiving metadata for write I/O requests.
  - 17. The computer program product of claim 13 wherein one or more of receiving a host-level I/O log and receiving a storage-level I/O log comprises receiving I/O metadata selected from a group consisting of:
    - a timestamp, an I/O type, a start address, an offset, an address, and an I/O length.
  - 18. The computer program product of claim 13 wherein identifying I/O requests logged at the storage-level I/O log and not logged in the host-level I/O log comprises, for differences between read I/O requests, determining whether differences between the host-level I/O log and the storage-level I/O exceed a threshold of acceptable differences between the host-level I/O log and the storage-level I/O log.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Natanzon, Assaf, Derbeko, Philip
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US14/984,317
Time in Patent Office

930 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/567   using dedicated hardware

G06F 21/78   to assure secure storage of...

G06F 2221/034   Test or assess a computer o...

Method and system for malware detection

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for malware detection

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links