Method and system for malware detection
Abstract
Example embodiments of the present invention relate to methods, systems, and a computer program product for detecting and responding to the presence of persistently executing malware. The method includes receiving a host-level I/O log and receiving a storage-level I/O log. An analysis may be performed on the host-level I/O log and the storage-level I/O log and evidence of malware may be detected according thereto.
18 Claims
1. A computer-implemented method for detecting malware on a computing system comprising:
receiving a host-level I/O (input/output) log on a computing system;
receiving a storage-level I/O log on the computing system;
performing an analysis of the host-level I/O log and the storage-level I/O log; and
detecting evidence of malware according to the analysis of the host-level I/O log and the storage-level I/O log,
wherein the detecting evidence of malware according to the analysis of the host-level I/O log and the storage-level I/O log comprises detecting evidence of malware operational in a storage host,
wherein the detecting evidence of malware operational in the storage host comprises detecting differences between the host-level I/O log and the storage-level I/O log,
wherein the detecting differences between the host-level I/O log and the storage-level I/O log comprises identifying I/O requests logged at the storage-level I/O log and not logged in the host-level I/O log; and
wherein the identifying I/O requests logged at the storage-level I/O log and not logged in the host-level I/O log comprises, for differences between write I/O requests, detecting any difference between the host-level I/O log and the storage-level I/O log.
Dependent claims: 2, 3, 4, 5, 6.

7. A computing system for detecting malware comprising:
one or more processors; and
memory storing computer program code that when executed on the one or more processors causes the system to;
a first risk agent configured to receive a host-level I/O (input/output) log;
a second risk agent configured to receive a storage-level I/O log; and
a risk engine configured to perform an analysis of the host-level I/O log and the storage-level I/O log and detect evidence of malware according to the analysis of the host-level I/O log and the storage-level I/O log,
wherein the risk engine is further configured to detect evidence of malware operational in a storage host,
wherein the risk engine is further configured to detect differences between the host-level I/O log and the storage-level I/O log,
wherein the risk engine is further configured to identify I/O requests logged at the storage-level I/O log and not logged at the host-level I/O log, and
wherein the risk engine is further configured to, for differences between write I/O requests, detect any difference between the host-level I/O log and the storage-level I/O log.
Dependent claims: 8, 9, 10, 11, 12.

13. A computer program product including a non-transitory computer readable storage medium having computer program code encoded thereon that, when executed by a processor of a computer, causes the computer to detect evidence of malware, comprising:
computer program code for receiving a host-level I/O (input/output) log;
computer program code for receiving a storage-level I/O log;
computer program code for performing an analysis of the host-level I/O log and the storage-level I/O log; and
computer program code for detecting evidence of malware according to the analysis of the host-level I/O log and the storage-level I/O log,
wherein the computer program code for detecting evidence of malware according to the analysis of the host-level I/O log and the storage-level I/O log comprises detecting evidence of malware operational in a storage host,
wherein the computer program code for detecting evidence of malware operational in the storage host comprises detecting differences between the host-level I/O log and the storage-level I/O log,
wherein the computer program code for detecting differences between the host-level I/O log and the storage-level I/O log comprises identifying I/O requests logged at the storage-level I/O log and not logged in the host-level I/O log; and
wherein the computer program code for identifying I/O requests logged at the storage-level I/O log and not logged in the host-level I/O log comprises, for differences between write I/O requests, detecting any difference between the host-level I/O log and the storage-level I/O log.
Dependent claims: 14, 15, 16, 17, 18.
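The comparison the three independent claims describe (take a host-level I/O log and a storage-level I/O log, find requests the storage array saw that the host never issued, and treat any difference in a write as evidence that something between the host and the disk, the "storage host" of the claims, is injecting or altering I/O), worked through as an added Python example. This is not code from the patent or its assignee; the one-request-per-line log format, the field names and the sample log lines are constructed for the example, and the choice to match writes on payload digest but reads on block range only is one reading of the "for differences between write I/O requests, detecting any difference" limitation, not the patent's own implementation.

```python
"""Cross-check a host-level I/O log against a storage-level I/O log.

Added example, not the patent's code. Constructed log format (assumption):
    <seq> <op> <lba> <blocks> <payload-digest or ->
where op is R (read) or W (write) and the digest is a hash of the write
payload as recorded by the logger at each layer.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample logs. The host log is what the OS block layer issued;
# the storage log is what the array's front end actually received.
HOST_LOG = """\
1 W 2048 8 sha256:3a7bd3e2
2 R 4096 8 -
3 W 8192 16 sha256:9b74c989
4 R 4096 8 -
"""

STORAGE_LOG = """\
1 W 2048 8 sha256:3a7bd3e2
2 R 4096 8 -
3 W 8192 16 sha256:c0ffee00    # same block range, different payload
4 R 4096 8 -
5 W 0 1 sha256:0badc0de        # boot-sector write the host never issued
6 R 16384 64 -                 # read the host never issued
"""


@dataclass(frozen=True)
class IORequest:
    seq: int
    op: str      # "R" or "W"
    lba: int
    blocks: int
    digest: str  # payload digest for writes, "-" for reads


def parse_log(text: str) -> List[IORequest]:
    """Parse the constructed log format; '#' starts a comment."""
    reqs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        seq, op, lba, blocks, digest = line.split()
        if op not in ("R", "W"):
            raise ValueError(f"unknown op {op!r} in {raw!r}")
        reqs.append(IORequest(int(seq), op, int(lba), int(blocks), digest))
    return reqs


def match_key(req: IORequest) -> Tuple[str, int, int, str]:
    """Identity used to pair a storage-level request with a host-level one.

    Writes must agree on payload as well as block range, so a write whose
    content was altered in flight is "not logged in the host-level log".
    Reads are matched on op and block range only.
    """
    return (req.op, req.lba, req.blocks, req.digest if req.op == "W" else "-")


def storage_only(host: List[IORequest], storage: List[IORequest]) -> List[IORequest]:
    """Storage-level requests with no matching host-level request.

    Uses multiset matching so that a legitimately repeated request (e.g. the
    same read issued twice) consumes one host entry per occurrence instead of
    matching one host entry many times.
    """
    remaining = Counter(match_key(r) for r in host)
    unmatched = []
    for r in storage:
        k = match_key(r)
        if remaining[k] > 0:
            remaining[k] -= 1
        else:
            unmatched.append(r)
    return unmatched


def detect_storage_host_malware(host_text: str, storage_text: str) -> List[Dict]:
    """Return one finding per storage-level request the host cannot account for.

    Any unexplained write is rated high: under the claims' reading, any
    difference in a write counts. Unexplained reads are reported at a lower
    severity, since the claims only single out writes.
    """
    host = parse_log(host_text)
    storage = parse_log(storage_text)
    findings = []
    for r in storage_only(host, storage):
        findings.append({
            "severity": "high" if r.op == "W" else "medium",
            "op": r.op,
            "lba": r.lba,
            "blocks": r.blocks,
            "storage_seq": r.seq,
        })
    return findings


if __name__ == "__main__":
    for f in detect_storage_host_malware(HOST_LOG, STORAGE_LOG):
        print(f)
```

Run against the sample logs, the write at LBA 8192 is flagged because its payload digest differs from what the host logged, the write to LBA 0 and the read of LBA 16384 are flagged because the host never issued them, and the two identical reads of LBA 4096 are paired one-to-one and produce nothing. In a real deployment the two logs would be collected by independent agents (the claims' first and second risk agents) and time-aligned before comparison; a host-side logger that the malware can tamper with defeats the check, which is why the storage-level log has to come from a vantage point the host cannot write to.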
Specification