Ransomware detection using I/O patterns
1. A method comprising:
- receiving an I/O request from a host, the I/O request associated with one or more chunks within a logical unit (LU) of storage;
- adding metadata about the I/O request to recent I/O activity data structures associated with the LU;
- generating a ransomware probability by comparing the recent I/O activity data structures to the historical I/O activity data structures associated with the LU;
- if the ransomware probability exceeds a first threshold value, taking one or more first actions to mitigate the effects of ransomware within the host; and
- if the ransomware probability exceeds a second threshold value, taking one or more second actions to mitigate the effects of ransomware within the host, wherein the second threshold value is greater than the first threshold value;
- wherein the one or more first actions include commencing copy-on-write (COW) for the LU and wherein the one or more second actions include generating a notification of suspected ransomware.
Abstract
A computer program product, system, and method for generating coded fragments comprises initializing historical I/O activity data structures and recent I/O activity data structures associated with a logical unit (LU) of storage; receiving an I/O request from a host, the I/O request associated with one or more chunks within the LU; adding metadata about the I/O request to the recent I/O activity data structures; generating a ransomware probability by comparing the recent I/O activity data structures to the historical I/O activity data structures; and if the ransomware probability exceeds a first threshold value, taking one or more first actions to mitigate the effects of ransomware within the host.
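The abstract and the first claim describe a procedure rather than an implementation: per-LU recent and historical I/O activity structures, a probability obtained by comparing them, and two escalating thresholds that first commence copy-on-write and then raise a notification. The following is an added example written for this page, not code from the patent or its assignee, showing one way the loop can be built. Everything concrete in it is an assumption made here: the window size, the two threshold values, the three features that are compared (excess write share, read-then-overwrite share, writes to chunks never written before), their weights, and the constructed benign and encryption-like traffic used to exercise it.

```python
from collections import Counter, deque
from dataclasses import dataclass, field

WINDOW = 64              # assumed: requests held in the recent structure
FIRST_THRESHOLD = 0.4    # assumed: above this, commence COW for the LU
SECOND_THRESHOLD = 0.7   # assumed: above this, notify of suspected ransomware


@dataclass(frozen=True)
class IORequest:
    op: str        # "read" or "write"
    chunks: tuple  # ids of the LU chunks the request touches


@dataclass
class ActivityStats:
    """Request metadata aggregated for the recent or the historical structure."""
    reads: int = 0
    writes: int = 0
    chunk_reads: Counter = field(default_factory=Counter)
    chunk_writes: Counter = field(default_factory=Counter)

    def add(self, req: IORequest) -> None:
        if req.op == "write":
            self.writes += 1
            self.chunk_writes.update(req.chunks)
        else:
            self.reads += 1
            self.chunk_reads.update(req.chunks)

    def remove(self, req: IORequest) -> None:
        """Undo add(); used when a request ages out of the recent window."""
        if req.op == "write":
            self.writes, counter = self.writes - 1, self.chunk_writes
        else:
            self.reads, counter = self.reads - 1, self.chunk_reads
        counter.subtract(req.chunks)
        for c in req.chunks:
            if c in counter and counter[c] <= 0:
                del counter[c]

    @property
    def write_fraction(self) -> float:
        total = self.reads + self.writes
        return self.writes / total if total else 0.0


class LUMonitor:
    """Per-LU detector: recent window, historical baseline, probability, actions."""

    def __init__(self, lu_id: str):
        self.lu_id = lu_id
        self.recent, self.historical = ActivityStats(), ActivityStats()
        self.window: deque = deque()   # IORequests in the recent window, oldest first
        self.seen = 0                  # requests handled since scoring began
        self.cow_started_at = None     # request index at which COW commenced
        self.notifications: list = []  # (request index, probability)

    def initialize(self, baseline) -> None:
        """Seed the historical structure from known-benign traffic; nothing is scored."""
        for req in baseline:
            self.historical.add(req)

    def ransomware_probability(self) -> float:
        rw, hw = self.recent.write_fraction, self.historical.write_fraction
        # (1) write share in the window beyond the historical share, scaled to [0, 1]
        excess_writes = max(0.0, rw - hw) / (1.0 - hw) if hw < 1.0 else 0.0
        written = set(self.recent.chunk_writes)
        if not written:
            return 0.2 * excess_writes
        # (2) written chunks that were also read inside the window (read-then-overwrite;
        #     order is not checked, a simplification) and (3) chunks never written before
        overwritten = sum(c in self.recent.chunk_reads for c in written) / len(written)
        novel = sum(c not in self.historical.chunk_writes for c in written) / len(written)
        return min(1.0, 0.2 * excess_writes + 0.5 * overwritten + 0.3 * novel)

    def handle(self, req: IORequest) -> float:
        """Record one request, score it, and take the escalating actions."""
        self.seen += 1
        self.window.append(req)
        self.recent.add(req)
        if len(self.window) > WINDOW:
            aged = self.window.popleft()
            self.recent.remove(aged)
            self.historical.add(aged)  # aged-out metadata becomes history
        p = self.ransomware_probability()
        if p > FIRST_THRESHOLD and self.cow_started_at is None:
            self.cow_started_at = self.seen        # first action: commence COW
        if p > SECOND_THRESHOLD:
            self.notifications.append((self.seen, round(p, 3)))  # second action
        return p


def benign_traffic(n: int):
    """Constructed baseline: 70% reads, writes confined to 15 hot chunks."""
    return [IORequest("write" if i % 10 >= 7 else "read", (i % 50,)) for i in range(n)]


def encrypt_like_traffic(n_chunks: int):
    """Constructed burst: every chunk read once and immediately written back."""
    return [IORequest(op, (c,)) for c in range(n_chunks) for op in ("read", "write")]


def run_scenario():
    mon = LUMonitor("lu0")
    mon.initialize(benign_traffic(200))
    benign_peak = max(mon.handle(r) for r in benign_traffic(200))
    burst_peak = max(mon.handle(r) for r in encrypt_like_traffic(100))
    return mon, benign_peak, burst_peak


if __name__ == "__main__":
    mon, benign_peak, burst_peak = run_scenario()
    print(f"benign peak {benign_peak:.3f}, burst peak {burst_peak:.3f}, "
          f"COW at request {mon.cow_started_at}, first notification {mon.notifications[0]}")
```

The design point worth noticing is the two-tier response: COW is cheap and reversible, so it starts at the lower threshold and preserves pre-encryption chunk contents even if the verdict later turns out to be wrong, while the notification (which costs analyst attention) waits for the higher threshold. Because the historical structure is fed only by requests that have aged out of the window, a burst cannot immediately drag the baseline toward itself; in a real deployment the baseline would also need periodic decay so that legitimate workload changes are eventually absorbed.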
18 Claims
1. (Method claim; text as given above.) Dependent claims: 2, 3, 4, 5, 6.
7. A system comprising:
- one or more processors;
- a volatile memory; and
- a non-volatile memory storing computer program code that when executed on the processor causes execution across the one or more processors of a process operable to perform the operations of:
- receiving an I/O request from a host, the I/O request associated with one or more chunks within a logical unit (LU) of storage;
- adding metadata about the I/O request to the recent I/O activity data structures associated with the LU;
- generating a ransomware probability by comparing the recent I/O activity data structures to the historical I/O activity data structures associated with the LU;
- if the ransomware probability exceeds a first threshold value, taking one or more first actions to mitigate the effects of ransomware within the host; and
- if the ransomware probability exceeds a second threshold value, taking one or more second actions to mitigate the effects of ransomware within the host, wherein the second threshold value is greater than the first threshold value;
- wherein the one or more first actions include commencing copy-on-write (COW) for the LU and wherein the one or more second actions include generating a notification of suspected ransomware.
Dependent claims: 8, 9, 10, 11, 12.
13. A computer program product tangibly embodied in a non-transitory computer-readable medium, the computer-readable medium storing program instructions that are executable to:
- receive an I/O request from a host, the I/O request associated with one or more chunks within a logical unit (LU) of storage;
- add metadata about the I/O request to the recent I/O activity data structures associated with the LU;
- generate a ransomware probability by comparing the recent I/O activity data structures to the historical I/O activity data structures associated with the LU;
- if the ransomware probability exceeds a first threshold value, take one or more first actions to mitigate the effects of ransomware within the host; and
- if the ransomware probability exceeds a second threshold value, take one or more second actions to mitigate the effects of ransomware within the host, wherein the second threshold value is greater than the first threshold value;
- wherein the one or more first actions include commencing copy-on-write (COW) for the LU and wherein the one or more second actions include generating a notification of suspected ransomware.
Dependent claims: 14, 15, 16, 17, 18.