Ransomware detection using I/O patterns

US 10,078,459 B1
Filed: 09/26/2016
Issued: 09/18/2018
Est. Priority Date: 09/26/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving an I/O request from a host, the I/O request associated with one or more chunks within a logical unit (LU) of storage;

adding metadata about the I/O request to recent I/O activity data structures associated with the LU;

generating a ransomware probability by comparing the recent I/O activity data structures to the historical I/O activity data structures associated with the LU;

if the ransomware probability exceeds a first threshold value, taking one or more first actions to mitigate the effects of ransomware within the host; and

if the ransomware probability exceeds a second threshold value, taking one or more second actions to mitigate the effects of ransomware within the host, wherein the second threshold value is greater than the first threshold value;

wherein the one or more first actions include commencing copy-on-write (COW) for the LU and wherein the one or more second actions include generating a notification of suspected ransomware.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer program product, system, and method for generating coded fragments comprises initializing historical I/O activity data structures and recent I/O activity data structures associated with a logical unit (LU) of storage; receiving an I/O request from a host, the I/O request associated with one or more chunks within the LU; adding metadata about the I/O request to the recent I/O activity data structures; generating a ransomware probability by comparing the recent I/O activity data structures to the historical I/O activity data structures; and if the ransomware probability exceeds a first threshold value, taking one or more first actions to mitigate the effects of ransomware within the host.

Citations

18 Claims

1. A method comprising:
- receiving an I/O request from a host, the I/O request associated with one or more chunks within a logical unit (LU) of storage;
  
  adding metadata about the I/O request to recent I/O activity data structures associated with the LU;
  
  generating a ransomware probability by comparing the recent I/O activity data structures to the historical I/O activity data structures associated with the LU;
  
  if the ransomware probability exceeds a first threshold value, taking one or more first actions to mitigate the effects of ransomware within the host; and
  
  if the ransomware probability exceeds a second threshold value, taking one or more second actions to mitigate the effects of ransomware within the host, wherein the second threshold value is greater than the first threshold value;
  
  wherein the one or more first actions include commencing copy-on-write (COW) for the LU and wherein the one or more second actions include generating a notification of suspected ransomware.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein generating a ransomware probability comprises using at least one of the following heuristics:
    - the number of times the chunks have been recently accessed according to the recent I/O activity data structures;
      
      the probability of the chunks being accessed according to the historical I/O activity data structures;
      
      whether the chunks have been recently read from and then overwritten according to the recent I/O activity data structures;
      
      the probability of the chunks being read from and then overwritten according to the historical I/O activity data structures;
      
      whether the chunks are within a range of chunks that have been recently accessed according to the recent I/O activity data structures; and
      
      the probability of the chunks being accessed sequentially according to the historical I/O activity data structures.
  - 3. The method of claim 1 further comprising:
    - if the ransomware probability is less than a third threshold value, wherein the third threshold value is less than or equal to the first threshold value, ending copy-on-write for the LU.
  - 4. The method of claim 3 wherein ending copy-on-write for the LU includes erasing copy-on-write chunk versions from the storage.
  - 5. The method of claim 1 wherein commencing COW for the LU comprises creating a snapshot of the LU.
  - 6. The method of claim 1 wherein commencing COW for the LU comprises making a copy, in storage, of any data that will be overwritten by subsequent I/O requests.

7. A system comprising:
- one or more processors;
  
  a volatile memory; and
  
  a non-volatile memory storing computer program code that when executed on the processor causes execution across the one or more processors of a process operable to perform the operations of;
  
  receiving an I/O request from a host, the I/O request associated with one or more chunks within a logical unit (LU) of storage;
  
  adding metadata about the I/O request to the recent I/O activity data structures associated with the LU;
  
  generating a ransomware probability by comparing the recent I/O activity data structures to the historical I/O activity data structures associated with the LU;
  
  if the ransomware probability exceeds a first threshold value, taking one or more first actions to mitigate the effects of ransomware within the host; and
  
  if the ransomware probability exceeds a second threshold value, taking one or more second actions to mitigate the effects of ransomware within the host, wherein the second threshold value is greater than the first threshold value;
  
  wherein the one or more first actions include commencing copy-on-write (COW) for the LU and wherein the one or more second actions include generating a notification of suspected ransomware.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7 wherein the computer program code causes execution of a process to generate a ransomware probability comprises using at least one of the following heuristics:
    - the number of times the chunks have been recently accessed according to the recent I/O activity data structures;
      
      the probability of the chunks being accessed according to the historical I/O activity data structures;
      
      whether the chunks have been recently read from and then overwritten according to the recent I/O activity data structures;
      
      the probability of the chunks being read from and then overwritten according to the historical I/O activity data structures;
      
      whether the chunks are within a range of chunks that have been recently accessed according to the recent I/O activity data structures; and
      
      the probability of the chunks being accessed sequentially according to the historical I/O activity data structures.
  - 9. The system of claim 7 wherein the computer program code causes execution of a process further operable to perform the operations of:
    - if the ransomware probability is less than a third threshold value, wherein the third threshold value is less than or equal to the first threshold value, ending copy-on-write for the LU.
  - 10. The system of claim 9 wherein ending copy-on-write for the LU includes erasing copy-on-write chunk versions from the storage.
  - 11. The system of claim 7 wherein commencing COW for the LU comprises creating a snapshot of the LU.
  - 12. The system of claim 7 wherein commencing COW for the LU comprises making a copy, in storage, of any data that will be overwritten by subsequent I/O requests.

13. A computer program product tangibly embodied in a non-transitory computer-readable medium, the computer-readable medium storing program instructions that are executable to:
- receive an I/O request from a host, the I/O request associated with one or more chunks within a logical unit (LU) of storage;
  
  add metadata about the I/O request to the recent I/O activity data structures associated with the LU;
  
  generate a ransomware probability by comparing the recent I/O activity data structures to the historical I/O activity data structures associated with the LU;
  
  if the ransomware probability exceeds a first threshold value, take one or more first actions to mitigate the effects of ransomware within the host; and
  
  if the ransomware probability exceeds a second threshold value, taking one or more second actions to mitigate the effects of ransomware within the host, wherein the second threshold value is greater than the first threshold value;
  
  wherein the one or more first actions include commencing copy-on-write (COW) for the LU and wherein the one or more second actions include generating a notification of suspected ransomware.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer program product of claim 13 further storing program instructions that are generating a ransomware probability comprising using at least one of the following heuristics:
    - the number of times the chunks have been recently accessed according to the recent I/O activity data structures;
      
      the probability of the chunks being accessed according to the historical I/O activity data structures;
      
      whether the chunks have been recently read from and then overwritten according to the recent I/O activity data structures;
      
      the probability of the chunks being read from and then overwritten according to the historical I/O activity data structures;
      
      whether the chunks are within a range of chunks that have been recently accessed according to the recent I/O activity data structures; and
      
      the probability of the chunks being accessed sequentially according to the historical I/O activity data structures.
  - 15. The computer program product of claim 13 further storing program instructions that are executable to:
    - if the ransomware probability is less than a third threshold value, wherein the third threshold value is less than or equal to the first threshold value, ending copy-on-write for the LU.
  - 16. The computer program product of claim 15 wherein ending copy-on-write for the LU includes erasing copy-on-write chunk versions from the storage.
  - 17. The computer program product of claim 13 wherein commencing COW for the LU comprises creating a snapshot of the LU.
  - 18. The computer program product of claim 13 wherein commencing COW for the LU comprises making a copy, in storage, of any data that will be overwritten by subsequent I/O requests.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Natanzon, Assaf, Derbeko, Philip, Stern, Uriya, Bakshi, Maya, Manusov, Yuri
Primary Examiner(s)
Dudek, Jr., Edward
Assistant Examiner(s)
Li, Sidney

Application Number

US15/275,759
Time in Patent Office

722 Days
Field of Search

711162
US Class Current
CPC Class Codes

G06F 11/2071   using a plurality of contro...

G06F 11/34   Recording or statistical ev...

G06F 11/3485   for I/O devices

G06F 21/554   involving event detection a...

G06F 21/80   in storage media based on m...

G06F 3/0614   Improving the reliability o...

G06F 3/0619   in relation to data integri...

G06F 3/0622   in relation to access

G06F 3/0623   in relation to content

G06F 3/065   Replication mechanisms

G06F 3/067   Distributed or networked st...

Ransomware detection using I/O patterns

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Ransomware detection using I/O patterns

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links