SYSTEMS AND METHODS FOR AUTOMATIC DETECTION OF MALICIOUS ACTIVITY VIA COMMON FILES
First Claim
1. A method for detection of corruption of common files by an online backup system, comprising:
- receiving, by a backup manager executed by a first device from a second device, an identification of a file to be backed up;
- identifying, by the backup manager from a backup data table, that a plurality of other devices have backed up the file;
- determining, by the backup manager, that the file of the second device is different than the file backed up by the plurality of other devices; and
- flagging, by the backup manager, the file of the second device as illegitimate, responsive to the determination.
Abstract
The present disclosure describes systems and methods for detection and mitigation of malicious activity regarding user data by a network backup system. In a first aspect, a backup system receiving and deduplicating backup data from a plurality of computing devices may detect, based on changes in uniqueness or shared rates for files, atypical modifications to common files, and may take steps to mitigate any potential attack by maintaining versions of the common files prior to the modifications or locking backup snapshots. In a second aspect, the backup system may monitor file modification behaviors on a single device, relative to practices of an aggregated plurality of devices. Upon detection of potentially malicious modification activity, a previously backed up or synchronized store of data may be locked and/or duplicated, preventing any of the malicious modifications from being transferred to the backup system.
20 Claims
1. A method for detection of corruption of common files by an online backup system, comprising:
- receiving, by a backup manager executed by a first device from a second device, an identification of a file to be backed up;
- identifying, by the backup manager from a backup data table, that a plurality of other devices have backed up the file;
- determining, by the backup manager, that the file of the second device is different than the file backed up by the plurality of other devices; and
- flagging, by the backup manager, the file of the second device as illegitimate, responsive to the determination.
Dependent claims: 2 to 10.
11. A system for detection of corruption of common files by an online backup system, comprising:
a first device comprising a processor executing a backup manager in communication with a second device and a plurality of other devices, and a storage device storing files received from the plurality of devices, the backup manager configured for:
- receiving, from the second device, an identification of a file to be backed up;
- identifying, from a backup data table, that the plurality of other devices have backed up the file;
- determining that the file of the second device is different than the file backed up by the plurality of other devices; and
- flagging the file of the second device as illegitimate, responsive to the determination.
Dependent claims: 12 to 18.
19. A method for detection of corruption of common files by an online backup system, comprising:
- detecting, by a backup agent executed by a client device, a modification to a file from a first version to a second version;
- calculating, by the backup agent, a hash result of the second version of the file;
- transmitting, by the backup agent to a backup server, a request to back up the second version of the file, the request comprising the hash result of the second version of the file and a previously calculated hash result of the first version of the file; and
- receiving, by the backup agent from the backup server, a notification that the second version of the file is illegitimate, responsive to the backup server determining that a first plurality of other client devices exceeding a threshold have a copy of the first version of the file, and determining that less than a second plurality of other client devices exceeding the threshold have a copy of the second version of the file.
Dependent claim: 20.
Specification