SYSTEMS AND METHODS FOR AUTOMATIC DETECTION OF MALICIOUS ACTIVITY VIA COMMON FILES

US 20170180394A1
Filed: 12/16/2015
Published: 06/22/2017
Est. Priority Date: 12/16/2015
Status: Active Grant

First Claim

Patent Images

1. A method for detection of corruption of common files by an online backup system, comprising:

receiving, by a backup manager executed by a first device from a second device, an identification of a file to be backed up;

identifying, by the backup manager from a backup data table, that a plurality of other devices have backed up the file;

determining, by the backup manager, that the file of the second device is different than the file backed up by the plurality of other devices; and

flagging, by the backup manager, the file of the second device as illegitimate, responsive to the determination.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure describes systems and methods for detection and mitigation of malicious activity regarding user data by a network backup system. In a first aspect, a backup system receiving and deduplicating backup data from a plurality of computing devices may detect, based on changes in uniqueness or shared rates for files, atypical modifications to common files, and may take steps to mitigate any potential attack by maintaining versions of the common files prior to the modifications or locking backup snapshots. In a second aspect, the backup system may monitor file modification behaviors on a single device, relative to practices of an aggregated plurality of devices. Upon detection of potentially malicious modification activity, a previously backed up or synchronized store of data may be locked and/or duplicated, preventing any of the malicious modifications from being transferred to the backup system.

101 Citations

View as Search Results

20 Claims

1. A method for detection of corruption of common files by an online backup system, comprising:
- receiving, by a backup manager executed by a first device from a second device, an identification of a file to be backed up;
  
  identifying, by the backup manager from a backup data table, that a plurality of other devices have backed up the file;
  
  determining, by the backup manager, that the file of the second device is different than the file backed up by the plurality of other devices; and
  
  flagging, by the backup manager, the file of the second device as illegitimate, responsive to the determination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein receiving the identification of the file to be backed up further comprises receiving a first result of a hash calculation on the file of the second device;
    - andwherein determining that the file of the second device is different than the file backed up by the plurality of other devices further comprises;
      
      comparing, by the backup manager, the first result of the hash calculation on the file of the second device to a second result of a hash calculation on the file backed up by the plurality of other devices; and
      
      determining that the file of the second device is different than the file backed up by the plurality of other devices, responsive to the first result not matching the second result.
  - 3. The method of claim 2, wherein receiving the identification of the file to be backed up further comprises receiving, from the second device, the second result of the hash calculation identified as performed on a prior version of the file.
  - 4. The method of claim 3, wherein identifying that a plurality of other devices have backed up the file further comprises retrieving a backup record associated with the second result of the hash calculation, the backup record comprising device identifiers of each of the plurality of other devices, each device identifier added to the record responsive to the corresponding other device transmitting a request to back up the file.
  - 5. The method of claim 1, wherein identifying that a plurality of other devices have backed up the file further comprises identifying that a number of other devices exceeding a first threshold have backed up the file.
  - 6. The method of claim 1, wherein identifying that a plurality of other devices have backed up the file further comprises retrieving a backup record associated with the file, the backup record comprising device identifiers of each of the plurality of other devices, each device identifier added to the record responsive to the corresponding other device transmitting a request to back up the file.
  - 7. The method of claim 1, further comprising preventing modification or deletion of the file backed up by the plurality of other devices.
  - 8. The method of claim 1, further comprising:
    - receiving, by the backup manager, from a third device, an identification of the file for backup;
      
      determining that the file of the third device is identical to the file of the second device; and
      
      increasing a shared rate for the file of the second device, responsive to the determination.
  - 9. The method of claim 8, further comprising determining that the shared rate for the file of the second device exceeds a first threshold, responsive to increasing the shared rate for the file;
    - andremoving the flag from the file of the second device, responsive to the determination.
  - 10. The method of claim 8, further comprising:
    - determining that the shared rate for the file of the second device does not exceed a first threshold;
      
      determining that an age of the file of the second device exceeds a second threshold, responsive to the determination that the shared rate for the file of the second device does not exceed the first threshold; and
      
      transmitting, by the backup manager to each of the second device and third device, a notification that the file of the second device is illegitimate.

11. A system for detection of corruption of common files by an online backup system, comprising:
- a first device comprising a processor executing a backup manager in communication with a second device and a plurality of other devices, and a storage device storing files received from the plurality of devices, the backup manager configured for;
  
  receiving, from the second device, an identification of a file to be backed up,identifying, from a backup data table, that the plurality of other devices have backed up the file,determining that the file of the second device is different than the file backed up by the plurality of other devices, andflagging the file of the second device as illegitimate, responsive to the determination.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The system of claim 11, wherein the backup manager is further configured for:
    - receiving a first result of a hash calculation on the file of the second device,comparing the first result of the hash calculation on the file of the second device to a second result of a hash calculation on the file backed up by the plurality of other devices, anddetermining that the file of the second device is different than the file backed up by the plurality of other devices, responsive to the first result not matching the second result.
  - 13. The system of claim 12, wherein the backup manager is further configured for receiving, from the second device, the second result of the hash calculation identified as performed on a prior version of the file.
  - 14. The system of claim 13, wherein the backup manager is further configured for retrieving a backup record associated with the second result of the hash calculation, the backup record comprising device identifiers of each of the plurality of other devices, each device identifier added to the record responsive to the corresponding other device transmitting a request to back up the file.
  - 15. The system of claim 11, wherein the backup manager is further configured for preventing modification or deletion of the file backed up by the plurality of other devices.
  - 16. The system of claim 11, wherein the backup manager is further configured for:
    - receiving, by the backup manager, from a third device, an identification of the file for backup,determining that the file of the third device is identical to the file of the second device; and
      
      increasing a shared rate for the file of the second device, responsive to the determination.
  - 17. The system of claim 16, wherein the backup manager is further configured for:
    - determining that the shared rate for the file of the second device exceeds a first threshold, responsive to increasing the shared rate for the file, andremoving the flag from the file of the second device, responsive to the determination.
  - 18. The system of claim 16, wherein the backup manager is further configured for:
    - determining that the shared rate for the file of the second device does not exceed a first threshold,determining that an age of the file of the second device exceeds a second threshold, responsive to the determination that the shared rate for the file of the second device does not exceed the first threshold, andtransmitting, by the backup manager to each of the second device and third device, a notification that the file of the second device is illegitimate.

19. A method for detection of corruption of common files by an online backup system, comprising:
- detecting, by a backup agent executed by a client device, a modification to a file from a first version to a second version;
  
  calculating, by the backup agent, a hash result of the second version of the file;
  
  transmitting, by the backup agent to a backup server, a request to backup the second version of the file, the request comprising the hash result of the second version of the file and a previously calculated hash result of the first version of the file; and
  
  receiving, by the backup agent from the backup server, a notification that the second version of the file is illegitimate, responsive to the backup server determining that a first plurality of other client devices exceeding a threshold have a copy of the first version of the file, and determining that less than a second plurality of other client devices exceeding the threshold have a copy of the second version of the file.
- View Dependent Claims (20)
- - 20. The method of claim 19, further comprising transmitting a request to restore the first version of the file, by the backup agent to the backup server, responsive to receipt of the notification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Carbonite Incorporated (Open Text Corporation)
Inventors
Crofton, Teo Winton, Baker, Clark Marshall

Granted Patent

US 9,935,973 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/60   Protecting data

G06F 21/64   Protecting data integrity, ...

H04L 63/12   Applying verification of th...

H04L 63/123   received data contents, e.g...

H04L 63/126   the source of the received ...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

SYSTEMS AND METHODS FOR AUTOMATIC DETECTION OF MALICIOUS ACTIVITY VIA COMMON FILES

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

101 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR AUTOMATIC DETECTION OF MALICIOUS ACTIVITY VIA COMMON FILES

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

101 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links