Obtaining file system view in block-level data storage systems
First Claim
1. A computer implemented method for obtaining file-level information from block level information of files stored on a storage medium, the method comprising:
intercepting block-level commands initiated by a host to access data blocks on a data storage medium connected to the host over a data communication network, wherein an inverse block-to-file map of files stored on the data storage medium is constructed to provide an association between a first data block in the data storage medium and a file name having a respective inode, wherein a file identified in a file directory by said file name and inode includes first data stored in the first data block;
parsing the incoming block-level commands initiated by the host, independent of arrival order of the block-level commands, to determine transitions between valid and invalid states in at least one of a first state machine and a second state machine, wherein the first state machine tracks a first plurality of related incoming block-level commands to determine if a data block has been created or deleted, and wherein the second state machine tracks a second plurality of related incoming block-level commands to determine if an inode associated with a filename is to be registered to indicate the creation or deletion of a file directory;
inferring file-level information from the parsed block level commands to detect unauthorized access to the data storage medium based on identifying modifications to data or metadata, stored on the data storage medium, that are expected to remain unchanged; and
updating the inverse block-to-file map.
Abstract
A computer implemented method is disclosed for obtaining file-level information from block level information of files stored on a storage medium. The method includes accessing the storage medium to obtain metadata available in block level on the storage medium and building an inverse block-to-file map of the files stored on the storage medium. The method also includes listening online to incoming block-level commands communicated from a host to the storage medium, parsing the incoming block-level commands, inferring file-level information from the parsed block level commands, and updating the inverse file-level map. Also disclosed are a corresponding computer program product and processing system.
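The following Python sketch is an added illustration of the idea in the abstract and first claim, not code from the patent or its assignee. It assumes a toy layout in which LBAs 0-9 hold inode records that arrive already decoded as dictionaries; the names BlockMonitor, replay, INODE_TABLE and the sample trace are hypothetical.

```python
# Added illustration: a toy model, not the patented implementation.
INODE_TABLE = range(0, 10)  # assumption: LBAs 0-9 hold inode records

class BlockMonitor:
    def __init__(self, initial_map, protected):
        self.block_to_file = dict(initial_map)  # inverse map: LBA -> (file name, inode)
        self.protected = set(protected)         # files expected to remain unchanged
        self.pending = set()                    # data blocks written but not yet owned
        self.alerts = []

    def on_write(self, lba, payload):
        """Process one intercepted block-level write command."""
        if lba in INODE_TABLE:
            self._inode_write(payload)
        else:
            self._data_write(lba)

    def _data_write(self, lba):
        owner = self.block_to_file.get(lba)
        if owner is None:
            self.pending.add(lba)               # invalid state until an inode claims it
        elif owner[0] in self.protected:
            self.alerts.append(("data-modified", owner[0], lba))

    def _inode_write(self, rec):
        name, inode, new = rec["name"], rec["inode"], set(rec["blocks"])
        old = {b for b, (_, i) in self.block_to_file.items() if i == inode}
        if name in self.protected and old and old != new:
            self.alerts.append(("metadata-modified", name, inode))
        for lba in old - new:                   # block released: deletion
            del self.block_to_file[lba]
        for lba in new - old:                   # block claimed: creation
            self.block_to_file[lba] = (name, inode)
            self.pending.discard(lba)           # transition to the valid state

def replay(commands, initial_map, protected):
    mon = BlockMonitor(initial_map, protected)
    for lba, payload in commands:
        mon.on_write(lba, payload)
    return mon

# Constructed sample trace (not captured traffic): (LBA, payload) pairs.
INITIAL = {50: ("/etc/passwd", 7)}
TRACE = [
    (200, b"log line"),                         # data arrives before its inode
    (3, {"inode": 12, "name": "/var/app.log", "blocks": [200, 201]}),
    (50, b"root::0:0"),                         # write into a protected file
    (3, {"inode": 12, "name": "/var/app.log", "blocks": [200]}),
]
```

Swapping the first two commands of the trace yields the same final map and the same alert, which is the arrival-order independence the claim requires of the parser.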
57 Citations
6 Claims