Profiling backup activity
Abstract
Mitigating a network security threat is disclosed. Information associated with a data protection event is received. The received information is evaluated for an indication of a network security threat. One or more remedial actions are performed if it is determined that a potential threat has been indicated. Optionally, the received information is stored.
15 Claims
1. A method for mitigating a network security threat comprising:
   receiving at a first device, from a backup agent on a client device, backup metadata associated with a data protection event, wherein the received backup metadata is indicative of a change in data of the client device to be backed up, and wherein the first device is configured to receive metadata separate from client backup data;
   storing at the first device backup metadata, wherein the backup metadata is stored in a memory location separate from client backup data;
   evaluating, using a processor of the first device, the received backup metadata for an indication of a network security threat at the client device, wherein evaluating the received backup metadata for an indication of a network security threat at the client device includes at least one of:
      determining whether a host is making more frequent changes to data, wherein the host has previously made less frequent changes to data;
      detecting an absence of an expected indication of a modification in the received backup metadata;
      identifying based on backup metadata from a plurality of client devices an indication of copies of an identical file created within a specified period of time;
      an expected change in a size of a file modification;
      a modification to a file not expected to be modified;
      identifying based on backup metadata from a plurality of client devices a modification to a same file across several client devices;
      determining that a current backup activity deviates by more than a threshold amount from a corresponding previously-observed backup activity; and
      determining that a host that in the past has made only few changes to data has begun to make more frequent changes to data; and
   performing one or more remedial actions if a network security threat is detected.
   Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A system for mitigating a network security threat, including:
   a processor; and
   a memory coupled with the processor, wherein the memory is configured to provide the processor with instructions which when executed cause the processor to:
      receive at a first device, from a backup agent on a client device, backup metadata associated with a data protection event, wherein the received backup metadata is indicative of a change in data of the client device to be backed up, and wherein the first device is configured to receive metadata separate from client backup data;
      store at the first device backup metadata, wherein the backup metadata is stored in a memory location separate from client backup data;
      evaluate, at the first device, the received backup metadata for an indication of a network security threat at the client device, wherein evaluating the received backup metadata for an indication of a network security threat at the client device includes at least one of:
         determining whether a host is making more frequent changes to data, wherein the host has previously made less frequent changes to data;
         detecting an absence of an expected indication of a modification in the received backup metadata;
         identifying based on backup metadata from a plurality of client devices an indication of copies of an identical file created within a specified period of time;
         an expected change in a size of a file modification;
         a modification to a file not expected to be modified;
         identifying based on backup metadata from a plurality of client devices a modification to a same file across several client devices;
         determining that a current backup activity deviates by more than a threshold amount from a corresponding previously-observed backup activity; and
         determining that a host that in the past has made only few changes to data has begun to make more frequent changes to data; and
      perform one or more remedial actions if a network security threat is detected.
   Dependent claims: 12, 13, 14.
15. A non-transitory computer readable storage medium having embodied thereon computer instructions which when executed by a computer cause the computer to perform a method comprising:
   receiving at a first device, from a backup agent on a client device, backup metadata associated with a data protection event, wherein the received backup metadata is indicative of a change in data of the client device to be backed up, and wherein the first device is configured to receive metadata separate from client backup data;
   storing at the first device backup metadata, wherein the backup metadata is stored in a memory location separate from client backup data;
   evaluating, at the first device, the received backup metadata for an indication of a network security threat on the client device, wherein evaluating the received backup metadata for an indication of a network security threat at the client device includes at least one of:
      determining whether a host is making more frequent changes to data, wherein the host has previously made less frequent changes to data;
      detecting an absence of an expected indication of a modification in the received backup metadata;
      identifying based on backup metadata from a plurality of client devices an indication of copies of an identical file created within a specified period of time;
      an expected change in a size of a file modification;
      a modification to a file not expected to be modified;
      identifying based on backup metadata from a plurality of client devices a modification to a same file across several client devices;
      determining that a current backup activity deviates by more than a threshold amount from a corresponding previously-observed backup activity; and
      determining that a host that in the past has made only few changes to data has begun to make more frequent changes to data; and
   performing one or more remedial actions if a network security threat is detected.
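The independent claims enumerate indicators that can be computed from backup metadata alone (which host changed which file, when, with what content digest and size), never from the backed-up payload. The following Python sketch is an added example, not code from the patent or from any product it covers. It applies four of the claimed indicators to constructed metadata for three hosts: a host whose change rate deviates from its own history by more than a threshold, a file that changed in every prior backup run but is absent from the current one, a modification to a file that is not expected to change, and identical content (same digest) appearing on several hosts within the same run. The threshold value, the list of static paths, the use of one backup run as the time window, and the field names of the metadata record are all assumptions made for the example.

```python
"""Evaluate backup metadata (not backup payload) for threat indicators of the kind the claims list."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class BackupEvent:
    host: str     # client device that reported the change
    run: int      # backup run number, increasing per host
    path: str     # file whose change the agent reported
    digest: str   # content hash reported by the agent (constructed label here, not a real hash)
    size: int


# Assumption for the example: files that are expected never to change between backups.
STATIC_PATHS = {"/etc/hosts", "/etc/passwd"}


def _by_host_run(events):
    idx = defaultdict(lambda: defaultdict(list))
    for e in events:
        idx[e.host][e.run].append(e)
    return idx


def frequency_anomalies(events, current_run, threshold=3.0):
    """Hosts whose change count in current_run differs from their own history by more than
    threshold standard deviations (a flat history counts one change as one deviation)."""
    findings = []
    for host, runs in _by_host_run(events).items():
        history = [len(runs.get(r, [])) for r in range(1, current_run)]
        if not history:
            continue  # no baseline yet for this host
        current = len(runs.get(current_run, []))
        baseline = mean(history)
        spread = pstdev(history) or 1.0
        if abs(current - baseline) > threshold * spread:
            findings.append((host, current, baseline))
    return sorted(findings)


def missing_expected_changes(events, current_run):
    """Files a host changed in every prior run but not in current_run (a log that went silent)."""
    findings = []
    for host, runs in _by_host_run(events).items():
        prior = [{e.path for e in runs.get(r, [])} for r in range(1, current_run)]
        if not prior:
            continue
        always_changed = set.intersection(*prior)
        now = {e.path for e in runs.get(current_run, [])}
        findings.extend((host, p) for p in always_changed - now)
    return sorted(findings)


def unexpected_static_changes(events, current_run, static_paths=STATIC_PATHS):
    """Modifications in current_run to files that are not expected to be modified."""
    return sorted({(e.host, e.path) for e in events if e.run == current_run and e.path in static_paths})


def identical_file_spread(events, current_run, min_hosts=2):
    """Digests that appear on at least min_hosts distinct hosts within current_run (the time window here)."""
    hosts_by_digest = defaultdict(set)
    for e in events:
        if e.run == current_run:
            hosts_by_digest[e.digest].add(e.host)
    return {d: sorted(h) for d, h in hosts_by_digest.items() if len(h) >= min_hosts}


def evaluate(events, current_run):
    """Run all indicators and list the hosts for which a remedial action (hold snapshots, alert) applies."""
    report = {
        "frequency": frequency_anomalies(events, current_run),
        "missing_expected": missing_expected_changes(events, current_run),
        "static_modified": unexpected_static_changes(events, current_run),
        "identical_spread": identical_file_spread(events, current_run),
    }
    flagged = {f[0] for f in report["frequency"]}
    flagged |= {h for h, _ in report["missing_expected"]}
    flagged |= {h for h, _ in report["static_modified"]}
    flagged |= {h for hosts in report["identical_spread"].values() for h in hosts}
    report["hold_hosts"] = sorted(flagged)
    return report


def constructed_events():
    """Constructed sample metadata: hosts A, B and C, four historical runs and a fifth (current) run."""
    ev = []
    for run in range(1, 5):
        ev += [BackupEvent("A", run, "/home/a/notes.txt", f"notes-{run}", 4096),
               BackupEvent("A", run, "/var/log/app.log", f"log-A-{run}", 10_000 + run)]
        if run % 2 == 0:
            ev.append(BackupEvent("A", run, "/home/a/draft.txt", f"draft-{run}", 2048))
        ev.append(BackupEvent("B", run, "/var/log/app.log", f"log-B-{run}", 20_000 + run))
        ev.append(BackupEvent("C", run, "/var/log/app.log", f"log-C-{run}", 30_000 + run))
    # Run 5: A behaves as before.
    ev += [BackupEvent("A", 5, "/home/a/notes.txt", "notes-5", 4100),
           BackupEvent("A", 5, "/var/log/app.log", "log-A-5", 10_005)]
    # Run 5: B rewrites many files at once, and one file's content also shows up on C.
    ev += [BackupEvent("B", 5, f"/srv/data/file{i}.locked", f"blob-B-{i}", 5000) for i in range(30)]
    ev.append(BackupEvent("B", 5, "/srv/data/README.txt", "shared-digest-constructed", 600))
    # Run 5: C's usual log change is absent, a static file changed, and the shared content appears.
    ev.append(BackupEvent("C", 5, "/etc/hosts", "hosts-modified", 300))
    ev += [BackupEvent("C", 5, f"/home/c/dir{i}/README.txt", "shared-digest-constructed", 600) for i in range(5)]
    return ev


if __name__ == "__main__":
    for key, value in evaluate(constructed_events(), 5).items():
        print(key, value)
```

Host A's history of 2, 3, 2, 3 changes per run gives a non-zero spread, so its two changes in run 5 are within tolerance; hosts B and C have a flat history of one change per run, so their jump to 31 and 6 changes is flagged, and each of the other three indicators independently points at B, C or both. In a real deployment the per-host baseline would be learned over many runs and the static-path set would come from the backup policy rather than a constant.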
Specification