Profiling backup activity

US 8,533,818 B1
Filed: 06/30/2006
Issued: 09/10/2013
Est. Priority Date: 06/30/2006
Status: Active Grant

First Claim

Patent Images

1. A method for mitigating a network security threat comprising:

receiving at a first device, from a backup agent on a client device, backup metadata associated with a data protection event, wherein the received backup metadata is indicative of a change in data of the client device to be backed up, and wherein the first device is configured to receive metadata separate from client backup data;

storing at the first device backup metadata, wherein the backup metadata is stored in a memory location separate from client backup data;

evaluating, using a processor of the first device, the received backup metadata for an indication of a network security threat at the client device, wherein evaluating the received backup metadata for an indication of a network security threat at the client device includes at least one of;

determining whether a host is making more frequent changes to data, wherein the host has previously made less frequent changes to data;

detecting an absence of an expected indication of a modification in the received backup metadata;

identifying based on backup metadata from a plurality of client devices an indication of copies of an identical file created within a specified period of time;

an expected change in a size of a file modification;

a modification to a file not expected to be modified;

identifying based on backup metadata from a plurality of client devices a modification to a same file across several client devices;

determining that a current backup activity deviates by more than a threshold amount from a corresponding previously-observed backup activity; and

determining that a host that in the past has made only few changes to data has begun to make more frequent changes to data; and

performing one or more remedial actions if a network security threat is detected.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Mitigating a network security threat is disclosed. Information associated with a data protection event is received. The received information is evaluated for an indication of a network security threat. One or more remedial actions are performed if it is determined that a potential threat has been indicated. Optionally, the received information is stored.

Citations

15 Claims

1. A method for mitigating a network security threat comprising:
- receiving at a first device, from a backup agent on a client device, backup metadata associated with a data protection event, wherein the received backup metadata is indicative of a change in data of the client device to be backed up, and wherein the first device is configured to receive metadata separate from client backup data;
  
  storing at the first device backup metadata, wherein the backup metadata is stored in a memory location separate from client backup data;
  
  evaluating, using a processor of the first device, the received backup metadata for an indication of a network security threat at the client device, wherein evaluating the received backup metadata for an indication of a network security threat at the client device includes at least one of;
  
  determining whether a host is making more frequent changes to data, wherein the host has previously made less frequent changes to data;
  
  detecting an absence of an expected indication of a modification in the received backup metadata;
  
  identifying based on backup metadata from a plurality of client devices an indication of copies of an identical file created within a specified period of time;
  
  an expected change in a size of a file modification;
  
  a modification to a file not expected to be modified;
  
  identifying based on backup metadata from a plurality of client devices a modification to a same file across several client devices;
  
  determining that a current backup activity deviates by more than a threshold amount from a corresponding previously-observed backup activity; and
  
  determining that a host that in the past has made only few changes to data has begun to make more frequent changes to data; and
  
  performing one or more remedial actions if a network security threat is detected.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 further comprising storing the received backup metadata.
  - 3. The method of claim 2 further comprising aggregating the received backup metadata with previously stored backup metadata.
  - 4. The method of claim 1 further comprising issuing an alert if a network security threat is detected.
  - 5. The method of claim 4 wherein the alert is issued to at least one of:
    - an administrator and a security appliance.
  - 6. The method of claim 1 wherein evaluating the received backup metadata includes evaluating for a pattern of backup activity.
  - 7. The method of claim 1 wherein evaluating the received backup metadata includes evaluating metadata received from a plurality of sources.
  - 8. The method of claim 1 wherein evaluating the received backup metadata includes concluding with respect to a first host that an observed change to data is not a network security threat and determining based at least in part on the conclusion reached with respect to the first host that a corresponding observed change to corresponding data on a second host is not a network security threat.
  - 9. The method of claim 1 wherein the data protection event comprises at least one of:
    - a continuous data protection event and a near continuous data protection event.
  - 10. The method of claim 1 wherein the data protection event is a traditional backup event.

11. A system for mitigating a network security threat, including:
- a processor; and
  
  a memory coupled with the processor, wherein the memory is configured to provide the processor with instructions which when executed cause the processor to;
  
  receive at a first device, from a backup agent on a client device, backup metadata associated with a data protection event, wherein the received backup metadata is indicative of a change in data of the client device to be backed up, and wherein the first device is configured to receive metadata separate from client backup data;
  
  store at the first device backup metadata, wherein the backup metadata is stored in a memory location separate from client backup data;
  
  evaluate, at the first device, the received backup metadata for an indication of a network security threat at the client device, wherein evaluating the received backup metadata for an indication of a network security threat at the client device includes at least one of;
  
  determining whether a host is making more frequent changes to data, wherein the host has previously made less frequent changes to data;
  
  detecting an absence of an expected indication of a modification in the received backup metadata;
  
  identifying based on backup metadata from a plurality of client devices an indication of copies of an identical file created within a specified period of time;
  
  an expected change in a size of a file modification;
  
  a modification to a file not expected to be modified;
  
  identifying based on backup metadata from a plurality of client devices a modification to a same file across several client devices;
  
  determining that a current backup activity deviates by more than a threshold amount from a corresponding previously-observed backup activity; and
  
  determining that a host that in the past has made only few changes to data has begun to make more frequent changes to data; and
  
  perform one or more remedial actions if a network security threat is detected.
- View Dependent Claims (12, 13, 14)
- - 12. The system of claim 11 wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to store the received backup metadata.
  - 13. The system of claim 12 wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to aggregate the received backup metadata with previously stored backup metadata.
  - 14. The system of claim 11 wherein evaluating the received backup metadata includes concluding with respect to a first host that an observed change to data is not a network security threat and determining based at least in part on the conclusion reached with respect to the first host that a corresponding observed change to corresponding data on a second host is not a network security threat.

15. A non-transitory computer readable storage medium having embodied thereon computer instructions which when executed by a computer cause the computer to perform a method comprising:
- receiving at a first device, from a backup agent on a client device, backup metadata associated with a data protection event, wherein the received backup metadata is indicative of a change in data of the client device to be backed up, and wherein the first device is configured to receive metadata separate from client backup data;
  
  storing at the first device backup metadata, wherein the backup metadata is stored in a memory location separate from client backup data;
  
  evaluating, at the first device, the received backup metadata for an indication of a network security threat on the client device, wherein evaluating the received backup metadata for an indication of a network security threat at the client device includes at least one of;
  
  determining whether a host is making more frequent changes to data, wherein the host has previously made less frequent changes to data;
  
  detecting an absence of an expected indication of a modification in the received backup metadata;
  
  identifying based on backup metadata from a plurality of client devices an indication of copies of an identical file created within a specified period of time;
  
  an expected change in a size of a file modification;
  
  a modification to a file not expected to be modified;
  
  identifying based on backup metadata from a plurality of client devices a modification to a same file across several client devices;
  
  determining that a current backup activity deviates by more than a threshold amount from a corresponding previously-observed backup activity; and
  
  determining that a host that in the past has made only few changes to data has begun to make more frequent changes to data; and
  
  performing one or more remedial actions if a network security threat is detected.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Ketterhagen, Thomas R., Hartmann, Alfred C.
Primary Examiner(s)
Orgad, Edan
Assistant Examiner(s)
Kabir, Jahangir

Application Number

US11/479,921
Time in Patent Office

2,629 Days
Field of Search

726 1- 7, 726/10, 726/14, 726/21, 726 22- 33, 713182-185, 380/59
US Class Current

726/22
CPC Class Codes

G06F 21/567 using dedicated hardware

Profiling backup activity

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Profiling backup activity

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links