KR101850650B1 - Portable storage device perfoming a ransomeware detection and method for the same - Google Patents

Abstract

The present invention relates to a mobile storage device detecting ransomware and a method therefor. An aspect of the present invention provides a mobile storage device interlinking with a host device. The mobile storage device comprises: a memory storing an original file; a conversion unit obtaining block unit data based on block unit command data generated by the host device and converting the block unit data into file unit data; and a ransomware detection unit performing a ransomware detection operation detecting ransomware based on the file unit data, wherein the ransomware detection operation includes a substitution operation check which is performed by the ransomware detection unit to check whether an operation for substituting the original file is performed by the command data based on the file unit data. The present invention can alleviate a ransomware detection load of the host device.

Description

BACKGROUND OF THE INVENTION 1. Field of the Invention [0001] The present invention relates to a removable storage device for performing a random-

The present invention relates to a portable storage device for performing Ransomware detection and a method for the same, and more particularly to a Ransomware detection unit and a conversion unit for converting the unit of data contained in the removable storage device, To a removable storage device for performing detection and a method for the same.

Ransomware is a program that encrypts a stored file, and then requests payment of a bit coin or the like to decrypt the encrypted file.

The Raman software is propagated to an electronic device such as a PC / mobile and performs malicious operation in the electronic device, thereby causing a great damage to the user of the electronic device. Therefore, a Rangumware detection algorithm for detecting the Rangemeware and processing the detected Rangemeware has been installed on the operating system of the electronic device.

However, when the above-described Ramsomeware detection algorithm is installed on the operating system of the electronic device, the operation burden of the electronic device due to the execution of the algorithm increases. The performance of the electronic device with the increased operational burden is significantly lowered. Accordingly, in recent years, in order to alleviate the operational burden of the electronic device, there is an increasing demand for a medium equipped with a function of detecting the RAN cellware separately from the electronic device.

One aspect of the present invention is to provide a portable storage device provided separately from a host device so as to reduce the burden of detection of the RANSIWARE of the host device and equipped with the RANAMWARE detection function.

The problems to be solved by the present application are not limited to the above-described problems, and the matters not mentioned in the present specification can be clearly understood by those skilled in the art from the present specification and the accompanying drawings .

According to an aspect of the present application, there is provided a removable storage device interlocked with a host device, comprising: a memory in which an original file is stored; A conversion unit for acquiring block-based data based on block-based command data generated by the host device and converting the block-by-block data into file data on a file basis; And a Ransomware detection unit that performs a Ransomware detection operation to detect Ransomware based on the file data, wherein the Ransomware detection operation includes an alternate operation check, Unit is performed by checking whether or not an operation of replacing the original file with the command data is performed based on the file data.

According to another aspect of the present application, there is provided a method of detecting a random access in a portable storage device interlocked with a host device, the method comprising: acquiring block-based data based on command data in units of blocks generated from the host device; Converting the unit of data of the block unit to generate file data of a file unit; And a step of acquiring file data of the file unit and performing a random access detection operation, wherein the step of performing the random access detection operation comprises the steps of: And detecting whether the file is replaced with a similar file.

The solution of the problem of the present application is not limited to the above-mentioned solutions, and the solutions which are not mentioned are to be clearly understood by those skilled in the art to which the present invention belongs It will be possible.

According to the present invention, a removable storage device provided separately from the host device and equipped with a function of detecting a random access may be provided so as to reduce the burden of detecting the random access of the host device.

The effects of the present application are not limited to the effects described above, and effects not mentioned can be clearly understood by those skilled in the art from the present specification and the accompanying drawings.

1 is a diagram illustrating a system environment in which a removable storage device according to one embodiment of the present application is utilized.
2 is a diagram illustrating a host device and a removable storage device according to one embodiment of the present application.
FIG. 3 is a flowchart showing an Ransomware inspection operation according to an embodiment of the present application.
FIG. 4 is a diagram illustrating data transfer for a first Ramsome inspection operation according to an embodiment of the present invention.
5 is a diagram illustrating a step of detecting a Ramsomeware according to an embodiment of the present application.
6 is a diagram illustrating an Ramsomeware-based operation based on a weight according to an embodiment of the present application.
FIG. 7 is a diagram showing an operation of controlling and cutting off output of operation data according to an embodiment of the present application. FIG.
8 is a diagram showing a communication disconnection processing operation with a host device according to an embodiment of the present application.
9 is a diagram showing an alert file generation processing operation according to an embodiment of the present application.
10 is a diagram illustrating a host device and a removable storage device according to one embodiment of the present application.
11 is a diagram illustrating data transmission in a second Ramsome inspection operation according to an embodiment of the present application.
12 is a diagram illustrating a host device and a removable storage device according to one embodiment of the present application.
13 is a diagram illustrating data transmission during a third Ramsome inspection operation according to an embodiment of the present application.
FIG. 14 is a flow chart illustrating a selection procedure of the Ransomware inspection operation of the mobile storage device according to an embodiment of the present application.
15 is a weight setting flowchart of a mobile storage device according to an embodiment of the present application.

It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory and are intended to be illustrative of the present invention and not to limit the scope of the invention. Should be interpreted to include modifications or variations that do not depart from the spirit of the invention.

Although the terms used in the present invention have been selected in consideration of the functions of the present invention, they are generally used in general terms. However, the present invention is not limited to the intention of the person skilled in the art to which the present invention belongs . However, if a specific term is defined as an arbitrary meaning, the meaning of the term will be described separately. Accordingly, the terms used herein should be interpreted based on the actual meaning of the term rather than on the name of the term, and on the content throughout the description.

The drawings attached hereto are intended to illustrate the present invention easily, and the shapes shown in the drawings may be exaggerated and displayed as necessary in order to facilitate understanding of the present invention, and thus the present invention is not limited to the drawings.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, a detailed description of known configurations or functions related to the present invention will be omitted when it is determined that the gist of the present invention may be obscured.

According to an aspect of the present application, there is provided a removable storage device interlocked with a host device, comprising: a memory in which an original file is stored; A conversion unit for acquiring block-based data based on block-based command data generated by the host device and converting the block-by-block data into file data on a file basis; And a Ransomware detection unit that performs a Ransomware detection operation to detect Ransomware based on the file data, wherein the Ransomware detection operation includes an alternate operation check, Unit is performed by checking whether or not an operation of replacing the original file with the command data is performed based on the file data.

In addition, the Ramsome detection operation includes a similarity check. The Ramsome detection unit compares the file name included in the file data with the file name of the original file, and the file included in the file data And checking the similarity between the name and the file name of the original file.

The Raman-ware detection operation may include an encryption check. If there is the similarity, the Raman-ware unit compares the size of the file data with the size of the original file, And the file data is judged to be encrypted when the size of the original file is equal to or larger than the size of the original file.

The encryption check is performed by checking the rule of the pattern included in the file data by the random access unit and judging that the file data is encrypted when the rule of the pattern is disordered. May be provided.

In addition, when the file data is judged to be encrypted, the portable storage unit may perform the replacement operation check.

In addition, if the similarity is not present, the Ramsomeware detection unit may stop the Ramsome detection operation.

The portable storage device may further include a controller memory including a file list in which the weight of the original file is recorded, wherein the weight is set based on a random access detection operation.

When the similarity is confirmed, the weight is set based on the first weight, and when only the similarity and the encryption are confirmed, the weight is set based on the second weight, and the similarity, And when the substitute operation is confirmed, the weight is set based on a third weight.

In addition, the Ramsomeware detection unit performs an Ransomware operation based on the weight value, and when the weight value is equal to or greater than the threshold weight value, the Ransomware operation is regarded as a file based on Ransomware Is performed on the basis of the result of the comparison.

In addition, when the original file is regarded as a file by the RAN firmware, the operation by the command data in the unit of block is blocked, but the blocking of the operation is different for each time point considered as a file by the RAN firmware Lt; / RTI > may be provided.

In addition, if the original file is a file based on the random software, a portable storage device may be provided for causing the host device to generate a warning file.

The portable storage device may further include a portable storage device that performs the random access detection based on the block-by-block data.

And a data filter for filtering the command data in units of blocks and outputting filtering data in units of blocks which are command data in units of blocks suspected to be Ramsumware, And the portable storage device performs the random access detection based on the data.

In addition, the Ramsome detection unit may change the Ramsome detection operation according to the mode of the portable storage device, wherein the mode includes a first mode and a second mode, and when the mode of the removable storage device is the first mode , The Ransomware detection unit performs the Ransomware detection operation based on the file data of the file unit, and when the mode of the removable storage device is the second mode, the Ransomware detection unit And the portable storage device performs the random access detection operation.

According to another aspect of the present application, there is provided a method of detecting a random access in a portable storage device interlocked with a host device, the method comprising: acquiring block-based data based on command data in units of blocks generated from the host device; Converting the unit of data of the block unit to generate file data of a file unit; And a step of acquiring file data of the file unit and performing a random access detection operation, wherein the step of performing the random access detection operation comprises the steps of: And detecting whether the file is replaced with a similar file.

In the present specification, the Raman software can be predetermined data.

The data herein may include patterns. The pattern may be defined as a minimal concept of data constituting the data. The pattern may be classified into an operation pattern related to an operation, and a content pattern related to information.

The data herein may have predetermined units. The unit of basic data may include a block unit, a page unit, and a file unit. The file unit may be a block unit or a unit of data larger than a page unit.

The units of the data can be mutually converted. That is, the data of the plurality of block units or the data of a plurality of page units may be merged to generate the file unit data. Alternatively, the data of the file unit may be divided to generate data of a plurality of blocks or data of a plurality of pages.

Hereinafter, for ease of explanation, it is assumed that the unit of data is block unit or file unit. That is, the present invention is not limited to the following description, and the block units described in the following description may be understood on a page basis.

In this specification, a pattern may be defined as a minimal concept of data constituting the data. The pattern may be classified into an operation pattern related to an operation, and a content pattern related to information. That is, the data may include an operation pattern and a content pattern.

The operations herein may include writing, reading, overwriting, deleting, and the like. The writing may be defined as storing predetermined data in the removable storage device. The reading may be defined as obtaining data stored in the removable storage device. The overwriting may be defined as replacing data previously stored in the removable storage device with predetermined data. The deletion may be defined as deleting data stored in the removable storage device.

Hereinafter, a portable storage device equipped with a random software detection function will be described.

≪ Embodiment 1 >

1 is a diagram illustrating a system environment in which a removable storage device according to one embodiment of the present application is utilized.

Referring to FIG. 1, a system 1 environment in accordance with one embodiment of the present application may include a server 100, a host device 300, and a removable storage device 500.

The server 100 may communicate with the host device 300. The server 100 may exchange data with the host device 300. The server 100 may transmit data to the host device 300 and the server 100 may receive data from the host device 300.

The server 100 may store predetermined data. The data may be data related to detection of the Ramsomew.

That is, the server 100 can receive data requesting the data related to the detection of the RANomeware from the host device 300, and the server 100 can receive the data related to the detection of the RANomeware To the host device (300).

The host device 300 may perform operations through the removable storage device 500.

The host device 300 may transmit predetermined data to the mobile storage device 500. The host device 300 may transmit predetermined data to perform operations in the portable storage device 500. [

The portable storage device 500 may store predetermined data. The data may be data transmitted from the host device 300.

The mobile storage device 500 may perform certain operations. The mobile storage device 500 may perform an operation based on data transmitted from the host device 300. The removable storage device 500 may perform different operations according to modes of the removable storage device 500. The mode may include an active mode in which data exchange with the host device 300 is performed and an idle mode in which data exchange with the host device 300 is not performed. The mobile storage device 500 may perform all operations such as writing, reading, substitution, deletion, etc. in the active mode. The mobile storage device 500 can only perform reading, substitution, and deletion in the idle mode.

Hereinafter, the host device 300 and the portable storage device 500 will be described in detail.

2 is a diagram illustrating a host device and a removable storage device according to one embodiment of the present application. The following description will be made with reference to Fig.

First, components of the host device 300 will be described.

The host device 300 may include an application 310 and an operating system 330. However, a host device 300 having more components than the components of the host device 300 shown in Fig. 2 may be implemented.

The application 310 may be software executed in the host device 300. [ The application 310 may be executed by a user of the host device 300.

The application 310 may be i) user software produced directly by the user, or ii) separately created application software. The application software includes multimedia software including a suite of office products including a word processor, a web browser, a media player, analysis software including Matlab, collaboration software including an office management system 1, office software for customer management , Or a database.

The operating system 330 may control the application 310. The operating system 330 may execute the application 310. The operating system 330 may cause the application 310 to be executed by a user of the host device 300.

The operating system 330 may control the data of the host device 300. The operating system 330 may change units of data. The operating system 330 may convert a unit of data output from the host device 300.

Hereinafter, the components of the portable storage device 500 will be described.

The portable storage device 500 may include a host interface 510, a random access memory 530, a buffer 550, a memory 570, and a controller 590. However, the components of the portable storage device 500 shown in FIG. 2 are not essential, and a removable storage device 500 having more or fewer components may be implemented.

The host interface 510 may allow the portable storage device 500 to communicate with an external device. The host interface 510 may exchange data with an external device. The external device may be the host device 300.

The host interface 510 may be implemented as a physical interface including a USB port, a PS / 2 port, U.2, PCE-Express, SAS, ATA, SATA, Alternatively, the host interface 510 may be implemented by software including NVME, AHCI, or UASP. Alternatively, the host interface 510 may be implemented as a combination of the physical interface and the logical interface described above.

The RAN searchware unit 530 may detect the RAN cellware. The RAN cellware detection unit 530 may detect the RAN cellware in the mobile storage device 500. The RAN cellware detection unit 530 may detect the RAN cellware included in the data transmitted to the mobile storage device 500.

Since the portable memory 500 is provided with the random access detecting unit 530, the operating burden of the operating system 330 can be alleviated. The operating system 330 may include a Ransomware detection application 310 for detecting Ransomware in the mobile storage device 500 if the Ransomware detection unit 530 is not included in the removable storage device 500 do. Since the operating system 330 must execute the Ramsome detection application 310, the operating system 330 has a burden of operating the application 310. On the other hand, when the RAN cellware detection unit 530 is provided in the mobile storage device 500, the operating system 330 may not have a separate RAN cellware detection application 310. The operating system 330 may reduce the operational burden of the RAN cellware detection application 310. Accordingly, when the portable memory 500 is provided in the portable storage 500, the operating system 330 can be efficiently operated as compared with the case where the portable storage 500 is not provided.

 The Ramsomeware detection unit 530 may include a conversion unit 531, and a Ransomware detection unit 533. [

The conversion unit 531 can convert the unit of data. The conversion unit 531 may change the unit of data transferred to the conversion unit 531. [ The conversion unit 531 can convert data of a plurality of block units into data of file units or data of file units into data of a plurality of blocks.

The Ransomware detection unit 533 may detect Ransomware in the removable storage device 500 based on the data delivered to the Ransomware detection unit 533. The random access detection unit 533 may detect the random access based on the data of the file stored in the memory unit 570.

The buffer 550 may temporarily store data. The buffer 550 may temporarily store data transmitted to the buffer 550. [ The buffer 550 can output the stored data at a specific point in time. For example, the buffer 550 may be a memory controller 590.

The buffer 550 may control data transmitted to the memory unit 570. The buffer 550 may output only specific data among the data stored in the buffer 550. The specific data may be data not detected as randomware.

The memory unit 570 may be configured to perform data operation. In the memory unit 570, data can be written, read, replaced, deleted, and the like.

The memory unit 570 may include a plurality of cells and a plurality of blocks. One block may be composed of a plurality of cells.

Data may be calculated for each cell and each block.

The plurality of cells and the plurality of blocks may be assigned data addresses. And calculation of data may be performed for each cell and each block based on the data address.

The controller 590 can control overall operation of the portable storage device 500. The controller 590 may control the operation of the host interface 510, the configuration of the random access detector 530, the buffer 550, and the memory unit 570.

The controller 590 may control data transmission between the host interface 510, each configuration of the random access detection unit 530, the buffer 550, and the memory unit 570. That is, in the following, when the A configuration transmits data in the B configuration, the data transmission may be controlled by the controller 590 unless otherwise stated.

 The controller 590 may be implemented as a computer or similar device in accordance with hardware, software, or a combination thereof. The controller 590 may be provided in the form of an electronic circuit that processes the electrical signal to perform a control function, and may be provided in the form of a program that drives the controller 590 as a software in terms of hardware.

The controller 590 may store data related to the detection of the Ramsome. The data associated with the detection of the risk may include a file list, and a randomware list. The file list may be a list related to files stored in the memory unit 570. The file list may include a weight record set for each file. The RAN firmware list may include information about at least one RAN firmware and a priority set for each RAN firmware.

Meanwhile, the data related to the detection of the Ramsome software is stored in the controller 590, but the data related to the detection of the Ramsome software may be stored in a predetermined memory separately from the Ramsome detection unit 530. The predetermined memory may be a controller 590 memory.

Although the operation and data transmission of each configuration of the mobile storage device 500 are controlled by the controller 590 in the mobile storage device 500, they may be controlled by the host device 300. For example, the operating system 330 of the host device 300 may enable command block data to be transmitted to the controller 590 via the host interface 510. [

The configurations of the host device 300 and the portable storage device 500 and the functions of the respective components have been described above. Hereinafter, the data transfer relationship between the host device 300 and the mobile storage device 500 will be described.

Each configuration of the host device 300 may transmit data.

Each configuration of the host device 300 can exchange host data F-D on a file basis. The application 310 may transmit host data (F-D) in units of files to the operating system 330. The operating system 330 may transmit host data (F-D) in units of files to the application 310. [

The operating system 330 can output command data (B-CD) (B-CD) of a plurality of blocks. The operating system 330 may convert the host data F-D of the file unit into the command data B-CD of a plurality of blocks. The operating system 330 may cause the mobile storage device 500 to perform an operation on the plurality of blocks of command data (B-CD). That is, the command data (B-CD) in units of blocks may include a predetermined operation pattern.

The host device 300 and the portable storage device 500 may exchange data.

The exchange of data between the host device 300 and the portable storage device 500 may be defined as interworking.

The operating system 330 of the host device 300 and the host interface 510 of the portable storage device 500 may communicate with each other. The operating system 330 may transmit command data (B-CD) of a plurality of blocks to the host interface 510.

Each configuration of the portable storage device 500 may exchange data.

The host interface 510 may receive the command data (B-CD) of the block unit.

The host interface 510 may transmit the command data (B-CD) of the block unit to the conversion unit 531 of the random access detection unit 530. Alternatively, the host interface 510 may transmit the command data (B-CD) to the buffer 550.

The buffer 550 may exchange data with each configuration of the portable storage device 500.

The buffer 550 may transmit the operation data (B-OPD) in units of blocks to the memory unit 570. The calculation data (B-OPD) may be defined as data for an operation performed in the memory unit 570. The calculation data (B-OPD) may include an address assigned to the cell and the block, an operation pattern associated with the operation, or a content pattern related to the information to be computed.

The respective components of the random access detection unit 530 may exchange data. Each configuration of the random access detection unit 530 can transmit and receive data.

The conversion unit 531 can receive the command data (B-CD) of the block unit from the host interface 510. [ However, the present invention is not limited thereto. The conversion unit 531 can receive the command data (B-CD) from the controller 590.

The conversion unit 531 may exchange data with the Ramsome detection unit 533. The conversion unit 531 may transmit the command data (F-CD) in units of files to the RAN cellware detection unit 533. [ The conversion unit 531 may convert the units of the command data (B-CD) in units of a plurality of blocks and transmit the command data (F-CD) in units of files to the random access detection unit 533.

The conversion unit 531 can receive the detection data (F-FD) in units of files from the RAN cellware detection unit 533. [ The detection data (F-FD) of the file unit may be defined as data including the result of detection of the randomisation of the random access detection unit 533.

The conversion unit 531 can transmit the detection data (B-FD) of a plurality of blocks to the buffer 550. The conversion unit 531 can convert the units of the detection data (F-FD) in units of files and transmit the detection data (B-FD) in units of blocks to the buffer 550. The plurality of block-based detection data (B-FD) may be data including a random access detection result included in the detection data (F-FD) on a file basis.

On the other hand, the detection data (B-FD) of the plurality of blocks can define the above-described calculation data (B-OPD). The buffer 550 can define the calculation data (B-OPD) based on the detection data (B-FD) of the plurality of blocks. The calculation data (B-OPD) may be data in which the suspect data as Ransomware is removed based on the detection data (B-FD).

The RAN cellware detection unit 533 can receive the command data (F-CD) in units of files. The RAN cellware detection unit 533 may call the file list from the detection memory. The RAN cellware detection unit 533 may perform the RAN cellware detection operation based on the file data of the file unit (F-CD) and the file list.

The controller 590 may exchange data with each configuration of the portable storage device 500.

The controller 590 may exchange data with each configuration of the portable storage device 500.

The controller 590 may transmit data for controlling each configuration of the mobile storage device 500. For example, the controller 590 may transmit data for controlling the data output time of the buffer 550 to the buffer 550.

The controller 590 can receive predetermined data from each configuration of the mobile storage device 500. For example, a plurality of block-based detection data (B-FD) can be received from the RAN cellware detection unit 533. [

Also, the controller 590 may acquire data of a file stored in the memory unit 570 and transmit the acquired data to the random access detection unit 533.

Further, the controller 590 may transmit the command data (B-CD) in units of blocks to the conversion unit 531. [

In addition, the controller 590 may request predetermined update data to the host device 300 through the host interface 510 for update of the random access list stored in the detection memory, and may receive the update data.

The data transfer relationship between the host device 300 and the mobile storage device 500 has been described above. Hereinafter, the operation of the portable storage 500 will be described.

FIG. 3 is a flowchart showing an Ransomware inspection operation according to an embodiment of the present application.

FIG. 4 is a diagram illustrating data transfer for a first Ramsome inspection operation according to an embodiment of the present invention.

5 is a diagram illustrating a step of detecting a Ramsomeware according to an embodiment of the present application.

6 is a diagram illustrating an Ramsomeware-based operation based on a weight according to an embodiment of the present application.

Referring to FIG. 3, the Ramsome inspection operation of the portable storage device 500 may include a file data acquisition step S1000, a Ramsome detection step S2000, and a Ransomware processing step S3000.

In the file data acquisition (S1000) step, the Ramsome detection unit 533 may obtain command data (F-CD) on a file basis. The command data (F-CD) of the file unit may be subjected to a predetermined operation in the memory unit 570 based on the operation pattern and the content pattern included in the command data.

In the Ransomware detection (S2000), the Ransomware detection unit 533 may detect Ransomware in the removable storage device 500 based on a predetermined Ransomware detection algorithm. The RAN searchware algorithm will be described later in detail.

The Ransomware detection unit 533 may generate file-based detection data (F-FD) as a result of the Ransomware detection algorithm.

Based on the file-based detection data (F-FD), the removable storage device 500 can detect the Ransomware in the device. The portable storage device 500 can detect whether or not the command data (B-CD) of a plurality of block units is data based on Ransomware. The portable storage device 500 may transmit the detection data (F-FD) of the file unit to the conversion unit 531. [ The conversion unit 531 may transmit the detection data (B-FD) of the plurality of blocks to the controller 590 or the buffer 550. The controller 590 or the buffer 550 detects whether or not the command data B-CD of a plurality of block units on the basis of the detected data (B-FD) can do.

If a randomware is detected, the controller 590 may generate result data. The result data may be a Ramsome detection signal.

In step S3000, the portable storage device 500 may perform a process operation so that the random software can be processed. The controller 590 of the portable storage device 500 may transfer predetermined data to each configuration of the portable storage device 500 so that the processing operation is performed.

The processing operation of the portable storage device 500 by the predetermined data and the predetermined data will be described later in detail.

Predetermined data may be transmitted in the mobile storage device 500 for performing the RAN search.

Referring to FIG. 4, the data for the Ramsome detection operation may be transmitted in the order of the host interface 510, the conversion unit 531, and the Ramsome detection unit 533.

Hereinafter, a description will be given with reference to FIG.

The host interface 510 may transmit predetermined data from the host device 300 to the random access detection unit 530.

The host interface 510 can acquire a plurality of command data (B-CD) in units of blocks from the host device 300 (S2011). The host interface 510 may output the acquired command data (B-CD) of a plurality of blocks to the conversion unit 531 (S2012).

The conversion unit 531 may convert the units of the filtered data of a plurality of blocks and transmit the converted units of data to the random access detection unit 533.

The conversion unit 531 may acquire a plurality of block-based command data (B-CD) from the host interface 510 (S2013). In the data conversion (S2014), the conversion unit 531 can convert the command data (B-CD) of the plurality of blocks. The conversion unit 531 may output the host data F-D of the file unit to the random-access detection unit 533 (S2015).

The RAN cellware detection unit 533 may acquire file data of a file unit and perform a RAN cellware detection operation for detecting the RAN cellware.

The RAN searchware unit 533 may acquire command data (F-CD) in units of files from the conversion unit 531 (S2016). In the Ransomware detection (S2017), the Ransomware detection unit 533 can detect the Ransomware based on the command data (F-CD) on a file basis. In the detection of the RamsomeWare, the Ransomware detection unit 533 may perform the Ransomware detection operation based on the predetermined Ransomware algorithm described above.

As described above, the Ransomware inspection operation in which data is transferred in the order of the conversion unit 531 and the Ransomware detection unit 533 can be defined as the first Ransomware inspection operation. The first Ramsome inspection operation may be a Ramsome inspection operation on a file basis.

Hereinafter, a description will be given in detail of a detection algorithm of the RANomeware.

Referring to FIG. 5, the Ramsome detection algorithm according to one embodiment of the present application includes a file name similarity check step S2100, an encryption check step S2300, a delete / overwrite operation check step S2500, and weight setting steps S2310 and S2530 , S2550).

The RAN searchware unit 533 may check the similarity of the file names (S2100).

The RAN cellware detection unit 533 can extract the name of the file included in the acquired command data (F-CD) of the file unit. The RAN searchware unit 533 may analyze a content pattern including a file name of the file unit.

The RAN cellware detection unit 533 may check the similarity by comparing the file name included in the command data (F-CD) of the file unit with the file name stored in the mobile storage device 500.

In this case, the RAN searchware unit 533 may call the file list. The RAN searchware unit 533 may compare the file name recorded in the file list with the file name extracted from the command data (F-CD) of the file unit.

Alternatively, the random access detection unit 533 may obtain a file name of a file (hereinafter referred to as a memory file) stored in the memory unit 570. The file name of the memory file may be extracted from the controller 590 and the controller 590 may transmit the file name to the RANCOME detection unit 533. [

The similarity check of the file name may be performed based on a predetermined algorithm. The predetermined algorithm may be Levesnshtein distance, Edit distnacem Jaro-Winelr dsitnace.

The Ramsomeware detection unit 533 can check whether the similarity degree is similar (S2110). If the similarity of the file name is not present (N), the RAN searchware unit 533 may stop performing the RAN search detection algorithm. If there is a similarity between file names (Y), the RAN searchware unit may check whether the file is encrypted (S2300).

A file stored in the portable storage device 500 having a similar file name may be defined as a similar file.

The RAN searchware unit 533 may check whether the data is encrypted (S2300).

The Ransomware detection unit 533 may check the encryption based on the normal nature of the cipher text.

The RAN searchware unit 533 may check the encryption by comparing the file sizes.

The encryption check may include a file size comparison operation, a random string detection operation, and a file data compression operation.

The RAN cellware detection unit 533 may extract the file size of the file data. The RAN searchware unit 533 may compare the file size and the file size of the similar file. If the file size of the file data is larger than the file size, the file data may be determined to perform encryption.

The RAN cellware detection unit 533 may detect the random string and check the encryption.

The RAN cellware detection unit 533 can check whether the file data is encrypted by checking the rule of the pattern in the file data. If the rule of the pattern is disordered, the RAN cellware detection unit 533 can regard the file data as performing an encryption operation.

The RAN cellware detection unit 533 may compress the file data. If the file data is not compressed, the RAN searchware unit 533 can regard the file data as performing an encryption operation.

The RAN searchware unit 533 can perform the RAN search detection algorithm according to the encryption (S2310). If the encryption operation is not included in the file data (N), the random access detection unit 533 may set the first weight to the similar file (S2330).

If the file data includes the encryption operation (Y), the RAN searchware unit 533 may check whether the delete / overwrite operation is performed (S2510).

The RAN searchware unit may check whether deletion / overwriting of the original file is performed according to the file data (S2510).

The RAN searchware unit may check whether the similar file is deleted / overwritten by the file data. The RAN searchware unit 533 can check whether the operation pattern for deleting / overwriting a similar file is included in the file data.

The Ransomware detection unit may set the second weight (S2530) if the delete / replace operation is not checked (N), set the third weight (Y) when the delete / replace operation is checked (Y) can do.

As described above, the detection of the Ramsomeware can be performed by performing the detection of the Ramsomeware in stages. If there is no such similarity, the subsequent detection of the Ramsomware may not be performed, so that the Ramsomware detection burden of the portable storage device 500 may be reduced.

The detection algorithm of Ransomware has been described above.

Hereinafter, the operation of setting the weight of the portable storage device 500 and the operation of considering the Raman software will be described. The weight setting operation may be defined as setting an weight for each similar file based on the above-described algorithm. The Ransomware operation may be defined as an operation that considers the presence of Ransomware in the mobile storage device 500.

Referring to FIG. 6, the portable storage device 500 may set a weight for each similar file.

In the file list, weights may be recorded for each file. The weight for each file may be changed by setting a weight for the file.

The random access detection unit 533 may set a weight for each similar file. The Ransomware detection unit 533 may output file-based detection data (F-FD) as a result of the Ransomware detection algorithm. The detection data (F-FD) on a file basis can be converted by the conversion unit 531 and converted into detection data (B-FD) on a block basis. The controller 590 can acquire the detection data (B-FD) of the block unit and set a weight value. The controller 590 may set weights on similar files included in the file list.

Referring to FIG. 6, when the similar file is file A, the file A may have a weight added by the first detection data so that only the first weight is added at the original weight. Alternatively, when the similar file is file D, the file D may have a weight added by the first weight and the second weight at the original weight by the second detection data.

Meanwhile, the first weight, the second weight, and the third weight may have different values. The size of the weight may be larger in order of the third weight, the second weight, and the first weight.

The portable storage device 500 according to an embodiment of the present application may consider Ransomware based on the set weights.

Referring again to FIG. 6, the removable storage device 500 may consider Ransomware based on the threshold weight K. FIG. The controller 590 may regard a similar file having a weight value equal to or greater than the critical weight K as a file based on Ransomware.

The threshold weight K may be set by the mobile storage device 500. The threshold weight K may be set based on the mode of the portable storage device 500. [ The critical weight K in the idle mode may be smaller than the critical weight K in the active mode.

The threshold weight K may be set directly by the user.

The controller 590 may output predetermined result data when the Raman software file is considered. The predetermined result data may be a random access detection signal, blocking data, and warning data.

Hereinafter, the process of processing the random firmware will be described in detail.

In the randomware processing step, the removable storage device 500 may perform processing operations to process the detected randomware.

7 to 9 are views showing a processing operation of the mobile storage device according to an embodiment of the present application.

7 is a diagram showing an operation of controlling and cutting off the output of the calculation data (B-OPD) according to the embodiment of the present application.

8 is a diagram showing a communication disconnection processing operation with a host device according to an embodiment of the present application.

9 is a diagram showing an alert file generation processing operation according to an embodiment of the present application.

7 to 9, the processing operation is performed by i) controlling the output of the operational data B-OPD, ii) blocking the output of the operational data B-OPD, iii) communicating with the host device 300 Disconnection, and iv) generation of a warning file. The processing operation can be performed by transferring the data of the controller 590. [ The predetermined data may be a Ramsome detection signal, blocking data, or warning data.

Referring to FIG. 7, the controller 590 may control the output of the operational data (B-OPD) of the buffer 550. The controller 590 may transmit a random access detection signal to the buffer 550. The controller 590 may control the output of the calculation data (B-OPD) according to the time of acquisition of the Ramsome detection signal of the buffer 550.

Referring to FIG. 7A, the buffer 550 may acquire a Ramsome detection signal related to the calculation data (B-OPD) (S3130) after the calculation data (B-OPD) .

The controller 590 may control the operation data (B-OPD) output from the buffer 550 (S3150) after the time of acquiring the Ramsome detection signal. The controller 590 may exponentially delay the output of the operational data (B-OPD) of the buffer 550. The controller 590 may stop the output of the calculation data (B-OPD) of the buffer 550.

Alternatively, the controller 590 can repair the operation performed by the already-outputted operation data (B-OPD). The controller 590 may invert the address of the cell or block of the memory unit 570 which has been operated on by the already outputted operation data (B-OPD). The controller 590 may control the buffer 550 or the memory unit 570 to delete data existing in a cell of the address or a block of the address.

Referring to FIG. 7B, the buffer 550 may acquire a Ramsome detection signal related to the calculation data (B-OPD) (S3310) before the output of the calculation data (B-OPD).

In this case, the controller 590 may block the output of the calculation data (B-OPD).

As described above, when the processing operation is performed according to the detection timing of the RAN search, unnecessary RAN search processing is not performed. It is possible to check whether or not the arithmetic operation by the arithmetic operation data (B-OPD) is performed unnecessarily even though the arithmetic operation data (B-OPD) is not outputted. Alternatively, when the processing operation is performed for each of the viewpoints, it may not be checked whether the operation by the operation data (B-OPD) is performed unless the operation data (B-OPD) is outputted. Accordingly, when the processing operation is performed for each viewpoint, there may be an effect that the Raman software processing operation is efficiently performed.

Referring to FIG. 8, the controller 590 may block communication between the host interface 510 and the host device 300.

The controller 590 may transmit the blocking data to the host interface 510. The controller 590 may generate the blocking data (S3530) when the Raman software is detected (S3510). The blocking data may be a control signal that can block communication between the host interface 510 and the host device 300. The blocking data may be data of a plurality of blocks. The controller 590 transmits the generated blocking data to the host interface 510 (S3550).

The host interface 510 may obtain the blocking data from the controller 590 (S3570). In this case, the host interface 510 may intercept communication with the host device 300 (S3590). The blocking may be to block transmission of data of the host device 300 in a software manner. The host interface 510 may block all data transmission from the operating system 330.

Referring to FIG. 9, the controller 590 may give a warning to the user of the host device 300 about the alarm. The controller 590 may cause the host device 300 to generate a warning file. The controller 590 may generate alert data to allow the alert data to be delivered to the operating system 330.

The controller 590 may generate alert data in a plurality of block units (S3720) when the random software is detected (S3710). The warning data may include data for generating a warning file. The warning data may be data of a plurality of blocks. The controller 590 may transmit the generated alert data to the host interface 510 (S3730).

The host interface 510 may acquire warning data from the controller 590 (S3740). The host interface 510 may transmit the obtained alert data to the operating system 330 of the host device 300 (S3750).

The operating system 330 may acquire a plurality of alert data in units of blocks from the host interface 510 (S3760). The operating system 330 may convert the obtained warning data in units of blocks (S3770). In step S 3770, the operating system 330 may convert the unit of the warning data, and logically analyze the warning data so that the operation included in the alert data may be performed. Based on the layer conversion result, the operating system 330 may generate a warning file (S3770). The warning file may give a user of the host device 300 a RAN firmware warning notice.

Alternatively, the controller 590 may generate a detection history of the detected Ransomware.

The controller 590 may record the detected Ransomware in the portable device in the Ransomware list. The controller 590 may assign different weights to the similar files on the basis of the Raman software in which the detection history exists.

The controller 590 may generate the RAN firmware history in which the detected RAN firmware is recorded. The number of detections detected for each RAN firmware can be recorded in the RAN firmware history.

The weight, and the number of detections, may be used to detect Ransomware. The portable storage device 500 may perform a random access detection in order of the priority of the random software. The mobile storage device 500 can perform the Ransomware detection operation in the order of the number of detection of the Ransomware based on the detection history of the Ransomware.

≪ Embodiment 2 >

Hereinafter, the second embodiment, which is a modification of the first embodiment, will be described. In the following description, unless otherwise stated, the first embodiment described above can be applied.

10 is a diagram illustrating a host device and a removable storage device according to one embodiment of the present application.

11 is a diagram illustrating data transmission in a second Ramsome inspection operation according to an embodiment of the present application.

The mobile storage device 500 according to an embodiment of the present application can perform a plurality of block-by-block Ramsomware inspection operations. The Raman-software testing operation on the plurality of block units may be defined as a second Raman-ware testing operation.

Referring to FIGS. 10 and 11, the Ramsome detecting unit 530 may perform a Ramsome inspection operation on the basis of a plurality of blocks of command data (B-CD).

The host interface 510 obtains command data B-CD of a plurality of blocks from the host device 300 (S2031), and supplies the command data (B-CD) of the block unit to the random- 533 (2033).

The RAN cellware detection unit 533 may acquire the command data (B-CD) in units of blocks from the host interface 510 (S2035). The RAN cellware detection unit 533 can detect the RAN cellware based on the data of a plurality of blocks (S2037).

In the Ramsomeware detection (S2037), the Ramsome detection unit 533 may perform a Ramsome detection algorithm based on the data of the plurality of blocks. Rangumware may be considered based on the execution result of the Rangumware detection algorithm.

The RAN cellware detection unit 533 can analyze only specific data that is a part of the data of the plurality of blocks in accordance with the RANMO detection detection algorithm. The specific data may be data that is mainly damaged by the random software. For example, the specific data may be header data related to a header of a file.

The specific data may include first specific data and second specific data.

The RAN cellware detection unit 533 may define the specific data for each RAN cellware. The RAN cellware detection unit 533 may define first specific data based on the first Ransomware and second specific data based on the second Ransomware.

The RAN cellware detection unit 533 can set the order of performing the RAN cellware detection according to the priority of the RAN cellware. If the first random software has a higher priority than the second random software, the random software detection unit 533 may analyze the first specific data before the second specific data.

By the second Ramsome inspection operation, it is possible to have an effect that the detection of the Ramsome can be precise. In the case where the Ramsome inspection operation is performed on a file unit basis but not on the block basis, the block-level data transmitted to the Ramsome detection unit 530 includes a data filter 535, a conversion unit 531, a Ramsome detection unit 533 ). Accordingly, the block-by-block data may be omitted in the transmission process, and the missing data may not be detected. When the RamsomeWare inspection operation is performed on the block-by-block basis, the transmission path of the block-by-block data may be shorter than the Ramsomewire inspection operation on a file basis. Accordingly, the missing data of the block unit can be reduced, and the detection of the Raman-software can be precisely performed.

Alternatively, by the second Ramsome inspection operation, rapid Ransomware detection can be effected. If the block-by-block Ransomware check operation is not performed, the pattern of all the block data included in the file unit data must be analyzed in order to detect the Ransomware. On the other hand, when performing the Ramsomware inspection operation on a block basis, the Ramsumware detection can perform the Ramsomware inspection only on a part of data of a plurality of block units of data, so that the detection of Ramsumware can be speeded up.

Meanwhile, the second Ramsome inspection operation may be performed in combination with the first Ramsome inspection operation.

≪ Third Embodiment >

Hereinafter, a third embodiment, which is a modification of the first embodiment or the second embodiment, will be described. In the following description, unless otherwise specified, the first or second embodiment described above can be applied.

12 is a diagram illustrating a host device and a removable storage device according to one embodiment of the present application.

13 is a diagram illustrating data transmission during a third Ramsome inspection operation according to an embodiment of the present application.

The portable storage device 500 according to an exemplary embodiment of the present invention may perform a random access testing operation in which predetermined data filtering is performed. In this case, the Rangemouse inspection operation may be defined as a third Raman software inspection operation.

Referring to FIG. 12, the Ramsome detection unit 530 may further include a data filter.

The data filter may filter the data. The data filter can classify and output a plurality of original data transmitted to the data filter. The data filter may classify the plurality of original data into a first data group and a second data group, and output only the first data group. The data filter may generate filtering data that is the first data.

For example, when the data filter is a Bloom filter, the data filter may classify a plurality of original data into a data group suspected to be Ransomware and a data group not Ransomware. The data filter can output only data groups suspect to be Ransomware.

In addition, when the data filter is a Bloom filter, the data suspected to be Ransomware or Ransomware can be classified as Ransomware data. However, the Bloom filter does not classify the data as the Raman software as non-Raman software. Therefore, in the case where the data filter is a Bloom filter, even if the data filter malfunctions, it is possible that the data having the possibility of Ransomware is not classified as non-Ransomware data. Thus, the probability of false positives in detection of Ransomware can be lowered.

Meanwhile, the data filter 531 may output the classified first data group and the second data group in different configurations. For example, the data filter 531 may transmit the suspected data group of the Ransomware to the configuration within the Ransomware detection unit, and the data group that is not the Ransomware may include the buffer 550, the memory unit 570, (590).

Referring to FIG. 13, the Ramsome detection unit 530 may perform Ransomware inspection based on the filtered data of the file unit.

The data filter can acquire command data (B-CD) in units of a plurality of blocks (S2051). The data filter may generate the filtering data (S2052) on a block-by-block basis by filtering the command data (B-CD) in the unit of the number of blocks. The filtering data of the block unit may be defined as command data (B-CD) of block unit suspected to be a random software. The data filter may transmit the filtering data of the block unit to the conversion unit 531 (S2053).

The conversion unit 531 can acquire filtering data of a plurality of blocks (S2054). The conversion unit 531 may convert the filtering data of the plurality of blocks (S2055) to generate filtering data in units of files. The conversion unit 531 may transmit the generated filtering data in units of files to the random access detection unit 533 (S2056).

The RAN cellware detection unit 533 may acquire the filtering data of the file unit from the conversion unit 531 (S2057). The RAN cellware detection unit 533 may detect the RAN cellware based on the filtering data in units of files (S2058).

By the third Ramsome inspection operation, the Ramsome detection operation can be simplified. And the data filter is not provided. The RAN searchware unit 530 may perform RAN search detection on all data transmitted to the RAN scan detection unit 530. On the other hand, when the data filter is provided, the Ramsome detection unit 530 can detect the Ramsumware only for a part of the data. Therefore, the Ransomware detection algorithm may be simplified. Alternatively, the size of the random firmware pattern table for detecting the random firmware may be reduced and the operation load of the random firmware detection unit 530 may be reduced.

Meanwhile, the third Ramsome inspection operation may be performed in combination with the first and second Ramsome inspection operations.

<Fourth Embodiment>

FIG. 14 is a flow chart illustrating a selection procedure of the Ransomware inspection operation of the mobile storage device according to an embodiment of the present application.

15 is a weight setting flowchart of a mobile storage device according to an embodiment of the present application.

Referring to FIG. 14, the portable storage device 500 according to an embodiment of the present application can selectively perform the RAN search.

The removable storage device 500 may selectively perform a random access check operation based on the accuracy, speed, and the like of the random access detection. Hereinafter, the portable storage device 500 selects the Ramsome inspection operation based on the accuracy of the detection.

The mobile storage device 500 may set the detection accuracy of the RAN cellware (S3100). The precision may include HIGH, MIDDLE, LOW.

The removable storage device 500 may set the precision based on the mode of the removable storage device 500. If the removable storage device 500 is in the active mode, the removable storage device 500 may set the accuracy of the detection of the risk to LOW. If the mode is active or the amount of data in the removable storage device 500 is below a threshold, the removable storage device 500 may set the accuracy of the detection of the randomisation to MIDDLE. When the mode is the idle mode, the portable storage device 500 may set the accuracy of the detection of the RAN cellware to LOW.

The accuracy of the detection of the risk may be stored in the controller 590 memory.

The mobile storage device 500 may determine the accuracy of the detected Ramsomeware (S3300). The controller 590 of the mobile storage device 500 may obtain data related to the accuracy stored in the controller 590 memory. The controller 590 can obtain the accuracy of the block-level data before the data is transmitted to the random-number detecting unit 530.

The controller 590 can perform the third detection when the precision is HIHG, the second detection when the precision is MIDDLE, and the first detection when the precision is LOW .

In this case, the first detection may be a first Ramsome inspection operation (S2010) and the second detection may be a second Ramsome inspection operation (S2030), wherein the third detection is a third Ramsome inspection operation (S2050).

However, this is merely an example, and the Raman-software inspection operation selected by precision is not limited to this.

Thus, the detection of the Raman-software can be efficiently performed. If the RAN scan check operation is not selected for each mode of the mobile storage device, the RAN scan check operation can be performed even in the active mode. Since the operation is actively performed in the active mode, when the Raman -Software detection operation is performed precisely, the operation can not be performed properly, and the Raman -Software detection operation may not be performed at the same time. On the other hand, when the Raman-software inspection operation is selected for each mode, an environment in which the Raman-software inspection operation can be performed properly can be provided. Since a simple Ransomware scan operation can be performed in the active mode, the operation of the mobile storage device 500 and the Ransomware detection can be efficiently performed.

Meanwhile, the first through third Ramsome inspection operations may be performed in stages of the Ramsome detection algorithm. For example, the file name similarity check may be performed by a first random access check operation, and a random string check and a delete / replace operation check may be performed by second to third random access check operations .

Referring to FIG. 15, the portable storage device 500 according to an embodiment of the present application may vary the weight according to the selected RamanSweeper checking operation.

In step S4310, the controller 590 may acquire detection data (B-FD) on a block-by-block basis. The controller 590 can determine the kind of the Rangemore inspection operation performed based on the block-based detection data (B-FD).

The controller 590 may determine whether the Ramsome inspection operation is the first detection (S4320), and may assign a weight to the similar file based on the weight X (S4330) in the case of the first detection (Y).

It is possible to check whether the second detection is not the first detection (S4340), and to assign a weight to the similar file based on the weight Y (S) when the second detection is Y (S4350).

(N) and whether or not the detection is the second detection (S4360). If it is the second detection (Y), the similarity file can be weighted based on the weight Z (S4370).

That is, the first through third weights given in the first Ramsome inspection operation, the first through third weights given in the second Ramsome inspection operation, and the first through third weights May be different.

On the other hand, the criteria of the weights may be different according to the step of the Ramsome detection algorithm. A weight can be set based on the type of the Rangemouse inspection operation performed in each step of the Ramsomeware detection algorithm. For example, the first weight may be based on the weight X, and the second weight may be based on a weight Y. [

Alternatively, the above-mentioned weight X, weight Y, and weight Z may be used as a criterion for setting the threshold weight K. For example, if the weight setting is performed based on X, Y, the threshold weight K may be set based on X, Y.

In the creating method and browsing method according to the present invention described above, the steps constituting each embodiment are not essential, and therefore, each embodiment can selectively include the above-described steps. Moreover, each step constituting each embodiment is not necessarily performed according to the order described, and the step described later may be performed before the step described earlier. It is also possible that each step is repeatedly performed during operation.

While the present invention has been described with reference to exemplary embodiments, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, but, on the contrary, It will be apparent to those skilled in the art that changes or modifications may fall within the scope of the appended claims.

1: System
100: Server
300: Host device
310: Application
330: Operating system
500: Removable Storage
510: Host interface
530:
531: conversion unit
533: Ransomware detection unit
535: Data filter
550: buffer
570:
590: Controller

Claims (15)

A removable storage device operatively associated with a host device,
A memory in which the original file is stored;
A conversion unit for acquiring block-based data based on block-based command data generated by the host device and converting the block-by-block data into file data on a file basis; And
And a Ransomware detection unit for performing a Ransomware detection operation for detecting Ransomware based on the file data,
Wherein the Ramsomware detection operation includes an alternate operation check,
The alternate operation check
And checking whether the operation of replacing the original file with the command data is performed based on the file data.
Removable storage.
The method according to claim 1,
Wherein the Ransomware detection operation includes a similarity check,
The similarity check
The random number detection unit compares the file name included in the file data with the file name of the original file and checking the similarity between the file name included in the file data and the file name of the original file. doing,
Removable storage.
3. The method of claim 2,
Wherein the Ransomware detection operation includes an encryption check,
The encryption check
If the degree of similarity exists, the RAN searchware unit compares the size of the file data with the size of the original file. If the size of the file data is greater than or equal to the size of the original file, it is determined that the file data is encrypted Characterized in that
Removable storage.
The method of claim 3,
The encryption check
The random number detection unit checks the rules of the patterns included in the file data and if the rules of the pattern are disordered, the file data is determined to be encrypted
Removable storage.
The method of claim 3,
If it is determined that the file data is encrypted,
Characterized in that the Ransomware detection unit performs the replacement operation check
Removable storage.
6. The method of claim 5,
And the Ramsomeware detection unit stops the Ramsomew detection operation when there is no similarity.
Removable storage.
The method according to claim 6,
And a controller memory including a file list in which the weight of the original file is recorded,
Characterized in that the weight is set based on a random-access detection operation
Removable storage.
8. The method of claim 7,
When only the similarity is confirmed, the weight is set based on the first weight
When only the degree of similarity and the encryption are confirmed, the weight is set based on a second weight,
Wherein if the similarity, the encryption, and the alternative operation are confirmed, the weight is set based on a third weight
Removable storage.
8. The method of claim 7,
Wherein the Ransomware detection unit performs an Ransomware-based operation based on the weight,
The RANemware operation
And when the weight value is equal to or greater than the threshold weight value, the original file is regarded as a file based on the random software.
Removable storage.
10. The method of claim 9,
When the original file is regarded as a file based on the random software, an operation based on the block data is blocked,
And the blocking of the computation is changed according to the time point at which the file is regarded as the file by the Raman software.
Removable storage.
10. The method of claim 9,
If the original file is a file based on the Raman software,
To cause the host device to generate an alert file
Removable storage.
9. The method of claim 8,
Wherein the random access detection unit performs the random access detection based on the block-by-block data.
Removable storage.
13. The method of claim 12,
Further comprising: a data filter for filtering the command data in units of blocks and outputting filtering data for each block, which is instruction data in units of blocks suspected to be Ramsumware,
Wherein the Ramsomeware detection unit performs the Ramsome detection operation on the basis of the block pipeline data.
Removable storage.
13. The method of claim 12,
Wherein the Ransomware detection unit changes the Ransomware detection operation according to the mode of the portable storage device,
Wherein the mode includes a first mode and a second mode,
When the mode of the portable storage device is the first mode, the Ramsome detection unit performs the Ramsome detection operation based on the file data of the file unit,
Wherein when the mode of the portable storage device is the second mode, the Ramsome detection unit performs the Ramsome detection operation based on the data of the block unit.
Removable storage.
A method for detecting a random access in a removable storage device associated with a host device,
Obtaining data on a block-by-block basis based on command data in units of blocks generated from the host device;
Converting the unit of data of the block unit to generate file data of a file unit; And
And acquiring file data of the file unit and performing a random access detection operation,
The step of performing the random access detection operation
And detects whether or not an original file stored in the removable storage device is replaced with a similar file by the command data of the block unit
Ransomware detection method.

Images