WO2018225070A1 - A system and method for continuous monitoring and control of file-system content and access activity - Google Patents
A system and method for continuous monitoring and control of file-system content and access activity Download PDFInfo
- Publication number
- WO2018225070A1 WO2018225070A1 PCT/IL2018/050619 IL2018050619W WO2018225070A1 WO 2018225070 A1 WO2018225070 A1 WO 2018225070A1 IL 2018050619 W IL2018050619 W IL 2018050619W WO 2018225070 A1 WO2018225070 A1 WO 2018225070A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- operational
- filesystem
- files
- storage medium
- module
- Prior art date
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/14—Error detection or correction of the data by redundancy in operation
- G06F11/1402—Saving, restoring, recovering or retrying
- G06F11/1446—Point-in-time backing up or restoration of persistent data
- G06F11/1458—Management of the backup or restore process
- G06F11/1469—Backup restoration techniques
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/3003—Monitoring arrangements specially adapted to the computing system or computing system component being monitored
- G06F11/3041—Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is an input/output interface
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Definitions
- the presented invention generally relates to the field of computer system security, and specifically to the analysis and verification of actions applied to computer file systems.
- OS Operating System
- a system for continuous monitoring and controlling of file content and read/write access activity of an operational OS comprising:
- a splitter module configured to maintain a duplicate of the operational OS files on a monitored storage medium, invisible to the operational OS
- a file-system detector module running an independent, trusted OS.
- the said system is configured to
- the present invention provides a system for continuous monitoring and controlling of an operational operating system's (OS) read/write access requests, and contents of files related to said operational OS.
- the system comprising at least one of:
- a splitter module configured to perform the said operational OS read / write access requests so as to maintain a duplicate of the operational OS's filesystem (FS) on a monitored storage medium, invisible to the operational OS; a file-system detector module, running an independent trusted OS, completely detached from the operational OS and from the operational FS; and a safe backup storage of the operational OS files, completely detached from the operational OS; wherein said file- system detector module is configured to monitor all operational OS read / write access requests that reach the splitter; wherein said file-system detector module is configured to compare the content operational OS related files to equivalent files of the backup storage; wherein said file-system detector module is configured to analyze said comparison and identify cyber security threats to the operational OS and operational FS.
- FS filesystem
- the system further comprising :
- a communication module designed to facilitate wired or wireless communication between components of the secured system and the file system detector module , which is external to the secured system.
- the filesystem detector module interfaces several peripheral modules, and applies a plurality of security measures to protect the operational file system, stored on the operational storage medium , wherein the filesystem detector module is invisible to the OS , accordingly neither external users, nor applications that are run on the OS machine can change anything on the filesystem detector module and its peripherals.
- the filesystem detector module monitors the content of the monitored storage medium according to a predefined policy, and compares the said monitored content, stored on the monitored storage medium , to data stored on the filesystem detector database .
- the filesystem detector storage module 56 stores safe back-up copies of files stored on the operational storage medium 40A, including filesystem files and registry files, wherein the filesystem detector module 50 will invoke comparisons of important files stored on the monitored storage medium 40B.
- the filesystem detector module further facilitates the capability to restore corrupted content on the operational storage medium 40A and / or on the monitored storage medium from the backup storage, stored on the filesystem detector storage module.
- the system further comprising an anomaly detection module 80 detects anomalies in the contents of the operational storage medium 40A, and in the operational OS read/write access request patterns to it, wherein the anomaly detection module 80 notifies suspected anomalies to the filesystem detector module 50, which in turn may take security measures, wherein the security measures include at least one of : disabling specific applications' access to the operational FS, or emitting a notification message to system administrators
- the filesystem detector module is located on the same machine as that of the secured system.
- the filesystem detector module is external to the secured system and is associated to the secured system through a communication network via communications module.
- the system the storage device splitter applies the following steps:
- [0015] receives read/write access requests, originating from the operational OS, via the storage device controller;
- the filesystem detector obtains its configuration from an administrator via the administrative interface, wherein the configuration include at least one of : Configuration of the anomaly detection module , in relation to the filesystem content and access policy, Configuration of the rule based action module in relation to suspected identified anomalies.
- the filesystem detector manages the anomaly detection module according to the configuration obtained from the administrative interface , to produce at least one of the indication types.
- the system of claim 1 wherein the Indication of unauthorized write access include at least one of;
- the filesystem detector commands the anomaly detection module 80 to compare the content of important files stored on the monitored storage medium with the content of equivalent files of the backup storage, safely stored on the filesystem detector storage
- the Filesystem detector applies further analysis to the patterns of filesystem access, and to the contents of files stored on the monitored storage medium , to produce higher-level indications of specific suspected threats.
- the Filesystem detector acts on recommendations from the rule based action module , such that the recommendations include, at least one of : Changing file security properties ; restricting access of specific users and / or applications to the operational storage medium, Storing copies of files that are suspected as being tampered with; and restoring files in the operational storage medium.
- the filesystem detector module accumulates operative information in the file system detector database , including at least one of :Events of file content change, Events of file properties' change, User access details; and Details regarding suspected encountered threats.
- the present invention provides a method for continuous monitoring and controlling of an operational operating system's (OS) read/write access requests, and contents of files related to said operational OS.
- the method comprising at least one of:
- said operational OS read / write access requests so as to maintain a duplicate of the operational OS's filesystem (FS) on a monitored storage medium, invisible to the operational OS;
- FS filesystem
- file-system detector module is running an independent trusted OS, completely detached from the operational OS and from the operational FS;
- the method further comprising the step of storing safe back-up copies of files stored on the operational storage medium , including filesystem files and registry files, wherein the filesystem detector module is invoking comparisons of important files stored on the monitored storage medium 40B.
- the method further comprising the step of facilitating the capability to restore corrupted content on the operational storage medium and / or on the monitored storage medium from the backup storage, stored on the filesystem detector storage module
- the method further comprising the step of detecting anomalies in the contents of the operational storage medium , and in the operational OS read/write access request patterns to it, wherein the anomaly detection module 80 notifies suspected anomalies to the filesystem detector module 50, which in turn may take security measures, wherein the security measures include at least one of : disabling specific applications' access to the operational FS, or emitting a notification message to system administrators
- the method further the following steps:
- the method further comprising the step of obtaining its configuration from an administrator via the administrative interface, wherein the configuration include at least one of : Configuration of the anomaly detection module 80, in relation to the filesystem content and access policy, Configuration of the rule based action module , in relation to suspected identified anomalies.
- the method further comprising the step of managing the anomaly detection module 80 according to the configuration obtained from the administrative interface to produce at least one of the indication types.
- the Indication of unauthorized write access include at least one of:
- the method further comprising the step of comparing the content of important files root filesystem files, stored on the monitored storage medium with the content of equivalent files of the backup storage, safely stored on the filesystem detector storage module.
- the method further comprising the step of analyzing to the patterns of filesystem access, and to the contents of files stored on the monitored storage medium , to produce higher-level indications of specific suspected threats.
- the method further comprising the step of accumulating operative information in the file system detector database including at least one of :Events of file content change, Events of file properties' change, User access details; and Details regarding suspected encountered threats
- Figure 1A presents an overall view of the filesystem access monitoring and control system 1000 and its components according to one embodiment of the present invention.
- Figure IB presents an overall view of the filesystem access monitoring and control system 1000 and its components according to another embodiment of the present invention.
- Figure 2 presents a flow diagram depicting the normal functionality of the storage device splitter 30.
- Figures 3A and 3B jointly present a flow diagram depicting the functionality of the File system detector 50 during normal work mode, according to one embodiment of the present invention.
- Figure 4 presents a flow diagram depicting the functionality of the rule- based action module 70, according to one embodiment of the present invention.
- Figure 5 presents a flow diagram depicting the functionality of the anomaly detection module 80 according to one embodiment of the present invention.
- Figure 1A presents an overall view of the filesystem access monitoring and control system 1000 and its components according to one embodiment of the present invention.
- the system 1000 encompasses the secured 100 system, upon which filesystem access monitoring is applied.
- the secured 100 system is comprised of at least one of the following:
- An operational operating system (OS) 10 accommodating the execution of a software application, and implementing write and read actions to an operational storage medium 40A
- a storage device controller 20 transferring the OS 10 read / write access requests to the operational storage medium 40A.
- An operational storage medium 40A (e.g. a hard disk), which stores the OS 10 operational filesystem, as well as data written during OS 10 write access cycles.
- the operational storage medium 40A also retrieves stored data during read access cycles upon request of the OS 10.
- a monitored storage medium 40B (e.g. a hard disk), which holds a duplicated copy of the data stored on the operational storage medium 40A.
- a storage device splitter which:
- a communication module 90 designed to facilitate wired or wireless communication between components of the secured system (e.g. the monitored storage medium 40B and the splitter 30) and the file system detector module 50, which is external to the secured system 100.
- the filesystem detector module 50 is the hub of the filesystem access monitoring and control system 1000. It runs an independent, trusted operating system 51, completely detached from the operational OS 10 and from the operational filesystem stored on the operational storage medium 40A.
- the filesystems detector 50 is external to the secured system and is associated to the secured systems through a communication network via communications module 90.
- the filesystem detector module 50 interfaces several peripheral modules, and applies a plurality of security measures to protect the operational file system, stored on the operational storage medium 40A.
- the filesystem detector module 50 is invisible to the OS 10, and hence neither external users, nor applications that are run on the OS 10 machine may change anything on the filesystem detector module 50 and its peripherals.
- the filesystem detector module 50 is configurable via a secure administrative interface 60. It subsequently configures the rule based action 70 and anomaly detection 80 modules.
- the filesystem detector module 50 monitors the content of the monitored storage medium 40B according to a predefined policy, dictated by the administrative interface 60. It compares the said monitored content, stored on the monitored storage medium 40B, to data stored on the filesystem detector database 55.
- the filesystem detector module 50 follows the read / write actions applied to the operational storage medium 40A, according to a predefined policy, dictated by the administrative interface 60.
- the filesystem detector storage module 56 stores safe back-up copies of files stored on the operational storage medium 40A, including for example filesystem files, registry files, BIOS files etc. This safe copy is henceforth referred to as the "Backup storage”.
- the filesystem detector module 50 will invoke comparisons of important files stored on the monitored storage medium 40B (which are duplicates of the operational storage medium 40A) with equivalent files of the backup storage, stored on the filesystem detector storage module 56, to detect anomalies.
- the filesystem detector module 50 further facilitates the capability to restore corrupted content on the operational storage medium 40A and / or on the monitored storage medium 40B from the backup storage, stored on the filesystem detector storage module 56.
- the anomaly detection module 80 detects anomalies in the contents of the operational storage medium 40A, and in the operational OS read/write access request patterns to it.
- the anomaly detection module 80 notifies suspected anomalies to the filesystem detector module 50, which in turn may take security measures. Examples for such security measures are: disabling specific applications' access to the operational FS, or emitting a notification message to system administrators.
- Figure IB presents an overall view of the filesystem access monitoring and control system 1000 and its components according to another embodiment of the present invention.
- the difference between the two embodiments depicted in figures 1A and IB is in the location of the filesystem detector module 50 and its peripherals:
- Figure IB depicts a special case in which the filesystem detector module 50 is located on the same machine as that of the secured system 100.
- FIG. 1B The embodiment depicted in figure IB renders the communication module 90 redundant. It also raises certain requirements for security configurations, in order to keep the filesystem detector module 50 and its peripherals (51, 55, 56, 60, 70 and 80) invisible to the OS 10 and the applications it runs.
- Figure 2 presents a flow diagram depicting the functionality of the storage device splitter 30.
- the storage device splitter 30 receives read/write access requests, originating from the operational OS 10, via the storage device controller 20 (step 310).
- the storage device splitter 30 reports each such read/write access request from the storage device controller 20 to the file system detector 50 (step 320).
- the storage device splitter 30 propagates write access requests to both the operational storage medium 40A and to the monitored storage medium 40B, thus maintaining a duplicate, redundant storage, similar to RAID hard drives (step 330).
- the storage device splitter 30 propagates read access requests only to the operational storage medium 40A (step 340), and returns read replies from the operational storage medium 40A to the storage device controller 20 (step 350).
- Figures 3A and 3B jointly present a flow diagram depicting the functionality of the filesystem detector module 50 during normal work mode, according to one embodiment of the present invention.
- the filesystem detector 50 obtains its configuration from an administrator via the administrative interface 60 (step 510).
- This configuration includes at least one of the following: Configuration of the anomaly detection module 80, in relation to the filesystem content and access policy.
- the administrator may set rules relating to serial read actions from specific directories on the operational storage medium 40A. This would detect systematic file scanning of the operational FS, characteristic of attempts to perform industrial espionage.
- Configuration of the rule based action module 70 in relation to suspected identified anomalies.
- the administrator may set a rule to dictate that upon detection of a file scanning attempt, specific users and applications should be restricted from accessing the operational file system on the operational storage medium 40 A.
- the filesystem detector module 50 receives activity indications (i.e. operational OS read / write access requests) from the storage device splitter 30. It propagates the said indications to the anomaly detection module 80 for analysis (step 515).
- activity indications i.e. operational OS read / write access requests
- the filesystem detector 50 manages the anomaly detection module 80 according to the configuration obtained from the administrative interface 60 (step
- Indications of unauthorized read access (step 525), e.g.:
- Suspected information theft for example when specific files are copied to another storage module, uploaded onto a remote server or sent via email.
- Suspected file scanning i.e. when a user or an application systematically accesses specific files, for malicious purpose (e.g. industrial espionage).
- Indication of unauthorized write access (step 530), e.g.:
- the filesystem detector 50 commands the anomaly detection module 80 to compare the content of important files (e.g. root filesystem files, registry files, BIOS etc) stored on the monitored storage medium 40B with the content of equivalent files of the backup storage, safely stored on the filesystem detector storage 56 module (step 535). This comparison may be invoked periodically, or triggered by a write action, as dictated by the administrator's configuration.
- important files e.g. root filesystem files, registry files, BIOS etc
- the filesystem detector module 50 accesses the monitored storage medium 40B, rather than the operational storage medium 40A for the said comparison. This method is beneficial in two aspects:
- the operational OS 10 performance is not hindered by read cycles of the operational storage medium 40A, and
- the OS 10, as well as the applications and users who employ it are unaware of the comparison process, as the monitored storage medium 40B is invisible to them.
- the Filesystem detector 50 applies further analysis to the patterns of filesystem access, and to the contents of files stored on the monitored storage medium 40B, to produce higher- level indications of specific suspected threats.
- suspected threats include for example, Advanced Persistent Threats (APT) and Root-kit malware.
- the Filesystem detector 50 manages the rule based action module 70 according to the configuration obtained from the administrative interface 60 (step 545).
- the Filesystem detector 50 acts on recommendations from the rule based action module 70 (step 550).
- recommendations include, for example:
- the Filesystem detector 50 provides online indications (e.g. alerts, warnings, and notifications) to system administrators over the administrative interface 60 (step 555). For example, it may indicate that an important file on the operational storage medium 40A is suspected of being corrupted, and suggest restoring it from the backup storage on the file system detector storage 56.
- online indications e.g. alerts, warnings, and notifications
- the filesystem detector module 50 accumulates operative information in the file system detector database 55 (step 560).
- This information includes, for example: Events of file content change; Events of file properties' (e.g. authorization, encryption) change;
- suspected encountered threats e.g.: suspected malicious users or applications.
- the filesystem detector module 50 keeps dedicated logs files, elaborating the different actions and occurrences performed on the operational file system 40A.
- Figure 4 presents a flow diagram depicting the functionality of the rule- based action module 70, according to one embodiment of the present invention.
- the rule-based action module 70 obtains its configuration from the administrative interface 60 via the file system detector 50 module (step 710).
- the rule-based action module 70 obtains indications of suspected anomalies from the Anomaly detection module 80 (step 720).
- the rule-based action module 70 produces recommendations for actions to the file system detector 50, in respect to the indicated suspected anomalies (step 730).
- rule-based action module 70 may recommend to:
- Figure 5 presents a flow diagram depicting the functionality of the anomaly detection module 80 according to one embodiment of the present invention.
- the anomaly detection module 80 obtains its configuration from the administrative interface 60 via the file system detector module 50 (step 810). It analyzes changes made to the system registry by reading files (e.g. FS files, registry files and BIOS) on the monitored storage medium 40B (step 820). It may perform a comparison with equivalent files of the back-up storage, stored on the file system detector storage module 56 to assist in this analysis. This comparison may be invoked periodically, or triggered by a write action, as dictated by the administrator's configuration. Accessing the monitored storage medium 40B, rather than the operational storage medium 40A for the said comparison is beneficial in two aspects: The system's performance is not hindered by read cycles of the operational storage medium 40A, and
- the OS 10, as well as the applications and users who employ it are unaware of the comparison process, as the monitored storage medium 40B is invisible to them.
- the anomaly detection module 80 analyzes changes made to important files, e.g.: root filesystem files (step 830). It may perform a comparison with equivalent files of the backup storage, stored on the file system detector Storage module 56 to assist in this analysis, as described above. Following are several examples to scenarios in which this comparison facilitates the maintenance of the system's cyber security: The activity of drivers and executable files is monitored to detect malicious software that creates intermediate drivers on the NTFS file system, designed to hide the malicious software's files and activities.
- Malicious changes in a network driver may cause the exfiltration of communication packets, without being detected by any system utility.
- Hiding of malicious content on the file system may be accomplished, for example, by adding malicious add-ons to the explorer.exe process, designed to hide specific malicious files from the user or the OS. Comparing the contents of the two file systems serves to detect such malicious add-ons, and subsequently reveal files that are hidden from the OS 10.
- Identifying hidden malicious tools designed to alter the boot process For example: an infected BIOS which injects malicious code through the Master Boot Record (MBR) to a Windows OS kernel during the boot process.
- MLR Master Boot Record
- file partitioning a common activity of ransomware type malware is to partition the file before encryption
- the anomaly detection module 80 analyzes the read and write access activity patterns of specific users (step 840) and applications (step 850). Specific read / write patterns may be consistent with forms of malware, or malicious user behavior. For example, systematic reading of specific files may indicate file scanning for the purpose of industrial espionage.
- the anomaly detection module 80 analyzes activity on the OS 10 level (step 860), including at least part of:
- the anomaly detection module 80 produces anomaly indications according to the said analyzed information (step 870).
- these indications may include:
- the anomaly detection module 80 propagates the said indications to the filesystem detector module 50 and the rule based action 70 module.
- the anomaly detection module 80 further analyzes suspected anomalies (step 880). This analysis may produce higher-layer indications of specific threats, e.g.:
- the anomaly detection module 80 propagates the said indications to the filesystem detector module 50 and to the rule based action 70 module, to act upon the suspected threats.
- the system of the present invention may include, according to certain embodiments of the invention, machine readable memory containing or otherwise storing a program of instructions which, when executed by the machine, implements some or all of the apparatus, methods, features and functionalities of the invention shown and described herein.
- the apparatus of the present invention may include, according to certain embodiments of the invention, a program as above which may be written in any conventional programming language, and optionally a machine for executing the program such as but not limited to a general purpose computer which may optionally be configured or activated in accordance with the teachings of the present invention. Any of the teachings incorporated herein may wherever suitable operate on signals representative of physical objects or substances.
- the term "computer” should be broadly construed to cover any kind of electronic device with data processing capabilities, including, by way of non-limiting example, personal computers, servers, computing system, communication devices, processors (e.g. digital signal processor (DSP), microcontrollers, field programmable gate array (FPGA), application specific integrated circuit (ASIC), etc.) and other electronic computing devices.
- processors e.g. digital signal processor (DSP), microcontrollers, field programmable gate array (FPGA), application specific integrated circuit (ASIC), etc.
- DSP digital signal processor
- FPGA field programmable gate array
- ASIC application specific integrated circuit
- Any computer-readable or machine-readable media described herein is intended to include non-transitory computer- or machine-readable media.
- Any computations or other forms of analysis described herein may be performed by a suitable computerized method. Any step described herein may be computer-implemented.
- the invention shown and described herein may include (a) using a computerized method to identify a solution to any of the problems or for any of the objectives described herein, the solution optionally include at least one of a decision, an action, a product, a service or any other information described herein that impacts, in a positive manner, a problem or objectives described herein; and (b) outputting the solution.
- the scope of the present invention is not limited to structures and functions specifically described herein and is also intended to include devices which have the capacity to yield a structure, or perform a function, described herein, such that even though users of the device may not use the capacity, they are, if they so desire, able to modify the device to obtain the structure or function.
- a system embodiment is intended to include a corresponding process embodiment.
- each system embodiment is intended to include a server-centered "view” or client centered “view”, or “view” from any other node of the system, of the entire functionality of the system, computer-readable medium, apparatus, including only those functionalities performed at that server or client or node.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Quality & Reliability (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- Mathematical Physics (AREA)
- Databases & Information Systems (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Storage Device Security (AREA)
Abstract
A system for continuous monitoring and controlling of file content and read/write access activity of an operational OS, comprising: • a splitter module, configured to maintain a duplicate of the operational OS files on a monitored storage medium, invisible to the operational OS; • a file-system detector module, running an independent, trusted OS. • a safe backup storage of the operational OS files. wherein both trusted OS and backup storage are completely detached from the operational OS and FS. [00101] The said system is configured to • monitor all operational OS read / write access requests that reach the splitter; • compare the content of the monitored storage medium to that of the backup storage; and • analyze said comparison to identify possible cyber security threats to the operational OS and FS.
Description
A SYSTEM AND METHOD FOR CONTINUOUS MONITORING AND CONTROL OF FILE-SYSTEM CONTENT AND ACCESS ACTIVITY
FIELD OF THE INVENTION
[0001] The presented invention generally relates to the field of computer system security, and specifically to the analysis and verification of actions applied to computer file systems.
DISCUSSION OF RELATED ART
[0002] The abundance of cyber threats is a well established fact that requires continuous effort from private computer users as well as from organizations, just to keep up with the ever evolving sophistication of computer hackers. The introduction of new types of malware, facilitating data theft and extortion calls for a new method of dealing with such relentless criminal acts.
[0003] Current security measures rely mainly on software-based tools for recognizing malware. Restoration of lost data is dependent on reliable backup that may or may not be employed by the targeted client.
[0004] A solution based on a combined hardware and software approach is required in order to:
monitor the functionality of the operational Operating System (OS);
identify and act in real time to suspected threats;
facilitate quick restoration of data; and
deny attackers any access to the OS files,
and to do so in a manner that does not constrain the operational OS in any way.
SUMMARY OF THE INVENTION
[0005] A system for continuous monitoring and controlling of file content and read/write access activity of an operational OS, comprising:
a splitter module, configured to maintain a duplicate of the operational OS files on a monitored storage medium, invisible to the operational OS;
a file-system detector module, running an independent, trusted OS.
a safe backup storage of the operational OS files.
wherein both trusted OS and backup storage are completely detached from the operational OS and FS.
[0006] The said system is configured to
monitor all operational OS read / write access requests that reach the splitter;
• compare the content of the monitored storage medium to that of the backup storage; and
• analyze said comparison to identify possible cyber security threats to the operational OS and FS.
The present invention provides a system for continuous monitoring and controlling of an operational operating system's (OS) read/write access requests, and contents of files related to said operational OS. The system comprising at least one of:
a splitter module, configured to perform the said operational OS read / write access requests so as to maintain a duplicate of the operational OS's filesystem (FS) on a monitored storage medium, invisible to the operational OS; a file-system detector module, running an independent trusted OS, completely detached from the operational OS and from the operational FS; and a safe backup storage of the operational OS files, completely detached from the operational OS; wherein said file- system detector module is configured to monitor all operational OS read / write access requests that reach the splitter; wherein said file-system detector module is configured to compare the content operational OS related files to equivalent files of the backup storage; wherein said file-system detector module is configured to analyze said comparison and identify cyber security threats to the operational OS and operational FS.
According to some embodiments of the present invention, the system further comprising :
a communication module designed to facilitate wired or wireless communication between components of the secured system and the file system detector module , which is external to the secured system.
[0007] According to some embodiments of the present invention the filesystem detector module interfaces several peripheral modules, and applies a plurality of security measures to protect the operational file system, stored on the operational
storage medium , wherein the filesystem detector module is invisible to the OS , accordingly neither external users, nor applications that are run on the OS machine can change anything on the filesystem detector module and its peripherals.
[0008] wherein the filesystem detector module monitors the content of the monitored storage medium according to a predefined policy, and compares the said monitored content, stored on the monitored storage medium , to data stored on the filesystem detector database .
[0009] According to some embodiments of the present invention the filesystem detector storage module 56 stores safe back-up copies of files stored on the operational storage medium 40A, including filesystem files and registry files, wherein the filesystem detector module 50 will invoke comparisons of important files stored on the monitored storage medium 40B.
[0010] According to some embodiments of the present invention the filesystem detector module further facilitates the capability to restore corrupted content on the operational storage medium 40A and / or on the monitored storage medium from the backup storage, stored on the filesystem detector storage module.
[0011] According to some embodiments of the present invention the system further comprising an anomaly detection module 80 detects anomalies in the contents of the operational storage medium 40A, and in the operational OS read/write access request patterns to it, wherein the anomaly detection module 80 notifies suspected anomalies to the filesystem detector module 50, which in turn may take security measures, wherein the security measures include at least one of : disabling specific applications' access to the operational FS, or emitting a notification message to system administrators
[0012] According to some embodiments of the present invention the filesystem detector module is located on the same machine as that of the secured system.
[0013] According to some embodiments of the present invention the filesystem detector module is external to the secured system and is associated to the secured system through a communication network via communications module.
[0014] According to some embodiments of the present invention the system the storage device splitter applies the following steps:
[0015] receives read/write access requests, originating from the operational OS, via the storage device controller;
[0016] reporting each such read/write access request from the storage device controller to the file system detector).
[0017] propagating write access requests to both the operational storage medium and to the monitored storage medium , thus maintaining a duplicate, redundant storage, similar to RAID hard drives;
[0018] propagating read access requests only to the operational storage medium , and returns read replies from the operational storage medium to the storage device controller.
[0019] According to some embodiments of the present inventionthe filesystem detector obtains its configuration from an administrator via the administrative interface, wherein the configuration include at least one of : Configuration of the anomaly detection module , in relation to the filesystem content and access policy, Configuration of the rule based action module in relation to suspected identified anomalies.
[0020] According to some embodiments of the present invention the filesystem detector manages the anomaly detection module according to the configuration obtained from the administrative interface , to produce at least one of the indication types.
[0021] the system of claim 1 wherein the Indication of unauthorized write access include at least one of;
[0022] Suspected unauthorized file encryption, as in the case of ransomeware , wherein a malware covertly encrypts files on a victim's machine, for the purpose of demanding payment to restore the affected files).
[0023] Suspected malicious changes made to important files in the filesystem, e.g. files of the root filesystem.
[0024] According to some embodiments of the present invention the filesystem detector commands the anomaly detection module 80 to compare the content of important files stored on the monitored storage medium with the content of equivalent files of the backup storage, safely stored on the filesystem detector storage
56 module.
[0025] According to some embodiments of the present invention the Filesystem detector applies further analysis to the patterns of filesystem access, and to the contents of files stored on the monitored storage medium , to produce higher-level indications of specific suspected threats.
[0026] According to some embodiments of the present invention the Filesystem detector acts on recommendations from the rule based action module , such that the recommendations include, at least one of : Changing file security properties ; restricting access of specific users and / or applications to the operational storage
medium, Storing copies of files that are suspected as being tampered with; and restoring files in the operational storage medium.
[0027] According to some embodiments of the present invention the filesystem detector module accumulates operative information in the file system detector database , including at least one of :Events of file content change, Events of file properties' change, User access details; and Details regarding suspected encountered threats.
[0028] The present invention provides a method for continuous monitoring and controlling of an operational operating system's (OS) read/write access requests, and contents of files related to said operational OS. The method comprising at least one of:
a. Performing by a splitter module, said operational OS read / write access requests so as to maintain a duplicate of the operational OS's filesystem (FS) on a monitored storage medium, invisible to the operational OS;
b. a safe backup storage of the operational OS files, completely detached from the operational OS; c. monitoring by a file-system detector module, all operational OS read / write access requests that reach the splitter d. comparing a file-system detector module the content operational OS related files to equivalent files of the backup storage; e. analyzing s a file-system detector module aid comparison and identify cyber security threats to the operational OS and operational FS
f. wherein file-system detector module is running an independent trusted OS, completely detached from the operational OS and from the operational FS;.
[0029] According to some embodiments of the present invention the method further comprising the step of storing safe back-up copies of files stored on the operational
storage medium , including filesystem files and registry files, wherein the filesystem detector module is invoking comparisons of important files stored on the monitored storage medium 40B.
[0030] According to some embodiments of the present invention the method further comprising the step of facilitating the capability to restore corrupted content on the operational storage medium and / or on the monitored storage medium from the backup storage, stored on the filesystem detector storage module
[0031] According to some embodiments of the present invention the method further comprising the step of detecting anomalies in the contents of the operational storage medium , and in the operational OS read/write access request patterns to it, wherein the anomaly detection module 80 notifies suspected anomalies to the filesystem detector module 50, which in turn may take security measures, wherein the security measures include at least one of : disabling specific applications' access to the operational FS, or emitting a notification message to system administrators
[0032] According to some embodiments of the present invention the method further the following steps:
[0033] receiving read/write access requests, originating from the operational OS, via the storage device controller.
[0034] reporting each such read/write access request from the storage device controller to the file system detector;
[0035] propagating write access requests to both the operational storage medium and to the monitored storage medium , thus maintaining a duplicate, redundant storage, similar to RAID hard drives;
[0036] propagating read access requests only to the operational storage medium and returns read replies from the operational storage medium to the storage device controller.
[0037] According to some embodiments of the present invention the method further comprising the step of obtaining its configuration from an administrator via the administrative interface, wherein the configuration include at least one of : Configuration of the anomaly detection module 80, in relation to the filesystem content and access policy, Configuration of the rule based action module , in relation to suspected identified anomalies.
[0038] According to some embodiments of the present invention the method further comprising the step of managing the anomaly detection module 80 according to the configuration obtained from the administrative interface to produce at least one of the indication types.
[0039] According to some embodiments of the present invention the Indication of unauthorized write access include at least one of:
[0040] Suspected unauthorized file encryption, as in the case of ransomeware wherein a malware covertly encrypts files on a victim's machine, for the purpose of demanding payment to restore the affected files.
[0041] Suspected malicious changes made to important files in the filesystem, e.g. files of the root filesystem.
[0042] According to some embodiments of the present invention the method further comprising the step of comparing the content of important files root filesystem files, stored on the monitored storage medium with the content of equivalent files of the backup storage, safely stored on the filesystem detector storage module.
[0043] According to some embodiments of the present invention the method further comprising the step of analyzing to the patterns of filesystem access, and to the contents of files stored on the monitored storage medium , to produce higher-level indications of specific suspected threats.
[0044] According to some embodiments of the present invention the method further comprising the step of accumulating operative information in the file system detector database including at least one of :Events of file content change, Events of file properties' change, User access details; and Details regarding suspected encountered threats
BRIEF DESCRIPTION OF THE DRAWINGS
[0045] Figure 1A presents an overall view of the filesystem access monitoring and control system 1000 and its components according to one embodiment of the present invention.
[0046] Figure IB presents an overall view of the filesystem access monitoring and control system 1000 and its components according to another embodiment of the present invention.
[0047] Figure 2 presents a flow diagram depicting the normal functionality of the storage device splitter 30.
[0048] Figures 3A and 3B jointly present a flow diagram depicting the functionality of the File system detector 50 during normal work mode, according to one embodiment of the present invention.
[0049] Figure 4 presents a flow diagram depicting the functionality of the rule- based action module 70, according to one embodiment of the present invention.
[0050] Figure 5 presents a flow diagram depicting the functionality of the anomaly detection module 80 according to one embodiment of the present invention.
DETAILED DESCRIPTION OF SOME EMBODIMENTS OF THE INVENTION
[0051] Before explaining at least one embodiment of the invention in detail, it is to be understood that the invention is not limited in its application to the details of construction and the arrangement of the components set forth in the following description or illustrated in the drawings. The invention is applicable to other embodiments or of being practiced or carried out in various ways. Also, it is to be understood that the phraseology and terminology employed herein is for the purpose of description and should not be regarded as limiting.
[0052] Following is a table of definitions of the terms used throughout this application.
DESCRIPTION OF THE DRAWINGS
[0053] Figure 1A presents an overall view of the filesystem access monitoring and control system 1000 and its components according to one embodiment of the present invention.
[0054] The system 1000 encompasses the secured 100 system, upon which filesystem access monitoring is applied. The secured 100 system is comprised of at least one of the following:
An operational operating system (OS) 10, accommodating the execution of a software application, and implementing write and read actions to an operational storage medium 40A
A storage device controller 20, transferring the OS 10 read / write access requests to the operational storage medium 40A.
An operational storage medium 40A (e.g. a hard disk), which stores the OS 10 operational filesystem, as well as data written during OS 10 write access cycles. The operational storage medium 40A also retrieves stored data during read access cycles upon request of the OS 10.
A monitored storage medium 40B (e.g. a hard disk), which holds a duplicated copy of the data stored on the operational storage medium 40A.
A storage device splitter, which:
Applies write actions on both storage media 40A and 40B, effectively duplicating the written data onto the two storage devices, and
Retrieves read information from the operational storage medium 40A towards the OS 10.
A communication module 90, designed to facilitate wired or wireless communication between components of the secured system (e.g. the monitored storage medium 40B and the splitter 30) and the file system detector module 50, which is external to the secured system 100.
[0055] The filesystem detector module 50 is the hub of the filesystem access monitoring and control system 1000. It runs an independent, trusted operating system
51, completely detached from the operational OS 10 and from the operational filesystem stored on the operational storage medium 40A.
[0056] According this embodiment the filesystems detector 50 is external to the secured system and is associated to the secured systems through a communication network via communications module 90.
[0057] The filesystem detector module 50 interfaces several peripheral modules, and applies a plurality of security measures to protect the operational file system, stored on the operational storage medium 40A.
The filesystem detector module 50 is invisible to the OS 10, and hence neither external users, nor applications that are run on the OS 10 machine may change anything on the filesystem detector module 50 and its peripherals.
The filesystem detector module 50 is configurable via a secure administrative interface 60. It subsequently configures the rule based action 70 and anomaly detection 80 modules.
The filesystem detector module 50 monitors the content of the monitored storage medium 40B according to a predefined policy, dictated by the administrative interface 60. It compares the said monitored content, stored on the monitored storage medium 40B, to data stored on the filesystem detector database 55.
The filesystem detector module 50 follows the read / write actions applied to the operational storage medium 40A, according to a predefined policy, dictated by the administrative interface 60.
[0058] According to some embodiments, the filesystem detector storage module 56 stores safe back-up copies of files stored on the operational storage medium 40A, including for example filesystem files, registry files, BIOS files etc. This safe copy is henceforth referred to as the "Backup storage". During system operation, the filesystem detector module 50 will invoke comparisons of important files stored on the monitored storage medium 40B (which are duplicates of the operational storage medium 40A) with equivalent files of the backup storage, stored on the filesystem detector storage module 56, to detect anomalies.
[0059] According to some embodiments, the filesystem detector module 50 further facilitates the capability to restore corrupted content on the operational storage medium 40A and / or on the monitored storage medium 40B from the backup storage, stored on the filesystem detector storage module 56.
[0060] The anomaly detection module 80 detects anomalies in the contents of the operational storage medium 40A, and in the operational OS read/write access request patterns to it. The anomaly detection module 80 notifies suspected anomalies to the filesystem detector module 50, which in turn may take security measures. Examples for such security measures are: disabling specific applications' access to the operational FS, or emitting a notification message to system administrators.
[0061] Figure IB presents an overall view of the filesystem access monitoring and control system 1000 and its components according to another embodiment of the present invention. The difference between the two embodiments depicted in figures 1A and IB is in the location of the filesystem detector module 50 and its peripherals: Figure IB depicts a special case in which the filesystem detector module 50 is located on the same machine as that of the secured system 100.
[0062] The embodiment depicted in figure IB renders the communication module 90 redundant. It also raises certain requirements for security configurations, in order to keep the filesystem detector module 50 and its peripherals (51, 55, 56, 60, 70 and 80) invisible to the OS 10 and the applications it runs.
[0063] Figure 2 presents a flow diagram depicting the functionality of the storage device splitter 30.
[0064] The storage device splitter 30 receives read/write access requests, originating from the operational OS 10, via the storage device controller 20 (step 310).
[0065] The storage device splitter 30 reports each such read/write access request from the storage device controller 20 to the file system detector 50 (step 320).
[0066] The storage device splitter 30 propagates write access requests to both the operational storage medium 40A and to the monitored storage medium 40B, thus maintaining a duplicate, redundant storage, similar to RAID hard drives (step 330).
[0067] The storage device splitter 30 propagates read access requests only to the operational storage medium 40A (step 340), and returns read replies from the operational storage medium 40A to the storage device controller 20 (step 350).
[0068] Figures 3A and 3B jointly present a flow diagram depicting the functionality of the filesystem detector module 50 during normal work mode, according to one embodiment of the present invention.
[0069] The filesystem detector 50 obtains its configuration from an administrator via the administrative interface 60 (step 510). This configuration includes at least one of the following:
Configuration of the anomaly detection module 80, in relation to the filesystem content and access policy. For example, the administrator may set rules relating to serial read actions from specific directories on the operational storage medium 40A. This would detect systematic file scanning of the operational FS, characteristic of attempts to perform industrial espionage.
Configuration of the rule based action module 70, in relation to suspected identified anomalies. Pertaining to the same example, the administrator may set a rule to dictate that upon detection of a file scanning attempt, specific users and applications should be restricted from accessing the operational file system on the operational storage medium 40 A.
[0070] The filesystem detector module 50 receives activity indications (i.e. operational OS read / write access requests) from the storage device splitter 30. It propagates the said indications to the anomaly detection module 80 for analysis (step 515).
[0071] The filesystem detector 50 manages the anomaly detection module 80 according to the configuration obtained from the administrative interface 60 (step
520), to produce at least one of the indication types elaborated below:
[0072] Indications of unauthorized read access (step 525), e.g.:
Suspected information theft; for example when specific files are copied to another storage module, uploaded onto a remote server or sent via email.
Suspected file scanning, i.e. when a user or an application systematically accesses specific files, for malicious purpose (e.g. industrial espionage).
[0073] Indication of unauthorized write access (step 530), e.g.:
Suspected unauthorized file encryption, as in the case of ransomeware (i.e. malware that covertly encrypts files on a victim's machine, for the purpose of demanding payment to restore the affected files).
Suspected malicious changes made to important files in the filesystem, e.g. files of the root filesystem.
Suspected malicious changes made to the system registry.
[0074] According to some embodiments, the filesystem detector 50 commands the anomaly detection module 80 to compare the content of important files (e.g. root filesystem files, registry files, BIOS etc) stored on the monitored storage medium 40B with the content of equivalent files of the backup storage, safely stored on the
filesystem detector storage 56 module (step 535). This comparison may be invoked periodically, or triggered by a write action, as dictated by the administrator's configuration.
[0075] As described above, the filesystem detector module 50 accesses the monitored storage medium 40B, rather than the operational storage medium 40A for the said comparison. This method is beneficial in two aspects:
The operational OS 10 performance is not hindered by read cycles of the operational storage medium 40A, and
The OS 10, as well as the applications and users who employ it are unaware of the comparison process, as the monitored storage medium 40B is invisible to them.
[0076] Indication of Malware activity (step 540):
The Filesystem detector 50 applies further analysis to the patterns of filesystem access, and to the contents of files stored on the monitored storage medium 40B, to produce higher- level indications of specific suspected threats. Such suspected threats include for example, Advanced Persistent Threats (APT) and Root-kit malware.
[0077] The Filesystem detector 50 manages the rule based action module 70 according to the configuration obtained from the administrative interface 60 (step 545).
[0078] The Filesystem detector 50 acts on recommendations from the rule based action module 70 (step 550). Such recommendations include, for example:
Changing file security properties;
Restricting access of specific users and / or applications to the operational storage medium 40 A;
Storing copies of files that are suspected as being tampered with; and
Restoring files in the operational storage medium 40A.
[0079] The Filesystem detector 50 provides online indications (e.g. alerts, warnings, and notifications) to system administrators over the administrative interface 60 (step 555). For example, it may indicate that an important file on the operational storage medium 40A is suspected of being corrupted, and suggest restoring it from the backup storage on the file system detector storage 56.
[0080] The filesystem detector module 50 accumulates operative information in the file system detector database 55 (step 560). This information includes, for example: Events of file content change;
Events of file properties' (e.g. authorization, encryption) change;
User access details; and
Details regarding suspected encountered threats (e.g.: suspected malicious users or applications).
According to one embodiment, the filesystem detector module 50 keeps dedicated logs files, elaborating the different actions and occurrences performed on the operational file system 40A.
[0081] Figure 4 presents a flow diagram depicting the functionality of the rule- based action module 70, according to one embodiment of the present invention.
[0082] The rule-based action module 70 obtains its configuration from the administrative interface 60 via the file system detector 50 module (step 710).
[0083] The rule-based action module 70 obtains indications of suspected anomalies from the Anomaly detection module 80 (step 720).
[0084] The rule-based action module 70 produces recommendations for actions to the file system detector 50, in respect to the indicated suspected anomalies (step 730).
For example, the rule-based action module 70 may recommend to:
Restrict the access of specific users and/or applications to the Storage medium 40A filesystem;
Restore specific files in the operational storage medium 40A;
Restore the entire content of the Operational Storage medium 40A; and
Do nothing, to mislead hackers to think they have got the best of the system.
[0085] Figure 5 presents a flow diagram depicting the functionality of the anomaly detection module 80 according to one embodiment of the present invention.
[0086] The anomaly detection module 80 obtains its configuration from the administrative interface 60 via the file system detector module 50 (step 810). It analyzes changes made to the system registry by reading files (e.g. FS files, registry files and BIOS) on the monitored storage medium 40B (step 820). It may perform a comparison with equivalent files of the back-up storage, stored on the file system detector storage module 56 to assist in this analysis. This comparison may be invoked periodically, or triggered by a write action, as dictated by the administrator's
configuration. Accessing the monitored storage medium 40B, rather than the operational storage medium 40A for the said comparison is beneficial in two aspects: The system's performance is not hindered by read cycles of the operational storage medium 40A, and
The OS 10, as well as the applications and users who employ it are unaware of the comparison process, as the monitored storage medium 40B is invisible to them.
[0087] The anomaly detection module 80 analyzes changes made to important files, e.g.: root filesystem files (step 830). It may perform a comparison with equivalent files of the backup storage, stored on the file system detector Storage module 56 to assist in this analysis, as described above. Following are several examples to scenarios in which this comparison facilitates the maintenance of the system's cyber security: The activity of drivers and executable files is monitored to detect malicious software that creates intermediate drivers on the NTFS file system, designed to hide the malicious software's files and activities.
Malicious changes in a network driver may cause the exfiltration of communication packets, without being detected by any system utility.
Hiding of malicious content on the file system may be accomplished, for example, by adding malicious add-ons to the explorer.exe process, designed to hide specific malicious files from the user or the OS. Comparing the contents of the two file systems serves to detect such malicious add-ons, and subsequently reveal files that are hidden from the OS 10.
Identifying hidden malicious tools designed to alter the boot process. For example: an infected BIOS which injects malicious code through the Master Boot Record (MBR) to a Windows OS kernel during the boot process.
Protection against ransomware (e.g. CryptoLocker) attacks by:
identifying the heuristics of file encryption activity, including file partitioning (a common activity of ransomware type malware is to partition the file before encryption), and
Identifying files that have been purged, or have had their data altered (e.g. by writing O's)
Recommending to the Filesystem detector 50 to perform an immediate back-up of all unencrypted files .
[0088] The anomaly detection module 80 analyzes the read and write access activity patterns of specific users (step 840) and applications (step 850). Specific read / write patterns may be consistent with forms of malware, or malicious user behavior. For example, systematic reading of specific files may indicate file scanning for the purpose of industrial espionage.
[0089] The anomaly detection module 80 analyzes activity on the OS 10 level (step 860), including at least part of:
Firmware changes,
System logins,
Software installation, updates and file changes, and
Connection of external mass storage devices (which creates records on the operating system, which can be detected on the file system).
It does so in a non intrusive manner, i.e. without requiring any installation of software, or change in the original OS 10 software.
[0090] The anomaly detection module 80 produces anomaly indications according to the said analyzed information (step 870). For example, these indications may include:
Suspicious conduct of specific applications or users
Suspicious content of important files
[0091] The anomaly detection module 80 propagates the said indications to the filesystem detector module 50 and the rule based action 70 module.
[0092] According to some embodiments, the anomaly detection module 80 further analyzes suspected anomalies (step 880). This analysis may produce higher-layer indications of specific threats, e.g.:
Suspected information theft;
Suspected File system scanning; and
Suspected unauthorized encryption of files in the operational file system.
The anomaly detection module 80 propagates the said indications to the filesystem detector module 50 and to the rule based action 70 module, to act upon the suspected threats.
[0093] The system of the present invention may include, according to certain embodiments of the invention, machine readable memory containing or otherwise storing a program of instructions which, when executed by the machine, implements
some or all of the apparatus, methods, features and functionalities of the invention shown and described herein. Alternatively or in addition, the apparatus of the present invention may include, according to certain embodiments of the invention, a program as above which may be written in any conventional programming language, and optionally a machine for executing the program such as but not limited to a general purpose computer which may optionally be configured or activated in accordance with the teachings of the present invention. Any of the teachings incorporated herein may wherever suitable operate on signals representative of physical objects or substances.
[0094] Unless specifically stated otherwise, as apparent from the following discussions, it is appreciated that throughout the specification discussions, utilizing terms such as, "processing", "computing", "estimating", "selecting", "ranking", "grading", "calculating", "determining", "generating", "reassessing", "classifying", "generating", "producing", "stereo-matching", "registering", "detecting", "associating", "superimposing", "obtaining" or the like, refer to the action and/or processes of a computer or computing system, or processor or similar electronic computing device, that manipulate and/or transform data represented as physical, such as electronic, quantities within the computing system's registers and/or memories, into other data similarly represented as physical quantities within the computing system's memories, registers or other such information storage, transmission or display devices. The term "computer" should be broadly construed to cover any kind of electronic device with data processing capabilities, including, by way of non-limiting example, personal computers, servers, computing system, communication devices, processors (e.g. digital signal processor (DSP), microcontrollers, field programmable gate array (FPGA), application specific integrated circuit (ASIC), etc.) and other electronic computing devices.
[0095] The present invention may be described, merely for clarity, in terms of terminology specific to particular programming languages, operating systems, browsers, system versions, individual products, and the like. It will be appreciated that this terminology is intended to convey general principles of operation clearly and briefly, by way of example, and is not intended to limit the scope of the invention to any particular programming language, operating system, browser, system version, or individual product.
[0096] It is appreciated that software components of the present invention including programs and data may, if desired, be implemented in ROM (read only memory) form including CD-ROMs, EPROMs and EEPROMs, or may be stored in any other suitable typically non-transitory computer-readable medium such as but not limited to disks of various kinds, cards of various kinds and RAMs. Components described herein as software may, alternatively, be implemented wholly or partly in hardware, if desired, using conventional techniques. Conversely, components described herein as hardware may, alternatively, be implemented wholly or partly in software, if desired, using conventional techniques.
[0097] Included in the scope of the present invention, inter alia, are electromagnetic signals carrying computer-readable instructions for performing any or all of the steps of any of the methods shown and described herein, in any suitable order; machine- readable instructions for performing any or all of the steps of any of the methods shown and described herein, in any suitable order; program storage devices readable by machine, tangibly embodying a program of instructions executable by the machine to perform any or all of the steps of any of the methods shown and described herein, in any suitable order; a computer program product comprising a computer useable medium having computer readable program code, such as executable code, having embodied therein, and/or including computer readable program code for performing, any or all of the steps of any of the methods shown and described herein, in any suitable order; any technical effects brought about by any or all of the steps of any of the methods shown and described herein, when performed in any suitable order; any suitable apparatus or device or combination of such, programmed to perform, alone or in combination, any or all of the steps of any of the methods shown and described herein, in any suitable order; electronic devices each including a processor and a cooperating input device and/or output device and operative to perform in software any steps shown and described herein; information storage devices or physical records, such as disks or hard drives, causing a computer or other device to be configured so as to carry out any or all of the steps of any of the methods shown and described herein, in any suitable order; a program pre-stored e.g. in memory or on an information network such as the Internet, before or after being downloaded, which embodies any or all of the steps of any of the methods shown and described herein, in any suitable order, and the method of uploading or downloading such, and a system including server/s and/or client/s for using such; and hardware which performs any or
all of the steps of any of the methods shown and described herein, in any suitable order, either alone or in conjunction with software. Any computer-readable or machine-readable media described herein is intended to include non-transitory computer- or machine-readable media.
[0098] Any computations or other forms of analysis described herein may be performed by a suitable computerized method. Any step described herein may be computer-implemented. The invention shown and described herein may include (a) using a computerized method to identify a solution to any of the problems or for any of the objectives described herein, the solution optionally include at least one of a decision, an action, a product, a service or any other information described herein that impacts, in a positive manner, a problem or objectives described herein; and (b) outputting the solution.
[0099] The scope of the present invention is not limited to structures and functions specifically described herein and is also intended to include devices which have the capacity to yield a structure, or perform a function, described herein, such that even though users of the device may not use the capacity, they are, if they so desire, able to modify the device to obtain the structure or function.
[00100] Features of the present invention which are described in the context of separate embodiments may also be provided in combination in a single embodiment. For example, a system embodiment is intended to include a corresponding process embodiment. Also, each system embodiment is intended to include a server-centered "view" or client centered "view", or "view" from any other node of the system, of the entire functionality of the system, computer-readable medium, apparatus, including only those functionalities performed at that server or client or node.
Claims
1. A system for continuous monitoring and controlling of an operational operating system's (OS) read/write access requests, and contents of files related to said operational OS, said system comprising at least one of:
a splitter module, configured to perform the said operational OS read / write access requests so as to maintain a duplicate of the operational OS's filesystem (FS) on a monitored storage medium, invisible to the operational OS; a file-system detector module, running an independent trusted OS, completely detached from the operational OS and from the operational FS; and a safe backup storage of the operational OS files, completely detached from the operational OS; wherein said file- system detector module is configured to monitor all operational OS read / write access requests that reach the splitter; wherein said file-system detector module is configured to compare the content operational OS related files to equivalent files of the backup storage; wherein said file-system detector module is configured to analyze said comparison and identify cyber security threats to the operational OS and operational FS.
2. The system of claim 1 further comprising :
a communication module designed to facilitate wired or wireless communication between components of the secured system and the file system detector module , which is external to the secured system.
3. The system of claim wherein the filesystem detector module interfaces several peripheral modules, and applies a plurality of security measures to protect the operational file system, stored on the operational storage medium , wherein the filesystem detector module is invisible to the OS , accordingly neither external users,
nor applications that are run on the OS machine can change anything on the filesystem detector module and its peripherals.
wherein the filesystem detector module monitors the content of the monitored storage medium according to a predefined policy, and compares the said monitored content, stored on the monitored storage medium , to data stored on the filesystem detector database .
4. The system of claim 1 wherein the filesystem detector storage module 56 stores safe back-up copies of files stored on the operational storage medium 40A, including filesystem files and registry files, wherein the filesystem detector module will invoke comparisons of important files stored on the monitored storage medium 40B.
5. The system of claiml wherein the filesystem detector module further facilitates the capability to restore corrupted content on the operational storage medium and / or on the monitored storage medium from the backup storage, stored on the filesystem detector storage module.
6. The system of claim 1 further comprising an anomaly detection module 80 detects anomalies in the contents of the operational storage medium , and in the operational OS read/write access request patterns to it, wherein the anomaly detection module 80 notifies suspected anomalies to the filesystem detector module which in turn may take security measures, wherein the security measures include at least one of : disabling specific applications' access to the operational FS, or emitting a notification message to system administrators.
7. The system of claim 1 wherein the filesystem detector module is located on the same machine as that of the secured system.
8. The system of claim 1 wherein the filesystem detector module is external to the secured system and is associated to the secured system through a communication network via communications module.
9. The system of claim 1 wherein the storage device splitter applies the following steps:
receives read/write access requests, originating from the operational OS, via the storage device controller;
reporting each such read/write access request from the storage device controller to the file system detector).
propagating write access requests to both the operational storage medium and to the monitored storage medium , thus maintaining a duplicate, redundant storage, similar to RAID hard drives;
propagating read access requests only to the operational storage medium , and returns read replies from the operational storage medium to the storage device controller.
10. The system of claim 1 wherein the filesystem detector obtains its configuration from an administrator via the administrative interface, wherein the configuration include at least one of : Configuration of the anomaly detection module , in relation to the filesystem content and access policy, Configuration of the rule based action module in relation to suspected identified anomalies.
11. The system of claim 1 wherein the filesystem detector manages the anomaly detection module according to the configuration obtained from the administrative interface , to produce at least one of the indication types.
12. The system of claim 1 wherein the Indication of unauthorized write access include at least one of
Suspected unauthorized file encryption, as in the case of ransomeware, wherein a malware covertly encrypts files on a victim's machine, for the purpose of demanding payment to restore the affected files).
Suspected malicious changes made to important files in the filesystem, e.g. files of the root filesystem.
13. The system of claim 1 wherein the filesystem detector commands the anomaly detection module 80 to compare the content of important files stored on the monitored storage medium with the content of equivalent files of the backup storage, safely stored on the filesystem detector storage 56 module.
14. The systems of claim 1 wherein the Filesystem detector applies further analysis to the patterns of filesystem access, and to the contents of files stored on the monitored storage medium , to produce higher-level indications of specific suspected threats.
15. The system of claim 1 wherein the Filesystem detector acts on recommendations from the rule based action module, such that the recommendations include, at least one of : Changing file security properties ; restricting access of specific users and / or applications to the operational storage medium, Storing copies of files that are suspected as being tampered with; and restoring files in the operational storage medium.
16. The system of claim 1 wherein the filesystem detector module accumulates operative information in the file system detector database, including at least one of :Events of file content change, Events of file properties' change, User access details; and Details regarding suspected encountered threats.
17. A method for continuous monitoring and controlling of an operational operating system's (OS) read/write access requests, and contents of files related to said operational OS, said method comprising at least one of:
Performing by a splitter module, said operational OS read / write access requests so as to maintain a duplicate of the operational OS's filesystem (FS) on a monitored storage medium, invisible to the operational OS; a safe backup storage of the operational OS files, completely detached from the operational OS; monitoring by a file-system detector module, all operational OS read / write access requests that reach the splitter comparing a file-system detector module the content operational OS related files to equivalent files of the backup storage; analyzing s a file- system detector module aid comparison and identify cyber security threats to the operational OS and operational FS
wherein file-system detector module is running an independent trusted OS, completely detached from the operational OS and from the operational FS;.
18. The method of claim 17 further comprising the step of storing safe back-up copies of files stored on the operational storage medium , including filesystem files and registry files, wherein the filesystem detector module is invoking comparisons of important files stored on the monitored storage medium 40B.
19. The method of claim 17 further comprising the step of facilitating the capability to restore corrupted content on the operational storage medium and / or on the monitored storage medium from the backup storage, stored on the filesystem detector storage module.
20. The method of claim 17 further comprising the step of detecting anomalies in the contents of the operational storage medium , and in the operational OS read/write access request patterns to it, wherein the anomaly detection module 80 notifies suspected anomalies to the filesystem detector module which in turn may take security measures, wherein the security measures include at least one of : disabling specific applications' access to the operational FS, or emitting a notification message to system administrators.
21. The method of claim 17 further the following steps:
receiving read/write access requests, originating from the operational OS, via the storage device controller.
reporting each such read/write access request from the storage device controller to the file system detector;
propagating write access requests to both the operational storage medium and to the monitored storage medium , thus maintaining a duplicate, redundant storage, similar to RAID hard drives;
propagating read access requests only to the operational storage medium and returns read replies from the operational storage medium to the storage device controller.
22. The method of claim 17 further comprising the step of obtaining its configuration from an administrator via the administrative interface, wherein the configuration
include at least one of : Configuration of the anomaly detection module 80, in relation to the filesystem content and access policy, Configuration of the rule based action module , in relation to suspected identified anomalies.
23. The method of claim 1 further comprising the step of managing the anomaly detection module 80 according to the configuration obtained from the administrative interface to produce at least one of the indication types.
24 The method of claim 17 wherein the Indication of unauthorized write access include at least one of:
Suspected unauthorized file encryption, as in the case of ransomeware wherein a malware covertly encrypts files on a victim's machine, for the purpose of demanding payment to restore the affected files.
Suspected malicious changes made to important files in the filesystem, e.g. files of the root filesystem.
25. The method of claim 17 further comprising the step of comparing the content of important files root filesystem files, stored on the monitored storage medium with the content of equivalent files of the backup storage, safely stored on the filesystem detector storage module.
26. The method of claim 17 further comprising the step of analyzing to the patterns of filesystem access, and to the contents of files stored on the monitored storage medium, to produce higher-level indications of specific suspected threats.
27. The method of claim 17 further comprising the step of accumulating operative information in the file system detector database including at least one of: Events of file content change, Events of file properties' change, User access details; and Details regarding suspected encountered threats.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201762516788P | 2017-06-08 | 2017-06-08 | |
US62/516,788 | 2017-06-08 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2018225070A1 true WO2018225070A1 (en) | 2018-12-13 |
Family
ID=64567273
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/IL2018/050619 WO2018225070A1 (en) | 2017-06-08 | 2018-06-07 | A system and method for continuous monitoring and control of file-system content and access activity |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2018225070A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US12093414B1 (en) * | 2019-12-09 | 2024-09-17 | Amazon Technologies, Inc. | Efficient detection of in-memory data accesses and context information |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150113662A1 (en) * | 2013-10-17 | 2015-04-23 | MB connect line GmbH Fernwartungssysteme | Backup System for enhancing the security of information technological control facilities |
US9672117B1 (en) * | 2014-12-29 | 2017-06-06 | EMC IP Holding Company LLC | Method and system for star replication using multiple replication technologies |
-
2018
- 2018-06-07 WO PCT/IL2018/050619 patent/WO2018225070A1/en active Application Filing
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150113662A1 (en) * | 2013-10-17 | 2015-04-23 | MB connect line GmbH Fernwartungssysteme | Backup System for enhancing the security of information technological control facilities |
US9672117B1 (en) * | 2014-12-29 | 2017-06-06 | EMC IP Holding Company LLC | Method and system for star replication using multiple replication technologies |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US12093414B1 (en) * | 2019-12-09 | 2024-09-17 | Amazon Technologies, Inc. | Efficient detection of in-memory data accesses and context information |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11562089B2 (en) | Interface for network security marketplace | |
US11797684B2 (en) | Methods and systems for hardware and firmware security monitoring | |
Kharraz et al. | Redemption: Real-time protection against ransomware at end-hosts | |
US10397230B2 (en) | Service processor and system with secure booting and monitoring of service processor integrity | |
US10528740B2 (en) | Securely booting a service processor and monitoring service processor integrity | |
US10430591B1 (en) | Using threat model to monitor host execution in a virtualized environment | |
US12041067B2 (en) | Behavior detection and verification | |
US11290492B2 (en) | Malicious data manipulation detection using markers and the data protection layer | |
US9455955B2 (en) | Customizable storage controller with integrated F+ storage firewall protection | |
Hirano et al. | RanSAP: An open dataset of ransomware storage access patterns for training machine learning models | |
US8533818B1 (en) | Profiling backup activity | |
US11625488B2 (en) | Continuous risk assessment for electronic protected health information | |
US20090144545A1 (en) | Computer system security using file system access pattern heuristics | |
EP3501158B1 (en) | Interrupt synchronization of content between client device and cloud-based storage service | |
CA2874489A1 (en) | Methods and apparatus for identifying and removing malicious applications | |
US8910283B1 (en) | Firmware-level security agent supporting operating system-level security in computer system | |
Pennington et al. | Storage-based intrusion detection | |
Roy et al. | Secure the cloud: From the perspective of a service-oriented organization | |
Kardile | Crypto ransomware analysis and detection using process monitor | |
Alzahrani et al. | Ransomware in windows and android platforms | |
RU2583714C2 (en) | Security agent, operating at embedded software level with support of operating system security level | |
WO2018225070A1 (en) | A system and method for continuous monitoring and control of file-system content and access activity | |
Karanam | Ransomware Detection Using Windows API Calls and Machine Learning | |
Flatley | Rootkit Detection Using a Cross-View Clean Boot Method | |
US20230229792A1 (en) | Runtime risk assessment to protect storage systems from data loss |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 18813849 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 18813849 Country of ref document: EP Kind code of ref document: A1 |