WO2021066257A1 - Method and system for efficient ransomware detection using a Bloom filter

Method and system for efficient ransomware detection using a Bloom filter

Info

Publication number
WO2021066257A1
Authority
WO
WIPO (PCT)
Prior art keywords
ransomware
read request
bloom
logical block
block address
Prior art date
Application number
PCT/KR2019/018794
Other languages
English (en)
Korean (ko)
Inventor
양대헌
김정현
정창훈
Original Assignee
인하대학교 산학협력단
이화여자대학교 산학협력단
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 인하대학교 산학협력단, 이화여자대학교 산학협력단
Publication of WO2021066257A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Definitions

  • The description below relates to a technology for efficiently detecting ransomware, which has been a continuing problem.
  • Ransomware is a malicious program that encrypts valuable files such as photos, programs, and business data on the user's desktop, renders them unusable, and then demands payment for decryption. It first appeared in 1989 and began to reappear in 2005. Recently, the types of ransomware have multiplied, attack methods have diversified, and the number of victims and the damage continue to increase. Since it can attack not only individuals and companies but also public institutions and countries, it can cause great social confusion, so ransomware must be prevented through thorough management and a rapid detection and recovery system.
  • A ransomware detection technology has been proposed that collects read and write request information for logical block addresses (LBAs) at the block layer and detects ransomware using the frequency of overwrites to an LBA after that LBA has been read.
  • In that technology, all read LBAs are stored using one hash table per second, and when a write request for an LBA is received, all n hash tables are checked.
  • Six feature values, such as the frequency of overwrite occurrence and the average number of writes, are collected every second, and a binary decision tree determines whether ransomware is suspected in that second. If the accumulated suspicion exceeds a certain threshold, it is finally determined that ransomware is running.
  • Although the conventional technology is safe from ransomware attacks, it has the disadvantage of large memory usage and long execution time.
  • The ransomware detection method performed by the ransomware detection system includes: storing, in a Bloom filter, the logical block address of a read request generated in a NAND flash memory; when a write request occurs in the NAND flash memory, checking whether an overwrite has occurred in the Bloom filter in which the logical block address of the read request is stored; and, when it is determined that the overwrite has occurred in the Bloom filter, detecting whether ransomware is active using the feature values used for ransomware detection.
  • The storing step may include generating a plurality of Bloom filters, each having a bit array.
  • To add an element related to the logical block address of the read request, k hash values are calculated using the same k hash functions in each of the plurality of Bloom filters, and all bits corresponding to each calculated hash value are set to 1.
  • To check the element related to the logical block address of the write request, the k hash values are calculated with the same k hash functions, and it is checked in each of the plurality of Bloom filters whether all bits corresponding to each calculated hash value are 1.
  • The ransomware detection method may store the logical block address of the read request in the Bloom filter and perform a specific process on the Bloom filter in order to control the execution speed of checking whether the overwrite has occurred.
  • The performing step may include performing the element check at the same k bit positions in each of the plurality of Bloom filters, and storing, in an integer two-dimensional array of size k × block length, the hash values calculated with the k hash functions for each of the block-length addresses of the logical block address range.
  • The performing step may include non-cryptographic hashing, in which the k hash values are obtained with a non-cryptographic hash function both when adding an element to the Bloom filter and when performing the element check.
  • The storing may include, as a read request occurs in the NAND flash memory, collecting the time, start address, and size of the read request, and storing the logical block address (LBA) of the read request in the Bloom filter based on the collected time information.
  • The storing may include storing the logical block address of the read request in the Bloom filter based on a preset time range, and, when the read request falls outside the preset time range, storing it in the Bloom filter following the current one.
  • The step of checking whether the overwrite has occurred may include, as a write request occurs in the NAND flash memory, collecting the start address and size of the write request, and examining, among the plurality of Bloom filters, whether any Bloom filter contains the logical block address of the read request.
  • The detecting whether the ransomware is active may include determining that an overwrite has occurred when there is a Bloom filter containing the logical block address of the read request.
  • The feature values may include OWIO, indicating the number of overwrites that occurred during a predefined time slice; OWST, indicating the ratio of overwrites to the total number of write requests (blocks) that occurred during a time window made up of time slices; PWIO, indicating the number of overwrites that occurred during the time window; AVGWIO, indicating the average length of continuously overwritten blocks in the current time window; OWSLOPE, indicating the ratio between the average number of overwrites in the previous time window and the number of overwrites in the current time slice; and a feature indicating the ratio of the average number of writes in the previous time slice to the number of overwrites in the current time slice.
  • The detecting step may include determining whether ransomware is active with the binary decision tree, based on the feature values calculated from the number of overwrites and the number of writes.
  • The ransomware detection system includes: a logical block address storage unit that stores, in a Bloom filter, the logical block address of a read request generated in a NAND flash memory; an overwrite checker that, as a write request occurs in the NAND flash memory, checks whether an overwrite has occurred in the Bloom filter in which the logical block address of the read request is stored; and a ransomware detection unit that, when it is determined that the overwrite has occurred in the Bloom filter, detects whether ransomware is active using the feature values used for ransomware detection.
  • The ransomware detection algorithm can be installed inside the SSD firmware, and in an environment where it is difficult to install it in the SSD it can be built and run as a general application program, so the user does not need to install a separate program to protect against ransomware.
  • Since the present invention consumes little memory and has a very fast execution time, it hardly affects the performance of the SSD, so manufacturers and users can expect the same performance from an SSD equipped with the detection algorithm as from an existing SSD.
  • FIG. 1 is an example showing a plurality of bloom filters used in an annular shape according to an embodiment.
  • FIG. 2 is a block diagram illustrating a configuration of a ransomware detection system according to an embodiment.
  • FIG. 3 is a flowchart illustrating a method of detecting ransomware in a ransomware detection system according to an exemplary embodiment.
  • FIG. 4 is a flowchart illustrating a method of performing optimization in a ransomware detection system.
  • Bloom filters are probabilistic data structures devised by Burton Howard Bloom in 1970 to determine whether an element exists in a set. A false positive, in which the Bloom filter judges that an element exists in the set although it does not, may occur; the opposite, a false negative, never occurs.
  • The Bloom filter can be used after initializing all m bits of its bit array to 0.
  • Adding an element to the Bloom filter can be performed by calculating k hash values with k hash functions over the value of the element to be added, and then setting all the bits corresponding to each of the k hash values to 1.
  • To check an element, k hash values are calculated using the k hash functions over the value of the element, and the bits corresponding to each of the calculated k hash values are examined to see whether they are all 1. An element is determined to belong to the set only when all the bits are 1; when any of the bits is not 1, it can be determined that the element has not been added to the Bloom filter. Since only bits are used and multiple hash functions are used, the possibility of collision can be adjusted and minimized while saving memory.
  • The ransomware detection system may be allocated space for using the Bloom filters. One Bloom filter may store the read request addresses of 1 second and may require m MB of memory. Basically, ransomware can be detected by observing n seconds using n Bloom filters (n is a natural number). In addition, to improve detection accuracy, ransomware can be detected by observing p seconds using p Bloom filters, with p greater than n.
  • the ransomware detection system can operate on NAND flash memory.
  • the NAND flash memory may represent a solid state drive (SSD).
  • As a read request occurs, the time, start address, and size of the read request may be collected, and the logical block address of the read request may be stored in the Bloom filter based on the time at which the read request occurred.
  • The ransomware detection system may store the logical block address of a read request in the Bloom filter based on a time range set for that Bloom filter; a time range for storing logical block addresses may be set for each Bloom filter.
  • When the read request falls outside the time range of the Nth Bloom filter, its logical block address may be stored by moving to the following (N+1)th Bloom filter.
  • The logical block addresses of read requests are stored by rotating through the n Bloom filters in an annular shape: after n seconds, all bits of the Bloom filter that comes around again are reset to 0, and the logical block addresses of newly arriving read requests are then stored in it. In other words, after all bits of a Bloom filter are reset to 0 once its period has elapsed, the logical block addresses of newly requested reads may be stored in that Bloom filter.
  • As a write request occurs, the ransomware detection system may collect the start address and size of the write request and check whether its logical block address exists in any of the n Bloom filters as a read request address. If the block address exists in one or more Bloom filters, the ransomware detection system may determine that an overwrite has occurred, since a write was performed on a logical block address that was read within the last n seconds. The ransomware detection system then increments the number of overwrite occurrences so that the six feature values used for ransomware detection can be calculated.
  • The ransomware detection system can optimize the Bloom filters. Multiple hash functions are used both when storing addresses in a Bloom filter and when checking addresses. Therefore, to optimize execution speed, all n Bloom filters use the same k hash functions, so that duplicate hash calculations are not performed when the Bloom filters are checked on a write request. In addition, since there is no need for cryptographic hashes such as SHA-256 or MD5 when hashing an address, a non-cryptographic hash function with a relatively short execution time was used. Finally, because reading memory is faster than writing it, when storing an address in the Bloom filter the bit at each of the k hashed positions is first checked for 0, and the bit is written as 1 only when it is 0.
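The ring of per-second Bloom filters, the overwrite check on a write request, and the three optimizations just described (the same k hash functions shared by all filters so each LBA is hashed once per write request, a non-cryptographic hash, and check-before-set) as an added example in C. This is not the patent's code: the seeded FNV-1a hash, the filter size, the window of 4 filters, 3 hash functions and the sample read/write trace are this example's own assumptions. The same block also illustrates the first optimization described under FIG. 4 below, reusing the k hashed positions of an LBA across every filter in the ring.

```c
/* Added example (not the patent's code): a ring of n Bloom filters holding the
 * LBAs read in each one-second slot, with an overwrite check on write requests.
 * Hash function, sizes and the sample I/O trace are constructed assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N_FILTERS   4           /* observation window in seconds (n) */
#define K_HASHES    3           /* hash functions per filter (k) */
#define FILTER_BITS (1u << 16)  /* m bits per filter */

typedef struct {
    uint8_t bits[FILTER_BITS / 8];
} bloom_t;

static bloom_t ring[N_FILTERS];  /* filters used in an annular shape */
static unsigned cur = 0;         /* filter receiving reads in the current second */

/* Non-cryptographic hash (seeded FNV-1a). The patent only requires a fast
 * non-cryptographic function; FNV-1a is this example's choice. */
static uint32_t hash_lba(uint64_t lba, uint32_t seed)
{
    uint32_t h = 2166136261u ^ seed;
    for (int i = 0; i < 8; i++) {
        h ^= (uint8_t)(lba >> (8 * i));
        h *= 16777619u;
    }
    return h % FILTER_BITS;
}

/* Compute the k bit positions of an LBA once. All filters share the same k
 * functions, so the positions are reused for every filter (first optimization). */
static void lba_positions(uint64_t lba, uint32_t pos[K_HASHES])
{
    for (int i = 0; i < K_HASHES; i++)
        pos[i] = hash_lba(lba, 0x9e3779b9u * (uint32_t)(i + 1));
}

/* Start a new one-second slot: advance the ring and clear the filter being reused. */
void bloom_ring_tick(void)
{
    cur = (cur + 1) % N_FILTERS;
    memset(ring[cur].bits, 0, sizeof ring[cur].bits);
}

/* Record a read request (start LBA, length in blocks) in the current filter. */
void record_read(uint64_t start, uint32_t len)
{
    uint32_t pos[K_HASHES];
    for (uint64_t lba = start; lba < start + len; lba++) {
        lba_positions(lba, pos);
        for (int i = 0; i < K_HASHES; i++) {
            uint8_t *byte = &ring[cur].bits[pos[i] / 8];
            uint8_t mask = (uint8_t)(1u << (pos[i] % 8));
            if (!(*byte & mask))   /* read first; write the bit only when it is 0 */
                *byte |= mask;
        }
    }
}

static int filter_may_contain(const bloom_t *f, const uint32_t pos[K_HASHES])
{
    for (int i = 0; i < K_HASHES; i++)
        if (!(f->bits[pos[i] / 8] & (1u << (pos[i] % 8))))
            return 0;          /* any 0 bit: the LBA was never added */
    return 1;
}

/* Check a write request against all n filters. Returns the number of written
 * blocks that were read within the last n seconds, i.e. the overwrite count. */
uint32_t check_write(uint64_t start, uint32_t len)
{
    uint32_t overwritten = 0;
    uint32_t pos[K_HASHES];
    for (uint64_t lba = start; lba < start + len; lba++) {
        lba_positions(lba, pos);   /* hashed once, reused for every filter */
        for (int f = 0; f < N_FILTERS; f++) {
            if (filter_may_contain(&ring[f], pos)) { overwritten++; break; }
        }
    }
    return overwritten;
}

void bloom_ring_reset(void)
{
    memset(ring, 0, sizeof ring);
    cur = 0;
}

int main(void)
{
    bloom_ring_reset();
    record_read(1000, 8);       /* constructed trace: second 0 reads LBAs 1000..1007 */
    bloom_ring_tick();          /* second 1 */
    printf("overwrites: %u\n", check_write(1004, 8));  /* 4 blocks overlap */
    return 0;
}
```

A read recorded in second 0 stays visible for the n seconds the ring covers; when the ring comes back around, the filter is cleared before it receives new reads, which is the reset described above. The overwrite count returned by `check_write` is what feeds the per-second feature values.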
  • The ransomware detection system may obtain a result value indicating whether ransomware is active by supplying a plurality of feature values, calculated from the number of overwrites and the number of writes, as the input parameters of the binary decision tree.
  • The ransomware detection system may acquire each feature value by calculating, from a counting table, the value corresponding to each of a plurality of features. For example, the ransomware detection system may acquire six feature values, each calculated from the counting table.
  • The counting table may store the information needed to obtain the value of each feature.
  • The ransomware detection system may obtain a determination of whether ransomware is present at the corresponding time (e.g., second) by passing the six feature values to the binary decision tree.
  • The output of the binary decision tree may correspond to a result value indicating whether ransomware is active. If the determination is 0, the possibility of a ransomware attack at the corresponding time is low; if it is 1, the possibility is high. In other words, when ransomware is active, a value of 1 is output as the result value of the tree, and when it is not active, a value of 0 is output.
  • The ransomware detection system may determine that ransomware is active if the sum of the 1 outputs over a preset observation time is greater than a threshold value (e.g., 3).
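An added example in C, not the patent's code, showing how the per-second feature values (OWIO, OWST, PWIO, AVGWIO, OWSLOPE) can be computed from per-slice overwrite and write counts and how the per-second verdicts are summed against the threshold of 3 stated above. The slice record, the window length of 5 slices, the observation period of 10 seconds, the field name `feat6` for the sixth feature (whose name is not legible in this text) and the stand-in decision rule, which replaces the trained binary decision tree the page does not reproduce, are all assumptions. The same block serves the description of the ransomware detection unit 230 under FIG. 3 below.

```c
/* Added example, not the patent's code: feature values per one-second time
 * slice and the accumulated verdict. WINDOW, OBSERVE, the slice record, the
 * sixth feature's name and the stand-in decision rule are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WINDOW    5   /* time slices per time window (assumption) */
#define OBSERVE   10  /* seconds observed before the final verdict (n, assumption) */
#define THRESHOLD 3   /* sum of 1-verdicts that must be exceeded (value from the page) */

typedef struct {
    uint32_t writes;      /* blocks written in this slice */
    uint32_t overwrites;  /* of those, blocks read within the last n seconds */
    uint32_t ow_runs;     /* contiguous runs of overwritten blocks in this slice */
} slice_t;

typedef struct {
    double owio, owst, pwio, avgwio, owslope, feat6;
} features_t;

static double ratio(double num, double den) { return den > 0.0 ? num / den : 0.0; }

/* Feature values for slice i, given the history s[0..i]. */
features_t compute_features(const slice_t *s, size_t i)
{
    features_t f = {0};
    size_t start  = (i + 1 >= WINDOW) ? i + 1 - WINDOW : 0;   /* current window */
    size_t pstart = (start >= WINDOW) ? start - WINDOW : 0;   /* previous window */
    double p_slices = (double)(start - pstart);
    uint32_t w_writes = 0, w_ow = 0, w_runs = 0, p_ow = 0, p_writes = 0;
    for (size_t j = start; j <= i; j++) {
        w_writes += s[j].writes;
        w_ow     += s[j].overwrites;
        w_runs   += s[j].ow_runs;
    }
    for (size_t j = pstart; j < start; j++) {
        p_ow     += s[j].overwrites;
        p_writes += s[j].writes;
    }
    f.owio    = s[i].overwrites;           /* overwrites in this time slice */
    f.owst    = ratio(w_ow, w_writes);     /* overwrite share of the window's writes */
    f.pwio    = w_ow;                      /* overwrites in the time window */
    f.avgwio  = ratio(w_ow, w_runs);       /* mean length of contiguous overwrites */
    f.owslope = ratio(f.owio, ratio(p_ow, p_slices));     /* vs. previous window average */
    f.feat6   = ratio(f.owio, ratio(p_writes, p_slices)); /* name not legible in the source */
    return f;
}

/* Stand-in for the trained binary decision tree, which the page does not
 * reproduce: flag a second when most writes in the window hit recently read
 * blocks. This rule is an assumption, not the patent's model. */
int slice_suspicious(const features_t *f)
{
    return f->owio > 0.0 && f->owst > 0.5;
}

/* Final verdict: active if more than THRESHOLD of the last OBSERVE seconds were flagged. */
int ransomware_active(const slice_t *s, size_t n)
{
    int flagged = 0;
    for (size_t i = (n > OBSERVE) ? n - OBSERVE : 0; i < n; i++) {
        features_t f = compute_features(s, i);
        flagged += slice_suspicious(&f);
    }
    return flagged > THRESHOLD;
}

/* Constructed traces: ten seconds of ordinary writes, and ten seconds in which
 * nearly every written block was read shortly before (read, encrypt, overwrite). */
static const slice_t benign_trace[10] = {
    {100, 5, 5}, {100, 5, 5}, {100, 5, 5}, {100, 5, 5}, {100, 5, 5},
    {100, 5, 5}, {100, 5, 5}, {100, 5, 5}, {100, 5, 5}, {100, 5, 5}};
static const slice_t attack_trace[10] = {
    {100, 90, 3}, {100, 90, 3}, {100, 90, 3}, {100, 90, 3}, {100, 90, 3},
    {100, 90, 3}, {100, 90, 3}, {100, 90, 3}, {100, 90, 3}, {100, 90, 3}};

int demo_benign(void) { return ransomware_active(benign_trace, 10); }
int demo_attack(void) { return ransomware_active(attack_trace, 10); }

int main(void)
{
    printf("benign: %d, attack: %d\n", demo_benign(), demo_attack());
    return 0;
}
```

The accumulation step is what makes a single noisy second harmless: a verdict of 1 in one slice does not trigger a final determination unless more than the threshold number of slices in the observation period agree.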
  • FIG. 2 is a block diagram illustrating a configuration of a ransomware detection system according to an embodiment.
  • FIG. 3 is a flowchart illustrating a method of detecting ransomware in a ransomware detection system according to an embodiment.
  • The processor of the ransomware detection system 100 may include a logical block address storage unit 210, an overwrite inspection unit 220, a ransomware detection unit 230, and a Bloom filter optimization unit 240. These components of the processor may be expressions of the different functions the processor performs according to the control commands of the program code stored in the ransomware detection system 100.
  • The processor and its components may control the ransomware detection system 100 to perform steps 310 to 330 of the ransomware detection method of FIG. 3.
  • The processor and its components may be implemented to execute instructions according to the code of the operating system and of at least one program included in the memory.
  • The processor may load the program code stored in the program file for the ransomware detection method into the memory. For example, when the program is executed in the ransomware detection system 100, the processor may control the ransomware detection system 100 to load the program code from the program file into the memory under the control of the operating system.
  • The logical block address storage unit 210, the overwrite inspection unit 220, the ransomware detection unit 230, and the Bloom filter optimization unit 240 may each be different functional representations of the processor that execute the subsequent steps 310 to 330 by executing the instructions of the corresponding portion of the program code loaded into the memory. The operation of the Bloom filter optimization unit 240 will be described with reference to FIG. 4.
  • The logical block address storage unit 210 may store, in a Bloom filter, the logical block address of a read request generated in the NAND flash memory.
  • The logical block address storage unit 210 may generate a plurality of Bloom filters, each having a bit array.
  • To add an element related to the logical block address of the read request, k hash values are calculated using the same k hash functions in each of the plurality of Bloom filters, and all bits corresponding to each calculated hash value are set to 1.
  • The logical block address storage unit 210 collects the time, start address, and size of the read request and, based on the collected time information, can store the logical block address (LBA) of the read request in the Bloom filter.
  • The logical block address storage unit 210 stores the logical block address of the read request in the Bloom filter based on a preset time range, and when the read request falls outside the preset time range, stores it in the next Bloom filter.
  • The overwrite inspection unit 220 may check, as a write request occurs in the NAND flash memory, whether an overwrite has occurred in the Bloom filter in which the logical block address of the read request is stored. As the write request occurs, the overwrite inspection unit 220 collects the start address and size of the write request and inspects, among the plurality of Bloom filters, whether any Bloom filter contains the logical block address of the read request. When such a Bloom filter exists, the overwrite inspection unit 220 may determine that an overwrite has occurred in that Bloom filter.
  • The overwrite of the logical block address of the write request can be checked by performing element checks at the same k bit positions, obtained with the same k hash functions, in each of the plurality of Bloom filters.
  • The ransomware detection unit 230 may detect whether ransomware is active using the feature values used for ransomware detection.
  • The ransomware detection unit 230 may determine whether ransomware is active with the binary decision tree, based on the feature values calculated from the number of overwrites.
  • The feature values are calculated from overwrites, where an overwrite is the act of deleting the user's original file and recording new data (e.g., random data, or the original data encrypted by an attacker) at the deleted location so that the user cannot recover the original data. They may include OWST, indicating the ratio of overwritten blocks to the total number of write requests; PWIO, indicating the number of overwrites that occurred during the time window; AVGWIO, indicating the average length of the blocks overwritten contiguously in the current time window; OWSLOPE, indicating the ratio between the average number of overwrites in the previous time window and the number of overwrites in the current time slice; and a feature indicating the ratio of the average number of writes in the previous time slice to the number of overwrites in the current time slice.
  • The ransomware detection unit 230 may obtain a ransomware determination at a specific time. If the determination is 0, the ransomware detection unit 230 judges that the possibility of a ransomware attack at the current time (for example, the determined time) is low, and if it is 1, that the possibility is high. The ransomware detection unit 230 may finally determine that ransomware is active if, as a result of observing for n seconds, the sum of the 1 outputs is greater than the threshold value (set to 3 in the current program).
  • FIG. 4 is a flowchart illustrating a method of performing optimization in a ransomware detection system.
  • The Bloom filter optimizer 240 may perform a first optimization on the Bloom filters.
  • The first optimization refers to a memory optimization that prevents repeating the same hash operation.
  • The same hash operation may be repeated when an element check is performed on 10 Bloom filters, that is, when an overwrite check is performed. If the 10 Bloom filters each use k different hash functions, then when a write request occurs, k hash computations must be performed for each of the 10 Bloom filters for every block in the block length of the requested LBA. The number of hash operations performed, expressed as an equation, is shown in Equation 2.
  • The hash values obtained by hashing each of the block-length addresses of the logical block address with the k hash functions can be stored in an integer 2D array of size (k × block length).
  • The hash value of a specific logical block address, calculated to check one Bloom filter, is then not recomputed to check another Bloom filter.
  • The number of hash operations performed after applying the first optimization is given by Equation 3; compared to before the optimization, the number of hash operations required for the overwrite check on a write request may be reduced to 1/10.
  • The Bloom filter optimizer 240 may perform a second optimization on the Bloom filters.
  • The second optimization may mean non-cryptographic hashing.
  • The Bloom filter optimizer 240 may obtain the hash values using only a non-cryptographic hash function, which is relatively faster than a cryptographic hash function, for the k hash functions when adding elements to the Bloom filter and when checking elements.
  • The ransomware detection system may be installed in SSD firmware to detect ransomware independently of the operating system (OS).
  • By using Bloom filters, the ransomware detection system can be installed inside the SSD firmware without affecting the performance of the SSD.
  • From the manufacturer's point of view, this reduces the concern that the unit price must rise to maintain performance when the detection algorithm is mounted; from the user's point of view, ransomware attacks can be defended against with an SSD of the same performance that carries the detection algorithm, without installing a separate program. Accordingly, the SSD can be used safely against the threat of ransomware.
  • the apparatus described above may be implemented as a hardware component, a software component, and/or a combination of a hardware component and a software component.
  • The devices and components described in the embodiments may be implemented using, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable gate array (FPGA), a programmable logic unit (PLU), a microprocessor, or any other device capable of executing and responding to instructions, such as one or more general purpose or special purpose computers.
  • the processing device may execute an operating system (OS) and one or more software applications executed on the operating system. Further, the processing device may access, store, manipulate, process, and generate data in response to the execution of software.
  • The processing device may include a plurality of processing elements and/or a plurality of types of processing elements.
  • the processing device may include a plurality of processors or one processor and one controller.
  • other processing configurations are possible, such as a parallel processor.
  • The software may include a computer program, code, instructions, or a combination of one or more of these, which configures the processing device to operate as desired or which commands the processing device independently or collectively.
  • Software and/or data may be embodied in any type of machine, component, physical device, virtual equipment, computer storage medium or device, so as to be interpreted by the processing device or to provide instructions or data to the processing device.
  • the software may be distributed over networked computer systems and stored or executed in a distributed manner. Software and data may be stored on one or more computer-readable recording media.
  • the method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer-readable medium.
  • the computer-readable medium may include program instructions, data files, data structures, etc. alone or in combination.
  • the program instructions recorded on the medium may be specially designed and configured for the embodiment, or may be known and usable to those skilled in computer software.
  • Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks, and magnetic tapes; optical media such as CD-ROMs and DVDs; magneto-optical media such as floptical disks; and hardware devices specially configured to store and execute program instructions, such as ROM, RAM, and flash memory.
  • Examples of program instructions include not only machine language codes such as those produced by a compiler, but also high-level language codes that can be executed by a computer using an interpreter or the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a method and system for efficient ransomware detection using a Bloom filter. The ransomware detection method performed by the ransomware detection system, according to one embodiment, may comprise the steps of: storing, in a Bloom filter, a logical block address for a read request generated in a NAND flash memory; in response to a write request generated in the NAND flash memory, checking whether or not an overwrite has occurred in the Bloom filter in which the logical block address for the read request was stored; and, when it is determined that the overwrite has occurred in the Bloom filter, detecting whether or not the ransomware is active, using a feature value used for ransomware detection.
PCT/KR2019/018794 2019-10-01 2019-12-31 Method and system for efficient ransomware detection using a Bloom filter WO2021066257A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020190121777A KR102259158B1 (ko) 2019-10-01 2019-10-01 Efficient ransomware detection method and system using a Bloom filter
KR10-2019-0121777 2019-10-01

Publications (1)

Publication Number Publication Date
WO2021066257A1 true WO2021066257A1 (fr) 2021-04-08

Family

ID=75336579

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2019/018794 WO2021066257A1 (fr) 2019-10-01 2019-12-31 Method and system for efficient ransomware detection using a Bloom filter

Country Status (2)

Country Link
KR (1) KR102259158B1 (fr)
WO (1) WO2021066257A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113535719A (zh) * 2021-07-07 2021-10-22 锐掣(杭州)科技有限公司 Data filtering method, data filtering device, storage medium and product
CN117370624A (zh) * 2023-12-04 2024-01-09 北京四方启点科技有限公司 Electronic document processing method and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101476039B1 (ko) * 2013-06-19 2014-12-23 세명대학교 산학협력단 Database encryption method and real-time search method therefor
KR20150017875A (ko) * 2013-08-08 2015-02-23 주식회사 시큐아이 Network scan detection method and apparatus
US20150347585A1 (en) * 2014-05-27 2015-12-03 Quixey, Inc. Personalized Search Results
KR101850650B1 (ko) * 2017-05-11 2018-05-30 한양대학교 산학협력단 Removable storage device performing ransomware detection and method therefor
KR101970993B1 (ko) * 2017-11-29 2019-04-23 주식회사 더볼터 SSD internal defense method without data loss against ransomware and ransomware detection system

Also Published As

Publication number Publication date
KR20210039212A (ko) 2021-04-09
KR102259158B1 (ko) 2021-06-02

Similar Documents

Publication Publication Date Title
Min et al. Amoeba: An autonomous backup and recovery SSD for ransomware attack defense
Baek et al. SSD-insider: Internal defense of solid-state drive against ransomware with perfect data recovery
JP4406627B2 (ja) Computer security management in virtual machines or hardened operating systems and the like
US11809605B2 (en) Method and system for storage-based intrusion detection and recovery
EP3014447B1 (fr) Techniques for detecting a security vulnerability
US8607342B1 (en) Evaluation of incremental backup copies for presence of malicious codes in computer systems
JP5881859B2 (ja) Storage device
CN110998582A (zh) Secure storage device
JP6192660B2 (ja) Computer-implemented process, computer program product and apparatus for managing a staging area
JP7390932B2 (ja) System and method for inspecting multiple archive slices for malware
US8621625B1 (en) Methods and systems for detecting infected files
JP2009031859A (ja) Information collection system and information collection method
US9542557B2 (en) Snoop-based kernel integrity monitoring apparatus and method thereof
WO2021066257A1 (fr) Method and system for efficient ransomware detection using a Bloom filter
WO2019107609A1 (fr) SSD internal defense method that does not cause data loss due to ransomware, and ransomware detection system
WO2020111504A1 (fr) Ransomware detection method and ransomware detection system
Zhan et al. A high-performance virtual machine filesystem monitor in cloud-assisted cognitive IoT
KR20170060815A (ko) Electronic device and method for protecting the kernel area of memory
US8621632B1 (en) Systems and methods for locating malware
US10664595B2 (en) Managing reads and writes to data entities experiencing a security breach from a suspicious process
WO2022149729A1 (fr) System and method for unpacking executable files for static analysis of malicious code
WO2009116726A2 (fr) Method and system for detecting stealth malicious programs
Ma et al. Travelling the hypervisor and ssd: A tag-based approach against crypto ransomware with fine-grained data recovery
WO2022215783A1 (fr) Method and control device for detecting ransomware in an SSD
KR102254283B1 (ko) Multi-process clustering-based ransomware attack detection apparatus and method, and recording medium recording a program for realizing the method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19947805

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19947805

Country of ref document: EP

Kind code of ref document: A1