WO2022215783A1 - Method and controller for detecting ransomware in ssd - Google Patents


Info

Publication number
WO2022215783A1
Authority
WO
WIPO (PCT)
Prior art keywords
ransomware
ransomware detection
detection
ssd
request
Application number
PCT/KR2021/004614
Other languages
French (fr)
Korean (ko)
Inventor
김영재
박지윤
박성순
민동현
김경표
Original Assignee
(주)글루시스
서강대학교산학협력단
Application filed by (주)글루시스, 서강대학교산학협력단
Publication of WO2022215783A1

Classifications

    • H ELECTRICITY
    • H01 ELECTRIC ELEMENTS
    • H01L SEMICONDUCTOR DEVICES NOT COVERED BY CLASS H10
    • H01L21/00 Processes or apparatus adapted for the manufacture or treatment of semiconductor or solid state devices or of parts thereof
    • H01L21/02 Manufacture or treatment of semiconductor devices or of parts thereof
    • H01L21/04 Manufacture or treatment of semiconductor devices or of parts thereof the devices having potential barriers, e.g. a PN junction, depletion layer or carrier concentration layer
    • H01L21/50 Assembly of semiconductor devices using processes or apparatus not provided for in a single one of the subgroups H01L21/06 - H01L21/326, e.g. sealing of a cap to a base of a container
    • H01L21/56 Encapsulations, e.g. encapsulation layers, coatings
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity

Definitions

  • the present invention relates to a method and a controller for detecting ransomware, and more particularly, to a method for detecting ransomware performed on an SSD and a controller of an SSD for detecting the ransomware.
  • backup at the SSD (Solid State Drive) storage layer is space-efficient and remains safe even if the OS is compromised.
  • SSD-level backup needs no dedicated backup space, because the data pages invalidated by the SSD's out-of-place overwrites are simply retained as the backup instead of being erased.
  • SSD firmware is separate from the OS. Therefore, even if the host OS is compromised by privileged ransomware, the copy can be kept safe.
  • to defend against ransomware attacks, the SSD performs ransomware detection whenever a page overwrite request occurs, checking whether ransomware is included in the data requested to be overwritten. Because detection runs on every input/output (I/O) request, it increases I/O latency, and SSDs equipped with DMA (Direct Memory Access) hardware accelerators are therefore being studied. However, such new DMA hardware requires additional DMA engineering and cost, so a ransomware detection method that runs at the firmware level while reducing I/O latency needs to be developed.
  • An object of the present invention is to provide a ransomware detection method and an SSD controller capable of reducing a delay time of foreground input/output.
  • performing ransomware detection on a file for which a first overwrite is requested; checking whether an I/O request exists at at least one preset preemption point while the ransomware detection is being performed; and processing the I/O request according to the result of the check.
  • the method comprising: performing ransomware detection on a file for which an overwrite is requested; at at least one preset preemption point, storing ransomware detection information indicating the state of the ransomware detection performed up to that preemption point, and processing an I/O request; and resuming the ransomware detection using the ransomware detection information after the I/O request has been processed.
  • a ransomware detection unit that performs ransomware detection on the file for which an overwrite is requested; and an I/O request processing unit configured to check whether an I/O request exists at at least one preset preemption point while the ransomware detection is being performed and to process the I/O request, wherein the ransomware detection unit resumes the ransomware detection after the I/O request has been performed. An SSD controller comprising these units is provided.
  • an input/output delay time may be reduced by preferentially processing an input/output request at each preset preemption point during ransomware detection.
  • even if a new overwrite request occurs during ransomware detection, delay of the ransomware detection for the existing overwrite request can be prevented, and the problem of garbage collection being unable to run can be solved.
  • FIG. 1 is a diagram for explaining a controller of an SSD according to an embodiment of the present invention.
  • FIG. 2 is a diagram for explaining a ransomware detection method according to an embodiment of the present invention.
  • FIG. 3 is a diagram for explaining a specific embodiment of ransomware detection.
  • FIG. 4 is a diagram for explaining a ransomware detection method according to another embodiment of the present invention.
  • FIG. 5 is a diagram illustrating an example of a ransomware detection process performed in an SSD according to an embodiment of the present invention.
  • FIG. 6 is a diagram for explaining the effect of a ransomware detection method according to an embodiment of the present invention.
  • the detection of ransomware, which is performed whenever a page overwrite request occurs, delays the processing of the input/output request, because the input/output request including the overwrite request is processed only after the ransomware detection for the file on which the overwrite was requested has completed.
  • the present invention proposes a ransomware detection method of an SSD that performs an input/output request while performing ransomware detection.
  • an input/output request is preferentially processed at each preset preemption point during ransomware detection.
  • preemption means stopping ransomware detection and preferentially processing input/output requests.
  • preemption point means a point at which ransomware detection is stopped and input/output requests are performed.
  • FIG. 1 is a diagram for explaining a controller of an SSD according to an embodiment of the present invention.
  • the controller 110 of the SSD includes a ransomware detection unit 111 and an I/O request processing unit 113 .
  • the ransomware detection unit 111 detects the ransomware on the file requested to be overwritten.
  • Ransomware detection may be performed through various detection algorithms, and as an embodiment, may be performed through calculation of similarity and entropy.
  • the I/O request processing unit 113 checks whether an I/O request exists at at least one preset preemption point while ransomware detection is being performed, and processes the I/O request.
  • when the I/O request is a read request, data stored in the NAND flash 120 is transmitted to the host.
  • when the I/O request is a write request, data transmitted from the host is stored in the NAND flash 120.
  • during data transfer between the host and the NAND flash 120, the DRAM 130 serves as a cache.
  • FIG. 2 is a diagram for explaining a ransomware detection method according to an embodiment of the present invention.
  • FIG. 3 is a diagram for explaining a specific embodiment of ransomware detection.
  • the SSD detects ransomware on a file for which the first overwrite is requested ( S210 ).
  • the SSD may perform ransomware detection as shown in FIG. 3 as an embodiment in step S210.
  • in a first step (S310), the SSD stores in its DRAM the first data, transmitted from the host, for the file for which the first overwrite is requested.
  • in a second step (S320), the SSD stores in its DRAM the second data for that file, which is the data currently stored in the page.
  • the first data is data that updates the second data by overwriting it, and the SSD detects whether ransomware is included in the first data.
  • the SSD checks whether an I/O request exists at at least one preset preemption point during ransomware detection ( S220 ).
  • the SSD can check whether an I/O request exists by checking the I/O request accumulated in the request queue.
  • the preemption point may be set between the first step (S310) and the second step (S320) as an embodiment, and may also be a point within the third step (S330) and the fourth step (S340). If preemption occurs while the first and second steps (S310 and S320) are being performed, the data must be stored in DRAM again from the beginning, so it is preferable not to preempt during the first and second steps. On the other hand, even if preemption occurs during the third and fourth steps (S330 and S340), the ransomware detection may be resumed from the point where it was stopped.
  • the number of preemption points within the third and fourth steps may be determined from the latency of the third and fourth steps (S330 and S340) and from the overhead of checking for an I/O request; as an example, [Equation 1] calculates it as proportional to the latency and inversely proportional to the overhead.
  • the time required to perform the third and fourth steps (S330 and S340) and the time taken to check for an I/O request may be taken as the latency and the overhead, respectively, and may be determined experimentally.
  • the number of preemption points for the third and fourth steps (S330 and S340) may be determined as an integer not exceeding the result of [Equation 1], and if the result of [Equation 1] is less than 1, the number of preemption points may be set to 1. For example, if the number of preemption points is determined to be 2, preemption may be performed twice while the third and fourth steps (S330 and S340) are performed.
  • the positions of the preemption points for the third and fourth steps S330 and S340 may be determined in various ways, and may be positions on time or data.
  • the location of the preemption point may be determined as a point after a preset time from the start of the ransomware detection, or as a point corresponding to a certain fraction of the total size of the data on which ransomware detection is performed.
  • the location of the preemption point may be set so that the ransomware detection can be performed for a uniform time before and after the preemption, or may be determined according to the size of the first and second data. As the size of the first and second data increases, the interval between the preemption points may increase.
  • the SSD processes the I/O request according to the result of the check (S230). If there is an I/O request, the SSD stops the ransomware detection and processes the I/O request first. If there is no I/O request, the SSD continues the ransomware detection.
  • the SSD may resume the ransomware detection using the ransomware detection information, and the method of resuming the ransomware detection will be described in detail with reference to FIG. 4 .
  • FIG. 4 is a diagram for explaining a ransomware detection method according to another embodiment of the present invention.
  • the SSD detects ransomware on a file requested to be overwritten ( S410 ).
  • ransomware detection information indicating the state of ransomware detection performed up to the preemption point is stored, and an I/O request is processed ( S420 ).
  • the ransomware detection information is used to resume detection of ransomware, which will be described later.
  • the SSD according to an embodiment of the present invention resumes detection of ransomware using ransomware detection information (S430).
  • the ransomware detection information includes, as an embodiment, offset information indicating the number of the page at which the ransomware detection was stopped at the preemption point, and byte information indicating how far within that page detection had been performed up to the preemption point.
  • information on which of the third and fourth steps (S330 and S340) was interrupted by the preemption may be further included.
  • using this ransomware detection information, the SSD according to an embodiment of the present invention resumes the ransomware detection at the interrupted step, in the page corresponding to the page number, starting from the data following the byte indicated by the offset information.
  • FIG. 5 is a diagram illustrating an example of a ransomware detection process performed in an SSD according to an embodiment of the present invention. FIG. 5 shows an embodiment in which there are two preemption points.
  • OW denotes overwrite
  • R denotes read
  • W denotes write
  • D denotes ransomware detection.
  • the SSD resumes the ransomware detection (D1_2) regardless of the remaining number of preemption points and completes it. That is, in the embodiment of FIG. 5 one preemption point remains, but the SSD does not check for I/O requests at the remaining preemption point; it restarts and completes the ransomware detection. When the ransomware detection is completed, the overwrite of the file for which the first overwrite (OW1) was requested is processed.
  • when the I/O request found at a preemption point is an overwrite request, the SSD according to an embodiment of the present invention ignores the remaining preemption points and resumes the stopped ransomware detection to completion.
  • the ransomware detection (D2_1) for the file for which the second overwrite (OW2) is requested then starts. Next, the I/O requests (R, W, R) found at the first preemption point 521 are performed and the ransomware detection (D2_2) is resumed. Thereafter, the I/O requests (W, R, W) found at the second preemption point 522 are performed and the ransomware detection (D2_3) is completed.
  • FIG. 6 is a diagram for explaining the effect of a ransomware detection method according to an embodiment of the present invention.
  • FIG. 6(a) shows, as a cumulative distribution function (CDF), the foreground I/O response time in an Erebus ransomware environment for an SSD that does not detect ransomware (original SSD), an inline-detection SSD that detects ransomware without preemption, and a preemptive-detection SSD according to an embodiment of the present invention that uses 50 preemption points. FIG. 6(b) shows the detection time when, upon a new overwrite request, the ransomware detection is resumed regardless of the remaining number of preemption points, according to an embodiment of the present invention.
  • the average I/O response time when detecting ransomware without preemption is 622.6 ms, while the average I/O response time without ransomware detection is 23.7 ms. Since this is a 26.3-fold difference, it can be seen that the I/O delay is very serious when preemption is not used.
  • for the preemptive-detection SSD, the average I/O response time is 26.4 ms, which is not significantly different from the case where ransomware is not detected.
  • the technical contents described above may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer-readable medium.
  • the computer-readable medium may include program instructions, data files, data structures, etc. alone or in combination.
  • the program instructions recorded on the medium may be specially designed and configured for the embodiments, or may be known and available to those skilled in the art of computer software.
  • Examples of the computer-readable recording medium include magnetic media such as hard disks, floppy disks and magnetic tape, optical media such as CD-ROMs and DVDs, magneto-optical media such as floptical disks, and hardware devices specially configured to store and execute program instructions, such as ROM, RAM and flash memory.
  • Examples of program instructions include not only machine language codes such as those generated by a compiler, but also high-level language codes that can be executed by a computer using an interpreter or the like.
  • a hardware device may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Power Engineering (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Manufacturing & Machinery (AREA)
  • Condensed Matter Physics & Semiconductors (AREA)
  • Debugging And Monitoring (AREA)

Abstract

Disclosed are a ransomware detection method and an SSD controller that can reduce the latency of foreground input and output. The disclosed method for detecting ransomware in an SSD comprises: performing ransomware detection on a file for which a first overwrite is requested; checking whether there is an I/O request at one or more preset preemption points while the ransomware detection is performed; and processing the I/O request according to the result of the check.

Description

Ransomware detection method and controller for an SSD
The present invention relates to a method and a controller for detecting ransomware, and more particularly to a ransomware detection method performed in an SSD and to an SSD controller that detects ransomware.
Ransomware is a type of malware that encrypts a user's data and then demands that the user pay to recover it. Because the damage caused by ransomware keeps growing, the need for countermeasures is increasing, and backup techniques for defending against ransomware attacks have been actively studied as one such countermeasure. Traditionally, backups have been performed on the host side. However, explicitly making a backup copy requires additional storage space, and if the operating system (OS) is compromised, the copy may be destroyed as well.
In contrast, backup at the SSD (Solid State Drive) storage layer is space-efficient and remains safe even if the OS is compromised. SSD-level backup needs no dedicated backup space, because the data pages invalidated by the SSD's out-of-place overwrites are simply retained as the backup instead of being erased. Moreover, SSD firmware is separate from the OS, so even if the host OS is compromised by privileged ransomware, the copies can be kept safe.
To defend against ransomware attacks, the SSD performs ransomware detection whenever an overwrite request for a page occurs, checking whether the data requested to be overwritten contains ransomware. Because detection runs on every input/output (I/O) request, it increases I/O latency, and SSDs equipped with DMA (Direct Memory Access) hardware accelerators have therefore been studied. However, such new DMA hardware requires additional DMA engineering and cost, so a ransomware detection method that runs at the firmware level while reducing I/O latency is needed.
An object of the present invention is to provide a ransomware detection method and an SSD controller capable of reducing the latency of foreground input/output.
According to an embodiment of the present invention for achieving the above object, there is provided a ransomware detection method for an SSD, comprising: performing ransomware detection on a file for which a first overwrite is requested; checking whether an I/O request exists at at least one preset preemption point while the ransomware detection is being performed; and processing the I/O request according to the result of the check.
According to another embodiment of the present invention for achieving the above object, there is provided a ransomware detection method for an SSD, comprising: performing ransomware detection on a file for which an overwrite is requested; at at least one preset preemption point, storing ransomware detection information indicating the state of the ransomware detection performed up to that preemption point, and processing an I/O request; and, after the I/O request has been processed, resuming the ransomware detection using the ransomware detection information.
According to yet another embodiment of the present invention for achieving the above object, there is provided an SSD controller comprising: a ransomware detection unit that performs ransomware detection on a file for which an overwrite is requested; and an I/O request processing unit that, while the ransomware detection is being performed, checks whether an I/O request exists at at least one preset preemption point and processes the I/O request, wherein the ransomware detection unit resumes the ransomware detection after the I/O request has been performed.
According to an embodiment of the present invention, I/O latency can be reduced by giving priority to I/O requests at each preset preemption point during ransomware detection.
Also, according to an embodiment of the present invention, even if a new overwrite request occurs during ransomware detection, delay of the ransomware detection for the existing overwrite request can be prevented, and the problem of garbage collection being unable to run can be solved.
FIG. 1 is a diagram for explaining an SSD controller according to an embodiment of the present invention.
FIG. 2 is a diagram for explaining a ransomware detection method according to an embodiment of the present invention.
FIG. 3 is a diagram for explaining a specific embodiment of ransomware detection.
FIG. 4 is a diagram for explaining a ransomware detection method according to another embodiment of the present invention.
FIG. 5 is a diagram illustrating an example of a ransomware detection process performed in an SSD according to an embodiment of the present invention.
FIG. 6 is a diagram for explaining the effect of a ransomware detection method according to an embodiment of the present invention.
Since the present invention can be modified in various ways and can have various embodiments, specific embodiments are illustrated in the drawings and described in detail. This is not intended to limit the present invention to the specific embodiments, and it should be understood to include all modifications, equivalents and substitutes within the spirit and technical scope of the invention. In describing the figures, like reference numerals are used for like elements.
As described above, ransomware detection performed whenever a page overwrite request occurs delays the processing of I/O requests, because I/O requests, including the overwrite request itself, are processed only after the ransomware detection for the file on which the overwrite was requested has completed. To solve this problem, the present invention proposes a ransomware detection method for an SSD that performs I/O requests while ransomware detection is in progress.
An embodiment of the present invention processes I/O requests preferentially at each preset preemption point during ransomware detection. Here, preemption means stopping the ransomware detection and processing I/O requests first, and a preemption point is a point at which the ransomware detection is stopped and I/O requests are performed.
Therefore, according to an embodiment of the present invention, I/O requests can be processed before the ransomware detection finishes, so the I/O processing delay caused by ransomware detection can be improved.
Hereinafter, embodiments according to the present invention will be described in detail with reference to the accompanying drawings.
FIG. 1 is a diagram for explaining an SSD controller according to an embodiment of the present invention.
Referring to FIG. 1, the SSD controller 110 according to an embodiment of the present invention includes a ransomware detection unit 111 and an I/O request processing unit 113.
The ransomware detection unit 111 performs ransomware detection on a file for which an overwrite is requested. Ransomware detection may be performed with various detection algorithms; in one embodiment it is performed by computing similarity and entropy.
The I/O request processing unit 113 checks, while ransomware detection is in progress, whether an I/O request exists at at least one preset preemption point, and processes the I/O request. When the I/O request is a read request, data stored in the NAND flash 120 is transmitted to the host; when it is a write request, data transmitted from the host is stored in the NAND flash 120. During data transfer between the host and the NAND flash 120, the DRAM 130 serves as a cache.
When an I/O request exists, the ransomware detection of the ransomware detection unit 111 is stopped and the I/O request processing unit 113 processes the I/O request. Ransomware detection information indicating the state of the ransomware detection performed up to the point at which it was stopped is stored in the SSD, and after the I/O request has been processed, the ransomware detection unit 111 resumes the ransomware detection based on that information.
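The stop, save and resume cycle just described, together with the preemption-point details given in the Definitions list above (state saved as interrupted step, page number and byte offset; number of points derived from the latency and overhead of [Equation 1]; remaining points ignored once an overwrite request is found at a point), as an added C model. This is not the patent's firmware or any code from the applicants: PAGE_SIZE, the request queue layout and every type and function name are this example's own assumptions, and the ratio latency/overhead is an assumed reading of [Equation 1], whose exact form the page does not give.

```c
#include <stddef.h>
#include <stdint.h>

/* Preemptive detection model (this example's own design, not the patent's
 * firmware). The work of steps S330/S340 is scanned byte by byte, a fixed
 * number of preemption points is spread uniformly over it, and at each point
 * the detector yields if I/O requests are queued. The saved state (step, page,
 * byte) is the "ransomware detection information" used to resume. */

#define PAGE_SIZE 16          /* toy page size; real NAND pages are KiB-sized */
#define MAX_QUEUE 8
enum io_kind { IO_READ, IO_WRITE, IO_OVERWRITE };
enum det_step { STEP_SIMILARITY = 3, STEP_ENTROPY = 4, STEP_DONE = 5 };
struct io_queue { enum io_kind req[MAX_QUEUE]; size_t n; };

/* Ransomware detection information saved at a preemption point. */
struct det_state {
    enum det_step step;   /* interrupted step (S330 or S340) */
    size_t page, byte;    /* page where detection stopped, bytes of it done */
    size_t diff;          /* running S330 result: differing byte positions */
};

struct detector {
    const uint8_t *new_data, *old_data;   /* first data / second data */
    size_t pages, points, points_used;
    int ignore_points;    /* set once an overwrite request arrived at a point */
    struct det_state st;
};

/* Assumed reading of [Equation 1]: proportional to step latency, inversely
 * proportional to queue-check overhead, floored to an integer, at least 1. */
static size_t preemption_points(double latency, double overhead)
{
    if (overhead <= 0.0 || latency / overhead < 1.0) return 1;
    return (size_t)(latency / overhead);
}

/* One byte of work for the current step; S340 is only a scan stand-in here. */
static void detect_one_byte(struct detector *d)
{
    size_t i = d->st.page * PAGE_SIZE + d->st.byte;
    if (d->st.step == STEP_SIMILARITY) d->st.diff += (d->new_data[i] != d->old_data[i]);
    if (++d->st.byte < PAGE_SIZE) return;
    d->st.byte = 0;
    if (++d->st.page < d->pages) return;
    d->st.page = 0;
    d->st.step = (d->st.step == STEP_SIMILARITY) ? STEP_ENTROPY : STEP_DONE;
}

/* Ransomware detection unit: runs from the saved state. Returns 1 when done,
 * 0 when it stopped at a preemption point because requests were queued. */
static int detect_run(struct detector *d, const struct io_queue *q)
{
    size_t total = d->pages * PAGE_SIZE, interval = 2 * total / (d->points + 1);
    while (d->st.step != STEP_DONE) {
        size_t pos = (size_t)(d->st.step - STEP_SIMILARITY) * total
                   + d->st.page * PAGE_SIZE + d->st.byte;
        if (!d->ignore_points && d->points_used < d->points
            && pos >= interval * (d->points_used + 1)) {
            d->points_used++;
            if (q->n > 0) return 0;   /* preempt; d->st already holds the resume point */
        }
        detect_one_byte(d);
    }
    return 1;
}

/* I/O request processing unit: performs all queued requests. An overwrite
 * request makes the detector finish without checking the remaining points. */
static size_t process_io(struct io_queue *q, struct detector *d)
{
    size_t n = q->n;
    while (q->n > 0)
        if (q->req[--q->n] == IO_OVERWRITE) d->ignore_points = 1;
    return n;
}

struct run_result { size_t preemptions, io_processed, differing_bytes; };

/* Constructed scenario: 4 pages, 3 preemption points; R,W,R are queued before
 * the first point, then W and an overwrite arrive before the second point. */
static struct run_result run_scenario(void)
{
    static uint8_t old_data[4 * PAGE_SIZE], new_data[4 * PAGE_SIZE];
    struct io_queue q = { { IO_READ, IO_WRITE, IO_READ }, 3 };
    struct detector d = { new_data, old_data, 4, preemption_points(12.0, 4.0), 0, 0,
                          { STEP_SIMILARITY, 0, 0, 0 } };
    struct run_result r = { 0, 0, 0 };
    for (size_t i = 0; i < sizeof old_data; i++) {   /* every 4th byte unchanged */
        old_data[i] = (uint8_t)i;
        new_data[i] = (i % 4 == 0) ? old_data[i] : (uint8_t)~old_data[i];
    }
    while (!detect_run(&d, &q)) {
        r.preemptions++;
        r.io_processed += process_io(&q, &d);
        if (r.preemptions == 1) { q.req[0] = IO_WRITE; q.req[1] = IO_OVERWRITE; q.n = 2; }
    }
    r.differing_bytes = d.st.diff;
    return r;
}
static size_t scenario_preemptions(void)     { return run_scenario().preemptions; }
static size_t scenario_io_processed(void)    { return run_scenario().io_processed; }
static size_t scenario_differing_bytes(void) { return run_scenario().differing_bytes; }
```

In the constructed scenario the detector yields twice: once at the first point (three queued requests are served, then detection resumes from the saved page and byte) and once at the second, where the overwrite request sets `ignore_points` so the third point is skipped and detection runs to completion, matching the FIG. 5 behaviour. To run the model stand-alone, add a `main` that prints the three `scenario_*` values.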
도 2는 본 발명의 일실시예에 따른 랜섬웨어 감지 방법을 설명하기 위한 도면이며, 도 3은 랜섬웨어 감지의 구체적인 실시예를 설명하기 위한 도면이다.2 is a diagram for explaining a ransomware detection method according to an embodiment of the present invention, and FIG. 3 is a diagram for explaining a specific embodiment of ransomware detection.
도 2를 참조하면, 본 발명의 일실시예에 따른 SSD는 제1덮어쓰기가 요청된 파일에 대한 랜섬웨어 감지를 수행(S210)한다. SSD는 단계 S210에서 일실시예로서, 도 3과 같이 랜섬웨어 감지를 수행할 수 있다.Referring to FIG. 2 , the SSD according to an embodiment of the present invention detects ransomware on a file for which the first overwrite is requested ( S210 ). The SSD may perform ransomware detection as shown in FIG. 3 as an embodiment in step S210.
제1단계(S310)에서, SSD는 호스트로부터 전송되며, 제1덮어쓰기가 요청된 파일에 대한 제1데이터를 SSD의 디램에 저장한다. 그리고 제2단계(S320)에서 SSD는, 페이지에 저장되어 있으며, 제1덮어쓰기가 요청된 파일에 대한 제2데이터를 SSD의 디램에 저장한다. 여기서, 제1데이터는 덮어쓰기에 의해 제2데이터로부터 갱신되는 데이터로서, SSD는 제1데이터에 랜섬웨어가 포함되어 있는지를 감지한다.In a first step (S310), the SSD is transmitted from the host, and first data for the file for which the first overwrite is requested is stored in the DRAM of the SSD. And in the second step ( S320 ), the SSD stores second data for the file stored in the page and for which the first overwrite is requested in the DRAM of the SSD. Here, the first data is data updated from the second data by overwriting, and the SSD detects whether ransomware is included in the first data.
그리고 SSD는 제3단계(S330)에서, 제1 및 제2데이터의 유사도를 판단하고, 제4단계(S340)에서 제1데이터의 엔트로피를 계산한다. 여기서, 유사도는 이전 데이터인 제2데이터와 새로운 데이터인 제1데이터 사이의 바이트-레벨(byte-level)에서의 차이를 의미하며, 엔트로피는 섀넌 엔트로피(Shannon entropy)로서 새로운 데이터의 무질서도를 의미한다. SSD는 유사도가 제1임계값 이하이고, 무질서도가 제2임계값 이상인 경우, 제1데이터에 랜섬웨어가 포함된 것으로 판단할 수 있다. 랜섬웨어 감지를 위한 유사도와 엔트로피의 계산을 위한 방법은 공지된 다양한 알고리즘을 통해 수행될 수 있다.The SSD determines the similarity between the first and second data in a third step (S330), and calculates the entropy of the first data in a fourth step (S340). Here, the similarity refers to a difference in byte-level between the second data, which is the previous data, and the first data, which is the new data, and the entropy is the Shannon entropy, which refers to the disorder of the new data. do. The SSD may determine that the first data includes ransomware when the similarity is equal to or less than the first threshold and the disorder is greater than or equal to the second threshold. A method for calculating the similarity and entropy for detecting ransomware may be performed through various known algorithms.
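The decision rule of steps S330 and S340, as an added worked example in Python; this is not code from the patent or from the applicants, and an SSD controller would implement the same check in firmware over its DRAM buffers. The patent fixes neither the similarity measure nor the thresholds, so the following are assumptions: similarity is taken as the fraction of byte positions whose value is unchanged between the second data (old page contents) and the first data (new data from the host), entropy is Shannon entropy in bits per byte, and the thresholds 0.5 and 6.0 are illustrative. The sample page, the benign edit of it, and the SHAKE-256 stream standing in for ciphertext are constructed inputs.

```python
"""Similarity/entropy decision of FIG. 3, steps S330 and S340, modelled in Python."""
import hashlib
import math

SIMILARITY_THRESHOLD = 0.5   # first threshold (assumed, illustrative): at or below = "unrelated data"
ENTROPY_THRESHOLD = 6.0      # second threshold (assumed, illustrative), bits per byte


def byte_similarity(old: bytes, new: bytes) -> float:
    """Byte-level similarity: fraction of positions whose byte is unchanged
    between the second data (old) and the first data (new). Assumed measure."""
    if not old or not new:
        return 0.0
    equal = sum(1 for a, b in zip(old, new) if a == b)
    return equal / max(len(old), len(new))


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0 to 8)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def looks_like_ransomware(old: bytes, new: bytes) -> bool:
    """The patent's rule: similarity <= first threshold AND entropy >= second threshold."""
    return (byte_similarity(old, new) <= SIMILARITY_THRESHOLD
            and shannon_entropy(new) >= ENTROPY_THRESHOLD)


# Constructed inputs: one 4 KiB page of a text document (second data), a benign
# edit of it, and a SHAKE-256 stream standing in for an encrypting rewrite.
OLD_PAGE = (b"Quarterly report: revenue, costs and headcount by region.\n" * 80)[:4096]
BENIGN_EDIT = OLD_PAGE.replace(b"Quarterly", b"Annual   ")   # same length, 71 words changed
ENCRYPTED = hashlib.shake_256(b"constructed-seed").digest(len(OLD_PAGE))

if __name__ == "__main__":
    for label, new in (("benign edit", BENIGN_EDIT), ("encrypted rewrite", ENCRYPTED)):
        print(f"{label:18s} similarity={byte_similarity(OLD_PAGE, new):.3f} "
              f"entropy={shannon_entropy(new):.2f} bits/byte "
              f"flagged={looks_like_ransomware(OLD_PAGE, new)}")
```

A plain edit of a document leaves most bytes in place and keeps the low entropy of text, so neither condition fires; an encrypting rewrite fails the similarity test and pushes the entropy close to 8 bits per byte, so both fire. Because the rule is a conjunction, it has two blind spots a practitioner should keep in mind when tuning the thresholds: a legitimately high-entropy file (a compressed archive, an already-encrypted container) that is rewritten in full satisfies both conditions, and a ransomware that encrypts only part of each file can keep the similarity above the first threshold.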
Returning to FIG. 2, the SSD according to an embodiment of the present invention checks, while ransomware detection is in progress, whether an I/O request exists at at least one preset preemption point (S220). The SSD can determine whether an I/O request exists by inspecting the I/O requests accumulated in the request queue.
In one embodiment, a preemption point may be set between the first step (S310) and the second step (S320), and preemption points may be placed within the execution of the third step (S330) and the fourth step (S340). If preemption occurred while the first or second step (S310, S320) was in progress, the data would have to be stored in DRAM again from the beginning, so it is preferable not to preempt during the first and second steps. In contrast, even if preemption occurs during the third and fourth steps (S330, S340), ransomware detection can be resumed from the point at which it was suspended.
Here, the number of preemption points placed within the third and fourth steps (S330, S340) may be determined from the latency of the third and fourth steps and from the overhead of checking for I/O requests; in one embodiment it is computed, as in [Equation 1], to be proportional to the latency and inversely proportional to the overhead. The latency and the overhead may be taken as the time required to perform the third and fourth steps and the time required to check for an I/O request, respectively, and may be determined experimentally.
[Equation 1] (Figure PCTKR2021004614-appb-img-000001; the equation is given only as an image and is not reproduced in the text)
The number of preemption points for the third and fourth steps (S330, S340) may be determined as an integer not exceeding the value of [Equation 1], and when the value of [Equation 1] is less than 1 the number of preemption points may be set to 1. For example, if the number of preemption points is determined to be 2, preemption may take place twice during the third and fourth steps.
The positions of the preemption points within the third and fourth steps (S330, S340) may be determined in various ways, and may be positions in time or positions in the data. For example, a preemption point may be placed at a preset time after ransomware detection started, or at the point corresponding to a given fraction of the total size of the data subject to ransomware detection.
As one example, the positions of the preemption points may be chosen so that ransomware detection runs for a uniform length of time before and after each preemption, or may be determined according to the size of the first and second data. The larger the first and second data, the larger the interval between preemption points may be.
The SSD according to an embodiment of the present invention then processes the I/O request according to the result of the check (S230). If an I/O request exists, the SSD suspends ransomware detection and processes the I/O request first; if no I/O request exists, it continues ransomware detection.
When an I/O request has been processed while ransomware detection was suspended, the SSD may resume ransomware detection using the ransomware detection information; the method of resuming ransomware detection is described in detail with reference to FIG. 4.
FIG. 4 is a diagram for explaining a ransomware detection method according to another embodiment of the present invention.
Referring to FIG. 4, the SSD according to an embodiment of the present invention performs ransomware detection on a file for which an overwrite has been requested (S410).
Then, at at least one preset preemption point, the SSD stores ransomware detection information indicating the state of the ransomware detection performed up to that preemption point, and processes the I/O request (S420). The ransomware detection information is used to resume ransomware detection, as described below.
After the I/O request has been processed, the SSD according to an embodiment of the present invention resumes ransomware detection using the ransomware detection information (S430).
In one embodiment, the ransomware detection information includes the number of the page at which ransomware detection was suspended at the preemption point, and offset information indicating how many bytes of that page had been examined up to the preemption point. It may further include which of the third and fourth steps (S330, S340) was in progress when detection was suspended by the preemption.
Using this ransomware detection information, the SSD according to an embodiment of the present invention can resume ransomware detection in the step at which it was suspended, at the page with the recorded page number, starting from the data immediately following the byte indicated by the offset information.
FIG. 5 is a diagram showing an example of a ransomware detection process performed in an SSD according to an embodiment of the present invention. FIG. 5 shows an embodiment with two preemption points; in FIG. 5, OW denotes an overwrite, R a read, W a write, and D ransomware detection.
As shown in FIG. 5, when a first overwrite (OW1) is requested of the SSD, the SSD performs ransomware detection (D1_1) on the file for which the first overwrite (OW1) was requested. The SSD then performs the I/O requests (R, R, W) found at the first preemption point 511.
At this point, if one of the I/O requests is a second overwrite (OW2) request, the SSD resumes ransomware detection (D1_2) regardless of the number of remaining preemption points and runs it to completion. That is, in the embodiment of FIG. 5 one preemption point remains, but the SSD does not check for I/O requests at that remaining preemption point; it resumes and completes ransomware detection. Once ransomware detection is complete, the overwrite of the file for which the first overwrite (OW1) was requested is processed.
If a new ransomware detection were started for the file for which the second overwrite (OW2) was requested, the ransomware detection for the file of the first overwrite (OW1) could not be completed, and as a consequence garbage collection (GC) could not be performed either. Therefore, when an I/O request present at a preemption point is an overwrite request, the SSD according to an embodiment of the present invention ignores the remaining preemption points and resumes the suspended ransomware detection so as to complete it.
After ransomware detection for the file of the first overwrite (OW1) is complete, the SSD according to an embodiment of the present invention starts ransomware detection (D2_1) for the file of the second overwrite (OW2). It then performs the I/O requests (R, W, R) found at the first preemption point 521 and resumes ransomware detection (D2_2). It then performs the I/O requests (W, R, W) found at the second preemption point 522 and completes ransomware detection (D2_3).
Thus, according to an embodiment of the present invention, even if a new overwrite request arrives during ransomware detection, the ransomware detection for the earlier overwrite request is not delayed, and the problem of garbage collection being blocked is resolved.
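The preemption and resume procedure of FIG. 2, FIG. 4 and FIG. 5, together with the preemption-point count described for [Equation 1] and the overwrite rule of FIG. 5, as an added Python model; this is not the patent's or the applicants' controller firmware. Assumptions the patent leaves open: 4 KiB pages, detection advancing in 512-byte units and consulting the request queue only at a preemption point, preemption points spaced so that an equal amount of detection work is done between them (one of the placements the description allows), similarity taken as the fraction of unchanged bytes, Shannon entropy in bits per byte, illustrative thresholds of 0.5 and 6.0, and a second overwrite being queued for its own detection after the first completes. The page contents, the request queue and the SHAKE-256 stream standing in for ciphertext are constructed.

```python
"""Model of preemptive, resumable ransomware detection (FIG. 2, FIG. 4, FIG. 5)."""
import hashlib
import math
from collections import deque
from dataclasses import dataclass, field, replace

PAGE_SIZE = 4096              # assumption: 4 KiB pages
CHUNK = 512                   # assumption: detection work done between preemption checks
SIMILARITY_THRESHOLD = 0.5    # illustrative first threshold
ENTROPY_THRESHOLD = 6.0       # illustrative second threshold, bits per byte


def preemption_point_count(latency: float, overhead: float) -> int:
    """Integer not exceeding latency/overhead (proportional to the latency of
    S330/S340, inversely proportional to the request-check overhead), at least 1."""
    return max(1, int(latency // overhead))


def preemption_offsets(total_work: int, count: int) -> list:
    """Positions, in bytes of detection work, that split the work into equal slices
    so that detection runs for a uniform amount between preemptions (assumed placement)."""
    step = total_work / (count + 1)
    return [int(step * i) for i in range(1, count + 1)]


@dataclass
class DetectionInfo:
    """Ransomware detection information saved at a preemption point (FIG. 4, claim 7)."""
    stage: int = 3         # 3 = similarity (S330), 4 = entropy (S340)
    page: int = 0          # page number at which detection stopped
    offset: int = 0        # bytes of that page already examined
    equal_bytes: int = 0   # running count of unchanged bytes (similarity)
    histogram: list = field(default_factory=lambda: [0] * 256)  # byte counts (entropy)


class Controller:
    def __init__(self, latency_ms: float, overhead_ms: float):
        self.latency, self.overhead = latency_ms, overhead_ms
        self.queue = deque()            # host requests: ("R", lba), ("W", lba), ("OW", lba)
        self.deferred_overwrites = []   # overwrites whose own detection waits (FIG. 5, OW2)
        self.log = []                   # ordered record of what the controller did

    def _serve_queue(self) -> bool:
        """Process queued I/O at a preemption point; True if an overwrite was among it."""
        saw_overwrite = False
        while self.queue:
            op, lba = self.queue.popleft()
            if op == "OW":
                self.deferred_overwrites.append(lba)
                saw_overwrite = True
            else:
                self.log.append(("io", op, lba))
        return saw_overwrite

    def detect(self, old_pages: list, new_pages: list) -> bool:
        """Run S330 then S340 over all pages, preempting at the computed points."""
        n_pages = len(new_pages)
        total_work = 2 * n_pages * PAGE_SIZE   # both stages touch every byte once
        points = preemption_offsets(total_work,
                                    preemption_point_count(self.latency, self.overhead))
        info, done, ignore_points = DetectionInfo(), 0, False
        while True:
            old, new = old_pages[info.page], new_pages[info.page]
            end = min(info.offset + CHUNK, PAGE_SIZE)
            if info.stage == 3:
                info.equal_bytes += sum(a == b for a, b in
                                        zip(old[info.offset:end], new[info.offset:end]))
            else:
                for b in new[info.offset:end]:
                    info.histogram[b] += 1
            done += end - info.offset
            info.offset = end
            if info.offset == PAGE_SIZE:        # page finished: next page, then next stage
                info.offset, info.page = 0, info.page + 1
                if info.page == n_pages:
                    if info.stage == 4:
                        break
                    info.stage, info.page = 4, 0
            if not ignore_points and points and done >= points[0]:
                points.pop(0)
                saved = replace(info, histogram=list(info.histogram))   # store detection info
                self.log.append(("preempt", saved.stage, saved.page, saved.offset))
                if self._serve_queue():          # an overwrite arrived: skip remaining points
                    ignore_points = True
                info = saved                     # resume right after the saved page/offset
        total = n_pages * PAGE_SIZE
        similarity = info.equal_bytes / total
        entropy = -sum(c / total * math.log2(c / total) for c in info.histogram if c)
        flagged = similarity <= SIMILARITY_THRESHOLD and entropy >= ENTROPY_THRESHOLD
        self.log.append(("result", flagged))
        return flagged


# Constructed sample: two text pages of a file (second data) and an "encrypted"
# rewrite of them (first data), a SHAKE-256 stream standing in for ciphertext.
OLD_PAGES = [(b"Invoice %d: amount due on receipt.\n" % i * 200)[:PAGE_SIZE] for i in (1, 2)]
ENCRYPTED_PAGES = [hashlib.shake_256(b"constructed-page-%d" % i).digest(PAGE_SIZE) for i in (1, 2)]

if __name__ == "__main__":
    ssd = Controller(latency_ms=30.0, overhead_ms=2.0)   # 15 preemption points
    ssd.queue.extend([("R", 10), ("R", 11), ("W", 12), ("OW", 99)])
    print("ransomware:", ssd.detect(OLD_PAGES, ENCRYPTED_PAGES))
    print("preemptions:", sum(e[0] == "preempt" for e in ssd.log),
          "deferred overwrites:", ssd.deferred_overwrites)
```

The saved DetectionInfo carries what claim 7 enumerates (the step, the page number and the byte offset) plus the partial similarity count and byte histogram; the counters are what make the third and fourth steps restartable at all, since without them a resumed computation would have to start from the first byte again, which is exactly why the description forbids preemption during S310 and S320. With an overwrite in the queue the run above is preempted once and then driven to completion; with only reads and writes queued it is preempted at every one of the 15 computed points.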
FIG. 6 is a diagram for explaining the effect of a ransomware detection method according to an embodiment of the present invention.
FIG. 6(a) shows, as a cumulative distribution function (CDF), the foreground I/O response time in an Erebus ransomware environment for an SSD that does not detect ransomware (original SSD), an SSD that detects ransomware without preemption (inline detection SSD), and an SSD that uses 50 preemption points according to an embodiment of the present invention (preemptive detection SSD). FIG. 6(b) shows the detection time when, on a new overwrite request, ransomware detection is resumed regardless of the number of remaining preemption points according to an embodiment of the present invention.
Referring to FIG. 6(a), the average I/O response time when ransomware is detected without preemption is 622.6 ms, 26.3 times the average I/O response time of 23.7 ms when no ransomware detection is performed; without preemption the I/O delay is therefore very severe. In contrast, according to an embodiment of the present invention the average I/O response time is 26.4 ms, which does not differ significantly from the case without ransomware detection.
Also, referring to FIG. 6(b), 99% of all detection jobs complete within about 16 ms, and detection is not delayed by new overwrite requests.
The technical content described above may be implemented in the form of program instructions executable by various computer means and recorded on a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures and the like, alone or in combination. The program instructions recorded on the medium may be specially designed and constructed for the embodiments, or may be known to and usable by those skilled in computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks and magnetic tape; optical media such as CD-ROM and DVD; magneto-optical media such as floptical disks; and hardware devices specially configured to store and execute program instructions, such as ROM, RAM and flash memory. Examples of program instructions include not only machine code such as that produced by a compiler, but also high-level language code that can be executed by a computer using an interpreter or the like. A hardware device may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.
Although the present invention has been described above with reference to specific details such as particular components, limited embodiments and drawings, these are provided only to aid a more general understanding of the invention; the invention is not limited to the above embodiments, and those of ordinary skill in the field to which the invention belongs can make various modifications and variations from this description. Therefore, the spirit of the invention should not be confined to the described embodiments, and not only the following claims but all equivalents and equivalent modifications of those claims fall within the scope of the invention.

Claims (12)

  1. A ransomware detection method for an SSD, comprising:
    performing ransomware detection on a file for which a first overwrite has been requested;
    checking, while the ransomware detection is being performed, whether an I/O request exists at at least one preset preemption point; and
    processing the I/O request according to the result of the check.
  2. The method of claim 1, wherein performing the ransomware detection comprises:
    a first step of storing, in a DRAM of the SSD, first data for the file transmitted from a host;
    a second step of storing, in the DRAM, second data for the file stored in a page;
    a third step of determining a similarity between the first and second data; and
    a fourth step of calculating a degree of disorder of the first data.
  3. The method of claim 2, wherein the preemption point is
    a point set between the first step and the second step.
  4. The method of claim 2, wherein the preemption point is
    a point within the execution of the third step and the fourth step.
  5. The method of claim 4, wherein the number of preemption points preset in the third step and the fourth step is
    determined from the latency of the third step and the fourth step and from the overhead of checking for the I/O request.
  6. The method of claim 1, further comprising the step of resuming the ransomware detection, wherein the resuming step
    resumes the ransomware detection, after the I/O request has been processed, using ransomware detection information indicating the state of the ransomware detection performed up to the preemption point.
  7. The method of claim 6, wherein the ransomware detection information includes
    the number of the page at which the ransomware detection was suspended at the preemption point, which of the third and fourth steps the ransomware detection was suspended in, and offset information indicating the bytes of the page at which the ransomware detection was suspended that were examined up to the preemption point.
  8. The method of claim 6, wherein the step of resuming the ransomware detection
    resumes and completes the ransomware detection regardless of the number of remaining preemption points when the I/O request is a second overwrite request.
  9. The method of claim 8, further comprising
    performing ransomware detection on the file for which the second overwrite was requested after the ransomware detection on the file for which the first overwrite was requested has been completed.
  10. A ransomware detection method for an SSD, comprising:
    performing ransomware detection on a file for which an overwrite has been requested;
    storing, at at least one preset preemption point, ransomware detection information indicating the state of the ransomware detection performed up to the preemption point, and processing an I/O request; and
    resuming the ransomware detection, after the I/O request has been processed, using the ransomware detection information.
  11. The method of claim 10, wherein the ransomware detection information includes
    the number of the page at which the ransomware detection was suspended at the preemption point, and offset information indicating the bytes of that page that were examined up to the preemption point.
  12. An SSD controller comprising:
    a ransomware detection unit that performs ransomware detection on a file for which an overwrite has been requested; and
    an I/O request processing unit that, while the ransomware detection is being performed, checks whether an I/O request exists at at least one preset preemption point and processes the I/O request,
    wherein the ransomware detection unit resumes the ransomware detection after the I/O request has been performed.
PCT/KR2021/004614 2021-04-09 2021-04-13 Method and controller for detecting ransomware in ssd WO2022215783A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2021-0046644 2021-04-09
KR1020210046644A KR102459879B1 (en) 2021-04-09 2021-04-09 Ransomware detection method and controller for ssd

Publications (1)

Publication Number Publication Date
WO2022215783A1 (en) 2022-10-13

Family

ID=83545427

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2021/004614 WO2022215783A1 (en) 2021-04-09 2021-04-13 Method and controller for detecting ransomware in ssd

Country Status (2)

Country Link
KR (1) KR102459879B1 (en)
WO (1) WO2022215783A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180113638A1 (en) * 2016-10-26 2018-04-26 Lenovo Enterprise Solutions (Singapore) Pte. Ltd. Securing a media storage device using write restriction mechanisms
US10078459B1 (en) * 2016-09-26 2018-09-18 EMC IP Holding Company LLC Ransomware detection using I/O patterns
KR102105885B1 (en) * 2018-11-30 2020-05-04 주식회사 심플한 Detection method and system of ransomeware

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US8819328B2 (en) * 2010-12-30 2014-08-26 Sandisk Technologies Inc. Controller and method for performing background operations

Non-Patent Citations (2)

Title
PARK JIYUN, DONGHYUN MIN , JUNGHEE LEE , YOUNGJAE KIM: "Reducing Foreground I/O Latency via Preemptive Ransomware Detection on Ransomware Attack Tolerant SSD", KOREAN INSTITUTE OF INFORMATION SCIENTISTS AND ENGINEERS, 21 December 2020 (2020-12-21), pages 1019 - 1021, XP055976285 *
PARK JI-YUN: "Reducing Foreground I/O Latency via Preemptive Ransomware Detection on Ransomware Attack Tolerant SSD", MASTER, 21 December 2021 (2021-12-21), pages 1 - 51, XP055976295 *

Also Published As

Publication number Publication date
KR20220140305A (en) 2022-10-18
KR102459879B1 (en) 2022-10-27

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21936128

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21936128

Country of ref document: EP

Kind code of ref document: A1