WO2022215783A1 - Method and control device for detecting ransomware in an SSD - Google Patents


Info

Publication number
WO2022215783A1
Authority
WO
WIPO (PCT)
Prior art keywords
ransomware
ransomware detection
detection
ssd
request
Prior art date
Application number
PCT/KR2021/004614
Other languages
English (en)
Korean (ko)
Inventor
김영재
박지윤
박성순
민동현
김경표
Original Assignee
(주)글루시스
서강대학교산학협력단
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by (주)글루시스, 서강대학교산학협력단
Publication of WO2022215783A1

Classifications

    • H ELECTRICITY
      • H01 ELECTRIC ELEMENTS
        • H01L SEMICONDUCTOR DEVICES NOT COVERED BY CLASS H10
          • H01L21/00 Processes or apparatus adapted for the manufacture or treatment of semiconductor or solid state devices or of parts thereof
            • H01L21/02 Manufacture or treatment of semiconductor devices or of parts thereof
              • H01L21/04 Manufacture or treatment of semiconductor devices or of parts thereof the devices having potential barriers, e.g. a PN junction, depletion layer or carrier concentration layer
                • H01L21/50 Assembly of semiconductor devices using processes or apparatus not provided for in a single one of the subgroups H01L21/06 - H01L21/326, e.g. sealing of a cap to a base of a container
                  • H01L21/56 Encapsulations, e.g. encapsulation layers, coatings
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
              • G06F21/55 Detecting local intrusion or implementing counter-measures
                • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
                • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
                • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
          • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity

Definitions

  • the present invention relates to a method and a controller for detecting ransomware, and more particularly, to a method for detecting ransomware performed on an SSD and a controller of an SSD for detecting the ransomware.
  • backup technology at the SSD (Solid State Drive) storage layer is space-efficient and remains safe even if the OS is damaged.
  • backup technology on an SSD does not require explicit space for backups, because it simply keeps the data pages that are invalidated by an overwrite where they already are on the SSD, instead of making a separate backup copy.
  • SSD firmware is separate from the OS. Therefore, even if the host OS is compromised by privileged ransomware, the copy can be kept safe.
  • to defend against ransomware attacks, the SSD performs ransomware detection, which checks whether ransomware is included in the data requested to be overwritten whenever a page overwrite request occurs. Because this detection runs on every input/output (I/O) request and therefore increases I/O latency, SSDs equipped with DMA (Direct Memory Access) hardware accelerators are being studied. However, since such DMA hardware requires additional technology and cost, a ransomware detection method is needed that reduces I/O latency while still running at the firmware level.
  • I/O denotes input/output.
  • An object of the present invention is to provide a ransomware detection method and an SSD controller capable of reducing a delay time of foreground input/output.
  • performing ransomware detection on a file for which a first overwrite is requested; checking whether an I/O request exists at at least one preset preemption point while the ransomware detection is being performed; and processing the I/O request according to the check result.
  • the method comprising: performing ransomware detection on a file for which an overwrite is requested; at at least one preset preemption point, storing ransomware detection information indicating the state of the ransomware detection performed up to that preemption point, and processing an I/O request; and resuming the ransomware detection using the ransomware detection information after the I/O request has been processed.
  • an SSD controller is provided comprising: a ransomware detection unit for detecting ransomware in the file requested to be overwritten; and an I/O request processing unit configured to check whether an I/O request exists at at least one preset preemption point while the ransomware detection is being performed and to process that I/O request, wherein the ransomware detection unit resumes the ransomware detection after the I/O request has been processed.
  • an input/output delay time may be reduced by preferentially processing an input/output request at each preset preemption point during ransomware detection.
  • the delay caused by ransomware detection on an existing overwrite request can be prevented, and the problem that garbage collection is not performed can be solved.
  • FIG. 1 is a diagram for explaining a controller of an SSD according to an embodiment of the present invention.
  • FIG. 2 is a diagram for explaining a ransomware detection method according to an embodiment of the present invention.
  • FIG. 3 is a diagram for explaining a specific embodiment of ransomware detection.
  • FIG. 4 is a diagram for explaining a ransomware detection method according to another embodiment of the present invention.
  • FIG. 5 is a diagram illustrating an example of a ransomware detection process performed in an SSD according to an embodiment of the present invention.
  • FIG. 6 is a diagram for explaining the effect of a ransomware detection method according to an embodiment of the present invention.
  • the detection of ransomware which is performed whenever a page overwrite request occurs, delays the processing time for the input/output request. This is because the input/output request including the overwrite request is processed after the ransomware detection of the file for which the overwrite request has occurred is completed.
  • the present invention proposes a ransomware detection method of an SSD that performs an input/output request while performing ransomware detection.
  • an input/output request is preferentially processed at each preset preemption point during ransomware detection.
  • preemption means stopping ransomware detection and preferentially processing input/output requests.
  • a preemption point means a point at which ransomware detection is stopped and input/output requests are performed.
  • FIG. 1 is a diagram for explaining a controller of an SSD according to an embodiment of the present invention.
  • the controller 110 of the SSD includes a ransomware detection unit 111 and an I/O request processing unit 113.
  • the ransomware detection unit 111 detects ransomware in the file requested to be overwritten.
  • Ransomware detection may be performed through various detection algorithms, and as an embodiment, may be performed through calculation of similarity and entropy.
  • the I/O request processing unit 113 processes the I/O request by checking whether an I/O request exists at at least one preset preemption point while the ransomware detection is being performed.
  • when the I/O request is a read request, data stored in the NAND flash 120 is transmitted to the host; when the I/O request is a write request, data transmitted from the host is stored in the NAND flash 120.
  • the DRAM 130 serves as a cache.
  • FIG. 2 is a diagram for explaining a ransomware detection method according to an embodiment of the present invention.
  • FIG. 3 is a diagram for explaining a specific embodiment of ransomware detection.
  • the SSD detects ransomware on a file for which the first overwrite is requested ( S210 ).
  • the SSD may perform ransomware detection as shown in FIG. 3 as an embodiment in step S210.
  • in a first step (S310), first data for the file for which the first overwrite is requested, transmitted from the host, is stored in the DRAM of the SSD.
  • in a second step (S320), the SSD stores second data, that is, the data of the file for which the first overwrite is requested as currently stored in the page, in the DRAM of the SSD.
  • the first data is the data updated from the second data by the overwrite, and the SSD detects whether ransomware is included in the first data.
  • the SSD checks whether an I/O request exists at at least one preset preemption point during ransomware detection ( S220 ).
  • the SSD can check whether an I/O request exists by checking the I/O request accumulated in the request queue.
  • the preemption point may be set between the first step (S310) and the second step (S320) as an embodiment, and may also be a point within the third step (S330) and the fourth step (S340). If preemption occurs while the first and second steps S310 and S320 are being performed, the data must be stored in DRAM again from the beginning, so it is preferable not to preempt during the first and second steps. On the other hand, even if preemption occurs during the third and fourth steps S330 and S340, the ransomware detection can be resumed from the point where it was stopped.
  • the number of preemption points included in the third and fourth steps may be determined from the latency of the third and fourth steps (S330 and S340) and the overhead of checking for an I/O request; as an example, [Equation 1] calculates it to be proportional to the latency and inversely proportional to the overhead.
  • the time required to perform the third and fourth steps (S330 and S340) and the time taken to check for an I/O request may be taken as the latency and the overhead, respectively, and may be determined experimentally.
  • the number of preemption points for the third and fourth steps S330 and S340 may be determined as an integer not exceeding the result of [Equation 1], and if that result is less than 1, the number of preemption points may be set to 1. For example, if the number of preemption points is determined to be 2, preemption may be performed twice while the third and fourth steps S330 and S340 are performed.
  • the positions of the preemption points for the third and fourth steps S330 and S340 may be determined in various ways, and may be positions in time or in the data.
  • the location of a preemption point may be set as a point a preset time after the ransomware detection starts, or as a point corresponding to some fraction of the total size of the data to be inspected for ransomware.
  • the locations of the preemption points may be set so that ransomware detection runs for a uniform time before and after each preemption, or may be determined according to the size of the first and second data: as the size of the first and second data increases, the interval between preemption points may increase.
  • the SSD processes the I/O request according to the check result (S230). If there is an I/O request, the SSD stops the ransomware detection and preferentially processes the I/O request; if there is no I/O request, the SSD continues the ransomware detection.
  • the SSD may then resume the ransomware detection using the ransomware detection information; the method of resuming the ransomware detection is described in detail with reference to FIG. 4.
  • FIG. 4 is a diagram for explaining a ransomware detection method according to another embodiment of the present invention.
  • the SSD detects ransomware on a file requested to be overwritten ( S410 ).
  • ransomware detection information indicating the state of ransomware detection performed up to the preemption point is stored, and an I/O request is processed ( S420 ).
  • the ransomware detection information is used to resume detection of ransomware, which will be described later.
  • the SSD according to an embodiment of the present invention resumes detection of ransomware using ransomware detection information (S430).
  • the ransomware detection information includes, as an embodiment, offset information indicating the number of the page at which the ransomware detection was stopped at the preemption point, and byte information indicating how far within that page the detection had been performed up to the preemption point.
  • information on which of the third and fourth steps (S330 and S340) the ransomware detection was in when it was stopped by preemption may be further included.
  • using this ransomware detection information, the SSD according to an embodiment of the present invention resumes the ransomware detection, in the step at which it was stopped, from the data following the byte indicated by the offset information in the page corresponding to the stored page number.
  • FIG. 5 is a diagram illustrating an example of a ransomware detection process performed in an SSD according to an embodiment of the present invention. FIG. 5 shows an embodiment in which there are two preemption points.
  • in FIG. 5, OW denotes overwrite, R denotes read, W denotes write, and D denotes ransomware detection.
  • in the embodiment of FIG. 5, when an overwrite request is found at the first preemption point during the detection for the first overwrite (OW1), the SSD resumes the ransomware detection (D1_2) regardless of the remaining number of preemption points in order to complete it. That is, one preemption point remains, but the SSD does not check for I/O requests at that point and instead restarts and completes the ransomware detection. When the detection is completed, the overwrite of the file for which the first overwrite (OW1) was requested is processed.
  • in other words, when the I/O request present at a preemption point is an overwrite request, the SSD according to an embodiment of the present invention ignores the remaining preemption points and resumes the stopped ransomware detection to complete it.
  • next, the ransomware detection (D2_1) for the file for which the second overwrite (OW2) is requested starts. Then the I/O requests (R, W, R) found at the first preemption point 521 are performed, and the ransomware detection (D2_2) is resumed. Thereafter, the I/O requests (W, R, W) found at the second preemption point 522 are performed, and the ransomware detection (D2_3) is completed.
  • FIG. 6 is a diagram for explaining the effect of a ransomware detection method according to an embodiment of the present invention.
  • FIG. 6(a) shows, in the form of a cumulative distribution function (CDF), the foreground I/O response time in an Erebus ransomware environment for an SSD that does not detect ransomware (original SSD), an inline detection SSD that detects ransomware without using preemption, and a preemptive detection SSD according to an embodiment of the present invention that uses 50 preemption points. FIG. 6(b) shows the detection time when, according to an embodiment of the present invention, the ransomware detection is resumed regardless of the remaining number of preemption points because a new overwrite request has occurred.
  • the average I/O response time when detecting ransomware without preemption is 622.6 ms, while the average I/O response time without ransomware detection is 23.7 ms, a difference of 26.3 times, which shows that the I/O delay is very serious when preemption is not used.
  • with preemptive detection according to an embodiment of the present invention, the average I/O response time is 26.4 ms, which shows no significant difference from the case where ransomware is not detected.
  • the technical contents described above may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer-readable medium.
  • the computer-readable medium may include program instructions, data files, data structures, etc. alone or in combination.
  • the program instructions recorded on the medium may be specially designed and configured for the embodiments, or may be known and available to those skilled in the art of computer software.
  • Examples of the computer-readable recording medium include magnetic media such as hard disks, floppy disks and magnetic tapes, optical media such as CD-ROMs and DVDs, magneto-optical media such as floptical disks, and hardware devices specially configured to store and execute program instructions, such as ROM, RAM and flash memory.
  • Examples of program instructions include not only machine language codes such as those generated by a compiler, but also high-level language codes that can be executed by a computer using an interpreter or the like.
  • a hardware device may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.
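As an added example (not code from the patent or its applicants), the Python simulation below walks through the preemptive scheme described above: detection as per-page work for the third and fourth steps, the preemption-point count derived from latency and overhead, the stored (step, page number, byte offset) state used to resume, and the FIG. 5 rule that an overwrite request found at a preemption point cancels the remaining points. The page size, the entropy and similarity scoring, the verdict thresholds and the sample data are assumptions.

```python
"""Preemptive ransomware detection at SSD preemption points (simulation).

Added illustration, not code from the patent or its applicants.  Assumed: page
size, the entropy/similarity scoring used as steps S330/S340, the verdict
thresholds and the sample data.  From the description: the preemption-point
count rule, data-based point positions, the stored state (step, page number,
byte offset) used to resume, and an overwrite request cancelling further points.
"""
from collections import Counter, deque
import math

PAGE = 64  # bytes per page (assumed, small so the trace stays readable)

# Constructed sample data: a stored text file, a byte permutation of 0..255
# standing in for ciphertext written over it, and a small benign edit of it.
OLD = (b"Quarterly report, Q1 figures attached. " * 7)[:256]
ENCRYPTED = bytes((i * 167 + 13) % 256 for i in range(256))
BENIGN = OLD[:10] + b"2021" + OLD[14:]


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of one page (assumed to be step S330)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def similarity(new: bytes, old: bytes) -> float:
    """Fraction of byte positions the overwrite leaves unchanged (assumed step S340)."""
    return sum(a == b for a, b in zip(new, old)) / len(new)


def preemption_count(latency_ms: float, overhead_ms: float) -> int:
    """Largest integer not exceeding latency / overhead, and at least 1."""
    return max(1, int(latency_ms // overhead_ms))


def detect_preemptively(first, second, queue, n_points, log):
    """Detect ransomware in `first` overwriting `second`, serving pending host I/O
    at preemption points and resuming from the stored (step, page, byte) state.
    An overwrite request stays queued for its own run and cancels further points."""
    pages = [(first[i:i + PAGE], second[i:i + PAGE]) for i in range(0, len(first), PAGE)]
    work = [(step, p) for step in (3, 4) for p in range(len(pages))]
    points = {len(work) * k // (n_points + 1) for k in range(1, n_points + 1)}
    ent, sim, ignore_rest = [], [], False
    state = (3, 0, 0)  # step, page number, byte offset
    idx = (state[0] - 3) * len(pages) + state[1]
    while idx < len(work):
        step, p = work[idx]
        if idx in points and not ignore_rest and queue:
            state = (step, p, 0)  # stops fall on page boundaries here, so byte offset is 0
            log.append(("stop", state))
            for req in [r for r in queue if r[0] != "OW"]:
                queue.remove(req)
                log.append(("io", req))
            if any(r[0] == "OW" for r in queue):
                ignore_rest = True  # finish without further stops, then serve the overwrite
            log.append(("resume", state))
            idx = (state[0] - 3) * len(pages) + state[1]
            step, p = work[idx]
        new, old = pages[p]
        if step == 3:
            ent.append(entropy(new))
        else:
            sim.append(similarity(new, old))
        idx += 1
    avg_ent, avg_sim = sum(ent) / len(ent), sum(sim) / len(sim)
    # assumed verdict: high-entropy data that shares almost nothing with the old pages
    return avg_ent > 5.0 and avg_sim < 0.1


def run_trace():
    """OW1 (ENCRYPTED over OLD) runs while a read, a write and OW2 are queued."""
    log = []
    n = preemption_count(latency_ms=1.2, overhead_ms=0.5)  # two preemption points
    queue = deque([("R", 7), ("W", 9), ("OW", 2, BENIGN)])
    verdict1 = detect_preemptively(ENCRYPTED, OLD, queue, n, log)
    ow2 = queue.popleft()  # OW1's detection completed; the deferred OW2 gets its own run
    verdict2 = detect_preemptively(ow2[2], OLD, queue, n, log)
    return verdict1, verdict2, log
```

The returned log shows one stop at the first preemption point (step 3, page 2), the read and write served there, and no stop at the second point because an overwrite was pending.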

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Power Engineering (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Manufacturing & Machinery (AREA)
  • Condensed Matter Physics & Semiconductors (AREA)
  • Debugging And Monitoring (AREA)

Abstract

Disclosed are a ransomware detection method and an SSD controller that can reduce the foreground input/output delay time. The ransomware detection method of an SSD comprises the steps of: performing ransomware detection on a file for which a first overwrite is requested; checking whether there is an I/O request at one or more preset preemption points while the ransomware detection is being performed; and processing the I/O request according to the result of the check.
PCT/KR2021/004614 2021-04-09 2021-04-13 Method and control device for detecting ransomware in an SSD WO2022215783A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2021-0046644 2021-04-09
KR1020210046644A KR102459879B1 (ko) 2021-04-09 2021-04-09 Ransomware detection method and controller for SSD

Publications (1)

Publication Number Publication Date
WO2022215783A1 true WO2022215783A1 (fr) 2022-10-13

Family

ID=83545427

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2021/004614 WO2022215783A1 (fr) 2021-04-09 2021-04-13 Method and control device for detecting ransomware in an SSD

Country Status (2)

Country Link
KR (1) KR102459879B1 (fr)
WO (1) WO2022215783A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180113638A1 (en) * 2016-10-26 2018-04-26 Lenovo Enterprise Solutions (Singapore) Pte. Ltd. Securing a media storage device using write restriction mechanisms
US10078459B1 (en) * 2016-09-26 2018-09-18 EMC IP Holding Company LLC Ransomware detection using I/O patterns
KR102105885B1 (ko) * 2018-11-30 2020-05-04 주식회사 심플한 Ransomware detection method and ransomware detection system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8819328B2 (en) * 2010-12-30 2014-08-26 Sandisk Technologies Inc. Controller and method for performing background operations

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
PARK JIYUN, DONGHYUN MIN , JUNGHEE LEE , YOUNGJAE KIM: "Reducing Foreground I/O Latency via Preemptive Ransomware Detection on Ransomware Attack Tolerant SSD", KOREAN INSTITUTE OF INFORMATION SCIENTISTS AND ENGINEERS, 21 December 2020 (2020-12-21), pages 1019 - 1021, XP055976285 *
PARK JI-YUN: "Reducing Foreground I/O Latency via Preemptive Ransomware Detection on Ransomware Attack Tolerant SSD", MASTER, 21 December 2021 (2021-12-21), pages 1 - 51, XP055976295 *

Also Published As

Publication number Publication date
KR102459879B1 (ko) 2022-10-27
KR20220140305A (ko) 2022-10-18

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 21936128; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 21936128; Country of ref document: EP; Kind code of ref document: A1)