WO2024074195A1 - Method of protecting data during malware attack in a computing system - Google Patents

Info

Publication number
WO2024074195A1
Authority
WO
WIPO (PCT)
Prior art keywords
storage medium
identified
computing system
malware attack
ftl
Prior art date
Application number
PCT/EP2022/077582
Other languages
French (fr)
Inventor
Shahar SALZMAN
Assaf Natanzon
Original Assignee
Huawei Technologies Co., Ltd.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/79 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
    • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F12/02 Addressing or allocation; Relocation
    • G06F12/0223 User address space allocation, e.g. contiguous or non contiguous base addressing
    • G06F12/023 Free address space management
    • G06F12/0238 Memory management in non-volatile memory, e.g. resistive RAM or ferroelectric memory
    • G06F12/0246 Memory management in non-volatile memory, e.g. resistive RAM or ferroelectric memory in block erasable memory, e.g. flash memory
    • G06F12/14 Protection against unauthorised use of memory or access to memory
    • G06F12/1408 Protection against unauthorised use of memory or access to memory by using cryptography
    • G06F2212/00 Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
    • G06F2212/10 Providing a specific technical effect
    • G06F2212/1052 Security improvement
    • G06F2212/72 Details relating to flash memory management
    • G06F2212/7201 Logical to physical mapping or translation of blocks or pages
    • G06F2212/7205 Cleaning, compaction, garbage collection, erase control

Definitions

  • the method is used to identify the potential malware attack, raise alerts, and also protect the data during the malware attack in the computing system, such as by activating a malware mode. Moreover, the activation of the malware mode for a short duration of time prevents the computing system from slowing down and improves the overall efficiency of the system.
  • the method further comprises suspending garbage collection for block reclamation when operating in the malware mode.
  • the suspending of garbage collection when operating in the malware mode allows the restoration of the original data.
  • the method further comprises saving previous FTL pointers of data affected by the identified IO operation.
  • the saving of previous FTL pointers of the data affected by the identified IO operation is used to restore the previous data that is stored in the storage medium (i.e., the SSD) before encryption.
  • the method further comprises marking the blocks written by the IO operation in the designated block area for garbage collection for block reclamation.
  • the garbage collection for block reclamation is used to reuse the blocks for IO operations.
  • the method further comprises allocating a new designated block area in the storage medium while the previous blocks are reclaimed.
  • the allocation of the new designated block area in the storage medium is used for block reclamation so that the blocks can be reused again by the user to store data.
  • an IO operation is identified as a potential malware attack by monitoring the write bandwidth and/or entropy of the storage medium.
  • the high bandwidth and the high entropy raise alerts that include the identification of the potential malware attack.
  • the method further comprises notifying a user of the potential malware attack and returning to a normal mode when the identified IO operation is determined to be an operation initiated by the user.
  • notifying the user about the potential malware attack provides an opportunity for the user to review the IO operation and further decide if the IO operation is a potential malware attack or is initiated by the user.
  • a computing system comprising a storage medium, an input-output (I/O) interface and a processor configured to monitor input-output (IO) operations to the storage medium in the computing system to identify a potential malware attack.
  • the processor is further configured to activate a malware mode when an IO operation is identified as a potential malware attack and move the IO operation to a designated block area, separate from other blocks in the storage medium.
  • the processor is configured to restore flash translation layer (FTL) pointers for data affected by the identified IO operation and remove FTL pointers for the IO operation moved to the designated block area.
  • the computing system achieves all the advantages and technical effects of the method of the present disclosure.
  • FIG. 1 is a flowchart of a method of protecting data during a malware attack in a computing system, in accordance with an embodiment of the present disclosure
  • FIG. 2 is a block diagram of a computing system, in accordance with an embodiment of the present disclosure
  • FIG. 3 is an exemplary diagram that depicts a mapping operation in a storage medium with a flash translation layer, in accordance with an embodiment of the present disclosure
  • FIG. 4 is an exemplary diagram that depicts a mapping operation between a user document and a storage medium, in accordance with an embodiment of the present disclosure.
  • FIG. 5 is an exemplary diagram that depicts different operations for restoration of data, in accordance with an embodiment of the present disclosure.
  • an underlined number is employed to represent an item over which the underlined number is positioned or an item to which the underlined number is adjacent.
  • a non-underlined number relates to an item identified by a line linking the nonunderlined number to the item.
  • the non-underlined number is used to identify a general item at which the arrow is pointing.
  • FIG. 1 is a flowchart of a method of protecting data during a malware attack in a computing system, in accordance with an embodiment of the present disclosure. With reference to FIG. 1, there is shown a flowchart of a method 100 that includes steps 102 to 110.
  • the method 100 is used for protecting data during a malware attack in a computing system.
  • the malware corresponds to computer-executable code that is designed to destroy the data or to obstruct a user's access to the data, such as ransomware.
  • the ransomware installs itself in the computing system and attempts to map files that are important to the user.
  • the method 100 leverages the flash translation layer (FTL) to protect the data during the malware attack and to allow recovery of the data with minimal impact on normal input-output operations.
  • the method 100 comprises monitoring input-output (IO) operations of a storage medium in the computing system to identify a potential malware attack.
  • the storage medium may correspond to a solid-state drive (SSD).
  • the monitoring of the IO operations on the storage medium may facilitate raising an alert about the potential malware attack and further mitigate the risk of the malware attack.
  • the IO operation includes creating an encrypted copy of sensitive data in the storage medium.
  • the method 100 can be used to identify the potential malware attack on the sensitive data and to notify the user about such encryption.
  • the IO operation is identified as the potential malware attack by monitoring the write bandwidth and/or entropy of the storage medium.
  • the malware attack requires high write bandwidth to encrypt the mapped files that include the sensitive data in a short duration of time.
  • the IO operation is identified as the potential malware attack by monitoring the write bandwidth (e.g., a plurality of write operations) of the storage medium.
  • the malware attack requires high entropy to encrypt the mapped files that include the sensitive data in a short duration of time.
  • the IO operation is identified as the potential malware attack by monitoring the entropy (e.g., number of bits required for the transmission of the data) of the storage medium.
  • the malware attack requires high bandwidth and high entropy to encrypt the mapped files that include the sensitive data in a short duration of time.
  • the IO operation is identified as the potential malware attack by monitoring the write bandwidth and the entropy of the storage medium.
  • the high write bandwidth and/or the high entropy can be used to raise alerts that include the identification of the potential malware attack.
  • the method 100 further comprises activating a malware mode when the IO operation is identified as the potential malware attack.
  • the activation of the malware mode depends upon the IO operations, such as a read operation or a write operation on the storage medium that is identified as the potential malware attack.
  • the method 100 further comprises suspending garbage collection for block reclamation when operating in the malware mode.
  • a garbage collector is used for the garbage collection to manage physical locations that are overwritten by IO operations. Such garbage collection provides safe and balanced reuse of the different blocks of physical locations.
  • the method 100 comprises moving the IO operation to a designated block area, which is separate from other blocks in the storage medium.
  • a portion of the storage medium is allocated to the IO operation (e.g., data writes) that is identified as the potential malware attack.
  • the IO operation is moved to the designated block area, such as to handle the IO operations that are identified as the potential malware attack separately.
  • the identified IO operation is terminated when the designated block area in the storage medium is full.
  • the identified IO operation is terminated to prevent the designated block area from overflowing with the IO operations moved into it.
  • the method 100 further comprises marking the blocks written by the IO operation in the designated block area for garbage collection for block reclamation, such as through protocol commands (e.g., UNMAP commands).
  • the designated block area for the garbage collection for the block reclamation is used to maintain a balance in the use of the physical locations, by reusing the blocks that are marked as stale and cannot be used in the IO operations.
  • the garbage collection for block reclamation enables the blocks to be reused for IO operations.
  • the method 100 further comprises allocating a new designated block area in the storage medium while the previous blocks are reclaimed. In other words, the previous blocks are reclaimed, and the IO operation that is identified as the potential malware attack is now allocated to the new designated block area in the storage medium to separate such IO operation from the other blocks.
  • the method 100 further comprises notifying a user of the potential malware attack and returning to a normal mode when the identified IO operation is determined to be an operation initiated by the user. In other words, the notification of the potential malware attack provides an opportunity for the user to review the identified IO operation. If the identified IO operation is determined to be an operation initiated by the user, then the computing system is returned to the normal mode.
  • the method further comprises restoring flash translation layer (FTL) pointers for data affected by the identified IO operation.
  • the FTL pointers belong to a layer in a flash controller that is implemented to increase the longevity of the computing system, such as by wear levelling, facilitating error correction, and retiring physical locations that are prone to error.
  • the FTL pointers translate between the logical location of the data described by a storage protocol (such as logical block addressing, which is recognized by the application layer) and a physical address in the storage medium.
  • the protocol commands are used to restore the FTL pointers, such as previous pointers in the FTL, to restore the data that is affected by the identified IO operation.
  • the method 100 further comprises saving previous FTL pointers of the data affected by the identified IO operation.
  • the malware attack encrypts the file to a new file and further deletes the original file.
  • the physical data on the storage medium, such as the SSD, is not overwritten. Instead, the new data is written to a different location, and the mapping in the FTL pointers is changed. Therefore, by virtue of saving the previous FTL pointers of the data affected by the identified IO operation, the method 100 can be used to restore the previous data (e.g., the data before encryption) from the storage medium (i.e., the SSD). Thereafter, at step 110, the method 100 further comprises removing the FTL pointers for the IO operation moved to the designated block area.
  • the FTL pointers for the IO operation that are moved to the designated block area are removed to prevent the mapping of the encrypted file. Furthermore, the previous FTL pointers of the IO operation are saved to map the original file. This enables the computing system to restore the original file during the malware attack.
  • the method 100 is used to identify the potential malware attack, raise alerts and also protect the data during the malware attack in the computing system, such as by activating a malware mode. Moreover, the activation of the malware mode for a short duration of time prevents the computing system from slowing down and improves the overall efficiency of the system.
  • a computer-readable medium comprising instructions which, when executed by a computer, cause the computer to execute the method 100.
  • the instructions are implemented on computer-readable media which include, but are not limited to, Electrically Erasable Programmable Read-Only Memory (EEPROM), Random Access Memory (RAM), Read-Only Memory (ROM), Hard Disk Drive (HDD), Flash memory, a Secure Digital (SD) card, Solid-State Drive (SSD), a computer-readable storage medium, and/or CPU cache memory.
  • the instructions are generated by a computer program, which is implemented in view of the method 100, and for use in implementing the method 100 on the computer.
  • FIG. 2 is a block diagram of a computing system, in accordance with an embodiment of the present disclosure. With reference to FIG. 2 there is shown a block diagram 200 of a computing system 202.
  • the computing system 202 includes a storage medium 204, an input-output (I/O) interface 206, and a processor 208.
  • the computing system 202 may include suitable logic, circuitry, interfaces, and/or code that are configured to protect the data against a potential malware attack. Examples of implementation of the computing system 202 may include but are not limited to a computer, a personal digital assistant, a portable computing device, or an electronic device.
  • the storage medium 204 is configured to store the data.
  • the storage medium 204 is a solid-state drive (SSD), which is used to provide high-speed data transmission.
  • Examples of implementation of the storage medium 204 may also include, but are not limited to, Electrically Erasable Programmable Read-Only Memory (EEPROM), Dynamic Random-Access Memory (DRAM), Random Access Memory (RAM), Read-Only Memory (ROM), Hard Disk Drive (HDD), Flash memory, a Secure Digital (SD) card, and/or CPU cache memory.
  • the I/O interface 206 may include hardware or software that is configured to establish communication among the storage medium 204 and the processor 208 of the computing system 202. Examples of implementation of the I/O interface 206 may include but are not limited to a computer port, a network socket, a network interface controller (NIC), and any other I/O interface device, such as a keyboard, a mouse, a monitor and the like.
  • the processor 208 is configured to monitor the IO operations and further activate a malware mode when an IO operation is identified as a potential malware attack.
  • Examples of implementation of the processor 208 may include but are not limited to a central data processing device, a microprocessor, a microcontroller, a complex instruction set computing (CISC) processor, an application-specific integrated circuit (ASIC) processor, a reduced instruction set (RISC) processor, a very long instruction word (VLIW) processor, a state machine, and other processors or control circuitry.
  • the processor 208 is configured to monitor the IO operations of the storage medium 204 in the computing system 202 to identify the potential malware attack.
  • the storage medium 204 may correspond to a solid-state drive (SSD).
  • the monitoring of the IO operations on the storage medium 204 facilitates raising an alert about the potential malware attack and further mitigates the risk of the malware attack.
  • the processor 208 is configured to activate a malware mode when the IO operation is identified as the potential malware attack. In other words, the activation of the malware mode depends upon the IO operations, such as a read operation or a write operation on the storage medium 204, which is identified as the potential malware attack.
  • the processor 208 is further configured to move the IO operation to a designated block area, which is separate from other blocks in the storage medium 204.
  • a portion of the storage medium is allocated to the IO operation (e.g., data writes) that is identified as the potential malware attack. Thereafter, the IO operation is moved to the designated block area, such as to handle the IO operations that are identified as the potential malware attack separately.
  • the processor 208 is further configured to restore flash translation layer (FTL) pointers for the data that is affected by the identified IO operation.
  • the protocol commands are used to restore the FTL pointers, such as previous pointers in the FTL, to restore the data that is affected by the identified IO operation.
  • the processor 208 is configured to remove the FTL pointers for the IO operation moved to the designated block area.
  • the FTL pointers for the IO operation that are moved to the designated block area are removed to prevent the mapping of the encrypted file and restore the original files, such as by mapping the original files through previously saved FTL pointers.
  • FIG. 3 is an exemplary diagram that depicts a mapping operation in a storage medium with a flash translation layer, in accordance with an embodiment of the present disclosure.
  • With reference to FIG. 3, there is shown an exemplary representation of physical blocks of the storage medium 204, and a mapping of different storage addresses, such as X/Y, where X is the storage LU (logical unit) and Y is the storage LBA (logical block addressing).
  • an initial condition of a solid-state drive (SSD) physical block 302 (e.g., the storage medium 204 of FIG. 2) represents an application mapping of the X/Y storage address to the SSD physical block 302 on a flash translation layer (FTL), which includes data, such as “AAAAA”.
  • the data is replaced with new data, such as “BBBBB”, in the SSD physical block 302.
  • the SSD physical block 302 that includes the “AAAAA” is not overwritten.
  • the mapping of the SSD physical block 302 is changed, but the previous SSD physical block that includes the data AAAAA is retained by the computing system (i.e., the computing system 202 of FIG. 2).
  • re-mapping the SSD physical block 302 while retaining the previous SSD physical block allows the computing system 202 to restore the previous data upon identification of a potential malware attack, such as by mapping and restoring the flash translation layer (FTL) pointers.
  • FIG. 4 is an exemplary diagram that depicts a mapping operation between a user document and a storage medium, in accordance with an embodiment of the present disclosure.
  • With reference to FIG. 4, there is shown an exemplary diagram 400 that depicts the mapping operation between a user document 404 and a storage medium 402.
  • a file system contains the mapping between the user document 404 and the physical blocks that include the data, which is stored in the storage medium 402.
  • the user document 404 includes the physical blocks, such as 1/100, 1/5109, and 1/25004.
  • the first two physical blocks, 1/100 and 1/5109, are encrypted.
  • the computing system restores the previous data (i.e., the data before encryption).
  • the solid-state drive (SSD) application programming interface (API) is used to restore the previous locations of the data, which allows for the restoration of the user document 404 to an unencrypted state. Therefore, the computing system (i.e., the computing system 202 of FIG. 2) is configured to protect the data from the potential malware attack by restoring the data.
  • FIG. 5 is an exemplary diagram that depicts different operations for restoration of data, in accordance with an embodiment of the present disclosure. With reference to FIG. 5 there is shown an exemplary diagram 500 that depicts different operations for the restoration of an original data (i.e., the data before a malware attack).
  • all the physical blocks of the storage medium, such as SSD blocks, that are mapped outside a designated block area (i.e., a suspicious block area) have pointers, such as flash translation layer (FTL) pointers, in the FTL.
  • the IO operation that is identified as a potential malware attack causes the storage medium (i.e., the storage medium 204 of FIG. 2) to re-route new writes to the designated block area.
  • the encrypted data, such as at operation 502C, is not written in the place where the original data is stored. Instead, the encrypted data is stored at a new storage address.
  • the malware attack deletes the files, which causes the file system to allow block reclamation by the storage medium, such as the SSD.
  • the potential malware attack is detected, and the user instructs the storage medium to revert to the previous unencrypted state.
  • the FTL is traversed, and the previous FTL pointers are reverted; for example, the FTL pointers for addresses 1/100 and 1/5109 into the designated block area are removed, and the encrypted blocks are marked for garbage collection.
  • a new designated block area, such as a suspicious block area (SBA), is allocated, and the physical blocks can be reused again after the reclamation of the previous blocks.
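As an added worked model (not code from the patent or from Huawei), the following Python simulation ties together the steps described for FIG. 1 and FIG. 5: entropy/bandwidth monitoring of writes, a malware mode that re-routes writes to a designated block area and suspends garbage collection, saved previous FTL pointers, termination of writes once the area is full, and a revert that restores the pointers, reclaims the area and allocates a new one. Block counts, thresholds, the time window and the sample payloads are constructed assumptions.

```python
import math
from collections import Counter, deque
# Thresholds are constructed for this demo; the patent gives no specific values.
ENTROPY_THRESHOLD = 7.0   # bits per byte; ciphertext scores close to 8.0
BANDWIDTH_THRESHOLD = 4   # writes within the last WINDOW time units
WINDOW = 1.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a write payload; encrypted data scores close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


class ToySSD:
    def __init__(self, num_blocks=16, sba_size=4):
        self.flash = [None] * num_blocks
        self.ftl = {}                    # logical address -> physical block
        self.free = deque(range(num_blocks))
        self.stale = set()               # blocks awaiting garbage collection
        self.sba_size, self.sba = sba_size, deque()   # unused designated blocks
        self.sba_blocks = set()          # every block handed to the designated area
        self.saved_ftl = {}              # pre-attack pointers of affected addresses
        self.malware_mode = self.gc_suspended = False
        self.write_times = deque()

    def _suspicious(self, data, t):
        # Detection criteria from the page: high entropy and/or high write bandwidth.
        self.write_times.append(t)
        while t - self.write_times[0] > WINDOW:
            self.write_times.popleft()
        return (shannon_entropy(data) >= ENTROPY_THRESHOLD
                or len(self.write_times) >= BANDWIDTH_THRESHOLD)

    def _allocate_sba(self):
        self.sba = deque(self.free.popleft() for _ in range(min(self.sba_size, len(self.free))))
        self.sba_blocks |= set(self.sba)

    def _retire(self, lba, old):
        # Old pointer of an overwritten or deleted address: saved in malware mode, else stale.
        if self.malware_mode:
            self.saved_ftl.setdefault(lba, old)
        else:
            self.stale.add(old)

    def write(self, lba, data, t):
        if not self.malware_mode and self._suspicious(data, t):
            self.malware_mode = self.gc_suspended = True   # keep old data reachable
            if not self.sba:
                self._allocate_sba()
        if self.malware_mode and not self.sba:
            return False                 # designated area full: terminate the IO
        if lba in self.ftl:
            self._retire(lba, self.ftl[lba])
        phys = self.sba.popleft() if self.malware_mode else self.free.popleft()
        self.flash[phys], self.ftl[lba] = data, phys
        return True

    def unmap(self, lba):                # file deletion, e.g. via an UNMAP command
        if lba in self.ftl:
            self._retire(lba, self.ftl.pop(lba))

    def read(self, lba):
        return self.flash[self.ftl[lba]] if lba in self.ftl else None

    def garbage_collect(self):
        if self.gc_suspended:
            return 0
        for phys in self.stale:
            self.flash[phys] = None
            self.free.append(phys)
        reclaimed, self.stale = len(self.stale), set()
        return reclaimed

    def revert(self):
        """Drop pointers into the designated area, restore saved ones, reclaim, re-allocate."""
        for lba in [l for l, p in self.ftl.items() if p in self.sba_blocks]:
            self.stale.add(self.ftl.pop(lba))
        self.stale |= set(self.sba)
        self.ftl.update(self.saved_ftl)
        self.saved_ftl.clear()
        self.sba_blocks.clear()
        self.malware_mode = self.gc_suspended = False
        reclaimed = self.garbage_collect()
        self._allocate_sba()             # fresh area while the old blocks are reclaimed
        return reclaimed


def run_demo():
    """Constructed scenario after FIG. 4/5: 100 encrypted in place, 5109 copied then deleted."""
    ssd = ToySSD()
    plain = {100: b"A" * 512, 5109: b"B" * 512, 25004: b"C" * 512}
    for i, (lba, data) in enumerate(plain.items()):
        ssd.write(lba, data, t=float(i))
    cipher = bytes((i * 131 + 7) % 256 for i in range(512))   # constructed, entropy 8.0
    ssd.write(100, cipher, t=10.0)       # entropy alone trips the malware mode
    ssd.write(7000, cipher, t=10.1)      # encrypted copy of the second block
    ssd.unmap(5109)                      # original deleted
    out = {"mode_triggered": ssd.malware_mode, "reclaimed": ssd.revert()}
    out["restored"] = {lba: ssd.read(lba) == data for lba, data in plain.items()}
    out["copy_removed"] = ssd.read(7000) is None
    return out
```

A real drive keeps the saved pointers in its own mapping tables rather than a Python dict; the model only exercises the pointer logic, and writes that land before the detector trips are not covered by the saved pointers.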

Abstract

A method of protecting data during a malware attack in a computing system. The method includes monitoring input-output (IO) operations to a storage medium in the computing system to identify a potential malware attack. The method further includes activating a malware mode when an IO operation is identified as a potential malware attack and moving the IO operation to a designated block area that is separate from other blocks in the storage medium. The method further includes restoring flash translation layer (FTL) pointers for data affected by the identified IO operation and removing FTL pointers for the IO operation moved to the designated block area. The method is used to mitigate the risk of ransomware more efficiently and effectively by reversing the encryption of the file.

Description

METHOD OF PROTECTING DATA DURING MALWARE ATTACK IN A COMPUTING SYSTEM
TECHNICAL FIELD
The present disclosure relates generally to the field of data security and more specifically, to a method for protecting data during a malware attack in a computing system.
BACKGROUND
Ransomware is a prominent cyber threat to individuals as well as to organizations when it comes to data security. Ransomware is a type of malware that installs itself in a computing system and then maps a file that seems important to a user. Thereafter, the ransomware creates an encrypted copy of the target file and deletes the original file. Finally, the ransomware issues a ransom note that either appears in a file in the same location or pops up on the user’s screen. Moreover, the ransom note includes an explanation of the process to pay the ransom to access the original data. After the payment of the ransom, the user receives a key that enables the user to restore the original data. Therefore, such a ransomware attack results in significant financial losses in the form of ransom, downtime, and the effort that is required to restore the original data.
Currently, certain attempts have been made to mitigate the risk of ransomware, such as by reducing or stopping the input-output rate during any suspicious activity. However, such an attempt fails to mitigate the risk of ransomware completely. Additionally, the input-output rate of the data becomes very slow, which is not desirable. Moreover, attempts have also been made to mitigate the risk of ransomware by installing software on user devices and/or by adding honey pot files to flag any process that attempts to encrypt the file. However, such attempts are inefficient and ineffective in mitigating the risk of ransomware completely. Moreover, such attempts are time and resource intensive due to the complex operations that are required to recover the original data, and they are still not capable of recovering the data completely. Thus, there exists a technical problem of how to mitigate the risk of ransomware more efficiently and effectively.
Therefore, in light of the foregoing discussion, there exists a need to overcome the aforementioned drawbacks associated with the conventional method of protecting data during the ransomware attack in a computing system.
SUMMARY
The present disclosure provides a system and a method of protecting data during a malware attack in a computing system. The present disclosure provides a solution to the existing problem of how to mitigate the risk of ransomware. An objective of the present disclosure is to provide a solution that overcomes at least partially the problems encountered in the prior art and provides an improved computing system and an improved method of protecting data during the malware attack in the computing system, such as by leveraging a flash translation layer on write for ransomware protection.
One or more objectives of the present disclosure are achieved by the solutions provided in the enclosed independent claims. Advantageous implementations of the present disclosure are further defined in the dependent claims.
In one aspect, the present disclosure provides a method of protecting data during a malware attack in a computing system. The method comprises monitoring input-output (IO) operations to a storage medium in the computing system to identify a potential malware attack, activating a malware mode when an IO operation is identified as a potential malware attack, and moving the IO operation to a designated block area, separate from other blocks in the storage medium. The method further comprises restoring flash translation layer (FTL) pointers for data affected by the identified IO operation and removing the FTL pointers for the IO operation moved to the designated block area.
The method is used to identify the potential malware attack, raise alerts, and also protect the data during the malware attack in the computing system, such as by activating a malware mode. Moreover, the activation of the malware mode for a short duration of time prevents the computing system from slowing down and improves the overall efficiency of the system.
In an implementation form, the method further comprises suspending garbage collection for block reclamation when operating in the malware mode.
In this implementation, the suspending of garbage collection when operating in the malware mode allows the restoration of the original data.
In a further implementation form, the method further comprises saving previous FTL pointers of data affected by the identified IO operation.
In such implementation, the saving of previous FTL pointers of the data affected by the identified IO operation is used to restore the previous data that is stored in the storage medium (i.e., the SSD) before encryption.
In a further implementation form, the method further comprises marking the blocks written by the IO operation in the designated block area for garbage collection for block reclamation.
In such implementation, the garbage collection for block reclamation is used to reuse the blocks for IO operations.
In a further implementation, the method further comprises allocating a new designated block area in the storage medium while the previous blocks are reclaimed.
In such implementation, the allocation of the new designated block area in the storage medium is used for block reclamation so that the blocks can be reused again by the user to store data.
In a further implementation form, an IO operation is identified as a potential malware attack by monitoring the write bandwidth and/or entropy of the storage medium.
In such implementation, the high bandwidth and the high entropy raise alerts that include the identification of the potential malware attack.
In a further implementation form, the method further comprises notifying a user of the potential malware attack and returning to a normal mode when the identified IO operation is determined to be an operation initiated by the user.
In such implementation, notifying the user about the potential malware attack provides an opportunity for the user to review the IO operation and further decide if the IO operation is a potential malware attack or is initiated by the user.
In another aspect, the present disclosure provides a computing system comprising a storage medium, an input output (I/O) interface and a processor configured to monitor input-output (IO) operations to the storage medium in the computing system to identify a potential malware attack. The processor is further configured to activate a malware mode when an IO operation is identified as a potential malware attack and move the IO operation to a designated block area, separate from other blocks in the storage medium. Further, the processor is configured to restore flash translation layer (FTL) pointers for data affected by the identified IO operation and remove FTL pointers for the IO operation moved to the designated block area.
The computing system achieves all the advantages and technical effects of the method of the present disclosure.
It is to be appreciated that all the aforementioned implementation forms can be combined. It has to be noted that all devices, elements, circuitry, units and means described in the present application could be implemented in the software or hardware elements or any kind of combination thereof. All steps which are performed by the various entities described in the present application, as well as the functionalities described to be performed by the various entities, are intended to mean that the respective entity is adapted to or configured to perform the respective steps and functionalities. Even if, in the following description of specific embodiments, a specific functionality or step to be performed by external entities is not reflected in the description of a specific detailed element of that entity which performs that specific step or functionality, it should be clear for a skilled person that these methods and functionalities can be implemented in respective software or hardware elements, or any kind of combination thereof. It will be appreciated that features of the present disclosure are susceptible to being combined in various combinations without departing from the scope of the present disclosure as defined by the appended claims.
Additional aspects, advantages, features and objects of the present disclosure would be made apparent from the drawings and the detailed description of the illustrative implementations construed in conjunction with the appended claims that follow.
BRIEF DESCRIPTION OF THE DRAWINGS
The summary above, as well as the following detailed description of illustrative embodiments, is better understood when read in conjunction with the appended drawings. For the purpose of illustrating the present disclosure, exemplary constructions of the disclosure are shown in the drawings. However, the present disclosure is not limited to specific methods and instrumentalities disclosed herein. Moreover, those in the art will understand that the drawings are not to scale. Wherever possible, like elements have been indicated by identical numbers.
Embodiments of the present disclosure will now be described, by way of example only, with reference to the following diagrams wherein:
FIG. 1 is a flowchart of a method of protecting data during a malware attack in a computing system, in accordance with an embodiment of the present disclosure;
FIG. 2 is a block diagram of a computing system, in accordance with an embodiment of the present disclosure;
FIG. 3 is an exemplary diagram that depicts a mapping operation in a storage medium with a flash translation layer, in accordance with an embodiment of the present disclosure;
FIG. 4 is an exemplary diagram that depicts a mapping operation between a user document and a storage medium, in accordance with an embodiment of the present disclosure; and
FIG. 5 is an exemplary diagram that depicts different operations for restoration of data, in accordance with an embodiment of the present disclosure.
In the accompanying drawings, an underlined number is employed to represent an item over which the underlined number is positioned or an item to which the underlined number is adjacent. A non-underlined number relates to an item identified by a line linking the non-underlined number to the item. When a number is non-underlined and accompanied by an associated arrow, the non-underlined number is used to identify a general item at which the arrow is pointing.
DETAILED DESCRIPTION OF EMBODIMENTS
The following detailed description illustrates embodiments of the present disclosure and ways in which they can be implemented. Although some modes of carrying out the present disclosure have been disclosed, those skilled in the art would recognize that other embodiments for carrying out or practicing the present disclosure are also possible.
FIG. 1 is a flowchart of a method of protecting data during a malware attack in a computing system, in accordance with an embodiment of the present disclosure. With reference to FIG. 1, there is shown a flowchart of a method 100 that includes steps 102 to 110.
The method 100 is used for protecting data during a malware attack in a computing system. The malware corresponds to computer executable code that is designed to destroy the data or to obstruct a user's access to the data, such as ransomware. The ransomware installs itself in the computing system and attempts to map files that are important to the user. Moreover, the method 100 leverages the flash translation layer (FTL) to protect the data during the malware attack and to allow recovery of the data with minimal impact on normal input-output operations.
At step 102, the method 100 comprises monitoring input-output (IO) operations of a storage medium in the computing system to identify a potential malware attack. In an example, the storage medium may correspond to a solid-state drive (SSD). Moreover, the monitoring of the IO operations on the storage medium facilitates raising an alert about the potential malware attack and further mitigates the risk of the malware attack. In an implementation, the IO operation includes creating an encrypted copy of sensitive data in the storage medium. By virtue of monitoring for the encrypted copy of the sensitive data in the storage medium, the method 100 can be used to identify the potential malware attack on the sensitive data and to notify the user about such encryption. In such implementation, the IO operation is identified as the potential malware attack by monitoring the write bandwidth and/or entropy of the storage medium. In an example, the malware attack requires high write bandwidth to encrypt the mapped files that include the sensitive data in a short duration of time. In such case, the IO operation is identified as the potential malware attack by monitoring the write bandwidth (e.g., a plurality of write operations) of the storage medium. In another example, the malware attack requires high entropy to encrypt the mapped files that include the sensitive data in a short duration of time. In such case, the IO operation is identified as the potential malware attack by monitoring the entropy (e.g., the number of bits required for the transmission of the data) of the storage medium. In yet another example, the malware attack requires high bandwidth and high entropy to encrypt the mapped files that include the sensitive data in a short duration of time. In such case, the IO operation is identified as the potential malware attack by monitoring both the write bandwidth and the entropy of the storage medium. As a result, the high write bandwidth and/or the high entropy can be used to raise alerts that include the identification of the potential malware attack.
At step 104, the method 100 further comprises activating a malware mode when the IO operation is identified as the potential malware attack. In other words, the activation of the malware mode depends upon the IO operation, such as a read operation or a write operation on the storage medium, that is identified as the potential malware attack. In an implementation, the method 100 further comprises suspending garbage collection for block reclamation when operating in the malware mode. Typically, a garbage collector is used for the garbage collection to manage physical locations that are overwritten by IO operations. Such a garbage collection operation provides safe and balanced re-use of different blocks of physical locations.
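As an added illustration of steps 102 and 104 (this is not code from the patent or from the applicant; the thresholds, the one-second window and the sample traffic are constructed assumptions, since the disclosure names write bandwidth and entropy as the signals but fixes no values), the following Python model computes the Shannon entropy of each write payload and the write bandwidth over a sliding window, and switches into a malware mode when both exceed their thresholds:

```python
import math
from collections import deque

# Constructed thresholds for illustration only: the disclosure names write
# bandwidth and entropy as the signals but fixes no values for them.
ENTROPY_THRESHOLD_BITS = 7.0                 # bits per byte (8.0 is the maximum)
BANDWIDTH_THRESHOLD_BPS = 4 * 1024 * 1024    # bytes per second over the window
WINDOW_SECONDS = 1.0


def shannon_entropy(payload: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or constant data."""
    if not payload:
        return 0.0
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = len(payload)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class IoMonitor:
    """Watches writes to one storage medium (step 102) and raises the
    malware mode when a write looks like bulk encryption (step 104)."""

    def __init__(self):
        self.window = deque()        # (timestamp, size) of writes inside the window
        self.mode = "normal"
        self.alerts = []

    def _bandwidth(self, now: float) -> float:
        # Drop writes that fell out of the sliding window, then sum the rest.
        while self.window and now - self.window[0][0] > WINDOW_SECONDS:
            self.window.popleft()
        return sum(size for _, size in self.window) / WINDOW_SECONDS

    def observe_write(self, ts: float, lba: int, payload: bytes) -> dict:
        self.window.append((ts, len(payload)))
        bandwidth = self._bandwidth(ts)
        entropy = shannon_entropy(payload)
        # The disclosure allows bandwidth and/or entropy; this model requires both.
        suspicious = (bandwidth >= BANDWIDTH_THRESHOLD_BPS
                      and entropy >= ENTROPY_THRESHOLD_BITS)
        if suspicious and self.mode == "normal":
            self.mode = "malware"   # later writes are re-routed to the designated block area
            self.alerts.append({"ts": ts, "lba": lba,
                                "bandwidth": bandwidth, "entropy": entropy})
        return {"lba": lba, "bandwidth": bandwidth, "entropy": entropy,
                "suspicious": suspicious, "mode": self.mode}

    def user_confirmed_benign(self):
        """Return to normal mode once the user confirms the flagged IO was theirs."""
        self.mode = "normal"


# Constructed sample traffic: a user saving a text document (low entropy, low
# rate), then a burst of 64 KiB writes whose byte values are uniformly
# distributed, the shape a bulk encryptor produces.
TEXT_BLOCK = (b"The quick brown fox jumps over the lazy dog. " * 100)[:4096]
HIGH_ENTROPY_BLOCK = bytes(range(256)) * 256   # 65536 bytes, exactly 8.0 bits/byte


def constructed_trace():
    trace = [(0.1 * i, 100 + i, TEXT_BLOCK) for i in range(10)]
    trace += [(5.0 + 0.01 * i, 5000 + i, HIGH_ENTROPY_BLOCK) for i in range(80)]
    return trace


def simulate(trace):
    """Feed (timestamp, lba, payload) writes through a monitor; return it with the per-write results."""
    monitor = IoMonitor()
    results = [monitor.observe_write(ts, lba, payload) for ts, lba, payload in trace]
    return monitor, results


if __name__ == "__main__":
    mon, res = simulate(constructed_trace())
    first = mon.alerts[0]
    print(f"mode={mon.mode} first alert at t={first['ts']:.2f}s lba={first['lba']} "
          f"bandwidth={first['bandwidth'] / 2**20:.1f} MiB/s entropy={first['entropy']:.2f}")
```

With these constructed numbers the text writes never trip the monitor (about 4 bits per byte at 40 KiB/s), while the burst crosses 4 MiB/s on its 64th write and the mode flips to malware from that write on; `user_confirmed_benign` models the return to normal mode described later when the user confirms the IO was their own.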
Furthermore, at step 106, the method 100 comprises moving the IO operation to a designated block area, which is separate from other blocks in the storage medium. In an example, a portion of the storage medium is allocated to the IO operation (e.g., data writes) that is identified as the potential malware attack. Thereafter, the IO operation is moved to the designated block area, so that the IO operations that are identified as the potential malware attack are handled separately. In an implementation, the identified IO operation is terminated when the designated block area in the storage medium is full. In such implementation, the identified IO operation is terminated to prevent the designated block area from overflowing with moved IO operations. In such implementation, the method 100 further comprises marking the blocks written by the IO operation in the designated block area for garbage collection for block reclamation. In an example, protocol commands (e.g., UNMAP commands) are used for block reclamation in the storage medium (e.g., the SSD). The garbage collection for block reclamation in the designated block area is used to maintain a balance in the use of the physical locations by reusing the blocks that are marked as stale and cannot otherwise be used in IO operations. Thus, the garbage collection for block reclamation enables the blocks to be reused for IO operations.
In an implementation, the method 100 further comprises allocating a new designated block area in the storage medium while the previous blocks are reclaimed. In other words, the previous blocks are reclaimed, and the IO operation that is identified as the potential malware attack is now allocated to the new designated block area in the storage medium to separate such IO operation from the other blocks. In an implementation, the method 100 further comprises notifying a user of the potential malware attack and returning to a normal mode when the identified IO operation is determined to be an operation initiated by the user. In other words, the notification of the potential malware attack provides an opportunity for the user to review the identified IO operation. If the identified IO operation is determined to be an operation initiated by the user, then the computing system is returned to the normal mode.
At step 108, the method 100 further comprises restoring flash translation layer (FTL) pointers for data affected by the identified IO operation. The FTL pointers correspond to a layer in a flash controller that is implemented to increase the longevity of the computing system, such as by reducing wear through wear levelling, facilitating error correction, and removing from use the physical locations that are prone to error. Moreover, the FTL pointers translate between the logical location of the data that is described by a storage protocol, such as logical block addressing, which is recognized by an application layer, and a physical address in the storage medium. In an example, the protocol commands are used to restore the FTL pointers, such as previous pointers in the FTL, to restore the data that is affected by the identified IO operation. In an implementation, the method 100 further comprises saving previous FTL pointers of the data affected by the identified IO operation. In other words, the malware attack encrypts the file to a new file and further deletes the original file. In addition, the physical data on the storage medium, such as the SSD, is not overwritten. Instead, the new data is written to a different physical location, and only the mapping in the FTL pointers is changed. Therefore, by virtue of saving the previous FTL pointers of the data affected by the identified IO operation, the method 100 can be used to restore the previous data (e.g., the data before encryption) from the storage medium (i.e., the SSD). Thereafter, at step 110, the method 100 further comprises removing the FTL pointers for the IO operation moved to the designated block area. In other words, the FTL pointers for the IO operation that was moved to the designated block area are removed to prevent the mapping of the encrypted file. Furthermore, the previously saved FTL pointers of the affected data are used to map the original file again. This enables the computing system to restore the original file during the malware attack.
The method 100 is used to identify the potential malware attack, raise alerts and also protect the data during the malware attack in the computing system, such as by activating a malware mode. Moreover, the activation of the malware mode for a short duration of time prevents the computing system from slowing down and improves the overall efficiency of the system.
The steps 102 to 110 are only illustrative, and other alternatives can also be provided where one or more steps are added, one or more steps are removed, or one or more steps are provided in a different sequence without departing from the scope of the claims herein. There is provided a computer-readable medium comprising instructions which, when executed by a computer, cause the computer to execute the method 100. In an example, the instructions are implemented on computer-readable media which include, but are not limited to, Electrically Erasable Programmable Read-Only Memory (EEPROM), Random Access Memory (RAM), Read-Only Memory (ROM), Hard Disk Drive (HDD), Flash memory, a Secure Digital (SD) card, Solid-State Drive (SSD), a computer-readable storage medium, and/or CPU cache memory. In an example, the instructions are generated by a computer program, which is implemented in view of the method 100, and for use in implementing the method 100 on the computer.
FIG. 2 is a block diagram of a computing system, in accordance with an embodiment of the present disclosure. With reference to FIG. 2 there is shown a block diagram 200 of a computing system 202. The computing system 202 includes a storage medium 204, an input-output (I/O) interface 206, and a processor 208.
The computing system 202 may include suitable logic, circuitry, interfaces, and/or code that are configured to protect the data against a potential malware attack. Examples of implementation of the computing system 202 may include but are not limited to a computer, a personal digital assistant, a portable computing device, or an electronic device.
The storage medium 204 is configured to store the data. In an implementation, the storage medium 204 is a solid-state drive (SSD), which is used to provide high-speed data transmission. Examples of implementation of the storage medium 204 may also include, but are not limited to, Electrically Erasable Programmable Read-Only Memory (EEPROM), Dynamic Random- Access Memory (DRAM), Random Access Memory (RAM), Read-Only Memory (ROM), Hard Disk Drive (HDD), Flash memory, a Secure Digital (SD) card, and/or CPU cache memory.
The I/O interface 206 may include hardware or software that is configured to establish communication between the storage medium 204 and the processor 208 of the computing system 202. Examples of implementation of the I/O interface 206 may include but are not limited to a computer port, a network socket, a network interface controller (NIC), and any other I/O interface device, such as a keyboard, a mouse, a monitor and the like. The processor 208 is configured to monitor the IO operations and further activate a malware mode when an IO operation is identified as a potential malware attack. Examples of implementation of the processor 208 may include but are not limited to a central data processing device, a microprocessor, a microcontroller, a complex instruction set computing (CISC) processor, an application-specific integrated circuit (ASIC) processor, a reduced instruction set (RISC) processor, a very long instruction word (VLIW) processor, a state machine, and other processors or control circuitry.
In operation, the processor 208 is configured to monitor the IO operations of the storage medium 204 in the computing system 202 to identify the potential malware attack. In an example, the storage medium 204 may correspond to a solid-state drive (SSD). Moreover, the monitoring of the IO operations on the storage medium 204 facilitates raising an alert about the potential malware attack and further mitigates the risk of the malware attack. Furthermore, the processor 208 is configured to activate a malware mode when the IO operation is identified as the potential malware attack. In other words, the activation of the malware mode depends upon the IO operation, such as a read operation or a write operation on the storage medium 204, which is identified as the potential malware attack.
The processor 208 is further configured to move the IO operation to a designated block area, which is separate from other blocks in the storage medium 204. In an example, a portion of the storage medium is allocated to the IO operation (e.g., data writes) that is identified as the potential malware attack. Thereafter, the IO operation is moved to the designated block area, such as to handle the IO operations that are identified as the potential malware attack separately.
The processor 208 is further configured to restore flash translation layer (FTL) pointers for the data that is affected by the identified IO operation. In an example, the protocol commands are used to restore the FTL pointers, such as previous pointers in the FTL, to restore the data that is affected by the identified IO operation. Thereafter, the processor 208 is configured to remove the FTL pointers for the IO operation that was moved to the designated block area. In other words, the FTL pointers for the IO operation that was moved to the designated block area are removed to prevent the mapping of the encrypted file and to restore the original files, such as by mapping the original files through the previously saved FTL pointers. This enables the computing system to restore the original file during the malware attack.
FIG. 3 is an exemplary diagram that depicts a mapping operation in a storage medium with a flash translation layer, in accordance with an embodiment of the present disclosure. With reference to FIG. 3, there is shown an exemplary representation of physical blocks of the storage medium 204, and the mapping of different storage addresses, such as X/Y, where X is the storage LU (logical unit) and Y is the storage LBA (logical block address). At operation 300A, an initial condition of a solid-state drive (SSD) physical block 302 (e.g., of the storage medium 204 of FIG. 2) represents an application mapping of the X/Y storage address to the SSD physical block 302 on a flash translation layer (FTL), which includes data, such as “AAAAA”. Thereafter, at operation 300B, the data is replaced with new data, such as “BBBBB”, in the SSD physical block 302. The SSD physical block 302 that includes the “AAAAA” is not overwritten. Instead, the mapping of the SSD physical block 302 is changed, and the previous SSD physical block that includes the data AAAAA is retained by the computing system (i.e., the computing system 202 of FIG. 2).
Thus, re-mapping the SSD physical block 302 while retaining the previous SSD physical block allows the computing system 202 to restore the previous data upon identification of a potential malware attack, such as by mapping and restoring flash translation layer (FTL) pointers.
FIG. 4 is an exemplary diagram that depicts a mapping operation between a user document and a storage medium, in accordance with an embodiment of the present disclosure. With reference to FIG. 4, there is shown an exemplary diagram 400 that depicts the mapping operation between a user document 404 and a storage medium 402. In an implementation, a file system contains the mapping between the user document 404 and the physical blocks that include the data, which is stored in the storage medium 402. In an example, the user document 404 maps to the blocks at the storage addresses 1/100, 1/5109, and 1/25004. Moreover, the first two blocks, 1/100 and 1/5109, are encrypted. Further, the computing system (i.e., the computing system 202) restores the previous data (i.e., the data before encryption). In an example, the solid-state drive (SSD) application programming interface (API) is used to restore the previous locations of the data, which allows the restoration of the user document 404 to an unencrypted state. Therefore, the computing system (i.e., the computing system 202 of FIG. 2) is configured to protect the data from the potential malware attack by restoring the data.
FIG. 5 is an exemplary diagram that depicts different operations for restoration of data, in accordance with an embodiment of the present disclosure. With reference to FIG. 5 there is shown an exemplary diagram 500 that depicts different operations for the restoration of original data (i.e., the data before a malware attack). Initially, at operation 502A, all the physical blocks of the storage medium, such as SSD blocks, that are mapped outside a designated block area (i.e., a suspicious block area) have pointers, such as flash translation layer (FTL) pointers, in the FTL.
Furthermore, during an IO operation, such as at operation 502B, the IO operation that is identified as a potential malware attack causes the storage medium (i.e., the storage medium 204 of FIG. 2) to re-route new writes to the designated block area. The encrypted data, such as at operation 502C, is not written in the place where the original data is stored. Instead, the encrypted data is stored at a new storage address. In addition, the malware attack deletes the files, which causes the file system to allow block reclamation by the storage medium, such as the SSD. Furthermore, at operation 502D, the potential malware attack is detected, and the user instructs the storage medium to revert to the previous unencrypted state. Thus, the FTL is traversed and the previous FTL pointers are restored: for example, the FTL pointers for addresses 1/100 and 1/5109 that point into the designated block area are removed, and the encrypted blocks are marked for garbage collection. Further, at operation 502E, a new designated block area, such as a suspicious block area (SBA), is allocated, and the physical blocks can be reused again after the reclamation of the previous blocks.
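The following Python model is an added example that walks through steps 106 to 110 and operations 502A to 502E above with a toy flash translation layer; it is not the patent's or the applicant's code, and the block counts, the addresses reused from FIG. 4 and the sample payloads are constructed. Out-of-place writes leave the old block on flash, the malware mode re-routes writes to a designated block area while saving the previous pointer and suspending garbage collection, and `revert` restores the saved pointers, drops the pointers into the designated area and marks those blocks for reclamation before allocating a fresh area:

```python
class Ftl:
    """Toy flash translation layer: logical address -> physical block index.
    Overwrites go out of place, so the old block survives until reclaimed."""

    def __init__(self, total_blocks: int, sba_size: int):
        self.data = [None] * total_blocks       # physical block contents
        self.free = list(range(total_blocks))   # free blocks of the normal area
        self.map = {}                           # logical address -> physical block
        self.stale = set()                      # blocks eligible for reclamation
        self.saved = {}                         # logical -> pre-attack physical (or None)
        self.mode = "normal"
        self.gc_suspended = False
        self.sba_size = sba_size
        self.sba = []                           # designated (suspicious) block area
        self._allocate_sba()

    def _allocate_sba(self):
        # Carve a fresh designated block area out of the free pool.
        self.sba = [self.free.pop() for _ in range(self.sba_size)]

    def enter_malware_mode(self):
        self.mode = "malware"
        self.gc_suspended = True    # stale blocks hold the originals; do not reuse them

    def _remember(self, logical: int):
        # In malware mode, save the previous pointer the first time an address is touched.
        if self.mode == "malware" and logical not in self.saved:
            self.saved[logical] = self.map.get(logical)

    def write(self, logical: int, payload: bytes) -> int:
        self._remember(logical)
        if self.mode == "malware":
            if not self.sba:
                raise RuntimeError("designated block area full: IO terminated")
            phys = self.sba.pop()           # suspicious write is re-routed to the SBA
        else:
            phys = self.free.pop()
        if logical in self.map:
            self.stale.add(self.map[logical])   # old block is unmapped, not overwritten
        self.data[phys] = payload
        self.map[logical] = phys
        return phys

    def read(self, logical: int) -> bytes:
        return self.data[self.map[logical]]

    def delete(self, logical: int):
        # File-system UNMAP: the mapping goes and the block becomes stale.
        self._remember(logical)
        self.stale.add(self.map.pop(logical))

    def garbage_collect(self) -> int:
        if self.gc_suspended:
            return 0
        reclaimed = len(self.stale)
        for phys in self.stale:
            self.data[phys] = None
            self.free.append(phys)
        self.stale.clear()
        return reclaimed

    def revert(self) -> int:
        """Restore saved FTL pointers, drop pointers into the SBA and mark the
        suspicious blocks for reclamation (operations 502D and 502E)."""
        for logical, old_phys in self.saved.items():
            current = self.map.get(logical)
            if current is not None and current != old_phys:
                self.stale.add(current)         # encrypted block goes to garbage collection
            if old_phys is None:
                self.map.pop(logical, None)     # address did not exist before the attack
            else:
                self.map[logical] = old_phys    # point back at the original data
                self.stale.discard(old_phys)
        reverted = len(self.saved)
        self.saved.clear()
        self.mode, self.gc_suspended = "normal", False
        self.free.extend(self.sba)              # unused SBA blocks return to the pool
        self._allocate_sba()                    # new SBA while the old blocks are reclaimed
        return reverted


def constructed_scenario():
    """Attack shape from the disclosure: encrypted copies written, originals deleted."""
    ftl = Ftl(total_blocks=16, sba_size=4)
    for lba, content in {100: b"AAAAA", 5109: b"BBBBB", 25004: b"CCCCC"}.items():
        ftl.write(lba, content)                 # the user document's three blocks
    ftl.enter_malware_mode()                    # the IO monitor has raised an alert
    ftl.write(100, b"x9#q1")                    # encrypted data for 1/100 lands in the SBA
    ftl.write(5109, b"!zv7p")
    ftl.write(90000, b"m2@kL")                  # encrypted copy at a brand-new address
    ftl.delete(25004)                           # malware deletes the original file
    gc_while_suspended = ftl.garbage_collect()  # 0: the originals stay on flash
    during = {100: ftl.read(100), 5109: ftl.read(5109)}
    reverted = ftl.revert()
    after = {lba: ftl.read(lba) for lba in (100, 5109, 25004)}
    reclaimed = ftl.garbage_collect()           # the encrypted blocks are reclaimed now
    return ftl, during, after, reverted, gc_while_suspended, reclaimed


def sba_full_terminates() -> bool:
    """With the SBA exhausted, a further suspicious write is refused."""
    ftl = Ftl(total_blocks=8, sba_size=2)
    ftl.enter_malware_mode()
    ftl.write(1, b"a")
    ftl.write(2, b"b")
    try:
        ftl.write(3, b"c")
    except RuntimeError:
        return True
    return False
```

The point the model makes explicit is why garbage collection must stay suspended in malware mode: the three original blocks are stale from the file system's point of view as soon as the encrypted copies are mapped, and only the suspension keeps them on flash until `revert` points the logical addresses back at them; the deleted-and-recreated address 90000 is removed again because it had no pre-attack pointer.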
Modifications to embodiments of the present disclosure described in the foregoing are possible without departing from the scope of the present disclosure as defined by the accompanying claims. Expressions such as “including”, “comprising”, “incorporating”, “have”, “is” used to describe and claim the present disclosure are intended to be construed in a non-exclusive manner, namely allowing for items, components or elements not explicitly described also to be present. Reference to the singular is also to be construed to relate to the plural. The word “exemplary” is used herein to mean “serving as an example, instance or illustration”. Any embodiment described as “exemplary” is not necessarily to be construed as preferred or advantageous over other embodiments or to exclude the incorporation of features from other embodiments. The word “optionally” is used herein to mean “is provided in some embodiments and not provided in other embodiments”. It is appreciated that certain features of the present disclosure, which are, for clarity, described in the context of separate embodiments, may also be provided in combination in a single embodiment. Conversely, various features of the present disclosure, which are, for brevity, described in the context of a single embodiment, may also be provided separately or in any suitable combination or as suitable in any other described embodiment of the disclosure.

Claims

1. A method (100) of protecting data during a malware attack in a computing system (202), the method (100) comprising: monitoring Input-Output (IO) operations to a storage medium in the computing system (202) to identify a potential malware attack; activating a malware mode when an IO operation is identified as a potential malware attack; moving the IO operation to a designated block area, separate from other blocks in the storage medium (204, 402); restoring Flash Translation Layer (FTL) pointers for data affected by the identified IO operation; and removing FTL pointers for the IO operation moved to the designated block area.
2. The method (100) of claim 1, further comprising suspending garbage collection for blocks reclamation when operating in the malware mode.
3. The method (100) of claim 1 or 2, wherein the identified IO operation is terminated when the designated block area in the storage medium (204, 402) is full.
4. The method (100) of any preceding claim, further comprising saving previous FTL pointers of data affected by the identified IO operation.
5. The method (100) of any preceding claim, further comprising marking the blocks written by the IO operation in the designated block area for garbage collection for blocks reclamation.
6. The method (100) of claim 5, further comprising allocating a new designated block area in the storage medium (204, 402) while the previous blocks are reclaimed.
7. The method (100) of any preceding claim, wherein an IO operation is identified as a potential malware attack by monitoring the write bandwidth and/or entropy of the storage medium (204, 402).
8. The method (100) of any preceding claim, wherein the IO operation comprises creating an encrypted copy of sensitive data in the storage medium (204, 402).
9. The method (100) of claim 1, further comprising notifying a user of the potential malware attack and returning to a normal mode when the identified IO operation is determined to be an operation initiated by the user.
10. A computing system (202) comprising: a storage medium (204, 402); an I/O interface (206); and a processor (208) configured to: monitor Input-Output (IO) operations to the storage medium (204, 402) in the computing system (202) to identify a potential malware attack; activate a malware mode when an IO operation is identified as a potential malware attack; move the IO operation to a designated block area, separate from other blocks in the storage medium (204, 402); restore Flash Translation Layer (FTL) pointers for data affected by the identified IO operation; and remove FTL pointers for the IO operation moved to the designated block area.
11. The computing system (202) of claim 10, wherein the storage medium (204, 402) is a Solid-State Drive (SSD).
12. A computer-readable medium comprising instructions which, when executed by a computer, cause the computer to carry out the steps of the method (100) of any one of claims 1 to 9.
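The claims above describe a write path rather than code: writes that look like an attack (high write bandwidth and/or high entropy, claim 7) are diverted into a designated block area while the FTL's previous pointers are saved and garbage collection is held (claims 2 and 4), the IO is terminated when that area fills (claim 3), and the drive either restores the old pointers and reclaims the area (claims 1, 5, 6) or keeps the writes when the user vouches for them (claim 9). The simulation below is an added example written for this page; it is not code from the patent or from Huawei. The class name `ToyFTL`, the quarantine bookkeeping, the thresholds and the constructed "ciphertext" data are all assumptions made for illustration, and a real SSD FTL maps pages inside erase blocks rather than entries in a dict.

```python
"""Toy simulation of the malware-mode write path in the claims (added example)."""
import math
from collections import Counter, deque
from typing import Deque, Dict, List, Optional, Set


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: uniformly distributed bytes score 8.0, plain text far lower."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class QuarantineFull(Exception):
    """Designated block area exhausted: the IO is terminated (claim 3)."""


class ToyFTL:
    def __init__(self, num_blocks: int = 16, quarantine_size: int = 4,
                 entropy_threshold: float = 7.0, bandwidth_threshold: int = 4,
                 window: int = 10):
        self.blocks: Dict[int, bytes] = {}        # physical block -> contents
        self.l2p: Dict[int, int] = {}             # logical -> physical (FTL pointers)
        self.free: List[int] = list(range(num_blocks))
        self.gc_candidates: Set[int] = set()      # blocks marked for reclamation
        self.gc_suspended = False
        self.malware_mode = False
        self.entropy_threshold = entropy_threshold
        self.bandwidth_threshold = bandwidth_threshold  # writes per window
        self.window = window
        self.write_times: Deque[int] = deque()
        self.saved_pointers: Dict[int, Optional[int]] = {}  # claim 4: previous pointers
        self.quarantine_size = quarantine_size
        self.quarantine: List[int] = []           # designated area, still unused
        self.quarantine_used: List[int] = []      # designated area, written
        self._allocate_quarantine()

    def _allocate_quarantine(self) -> None:
        if len(self.free) < self.quarantine_size:
            raise RuntimeError("not enough free blocks for a designated area")
        self.quarantine = [self.free.pop() for _ in range(self.quarantine_size)]
        self.quarantine_used = []

    def _suspicious(self, data: bytes, t: int) -> bool:
        """Claim 7: write bandwidth over a sliding window and/or entropy of the data."""
        self.write_times.append(t)
        while self.write_times[0] <= t - self.window:
            self.write_times.popleft()
        burst = len(self.write_times) > self.bandwidth_threshold
        return burst or shannon_entropy(data) >= self.entropy_threshold

    def write(self, lba: int, data: bytes, t: int) -> None:
        if not self.malware_mode and self._suspicious(data, t):
            self.malware_mode = True
            self.gc_suspended = True              # claim 2: old copies must survive
        if self.malware_mode:
            if not self.quarantine:
                raise QuarantineFull(f"lba {lba}")
            pblk = self.quarantine.pop()
            self.quarantine_used.append(pblk)
            # keep the pre-attack pointer once; repeated overwrites keep the first
            self.saved_pointers.setdefault(lba, self.l2p.get(lba))
        else:
            old = self.l2p.get(lba)
            if old is not None:
                self.gc_candidates.add(old)       # out-of-place write, old copy reclaimable
            pblk = self.free.pop()
        self.blocks[pblk] = data
        self.l2p[lba] = pblk                      # host reads follow the new pointer

    def read(self, lba: int) -> Optional[bytes]:
        pblk = self.l2p.get(lba)
        return None if pblk is None else self.blocks[pblk]

    def garbage_collect(self) -> int:
        """Reclaim marked blocks; a no-op while malware mode holds GC (claim 2)."""
        if self.gc_suspended:
            return 0
        reclaimed = sorted(self.gc_candidates)
        for pblk in reclaimed:
            self.blocks.pop(pblk, None)
            self.free.append(pblk)
        self.gc_candidates.clear()
        return len(reclaimed)

    def confirm_attack(self) -> None:
        """Claims 1, 5, 6: restore old pointers, drop pointers into the area, reclaim it."""
        for lba, old in self.saved_pointers.items():
            if old is None:
                del self.l2p[lba]
            else:
                self.l2p[lba] = old
        self.gc_candidates.update(self.quarantine_used)
        self._return_to_normal()

    def confirm_user_initiated(self) -> None:
        """Claim 9: the user vouches for the writes, so they stay and the old copies go."""
        live = set(self.l2p.values())
        self.gc_candidates.update(o for o in self.saved_pointers.values() if o is not None)
        self.gc_candidates.update(b for b in self.quarantine_used if b not in live)
        self._return_to_normal()

    def _return_to_normal(self) -> None:
        self.saved_pointers.clear()
        self.write_times.clear()
        self.malware_mode = self.gc_suspended = False
        self.free.extend(self.quarantine)         # unused part of the old area
        self._allocate_quarantine()               # claim 6: fresh designated area


def constructed_ciphertext(seed: int, size: int = 4096) -> bytes:
    """Constructed stand-in for encrypted output: every byte value equally often."""
    return bytes((i * 131 + seed) % 256 for i in range(size))


def demo_attack() -> dict:
    ftl = ToyFTL()
    docs = {0: b"quarterly report: revenue up 4 percent", 1: b"meeting notes: ship v2 in march"}
    for lba, text in docs.items():
        ftl.write(lba, text, t=lba)
    terminated = False
    try:  # constructed attack: overwrite the documents and more with ciphertext
        for lba in range(5):
            ftl.write(lba, constructed_ciphertext(lba), t=2)
    except QuarantineFull:
        terminated = True
    flagged, visible = ftl.malware_mode, ftl.read(0) == constructed_ciphertext(0)
    ftl.confirm_attack()
    return {"flagged": flagged, "terminated": terminated, "visible_during": visible,
            "restored": all(ftl.read(l) == d for l, d in docs.items()),
            "new_lbas_gone": ftl.read(2) is None, "reclaimed": ftl.garbage_collect(),
            "normal_after": not ftl.malware_mode}


def demo_user_initiated() -> dict:
    ftl = ToyFTL()
    ftl.write(7, b"tax return draft", t=0)
    ftl.write(7, constructed_ciphertext(9), t=1)  # user encrypts the file on purpose
    flagged = ftl.malware_mode
    ftl.confirm_user_initiated()
    return {"flagged": flagged, "kept": ftl.read(7) == constructed_ciphertext(9),
            "reclaimed_old_copy": ftl.garbage_collect(), "normal": not ftl.malware_mode}
```

`demo_attack` walks the full path: the first high-entropy overwrite flips the FTL into malware mode, the host still reads back what it wrote (so an attacker gets no signal that anything was diverted), the fifth write is terminated because the four-block area is full, and `confirm_attack` brings back the plain-text documents, unmaps the logical blocks that never existed before the attack, and hands the area to garbage collection, which now runs again. `demo_user_initiated` shows the other exit from malware mode: a deliberate encryption trips the same detector, but once the user confirms it the new data is kept and only the old copy is reclaimed. The point the suspended-GC rule makes is visible in the code: without it, the out-of-place writes that every flash FTL performs would let the old copies be erased before the pointers could be restored.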

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2022/077582 WO2024074195A1 (en) 2022-10-04 2022-10-04 Method of protecting data during malware attack in a computing system


Publications (1)

Publication Number Publication Date
WO2024074195A1 true WO2024074195A1 (en) 2024-04-11

Family

ID=84245991

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2022/077582 WO2024074195A1 (en) 2022-10-04 2022-10-04 Method of protecting data during malware attack in a computing system

Country Status (1)

Country Link
WO (1) WO2024074195A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210157524A1 (en) * 2019-11-27 2021-05-27 SK Hynix Inc. Memory system and operating method thereof
US20210271757A1 (en) * 2020-02-28 2021-09-02 Kioxia Corporation Systems and methods for protecting ssds against threats


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
BAEK SUNGHA ET AL: "SSD-Insider: Internal Defense of Solid-State Drive against Ransomware with Perfect Data Recovery", 2018 IEEE 38TH INTERNATIONAL CONFERENCE ON DISTRIBUTED COMPUTING SYSTEMS (ICDCS), IEEE, 2 July 2018 (2018-07-02), pages 875 - 884, XP033375939, DOI: 10.1109/ICDCS.2018.00089 *

Similar Documents

Publication Publication Date Title
Min et al. Amoeba: An autonomous backup and recovery SSD for ransomware attack defense
CN107977573B (en) Method and system for secure disk access control
US7146525B2 (en) Method for backing up and recovering data in the hard disk of a computer
KR20170129702A (en) Manage previous versions of data for logical addresses of storage devices
US8631203B2 (en) Management of external memory functioning as virtual cache
KR101054981B1 (en) Computer-implemented methods, information processing systems, and computer-readable recording media for securely storing the context of a program
US20090094698A1 (en) Method and system for efficiently scanning a computer storage device for pestware
US9529805B2 (en) Systems and methods for providing dynamic file system awareness on storage devices
US8762431B2 (en) System and method for secure erase in copy-on-write file systems
JP2020502648A (en) Systems and methods for detecting cryptoware
CN109739613B (en) Maintenance method and access control method of nested page table and related device
US10203899B2 (en) Method for writing data into flash memory apparatus, flash memory apparatus, and storage system
US20190095285A1 (en) Backup and recovery of data files using hard links
WO2023206968A1 (en) Data storage method and system, and computer readable storage medium
US20210117110A1 (en) Data processing method and storage device
EP2880538A1 (en) System and method for object deletion in persistent memory using bitmap windows
CN111989679A (en) Injecting trap code in an execution path of a process executing a program to generate a trap address range to detect potentially malicious code
Paik et al. Poster: Self-defensible storage devices based on flash memory against ransomware
Wang et al. Mimosaftl: adding secure and practical ransomware defense strategy to flash translation layer
US7565382B1 (en) Safely rolling back a computer image
EP2998903B1 (en) System and method for robust full-drive encryption
US20140281581A1 (en) Storage Device
WO2024074195A1 (en) Method of protecting data during malware attack in a computing system
KR20210039212A (en) Efficient ransomware detection method and system using bloom-filter
US11314453B2 (en) Memory system managing map data based on risk of malware-infection of host, and operating method thereof

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 22800184; Country of ref document: EP; Kind code of ref document: A1