Systems and methods of detecting and responding to ransomware on a file system

US11190540B2 · US · B2

Patent metadata

Publication number: US-11190540-B2
Application number: US-201916673922-A
Country: US
Kind code: B2
Filing date: Nov 4, 2019
Priority date: Aug 10, 2016
Publication date: Nov 30, 2021
Grant date: Nov 30, 2021

Abstract

Official abstract text for this publication.

The technology disclosed relates to detecting a data attack on a local file system. The detecting includes scanning a list to identify files of the local file system that have been updated within a timeframe, reading payloads of files identified by the scanning, calculating current content properties from the payload of the files, obtaining historical content properties of the files, determining that a malicious activity is in process by analyzing the current content properties and the historical content properties to identify a pattern of changes that exceeds a predetermined change velocity. Further, the detecting includes determining that the malicious activity is in process by analyzing the current content properties and known patterns of malicious metadata to identify a match between the current metadata and the known patterns of malicious metadata, determining a machine/user that initiated the malicious activity, and implementing a response mechanism that restricts file modifications by the machine/user.

First claim

Opening claim text (preview).

What is claimed is:

1. A method of detecting a ransomware attack impacting a cloud-based file storage service, the method comprising: collecting metadata on files stored on the cloud-based file storage service as the files are manipulated, wherein the cloud-based file storage service supports manipulation by creating, editing and sharing the files, and wherein the collected metadata includes at least one of an extension of a file name, a magic number, and a size; storing the collected metadata as historical metadata separate from and not under control of the cloud-based file storage service, as the files are manipulated; detecting multiple artifacts of the ransomware attack resulting from ransomware manipulation of the files, the detecting including: comparing at least one of the extension, the magic number and the size included in the historical metadata to at least one of the extension, the magic number and the size included in current metadata of the files to identify a volume of changes in the files; and detecting that the identified volume of changes exceeds a predetermined change volume to determine that the ransomware attack is in progress; and identifying a user and/or machine that manipulated the files exhibiting the multiple artifacts and responding to the determination that the ransomware attack is in progress by restricting further manipulation of other files on the cloud-based file storage service by the identified user and/or machine, wherein at least a portion of the metadata is actively collected and stored using an active agent of a proxy device positioned between users and the cloud-based file storage service during the manipulation of the files, and wherein at least a portion of the metadata is introspectively collected and stored using an inspective agent of the proxy device through an application programming interface to the cloud-based file storage service in response to the manipulation of files that are transferred to the cloud-based file storage service using a network that is outside of a network through which the metadata is actively collected by the active agent.

2. The method of claim 1, wherein the responding to the determination that the ransomware attack is in progress further includes: notifying the user and/or machine that the ransomware attack was detected; and providing a location of the ransomware attack to the user and/or machine.

3. The method of claim 1, wherein the responding to the determination that the ransomware attack is in progress further includes: isolating the cloud-based file storage service by disconnecting the identified user and/or machine from the cloud-based file storage service and by disconnecting additional users who have access to the cloud-based file storage service; and preventing the identified user and/or machine from accessing the cloud-based file storage service.

4. The method of claim 1, wherein the responding to the determination that the ransomware attack is in progress further includes at least one of performing a backup of the files and performing a backup of the cloud-based file storage service on which the files are stored.

5. The method of claim 1, wherein the responding to the determination that the ransomware attack is in progress further includes: forcing the identified user and/or machine to perform a local scan for the ransomware attack; forcing a scan for the ransomware attack on any other cloud-based file storage service for which the identified user and/or machine has access; forcing additional users who have access to the cloud-based file storage service to perform the local scan for the ransomware attack; and forcing a scan for the ransomware attack on any other cloud-based file storage service for which the additional users have access.

6. The method of claim 1, wherein the responding to the determination that the ransomware attack is in progress includes restoring a previous backup of the cloud-based file storage service, and wherein the restoring of the previous backup is automated or performed with user interaction.

7. The method of claim 1, wherein the responding to the determination that the ransomware attack is in progress includes: determining a creator of a file having caused the ransomware attack to be initiated on the identified user and/or machine based on the current metadata and the historical metadata; and identifying and performing a specific response mechanism of multiple response mechanisms based on the determined creator.

8. A method of detecting a ransomware attack impacting a cloud-based file storage service, the method comprising: collecting content properties from payloads of files stored on the cloud-based file storage service, as the files are manipulated, wherein the cloud-based file storage service supports manipulation by creating, editing and sharing the files; wherein the collected content properties include at least one of a computed entropy or layered entropy, a locality-sensitive hashing (LSH) and an indication of an occurrence of a stub; storing the collected content properties as historical content properties separate from and not under control of the cloud-based file storage service, as the files are manipulated; detecting multiple artifacts of the ransomware attack resulting from ransomware manipulation of the files, the detecting including: comparing at least one of the computed entropy or layered entropy, the LSH and the indication of the occurrence of the stub included in the historical content properties to respective at least one of a computed entropy or layered entropy, LSH and indication of the occurrence of the stub included in current content properties of the files to identify a volume of changes in the files; and detecting that the identified volume of changes exceeds a predetermined change volume to determine that the ransomware attack is in progress; and identifying a user and/or machine that manipulated the files exhibiting the multiple artifacts and responding to the determination that the ransomware attack is in progress by restricting further manipulation of other files on the cloud-based file storage service by the identified user and/or machine, wherein at least a portion of the content properties is actively collected and stored using an active agent of a proxy device positioned between users and the cloud-based file storage service during the manipulation of the files, and wherein at least a portion of the content properties is introspectively collected and stored using an inspective agent of the proxy device through an application programming interface to the cloud-based file storage service in response to the manipulation of files that are transferred to the cloud-based file storage service using a network that is outside of a network through which the content properties are actively collected by the active agent.

9. The method of claim 8, wherein the identified volume of changes are identified by determining a hamming distance between the LSH for the current content properties and the LSH for the historical content properties.

10. The method of claim 8, wherein the responding to the determination that the ransomware attack is in progress includes: calculating an entropy of the payloads of the files; comparing the entropy of the files with entropies of known user-initiated encryption techniques to determine whether or not the identified user and/or machine has implemented a user-initiated encryption technique; identifying each of the files for which the identified user and/or machine has implemented the user-initiated encryption technique; determining that the ransomware attack is in process by analyzing the current cont
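As an added illustration, not text or code from the patent or from Netskope, the following Python sketch implements the detection loop of claims 1 and 8: it records extension, magic number, size and entropy for each manipulated file in a history held outside the storage service, compares current values against that history, counts files exhibiting artifacts per user/machine within a timeframe, and restricts that user/machine once the change-volume threshold is crossed. The magic-number table, the thresholds, the file ids and the sample event stream are constructed assumptions.

```python
import math
from collections import Counter, defaultdict
MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip", b"\x89PNG": "png"}  # hypothetical, abbreviated table

def shannon_entropy(payload: bytes) -> float:  # bits per byte: 0.0 if empty, 8.0 if uniform
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in Counter(payload).values()) if n else 0.0

def properties(name: str, payload: bytes) -> dict:  # metadata (claim 1) + entropy (claim 8)
    magic = next((tag for sig, tag in MAGIC.items() if payload.startswith(sig)), None)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return {"ext": ext, "magic": magic, "size": len(payload), "entropy": shannon_entropy(payload)}

def artifacts(old: dict, new: dict) -> list:  # historical vs current differences typical of encryption
    found = [tag for key, tag in (("ext", "extension-changed"), ("magic", "magic-changed"))
             if old[key] != new[key]]
    if new["entropy"] > 7.0 and new["entropy"] - old["entropy"] > 2.0:
        found.append("entropy-jump")
    return found

class RansomwareDetector:
    """Own property history (outside the storage service); restricts a user/machine past the threshold."""
    def __init__(self, threshold: int = 3, window: float = 60.0):
        self.threshold, self.window = threshold, window
        self.history = {}              # file id -> last recorded properties
        self.hits = defaultdict(list)  # user/machine -> timestamps of files exhibiting artifacts
        self.blocked = set()

    def observe(self, ts: float, user: str, file_id: str, name: str, payload: bytes) -> str:
        """Returns 'blocked' (manipulation refused), 'attack' (threshold just crossed) or 'ok'."""
        if user in self.blocked:
            return "blocked"
        current, previous = properties(name, payload), self.history.get(file_id)
        self.history[file_id] = current
        if previous is None or not artifacts(previous, current):
            return "ok"
        # keep only hits inside the timeframe, then apply the change-volume threshold
        hits = self.hits[user] = [t for t in self.hits[user] if ts - t <= self.window] + [ts]
        if len(hits) < self.threshold:
            return "ok"
        self.blocked.add(user)  # response mechanism: refuse further manipulation by this user
        return "attack"

def demo() -> list:  # constructed stream: alice edits normally, bob overwrites with random-looking bytes
    det = RansomwareDetector(threshold=3, window=60.0)
    plain = b"%PDF-1.4 " + b"quarterly report text " * 20
    results = [det.observe(0, "alice", f"f{i}", f"report{i}.pdf", plain) for i in range(4)]
    results.append(det.observe(5, "alice", "f0", "report0.pdf", plain + b" (edited)"))
    scrambled = bytes(range(256)) * 2  # entropy exactly 8.0 bits per byte
    results += [det.observe(10 + i, "bob", f"f{i}", f"report{i}.pdf.locked", scrambled) for i in range(4)]
    return results
```

In the constructed stream, alice's normal edit changes neither extension, magic number nor entropy class, while bob's third overwrite crosses the threshold and his fourth is refused.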

Assignees

Netskope Inc

Inventors

Classifications

  • G06F21/552 (primary): involving long-term monitoring or reporting · CPC title

  • Auditing as a secondary aspect · CPC title

  • Retrieval characterised by using metadata, e.g. metadata not derived from the content or metadata generated manually · CPC title

  • Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title

  • by checking file integrity · CPC title


Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11190540B2 cover?
The technology disclosed relates to detecting a data attack on a local file system. The detecting includes scanning a list to identify files of the local file system that have been updated within a timeframe, reading payloads of files identified by the scanning, calculating current content properties from the payload of the files, obtaining historical content properties of the files, determinin…
Who is the assignee on this patent?
Netskope Inc
What technology area does this patent fall under?
Primary CPC classification G06F21/552. Mapped technology areas include Physics.
When was this patent published?
Publication date Nov 30, 2021 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 6 related publications on this page (citations in our corpus or others sharing the same primary CPC).