Systems and methods for migrating files to tiered storage systems
US-8984027-B1 · Mar 17, 2015 · US
US12182264B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12182264-B2 |
| Application number | US-202217693206-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 11, 2022 |
| Priority date | Mar 11, 2022 |
| Publication date | Dec 31, 2024 |
| Grant date | Dec 31, 2024 |
Official abstract text for this publication.
Examples of file analytics systems are described that may obtain metadata data and events data from a virtualized file server. The file analytics systems may detect one or more events from the events data matching a criteria indicating malicious activity. The file analytics systems may validate the detection of malicious activity. The validation may be performed by comparing the file type, such as the MIME type, of sample files before and after the suspected malicious activity. The systems may recover a share of the distributed file server including the one or more affected files by replacing the one or more affected files with stored versions of the one or more affected files from a snapshot of the share taken prior to the detected malicious activity.
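The validation step described in the abstract, sketched as an added example (not code from the patent or from any product): the file type stored for each sample file before the suspected activity is compared with the type sniffed from its current content. The magic-byte table, the 7.5 bits/byte entropy threshold, the `application/x-encrypted` label, the `min_fraction` majority rule and all sample paths and contents are assumptions made for this illustration.

```python
import hashlib
import math
from collections import Counter

# Assumed magic-byte table; a real service would ask its file server for the MIME type.
MAGIC = [(b"%PDF-", "application/pdf"), (b"\x89PNG\r\n\x1a\n", "image/png"),
         (b"PK\x03\x04", "application/zip"), (b"\xff\xd8\xff", "image/jpeg")]
ENCRYPTED = "application/x-encrypted"  # hypothetical label, not a registered MIME type
ENTROPY_THRESHOLD = 7.5                # bits per byte, assumed cut-off

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def sniff_type(data: bytes) -> str:
    """A known header wins; headerless high-entropy content is treated as encrypted."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return ENCRYPTED
    try:
        data.decode("utf-8")
        return "text/plain"
    except UnicodeDecodeError:
        return "application/octet-stream"

def validate_candidates(stored_types: dict, current_content: dict, min_fraction: float = 0.5):
    """Return (confirmed, changed): changed lists sample files whose type went from a
    non-encrypted type to ENCRYPTED; confirmed is True when that share reaches min_fraction."""
    changed = [path for path, before in stored_types.items()
               if before != ENCRYPTED and sniff_type(current_content[path]) == ENCRYPTED]
    confirmed = bool(stored_types) and len(changed) / len(stored_types) >= min_fraction
    return confirmed, changed

# Constructed sample data: deterministic pseudo-random bytes stand in for ciphertext.
NOISE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
STORED = {"/share/report.pdf": "application/pdf", "/share/notes.txt": "text/plain",
          "/share/logo.png": "image/png"}
AFTER_ATTACK = {"/share/report.pdf": NOISE, "/share/notes.txt": NOISE,
                "/share/logo.png": b"\x89PNG\r\n\x1a\n" + NOISE}
AFTER_BENIGN = {"/share/report.pdf": b"%PDF-1.7\n" + NOISE, "/share/notes.txt": b"meeting at 10\n",
                "/share/logo.png": b"\x89PNG\r\n\x1a\n" + NOISE}

if __name__ == "__main__":
    print(validate_candidates(STORED, AFTER_ATTACK))
    print(validate_candidates(STORED, AFTER_BENIGN))
```

Checking the header before the entropy keeps compressed formats such as PNG or ZIP from being counted as encrypted, which is the false positive an entropy-only check would produce.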
Opening claim text (preview).
What is claimed is:
1. At least one non-transitory computer readable medium encoded with instructions which, when executed, cause a system to: detect one or more file server events in a distributed file server, the one or more file server events indicative of malicious activity, the distributed file server hosting files distributed across multiple computing nodes including a first computing node and a second computing node; identify candidate files in the distributed file server, the candidate files suspected of being compromised by the malicious activity; and validate the candidate files were compromised by the malicious activity, wherein said validate comprises comparing, for a sample file of the candidate files, a file type of the sample file prior to detection of the malicious activity and a file type of the sample file after the malicious activity; and recover a share of the distributed file server including the candidate files by replacing the candidates files with stored versions from a snapshot of the share taken prior to the detected malicious activity, a first portion of the snapshot of the share at the first computing node and a second portion of the snapshot of the share at the second computing node.
2. The at least one computer readable medium of claim 1, wherein said comparing a file type of the sample file comprises comparing a MIME type of the sample file.
3. The at least one computer readable medium of claim 1, wherein said comparing validates the candidate files were compromised when the file type of the sample file after the malicious activity is an encrypted file type and the file type of the sample file before the malicious activity is other than the encrypted file type.
4. The at least one computer readable medium of claim 1, wherein said comparing comprises requesting a current file type of the sample file from the distributed file server and comparing the current file type with a previously stored file type for the sample file.
5. The at least one computer readable medium of claim 4, wherein said requesting the current file type comprises providing an identification of the sample file to the distributed file server in an API call.
6. The at least one computer readable medium of claim 1, wherein said detect one or more file server events comprises compare a sequence of events for a file of the distributed file server to one or more patterns of file server events associated with the malicious activity.
7. The at least one computer readable medium of claim 1, wherein said detect one or more file server events comprises compare a file entropy measurement of a file of the distributed file server to a threshold file entropy measurement.
8. The at least one computer readable medium of claim 1, wherein the share of the distributed file server including at least one affected file includes files distributed across the first computing node and the second computing node, wherein the instructions further cause the system to retrieve the first portion of the snapshot of the share from the first computing node and the second portion of the snapshot of the share from the second computing node.
9. The at least one computer readable medium of claim 1, wherein the instructions further cause the system to update a file blocking policy of the distributed file server based on the file server events associated with the detected malicious activity.
10. The at least one computer readable medium of claim 1, wherein the instructions further cause the system to, when recovering the share of the distributed file server including at least one affected file: mount the share and the snapshot of the share; delete the at least one affected file from the share; and copy the stored version of the at least one affected file from the snapshot of the share to the share.
11. The at least one computer readable medium of claim 1, wherein the instructions further cause the system to restrict access to at least one affected file in the distributed file server prior to recovery of the share of the distributed file server including the at least one affected file.
12. The at least one computer readable medium of claim 1, wherein the detected malicious activity is a ransomware attack.
13. A system comprising: a distributed file server hosting files across a plurality of computing nodes including a first computing node and a second computing node; an analytics service, the analytics service configured to: detect one or more file server events in the distributed file server indicative of malicious activity; identify candidate files in the distributed file server, the candidate files suspected of being compromised by the malicious activity; and validate the candidate files were compromised by the malicious activity, wherein said validate comprises comparing, for a sample file of the candidate files, a file type of the sample file prior to detection of the malicious activity and a file type of the sample file after the malicious activity; and recover a share of the distributed file server including the candidate files at least in part by replacing the candidate files with stored versions file from a snapshot of the share taken prior to the malicious activity, a first portion of the snapshot of the share at the first computing node and a second portion of the snapshot of the share at the second computing node.
14. The system of claim 13, wherein said analytics service is configured to validate at least in part by comparing a MIME type of the sample file.
15. The system of claim 13, wherein said analytics service is configured to validate the candidate files were compromised when the file type of the sample file after the malicious activity is an encrypted file type and the file type of the sample file before the malicious activity is other than the encrypted file type.
16. The system of claim 13, wherein said analytics service is configured to request a current file type of the sample file from the distributed file server and compare the current file type with a previously stored file type for the sample file.
17. The system of claim 16, wherein said analytics service is configured to request the current file type by providing an identification of the sample file to the distributed file server in an API call.
18. The system of claim 13, wherein the analytics service is configured to detect the one or more file server events indicative of malicious activity at least in part by comparing a sequence of events for a file of the distributed file server to one or more patterns of file server events associated with the malicious activity.
19. The system of claim 13, wherein the share of the distributed file server including at least one affected file includes files distributed across the first computing node and the second computing node of the plurality of computing nodes, wherein the analytics service is further configured to retrieve the first portion of the snapshot of the share from the first computing node and the second portion of the snapshot of the share from the second computing node.
20. The system of claim 13, wherein the analytics service is further configured to update a file blocking policy of the distributed file server based on the file server events associated with the detected malicious activity.
21. The system of claim 13, wherein the analytics service is further configured to, when recovering the share of the distributed file server including at least one affected file: mount the share and
for networked environments · CPC title
Using snapshots, i.e. a logical point-in-time copy of the data · CPC title
Test or assess a computer or a system · CPC title
Event-based monitoring · CPC title
Error avoidance (G06F11/07 and subgroups take precedence) · CPC title