Just-in-time filesystem-based ransomware backup

US12373299B2 · US · B2

Patent metadata
Publication number: US-12373299-B2
Application number: US-202318159394-A
Country: US
Kind code: B2
Filing date: Jan 25, 2023
Priority date: Jan 25, 2023
Publication date: Jul 29, 2025
Grant date: Jul 29, 2025

Abstract

Official abstract text for this publication.

One example method includes detecting a file access process, such as a write operation performed by a ransomware process, directed to a file, based on the detecting, incrementing a counter, checking to determine if the counter exceeds a defined threshold, and when the counter exceeds the defined threshold, creating a backup of the file. The backup file may be a read-only file, and may expire, and be deleted, at a particular time, or after the passage of a period of time.

First claim

Opening claim text (preview).

What is claimed is:

1. A method, comprising: detecting a file access process directed to a file; in a case where the file access process is detected, checking a name of the file to determine whether the file is a backup file; in a case where it is determined that the file is the backup file, shutting down the file access process; and in a case where it is determined that the file is not the backup file: based on the detecting, incrementing a counter each time the file access process is detected; checking to determine if the counter exceeds a defined threshold; and when the counter exceeds the defined threshold, creating a backup of the file, wherein, in a case where the file is determined to be the backup file, an administrator is notified of the file access, or a machine where the file access is occurring is shut down.

2. The method as recited in claim 1, wherein the file access process comprises a write operation.

3. The method as recited in claim 1, wherein a possible ransomware attack is indicated by the counter exceeding the defined threshold.

4. The method as recited in claim 1, wherein the file is only backed up when the counter exceeds the defined threshold.

5. The method as recited in claim 1, wherein the backup automatically expires, and is deleted, at a particular time, or after a particular period of time has passed.

6. The method as recited in claim 1, wherein the defined threshold comprises a rate at which the file access process and one or more additional file access processes, collectively, are performed.

7. The method as recited in claim 1, wherein the backup is used to overwrite the file when part of the file is encrypted by a ransomware process.

8. The method as recited in claim 1, wherein when part of the file is encrypted by a ransomware process, the file is restored using the backup.

9. The method as recited in claim 1, wherein the file access process corresponds to a process ID in a map, and the counter comprises the process ID.

10. A non-transitory storage medium having stored therein instructions that are executable by one or more hardware processors to perform operations comprising: detecting a file access process directed to a file; in a case where the file access process is detected, checking a name of the file to determine whether the file is a backup file; in a case where it is determined that the file is the backup file, shutting down the file access process; and in a case where it is determined that the file is not the backup file: based on the detecting, incrementing a counter each time the file access process is detected; checking to determine if the counter exceeds a defined threshold; and when the counter exceeds the defined threshold, creating a backup of the file, wherein, in a case where the file is determined to be the backup file, an administrator is notified of the one file access, or a machine where the one file access is occurring is shut down.

11. The non-transitory storage medium as recited in claim 10, wherein the file access process comprises a write operation.

12. The non-transitory storage medium as recited in claim 10, wherein a possible ransomware attack is indicated by the counter exceeding the defined threshold.

13. The non-transitory storage medium as recited in claim 10, wherein the file is only backed up when the counter exceeds the defined threshold.

14. The non-transitory storage medium as recited in claim 10, wherein the backup automatically expires, and is deleted, at a particular time, or after a particular period of time has passed.

15. The non-transitory storage medium as recited in claim 10, wherein after the backup of the file is created, both the file and the backup of the file are monitored for file access processes.

16. The non-transitory storage medium as recited in claim 10, wherein the backup is used to overwrite the file when part of the file is encrypted by a ransomware process.

17. The non-transitory storage medium as recited in claim 10, wherein when part of the file is encrypted by a ransomware process, the file is restored using the backup.

18. The non-transitory storage medium as recited in claim 10, wherein the file access process corresponds to a process ID in a map, and the counter comprises the process ID.
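The control flow recited in claims 1, 4, 5 and 9, sketched as an added example (not code from the patent or its assignee). The class name, the `.jitbak` suffix, the threshold and expiry values, and the assumption that the hook runs before the write is applied are all illustrative choices.

```python
import os, shutil, stat, tempfile, time
from collections import defaultdict

BACKUP_SUFFIX = ".jitbak"  # assumed naming convention for backup files

class JitBackupMonitor:
    def __init__(self, threshold=3, ttl=3600):
        self.threshold, self.ttl = threshold, ttl
        self.counters = defaultdict(int)  # process ID -> detected write count
        self.backups = {}                 # backup path -> expiry time
        self.alerts = []                  # (pid, path) for the administrator

    def on_write(self, pid, path, now=None):
        """Hook assumed to run before the write is applied; returns the action."""
        now = time.time() if now is None else now
        if path.endswith(BACKUP_SUFFIX):  # name check: the target is a backup
            self.alerts.append((pid, path))
            return "block"                # caller shuts down the access
        self.counters[pid] += 1
        backup = path + BACKUP_SUFFIX
        if self.counters[pid] > self.threshold and backup not in self.backups:
            shutil.copy2(path, backup)    # copy taken only past the threshold
            os.chmod(backup, stat.S_IRUSR)  # backup is read-only
            self.backups[backup] = now + self.ttl
            return "backup"
        return "allow"

    def expire(self, now=None):
        """Delete backups whose expiry time has passed; returns their paths."""
        now = time.time() if now is None else now
        expired = [b for b, t in self.backups.items() if t <= now]
        for b in expired:
            os.chmod(b, stat.S_IRUSR | stat.S_IWUSR)  # make deletable everywhere
            os.remove(b)
            del self.backups[b]
        return expired

def demo():
    """Constructed scenario: PID 100 writes five files, then targets a backup."""
    with tempfile.TemporaryDirectory() as d:
        mon = JitBackupMonitor(threshold=3, ttl=60)
        paths = [os.path.join(d, f"doc{i}.txt") for i in range(5)]
        for p in paths:
            with open(p, "w") as f:
                f.write("original contents")
        actions = [mon.on_write(100, p, now=0) for p in paths]
        actions.append(mon.on_write(100, paths[4] + BACKUP_SUFFIX, now=1))
        return actions, len(mon.alerts), len(mon.expire(now=61))
```

The first three files written by the process get no backup, which is the trade-off of backing up only once the counter exceeds the threshold.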

Classifications

  • Management of the backup or restore process · CPC title

  • Event detection, e.g. attack signature detection · CPC title

  • the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title

  • by selection of backup contents · CPC title

  • by monitoring network traffic (monitoring network traffic per se H04L43/00) · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Dell Products Lp
What technology area does this patent fall under?
Primary CPC classification G06F11/1451. Mapped technology areas include Physics.
When was this patent published?
Publication date Jul 29, 2025 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).