Systems and methods for protecting against malware attacks
US-11475132-B2 · Oct 18, 2022 · US
Ransomware detection using inode traversal scoring
US12437064B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12437064-B2 |
| Application number | US-202318189928-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 24, 2023 |
| Priority date | Mar 24, 2023 |
| Publication date | Oct 7, 2025 |
| Grant date | Oct 7, 2025 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
One example method includes monitoring a file access request made by a process, searching, in a pointer array that corresponds to the process, for a pointer to the file that was requested by the process, when the pointer is found in the pointer array, incrementing a score associated with the process, performing an anomaly detection check, and when an anomaly is detected, blocking access to the file by the process, and when no anomaly is detected, updating the pointer array to include a pointer to the file to which access was requested by the process.
First claim
Opening claim text (preview).
What is claimed is: 1. A method, comprising: monitoring a file access request made by a process; in response to the file access request, searching, in a pointer array that corresponds to the process, for a pointer to the file that was requested by the process; when the pointer is found in the pointer array, incrementing a score associated with the process; performing an anomaly detection check; and when an anomaly is detected, blocking access to the file by the process, and when no anomaly is detected, updating the pointer array to include a pointer to the file to which access was requested by the process. 2. The method as recited in claim 1 , wherein when a value of the score exceeds a threshold, the process is inferred to comprise a ransomware process, and the process is prevented from accessing the file. 3. The method as recited in claim 1 , wherein when the pointer is not found in the pointer array, the score associated with the process is decremented. 4. The method as recited in claim 1 , wherein the process operates in a user space, and the monitoring, the searching, the incrementing, the performing, and the updating, are performed in a kernel space. 5. The method as recited in claim 1 , wherein the file comprises an inode of a filesystem. 6. The method as recited in claim 1 , wherein the anomaly is indicative of a ransomware process. 7. The method as recited in claim 1 , wherein the file access request is one of multiple file access requests that are being monitored. 8. The method as recited in claim 1 , wherein when no anomaly is detected, and the score is below a threshold, access is granted to the file. 9. The method as recited in claim 1 , wherein a recursive scanning of a filesystem that includes the file causes the score to exceed a threshold indicative of ransomware. 10. The method as recited in claim 1 , wherein the process runs in a user space, and the monitoring, the searching, the incrementing, the performing, and the updating, are not perceptible by the process. 11. A non-transitory storage medium having stored therein instructions that are executable by one or more hardware processors to perform operations comprising: monitoring a file access request made by a process; in response to the file access request, searching, in a pointer array that corresponds to the process, for a pointer to the file that was requested by the process; when the pointer is found in the pointer array, incrementing a score associated with the process; performing an anomaly detection check; and when an anomaly is detected, blocking access to the file by the process, and when no anomaly is detected, updating the pointer array to include a pointer to the file to which access was requested by the process. 12. The non-transitory storage medium as recited in claim 11 , wherein when a value of the score exceeds a threshold, the process is inferred to comprise a ransomware process, and the process is prevented from accessing the file. 13. The non-transitory storage medium as recited in claim 11 , wherein when the pointer is not found in the pointer array, the score associated with the process is decremented. 14. The non-transitory storage medium as recited in claim 11 , wherein the process operates in a user space, and the monitoring, the searching, the incrementing, the performing, and the updating, are performed in a kernel space. 15. The non-transitory storage medium as recited in claim 11 , wherein the file comprises an inode of a filesystem. 16. The non-transitory storage medium as recited in claim 11 , wherein the anomaly is indicative of a ransomware process. 17. The non-transitory storage medium as recited in claim 11 , wherein the file access request is one of multiple file access requests that are being monitored. 18. The non-transitory storage medium as recited in claim 11 , wherein when no anomaly is detected, and the score is below a threshold, access is granted to the file. 19. The non-transitory storage medium as recited in claim 11 , wherein a recursive scanning of a filesystem that includes the file causes the score to exceed a threshold indicative of ransomware. 20. The non-transitory storage medium as recited in claim 11 , wherein the process runs in a user space, and the monitoring, the searching, the incrementing, the performing, and the updating, are not perceptible by the process.
Assignees
Inventors
Classifications
- G06F21/6218Primary
to a system of files or objects, e.g. local or distributed file system or database · CPC title
Test or assess a computer or a system · CPC title
Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title
- G06F21/554Primary
involving event detection and direct action · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US12437064B2 cover?
- One example method includes monitoring a file access request made by a process, searching, in a pointer array that corresponds to the process, for a pointer to the file that was requested by the process, when the pointer is found in the pointer array, incrementing a score associated with the process, performing an anomaly detection check, and when an anomaly is detected, blocking access to the …
- Who is the assignee on this patent?
- Dell Products Lp
- What technology area does this patent fall under?
- Primary CPC classification G06F21/6218. Mapped technology areas include Physics.
- When was this patent published?
- Publication date Tue Oct 07 2025 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).