Malicious data manipulation using markers and the data protection layer

What is claimed is: 1 . A method of detecting malicious modification of data in a network, comprising: setting, by a first layer of network resources, a number of markers associated with input/output (I/O) operations of the network; saving the markers, I/O data location, and associated metadata in a marker database; reading, by a second layer of the network resources, the markers corresponding to relevant I/O operations; and verifying each scanned I/O operation against a corresponding marker to determine whether or not data for a specific I/O operation has been improperly modified for the first and second layers and any intermediate layer resulting in a fault condition, and if so, taking remedial action to flag or abort the specific I/O operation. 2 . The method of claim 1 wherein the resources comprise at least one of: applications, containers, virtual machines, hypervisors, storage systems, and data protection components of the network. 3 . The method of claim 1 wherein the number of markers may be defined by a set parameter, and wherein a number of scanned I/O operations comprises a percentage of all I/O operations based on a defined periodicity parameter. 4 . The method of claim 1 wherein the remedial action comprises one of: issuing an alarm, take corrective measure, recommend corrective measures, or any combination or other remedial action. 5 . The method of claim 1 wherein each marker of the markers comprises an offset and length as metadata and certain marker data. 6 . The method of claim 5 wherein the data of the markers comprises a hash of the data for the specific I/O operation. 7 . The method of claim 5 wherein the marker data comprises a pseudo-random value that can be reconstructed from an offset value and a known seed. 8 . The method of claim 7 wherein the marker data comprises a decoy containing synthetic information that might be considered valuable for a possible attacker, depending on the protected application. 9 . The method of claim 1 wherein the network comprises part of a data replication system using snapshot-based backups, and wherein changes between each scanned I/O operation and the corresponding marker are made using the snapshot backups. 10 . An apparatus detecting malicious modification of data in a network, comprising: a first driver for a first layer of network resources, setting a number of markers associated with input/output (I/O) operations of the network, and saving the markers, location, and associated metadata in a marker database; a second driver of a second layer of the network resources, reading the markers corresponding to relevant I/O operations; and a comparator verifying each scanned I/O operation against a corresponding marker to determine whether or not data for a scanned specific I/O operation has been improperly modified for the first and second layers and any intermediate layer resulting in a fault condition, and if so, taking remedial action to flag or abort the specific I/O operation. 11 . The apparatus of claim 10 wherein the resources comprise at least one of: applications, containers, virtual machines, hypervisors, storage systems, and data protection components of the network. 12 . The apparatus of claim 10 wherein the number of markers may be defined by a set parameter. 13 . The apparatus of claim 10 wherein a number of scanned I/O operations comprises a percentage of all I/O operations based on a defined periodicity parameter. 14 . The apparatus of claim 10 wherein the remedial action comprises one of: issuing an alarm, take corrective measure, recommend corrective measures, or any combination or other remedial action. 15 . The apparatus of claim 10 wherein each marker comprises an offset, length and certain marker data. 16 . The apparatus of claim 15 wherein the marker data comprises a pseudo-random value that can be reconstructed from an offset and a known seed 17 . The apparatus of claim 15 wherein the marker data comprises a decoy containing synthetic information that might be considered valuable for a possible attacker, depending on the protected application. 18 . The apparatus of claim 10 wherein the network comprises part of a data replication system using snapshot-based backups, and wherein changes between each scanned I/O operation and the corresponding marker are made using the snapshot backups 19 . A computer program product, comprising a non-transitory computer-readable medium having a computer-readable program code embodied therein, the computer-readable program code adapted to be executed by one or more processors to perform a method of detecting malicious modification of data in a network, by: setting, by a first layer of network resources, a number of markers associated with input/output (I/O) operations of the network; saving the markers, location, and associated metadata in a marker database; reading, by a second layer of the network resources, the markers corresponding to relevant I/O operations; and verifying each scanned I/O operation against a corresponding marker to determine whether or not data for a scanned specific I/O operation has been improperly modified for the first and second layers and any intermediate layer resulting in a fault condition, and if so, taking remedial action to flag or abort the specific I/O operation. 20 . The computer program product of claim 19 wherein the resources comprise at least one of: applications, containers, virtual machines, hypervisors, storage systems, and data protection components of the network.