Ransomware infection detection in filesystems

US2026010626A1 · US · A1

Patent metadata
Field               Value
Publication number  US-2026010626-A1
Application number  US-202519327792-A
Country             US
Kind code           A1
Filing date         Sep 12, 2025
Priority date       Jul 30, 2018
Publication date    Jan 8, 2026
Grant date          (none listed)

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Described herein is a system that detects ransomware infection in filesystems. The system detects ransomware infection by using backup data of machines. The system detects ransomware infection in two stages. In the first stage, the system analyzes a filesystem's behavior. The filesystem's behavior can be obtained by loading the backup data and crawling the filesystem to create filesystem metadata including information about file operations during a time interval. The filesystem determines a pattern of the file operations and compares the pattern to a normal pattern to analyze the filesystem's behavior. If the filesystem's behavior is abnormal, the system proceeds to the second stage to analyze the content of the files to look for signs of encryption in the filesystem. The system combines the analysis of both stages to determine whether the filesystem is infected by ransomware.

First claim

Opening claim text (preview).

1. A method, comprising:
    accessing a data store to obtain a first set of snapshots corresponding to a machine, each snapshot indicating data of the machine at a corresponding point in time, the first set of snapshots comprising a plurality of snapshots spanning a period of time;
    generating metadata indicating operations to one or more files in a filesystem of the machine over time intervals corresponding to the first set of snapshots;
    training, using the metadata, a ransomware detection model operative to define a normal pattern of behavior of the filesystem and to detect an infection of the filesystem of the machine by ransomware, wherein the ransomware detection model comprises a first model feature that is based at least in part on the metadata corresponding to the first set of snapshots, and wherein the ransomware detection model further comprises a second model feature that is based at least in part on respective entropies of the one or more files in the filesystem of the machine;
    receiving, by the ransomware detection model, a second snapshot of the machine, the second snapshot indicating data of the machine at a corresponding point in time subsequent to the first set of snapshots, wherein the second snapshot indicates operations to one or more files in the filesystem of the machine over a second time interval;
    applying the ransomware detection model to the second snapshot to screen for abnormal behavior of the filesystem, wherein the ransomware detection model is operative to assess changes in the filesystem over the second time interval and entropies of one or more files in the filesystem associated with the second time interval, wherein the ransomware detection model is further operative to calculate one or more scores indicating a respective probability that a behavior of the filesystem is anomalous;
    comparing the one or more scores to a respective threshold value;
    based at least in part on at least one of the one or more scores crossing the respective threshold value, generating a user interface for presenting a determination that the filesystem is infected; and
    providing the user interface for display.

2. The method of claim 1, wherein the machine is a virtual machine.

3. The method of claim 1, wherein the changes in the filesystem is recorded in the metadata, the metadata including a list of entries corresponding to data changes in the filesystem.

4. The method of claim 1, wherein the period of time comprises a plurality of time intervals corresponding to the first set of snapshots and wherein the period of time is greater than the second time interval.

5. The method of claim 1, wherein the ransomware detection model is operative to generate a combined anomaly score by combining the one or more scores.

6. The method of claim 1, further comprising: training the ransomware detection model using additional training data, the additional training data including at least one of filesystem data of filesystems owned by multiple users, and filesystem data of multiple filesystems owned by a user.

7. The method of claim 1, wherein the training of the ransomware detection model is performed in a cloud platform.

8. The method of claim 1, wherein the ransomware detection model is hosted in a cloud platform.

9. The method of claim 1, wherein the ransomware detection model comprises a first machine learning model and a second machine learning model, wherein the first machine learning model includes the first model feature and is operative to determine whether the behavior of the filesystem is anomalous, wherein the second machine learning model includes the second model feature and is operative to detect a ransomware encryption event.

10. The method of claim 9, wherein the ransomware detection model applies the second machine learning model to the second snapshot if the first machine learning model identifies that the filesystem behavior of the machine is anomalous.

11. An apparatus for data management, comprising: at least one processor; memory coupled with the at least one processor; and instructions stored in the memory and executable by the at least one processor to cause the apparatus to perform operations comprising:
    accessing a data store to obtain a first set of snapshots corresponding to a machine, each snapshot indicating data of the machine at a corresponding point in time, the first set of snapshots comprising a plurality of snapshots spanning a period of time;
    generating metadata indicating operations to one or more files in a filesystem of the machine over time intervals corresponding to the first set of snapshots;
    training, using the metadata, a ransomware detection model operative to define a normal pattern of behavior of the filesystem and to detect an infection of the filesystem of the machine by ransomware, wherein the ransomware detection model comprises a first model feature that is based at least in part on the metadata corresponding to the first set of snapshots, and wherein the ransomware detection model further comprises a second model feature that is based at least in part on respective entropies of the one or more files in the filesystem of the machine;
    receiving, by the ransomware detection model, a second snapshot of the machine, the second snapshot indicating data of the machine at a corresponding point in time subsequent to the first set of snapshots, wherein the second snapshot indicates operations to one or more files in the filesystem of the machine over a second time interval;
    applying the ransomware detection model to the second snapshot to screen for abnormal behavior of the filesystem, wherein the ransomware detection model is operative to assess changes in the filesystem over the second time interval and entropies of one or more files in the filesystem associated with the second time interval, wherein the ransomware detection model is further operative to calculate one or more scores indicating a respective probability that a behavior of the filesystem is anomalous;
    comparing the one or more scores to a respective threshold value;
    based at least in part on at least one of the one or more scores crossing the respective threshold value, generating a user interface for presenting a determination that the filesystem is infected; and
    providing the user interface for display.

12. The apparatus of claim 11, wherein the machine is a virtual machine.

13. The apparatus of claim 11, wherein the changes in the filesystem is recorded in the metadata, the metadata including a list of entries corresponding to data changes in the filesystem.

14. The apparatus of claim 11, wherein the period of time comprises a plurality of time intervals corresponding to the first set of snapshots and wherein the period of time is greater than the second time interval.

15. The apparatus of claim 11, wherein the ransomware detection model is operative to generate a combined anomaly score by combining the one or more scores.

16. The apparatus of claim 11, further comprising: training the ransomware detection model using additional training data, the additional training data including at least one of filesystem data of filesystems owned by multiple users, and filesystem data of multiple filesystems owned by a user.

17. The apparatus of claim 11, wherein the training of the ransomware detection model is performed in a cloud platform.

18. The apparatus of claim 11, wherein the ransomware detection model is hosted in a cloud platform.

19. The apparatus of claim 11,
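The two-stage scheme in the abstract and in claim 1 (a behavior model trained on file-operation metadata derived from a set of historical snapshots, then an entropy check over file contents that runs only when the behavior score crosses its threshold, as claim 10 puts it) can be sketched in code. The Python below is an added illustration written for this page; it is not Rubrik's code and is not taken from the patent. It assumes snapshots modelled as in-memory dicts mapping path to content, a change-volume model that is just a per-feature mean and standard deviation with a one-sided z-test, and assumed cut-offs of 7.0 bits per byte for "looks encrypted", 0.999 for the stage-1 probability and 0.5 for the stage-2 encrypted fraction. The document tree and the ransomware run are constructed sample data.

```python
"""Two-stage ransomware screening over filesystem snapshots (illustrative, not the patent's code)."""
import math
import random
import statistics
from collections import Counter

# Assumed cut-offs; a deployment would calibrate these from its own data.
ENTROPY_THRESHOLD = 7.0              # bits/byte above which content "looks encrypted"
BEHAVIOR_THRESHOLD = 0.999           # stage-1 probability cut-off (about a 3-sigma excursion)
ENCRYPTED_FRACTION_THRESHOLD = 0.5   # stage-2 cut-off on the share of written files that look encrypted
FEATURES = ("created", "deleted", "modified")


def shannon_entropy(data: bytes) -> float:
    """Empirical byte entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def interval_metadata(prev: dict, curr: dict) -> dict:
    """Crawl two consecutive snapshots (path -> bytes) and record the file operations in between."""
    prev_paths, curr_paths = set(prev), set(curr)
    return {
        "created": sorted(curr_paths - prev_paths),
        "deleted": sorted(prev_paths - curr_paths),
        "modified": sorted(p for p in prev_paths & curr_paths if prev[p] != curr[p]),
    }


def train_behavior_model(snapshots: list) -> dict:
    """Stage 1 training: mean and spread of each operation count over the historical intervals."""
    rows = [interval_metadata(a, b) for a, b in zip(snapshots, snapshots[1:])]
    model = {}
    for f in FEATURES:
        counts = [len(r[f]) for r in rows]
        # Floor the spread at one file so a perfectly steady baseline is not infinitely sensitive.
        model[f] = (statistics.fmean(counts), max(statistics.pstdev(counts), 1.0))
    return model


def behavior_scores(model: dict, meta: dict) -> dict:
    """Per-feature probability that the observed count is above normal (one-sided z-test)."""
    scores = {}
    for f in FEATURES:
        mean, std = model[f]
        z = (len(meta[f]) - mean) / std
        scores[f] = 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))
    return scores


def encryption_score(curr: dict, meta: dict) -> float:
    """Stage 2: share of files written in the interval whose content exceeds the entropy cut-off."""
    written = meta["created"] + meta["modified"]
    if not written:
        return 0.0
    return sum(shannon_entropy(curr[p]) >= ENTROPY_THRESHOLD for p in written) / len(written)


def screen_snapshot(model: dict, prev: dict, curr: dict) -> dict:
    """Apply the model to a new snapshot; stage 2 runs only if stage 1 flags the interval."""
    meta = interval_metadata(prev, curr)
    scores = behavior_scores(model, meta)
    result = {"scores": scores, "behavior": max(scores.values()), "encryption": None, "infected": False}
    if result["behavior"] < BEHAVIOR_THRESHOLD:
        return result
    result["encryption"] = encryption_score(curr, meta)
    result["infected"] = result["encryption"] >= ENCRYPTED_FRACTION_THRESHOLD
    return result


def build_history(days: int = 11, seed: int = 1) -> list:
    """Constructed sample data: a small document tree that changes a little every day."""
    rng = random.Random(seed)
    names = ["report", "invoice", "meeting", "budget", "notes", "draft"]
    fs = {f"/home/alice/docs/{n}{i}.txt": f"{n} version 0\n".encode() * 20 for i in range(4) for n in names}
    history = [dict(fs)]
    for day in range(1, days + 1):
        for p in rng.sample(sorted(fs), rng.randint(2, 4)):      # a few edits
            fs[p] += f"edit on day {day}\n".encode()
        fs[f"/home/alice/docs/new_day{day}.txt"] = f"created day {day}\n".encode() * 10
        if rng.random() < 0.3:                                    # occasional deletion
            del fs[rng.choice(sorted(fs))]
        history.append(dict(fs))
    return history


def simulate_ransomware(snapshot: dict, seed: int = 2) -> dict:
    """Constructed attack: every file replaced by random bytes under a new extension, plus a ransom note."""
    rng = random.Random(seed)
    locked = {p + ".locked": bytes(rng.getrandbits(8) for _ in range(2048)) for p in snapshot}
    locked["/home/alice/docs/README_RESTORE.txt"] = b"Your files have been encrypted.\n" * 4
    return locked


def demo() -> tuple:
    history = build_history()
    model = train_behavior_model(history[:-1])                   # the "first set of snapshots"
    normal = screen_snapshot(model, history[-2], history[-1])    # an ordinary day: stage 2 is skipped
    attack = screen_snapshot(model, history[-1], simulate_ransomware(history[-1]))
    return normal, attack


if __name__ == "__main__":
    for label, r in zip(("normal day", "ransomware run"), demo()):
        print(f"{label}: behavior={r['behavior']:.3f} encryption={r['encryption']} infected={r['infected']}")
```

Two practical points the sketch makes visible. First, the entropy check alone is a weak signal: compressed archives, media files and legitimately encrypted containers all score near 8 bits per byte, which is why stage 2 is gated on stage 1 and why the ransom note (low entropy) keeps the encrypted fraction below 1.0 here. Second, a detector that works from backup snapshots only sees the damage at the next snapshot, so the snapshot interval, not the model, bounds detection latency; the value of the approach is that it runs off the protected copy and can point at the last clean snapshot to restore from.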

Assignees

Rubrik Inc
Inventors

Classifications

  • Eliminating virus, restoring damaged files · CPC title

  • Backup restoration techniques · CPC title

  • Details of file system snapshots on the file-level, e.g. snapshot creation, administration, deletion (error detection or correction of the data by redundancy in operations or in hardware G06F11/14, G06F11/16) · CPC title

  • Management of the backup or restore process · CPC title

  • Test or assess a computer or a system · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2026010626A1 cover?
Described herein is a system that detects ransomware infection in filesystems. The system detects ransomware infection by using backup data of machines. The system detects ransomware infection in two stages. In the first stage, the system analyzes a filesystem's behavior. The filesystem's behavior can be obtained by loading the backup data and crawling the filesystem to create a filesystem meta…
Who is the assignee on this patent?
Rubrik Inc
What technology area does this patent fall under?
Primary CPC classification G06F21/565. Mapped technology areas include Physics.
When was this patent published?
Publication date Jan 8, 2026 (kind code A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).