CPC G06F 21/554 (2013.01) [G06N 5/04 (2013.01); G06F 2221/034 (2013.01)]; 20 Claims

1. A computer-implemented method performed by a data storage manager that manages malicious activity in a data processing system, the method comprising:
identifying an encryption event associated with a storage of the data processing system, the encryption event being associated with a change in encryption state of a portion of data stored in the storage and being reported to the data storage manager by a storage manager installed within the data processing system in response to the storage manager receiving one or more encryption instructions to encrypt data stored in the storage, the storage manager managing the storage and the data;
performing type classification for an encryption associated with the encryption event;
making a first determination, using the type classification, that the encryption event is authorized;
after the first determination, collecting telemetry of one or more computing components of the data processing system that are impacted by the encryption, the telemetry comprising at least a list of input-output (I/O) operations of the storage leading up to and during the encryption event, and the encryption event being identified without using the telemetry;
making a second determination, after collecting the telemetry and based on the telemetry, that the encryption is actually not authorized; and
performing, based on the second determination that the encryption is actually not authorized, an action set to remediate risk associated with the encryption event, the action set being based, at least in part, on outcomes of the first determination and of the second determination.
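As an added illustration (not the patent's own code), a Python sketch of the claimed two-stage flow: type classification of the reported encryption event without telemetry, a first determination from that classification, a second determination from the I/O telemetry collected afterwards, and an action set chosen from both outcomes. The allowlist, the cipher-name heuristic, the telemetry rule and the sample event are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class EncryptionEvent:
    volume: str
    requester: str   # component that issued the encryption instruction
    cipher: str      # cipher named in the instruction

@dataclass(frozen=True)
class IoOp:
    op: str          # "read", "write" or "delete"
    path: str

# Constructed allowlist: (encryption type, requester) pairs that are expected.
AUTHORIZED = {("full-disk", "os-agent"), ("file-level", "backup-agent")}

def classify(event: EncryptionEvent) -> str:
    """Type classification from instruction attributes alone (no telemetry)."""
    if event.cipher.startswith("xts-"):
        return "full-disk"
    if event.cipher.startswith("aes-gcm"):
        return "file-level"
    return "unknown"

def first_determination(event: EncryptionEvent, enc_type: str) -> bool:
    return (enc_type, event.requester) in AUTHORIZED

def second_determination(telemetry: list) -> bool:
    """Re-check using I/O telemetry (assumed rule): in-place encryption reads a
    file before rewriting it and deletes nothing, so writes to paths never
    read, or any delete, mean the activity is not the classified encryption."""
    read = {o.path for o in telemetry if o.op == "read"}
    blind_writes = [o for o in telemetry if o.op == "write" and o.path not in read]
    deletes = [o for o in telemetry if o.op == "delete"]
    return not blind_writes and not deletes

def action_set(first: bool, second) -> list:
    """Remediation chosen from both outcomes, not from the second alone."""
    if not first:
        return ["block_encryption", "alert"]
    if not second:   # passed classification, failed the telemetry check
        return ["suspend_requester", "snapshot_volume", "alert"]
    return ["log"]

def handle(event: EncryptionEvent, telemetry: list):
    enc_type = classify(event)
    first = first_determination(event, enc_type)
    second = second_determination(telemetry) if first else None
    return first, second, action_set(first, second)

# Constructed sample: looks authorized by type, telemetry says otherwise.
SAMPLE_EVENT = EncryptionEvent("vol1", "backup-agent", "aes-gcm-256")
SAMPLE_TELEMETRY = [IoOp("read", "/data/a.db"), IoOp("write", "/data/a.db"),
                    IoOp("write", "/data/b.db"), IoOp("delete", "/backup/a.bak")]
```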