US 12,277,222 B2
Using snapshots for anomaly detection
Arieh Don, Newton, MA (US); Michael Ferrari, Douglas, MA (US); and Benjamin Randolph, Uxbridge, MA (US)
Assigned to DELL PRODUCTS L.P., Hopkinton, MA (US)
Filed by DELL PRODUCTS L.P., Hopkinton, MA (US)
Filed on Sep. 29, 2022, as Appl. No. 17/956,085.
Prior Publication US 2024/0111863 A1, Apr. 4, 2024
Int. Cl. G06F 21/56 (2013.01)
CPC G06F 21/565 (2013.01) [G06F 2221/034 (2013.01)] 17 Claims
OG exemplary drawing
 
1. A method comprising:
identifying a storage object that is a logical disk drive having a set of contiguous fixed-size logical block addresses (LBAs) and on which data associated with only a single host application is logically stored by a block-based storage system that lacks metadata that identifies files within the data;
prior to a malicious attack, computing a profile of characteristics of normal snapshots of the storage object from a plurality of snapshots of the storage object, the characteristics comprising write LBA dispersion indicative of distances between different writes in terms of counts of unwritten LBAs between written LBAs, write workload indicative of read:write input/output (IO) command ratio, number of write IO commands received, and size of associated write operations in terms of storage capacity or fixed-size chunks;
creating a new snapshot of the storage object after the malicious attack has commenced and before the malicious attack has been detected;
identifying characteristics of the new snapshot; and
detecting the malicious attack by comparing the characteristics of the new snapshot with the characteristics of the profile to identify an anomalistic change indicative of the malicious attack.
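Claim 1 profiles normal snapshots by four characteristics (write LBA dispersion, read:write ratio, write IO count, write size in chunks) and compares a new snapshot against that profile. As an added illustration, not code from the patent or from Dell, the following Python computes those characteristics from constructed per-snapshot write records and flags a snapshot that falls outside the profile; the z-score threshold, the chunk size and the SnapshotDelta record are assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

CHUNK_LBAS = 8  # assumed fixed-size chunk, in LBAs

@dataclass
class SnapshotDelta:          # constructed record of what changed since the previous snapshot
    written_lbas: list        # LBAs written in the interval
    read_ios: int             # read IO commands received in the interval
    write_ios: int            # write IO commands received in the interval

def characteristics(d):
    """The four claim-1 characteristics for one snapshot."""
    lbas = sorted(set(d.written_lbas))
    gaps = [b - a - 1 for a, b in zip(lbas, lbas[1:])]   # unwritten LBAs between written ones
    return {
        "dispersion": mean(gaps) if gaps else 0.0,
        "rw_ratio": d.read_ios / max(d.write_ios, 1),
        "write_ios": d.write_ios,
        "write_chunks": len({lba // CHUNK_LBAS for lba in lbas}),
    }

def build_profile(deltas):
    """Mean and population std-dev of each characteristic over normal snapshots."""
    feats = [characteristics(d) for d in deltas]
    return {k: (mean(f[k] for f in feats), pstdev(f[k] for f in feats)) for k in feats[0]}

def detect(profile, delta, zmax=3.0):
    """Characteristics of `delta` more than zmax std-devs from the profile (empty if normal)."""
    new = characteristics(delta)
    flagged = {}
    for k, (mu, sigma) in profile.items():
        sigma = max(sigma, 0.05 * abs(mu), 1e-9)  # floor so a near-constant feature is not over-sensitive
        z = abs(new[k] - mu) / sigma
        if z > zmax:
            flagged[k] = round(z, 1)
    return flagged

# constructed normal snapshots: localized writes, read-heavy workload
NORMAL = [
    SnapshotDelta(list(range(1000, 1200, 2)), 900, 200),
    SnapshotDelta(list(range(1000, 1160, 2)), 950, 210),
    SnapshotDelta(list(range(1200, 1400, 4)), 880, 190),
    SnapshotDelta(list(range(1050, 1250, 2)), 1000, 240),
    SnapshotDelta(list(range(1100, 1300, 3)), 920, 215),
]
PROFILE = build_profile(NORMAL)
BENIGN = SnapshotDelta(list(range(1000, 1180, 2)), 930, 205)
# constructed suspect snapshot: scattered rewrites across the device, read:write near 1:1
SUSPECT = SnapshotDelta(list(range(0, 100000, 64)), 5000, 5000)
```

`detect(PROFILE, BENIGN)` returns an empty dict, while `detect(PROFILE, SUSPECT)` flags all four characteristics.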