| CPC G06F 21/554 (2013.01) [G06F 21/565 (2013.01); G06F 21/566 (2013.01); G06F 2221/034 (2013.01)] | 19 Claims |

|
1. A non-transitory computer-readable storage medium, having instructions stored thereon that, when executed by a computing device, cause the computing device to perform operations, the operations comprising:
monitoring requests to write data, wherein the requests to write data are interpreted as operations performed on a plurality of files;
identifying at least one of (i) unauthorized encryption of at least one file in the plurality of files in the requests to write data, (ii) unauthorized deletion of the at least one file and (iii) detection of malicious activity;
recording the requests to write data to a journal stored on a storage device;
recording, in the journal, location and content of the plurality of files;
restoring, when the unauthorized encryption is identified, the at least one file from the journal,
wherein the identifying further comprises:
detecting, by a change detection algorithm, changes to the one or more files;
wherein the detecting further comprises:
monitoring a first portion of a data stream and a second portion of the data stream, wherein the first portion corresponds to a start of the data stream, and
wherein the second portion corresponds to a variable section of the data stream;
calculating a test statistic d that quantifies closeness of distribution of the data;
reporting, at a point in the data stream when the test statistic d is greater than a change value α, a change in the data stream;
resetting the start of the data stream to the point; and
for the first portion having values X1 and the second portion having values X2, and for each segment A of real numbers:
calculating a fraction of values in X1 that fall in A, denoted S1(A);
calculating a fraction of values in X2 that fall in A, denoted S2(A); and
calculating a Φ value according to a formula:
![]() |
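The sliding-window detection described in the claim, as an added Python example that is not code from the patent. The Φ formula is not reproduced on this page, so the sketch substitutes the largest absolute difference |S1(A) − S2(A)| over a fixed set of segments as the test statistic d. That substitution, the use of per-write entropy as the stream values, the segment edges, the window size and all names are assumptions.

```python
from bisect import bisect_right

# Constructed sample: per-write Shannon entropy (bits/byte), an assumed feature.
# Writes from index 12 onward look like encrypted data.
STREAM = [4.1, 4.3, 3.9, 4.4, 4.0, 4.2, 4.5, 3.8, 4.1, 4.3, 4.0, 4.2,
          7.9, 7.8, 7.9, 7.9, 7.8, 7.9, 7.9, 7.8]
EDGES = [0, 2, 4, 6, 7, 8]  # assumed segments A: [0,2) [2,4) [4,6) [6,7) [7,8]


def fractions(values, edges):
    """S(A) for every segment A: the fraction of values that fall in A."""
    counts = [0] * (len(edges) - 1)
    for v in values:
        # Clamp out-of-range values into the first or last segment.
        i = min(max(bisect_right(edges, v) - 1, 0), len(counts) - 1)
        counts[i] += 1
    return [c / len(values) for c in counts]


def detect_changes(stream, edges, alpha, window):
    """Return the stream indices at which a distribution change is reported."""
    changes, start = [], 0
    for i in range(len(stream)):
        # Wait until a full reference window and a disjoint current window exist.
        if i + 1 - start < 2 * window:
            continue
        s1 = fractions(stream[start:start + window], edges)   # X1: start of stream
        s2 = fractions(stream[i + 1 - window:i + 1], edges)   # X2: variable section
        # Assumed test statistic: sup over segments of |S1(A) - S2(A)|.
        d = max(abs(a - b) for a, b in zip(s1, s2))
        if d > alpha:
            changes.append(i)   # report the change at this point
            start = i           # reset the start of the stream to the point
    return changes


if __name__ == "__main__":
    print(detect_changes(STREAM, EDGES, alpha=0.6, window=4))
```

On the constructed stream the change is reported at index 14 although the high-entropy writes begin at index 12; writes made in that gap are what the journal in the claim is there to restore.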