US 11,698,965 B2
Detection of encrypting malware attacks
M Corneliu Constantinescu, San Jose, CA (US); Frank Schmuck, Campbell, CA (US); and Deepavali M. Bhagwat, Cupertino, CA (US)
Assigned to International Business Machines Corporation, Armonk, NY (US)
Filed by International Business Machines Corporation, Armonk, NY (US)
Filed on Apr. 9, 2020, as Appl. No. 16/844,856.
Prior Publication US 2021/0319103 A1, Oct. 14, 2021
Int. Cl. G06F 21/56 (2013.01); G06F 16/17 (2019.01); G06N 20/00 (2019.01); G06F 16/182 (2019.01)
CPC G06F 21/566 (2013.01) [G06F 16/1734 (2019.01); G06F 16/182 (2019.01); G06F 21/565 (2013.01); G06N 20/00 (2019.01); G06F 2221/034 (2013.01)] 18 Claims
OG exemplary drawing
 
1. A computer-implemented method, comprising:
monitoring file access activity on nodes in a distributed file system comprising a server in communication with the nodes;
generating an audit log based on the file access activity on the nodes;
periodically collecting samples of file usage activity over predefined windows of time from the nodes, wherein the windows of time are cumulatively less than a duration of the monitoring, wherein the nodes locally process events that are collected over a period of time in memory buffers in the respective nodes;
running a pattern recognition algorithm on the samples of the file usage activity for detecting malware activity;
in response to detecting malware activity, restoring at least one file based on the audit log; and
in response to detecting suspected malware activity, modifying a file of one of the nodes, performing a detailed analysis of the modified file, wherein the detailed analysis is performed by a different node than the node on which the modified file is stored.
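As an added illustration of the pipeline the claim describes (per-node audit log, events buffered locally and summarized over a window, a server-side pattern check on the samples, a detailed look at a modified file by a different node, and rollback from the audit log), the following Python is not from the patent or from IBM; the entropy-based heuristic, the node names, the thresholds and the sample documents are all constructed assumptions standing in for the unspecified "pattern recognition algorithm":

```python
"""Toy model of the claimed detection/restore loop. Everything here is
constructed for illustration; the real patent does not specify the
pattern-recognition algorithm or these thresholds."""
from __future__ import annotations

import math
import random
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumed tunables (not from the patent).
MIN_WRITES_PER_WINDOW = 4     # a window with fewer writes is never flagged
HIGH_ENTROPY_BITS = 7.0       # ciphertext approaches 8 bits/byte; text is far lower
SUSPICIOUS_RATIO = 0.75       # fraction of writes that must look like encryption


@dataclass
class AuditEvent:
    t: float                       # event time, seconds
    node: str                      # node that performed the write
    path: str
    before: Optional[bytes]        # content prior to the write; used for restore
    after: bytes                   # content after the write


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`: ~8 for random/encrypted bytes, ~4 or less for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class Node:
    """One file-system node: keeps the full audit log plus an in-memory window buffer."""

    def __init__(self, name: str):
        self.name = name
        self.files: dict[str, bytes] = {}
        self.audit_log: list[AuditEvent] = []
        self.buffer: list[AuditEvent] = []   # events collected since the last sample

    def write(self, t: float, path: str, data: bytes) -> None:
        ev = AuditEvent(t, self.name, path, self.files.get(path), data)
        self.files[path] = data
        self.audit_log.append(ev)
        self.buffer.append(ev)

    def sample_window(self) -> dict:
        """Locally reduce the buffered events of one window to a small sample, then clear."""
        writes = list(self.buffer)
        high = sum(
            1 for e in writes
            if shannon_entropy(e.after) >= HIGH_ENTROPY_BITS
            and shannon_entropy(e.after) > shannon_entropy(e.before or b"")
        )
        sample = {"node": self.name, "writes": len(writes),
                  "high_entropy_writes": high,
                  "paths": sorted({e.path for e in writes})}
        self.buffer.clear()
        return sample


def detect_encrypting_pattern(sample: dict) -> bool:
    """Server-side check: a burst of writes, most of which push files to ciphertext-like entropy."""
    if sample["writes"] < MIN_WRITES_PER_WINDOW:
        return False
    return sample["high_entropy_writes"] / sample["writes"] >= SUSPICIOUS_RATIO


def detailed_analysis(analyzer: Node, owner: Node, path: str) -> dict:
    """The modified file is examined by a node other than the one storing it."""
    if analyzer is owner:
        raise ValueError("detailed analysis must run on a different node")
    ent = shannon_entropy(owner.files[path])
    return {"path": path, "entropy": round(ent, 2),
            "looks_encrypted": ent >= HIGH_ENTROPY_BITS}


def restore_from_audit_log(node: Node, path: str, since: float) -> bool:
    """Roll `path` back to its content before the first write at or after `since`."""
    for ev in node.audit_log:
        if ev.path == path and ev.t >= since and ev.before is not None:
            node.files[path] = ev.before
            return True
    return False


def run_demo() -> dict:
    victim, analyzer = Node("node-a"), Node("node-b")
    # Constructed sample documents (low entropy text).
    docs = {f"/data/doc{i}.txt": f"quarterly report {i} ".encode() * 20 for i in range(5)}
    for p, content in docs.items():
        victim.write(0.0, p, content)
    baseline_flagged = detect_encrypting_pattern(victim.sample_window())

    # Constructed "encryption" burst: each document overwritten with random bytes.
    rng = random.Random(7)
    for i, p in enumerate(docs):
        victim.write(10.0 + i * 0.2, p, rng.randbytes(len(docs[p])))
    sample = victim.sample_window()
    flagged = detect_encrypting_pattern(sample)
    analysis = detailed_analysis(analyzer, victim, sample["paths"][0]) if flagged else None
    restored = [p for p in sample["paths"] if flagged and restore_from_audit_log(victim, p, 10.0)]
    return {"baseline_flagged": baseline_flagged, "flagged": flagged, "analysis": analysis,
            "restored": restored,
            "recovered_ok": all(victim.files[p] == docs[p] for p in docs)}


if __name__ == "__main__":
    print(run_demo())
```

The windowed sample is deliberately tiny (counts and paths only), which is what makes the claim's "windows cumulatively less than the duration of the monitoring" practical: the server never sees raw events, only per-node summaries, and the audit log stays on the node until a restore is needed.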