CPC H04L 63/1466 (2013.01) [G06F 21/554 (2013.01); G06F 21/55 (2013.01); H04L 63/0884 (2013.01); H04L 63/145 (2013.01)] | 18 Claims |
1. A method for detecting ransomware attacks on an SMB (Server Message Block) file sharing system (FSS), the method comprising:
authenticating a user's request for access to the SMB file sharing system;
when the user is successfully authenticated, initiating an SMB session for the user;
during the SMB session, detecting QUERY_INFO and OPLOCK_BREAK SMB commands issued by the user;
evaluating the detected QUERY_INFO and OPLOCK_BREAK SMB commands against an activity profile based on SMB commands in prior SMB sessions by the user to identify repeated sequences of a QUERY_INFO command followed directly by an OPLOCK_BREAK command; and
when repeated sequences of a QUERY_INFO command followed directly by an OPLOCK_BREAK command are identified, terminating the user's SMB session.
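The claim describes a session-level detector: build a per-user activity profile from earlier SMB sessions, watch the live command stream for a QUERY_INFO immediately followed by an OPLOCK_BREAK, and tear the session down once such pairs repeat beyond what the profile supports. The following Python is an added illustration of that logic and is not code from the patent or its assignee. The command traces are constructed, the command names are the claim's own vocabulary plus a few ordinary SMB2 commands as filler, and the threshold rule (maximum pair count seen in prior sessions plus a margin of two) is an assumption chosen for the example, not something the claim specifies.

```python
from dataclasses import dataclass, field

# Constructed per-user traces of prior SMB sessions (command names only, in
# arrival order). Not captured from a real server; used to build the profile.
PRIOR_SESSIONS = {
    "alice": [
        ["NEGOTIATE", "SESSION_SETUP", "TREE_CONNECT", "CREATE", "QUERY_INFO", "READ", "CLOSE"],
        ["CREATE", "QUERY_INFO", "OPLOCK_BREAK", "WRITE", "CLOSE", "CREATE", "READ", "CLOSE"],
        ["CREATE", "READ", "QUERY_INFO", "CLOSE"],
    ],
}


def count_pairs(commands):
    """Count QUERY_INFO commands that are directly followed by OPLOCK_BREAK."""
    return sum(1 for a, b in zip(commands, commands[1:])
               if a == "QUERY_INFO" and b == "OPLOCK_BREAK")


@dataclass
class ActivityProfile:
    """Per-user baseline: how many direct QUERY_INFO->OPLOCK_BREAK pairs each prior session had."""
    pair_counts: list = field(default_factory=list)

    @property
    def threshold(self):
        # Assumed rule for this example: tolerate the largest count seen in any
        # prior session plus a margin of two; anything beyond that is "repeated".
        return max(self.pair_counts, default=0) + 2

    def record(self, commands):
        """Fold a completed, non-terminated session into the baseline."""
        self.pair_counts.append(count_pairs(commands))


def build_profile(sessions):
    profile = ActivityProfile()
    for s in sessions:
        profile.record(s)
    return profile


class SessionMonitor:
    """Consumes one live SMB session command at a time and decides on termination."""

    def __init__(self, profile):
        self.profile = profile
        self.prev = None        # previous command, to test "followed directly"
        self.pairs = 0          # QUERY_INFO->OPLOCK_BREAK pairs seen so far
        self.terminated = False

    def observe(self, command):
        """Return True once the session should be terminated."""
        if self.terminated:
            return True
        if command == "OPLOCK_BREAK" and self.prev == "QUERY_INFO":
            self.pairs += 1
            if self.pairs > self.profile.threshold:
                self.terminated = True
        self.prev = command
        return self.terminated


def run_session(user, commands, profiles):
    """Replay a session for an authenticated user.

    Returns ("terminated", index_of_offending_command) or ("completed", pair_count).
    An unknown user gets an empty profile, i.e. the bare margin as threshold.
    """
    profile = profiles.setdefault(user, ActivityProfile())
    monitor = SessionMonitor(profile)
    for i, cmd in enumerate(commands):
        if monitor.observe(cmd):
            return ("terminated", i)
    profile.record(commands)      # benign session feeds the baseline
    return ("completed", monitor.pairs)


PROFILES = {u: build_profile(s) for u, s in PRIOR_SESSIONS.items()}

# Constructed traces: a normal editing session and a mass-rewrite pattern in
# which every file is queried, its oplock broken, then overwritten.
BENIGN_SESSION = ["CREATE", "QUERY_INFO", "OPLOCK_BREAK", "WRITE", "CLOSE",
                  "CREATE", "QUERY_INFO", "READ", "CLOSE"]
SUSPECT_SESSION = ["CREATE", "QUERY_INFO", "OPLOCK_BREAK", "WRITE", "CLOSE"] * 6

if __name__ == "__main__":
    print("alice threshold:", PROFILES["alice"].threshold)
    print("benign:", run_session("alice", BENIGN_SESSION, PROFILES))
    print("suspect:", run_session("alice", SUSPECT_SESSION, PROFILES))
```

With alice's three prior sessions the baseline pair counts are 0, 1 and 0, so the assumed rule yields a threshold of 3; the benign session completes with one pair and the repeated query/break/write loop is cut off at the fourth pair. Feeding only completed sessions back into the profile keeps a terminated session from raising the user's own threshold.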