CPC G06F 21/566 (2013.01) [G06F 16/1734 (2019.01); G06F 16/1752 (2019.01); G06F 2221/034 (2013.01); G06F 2221/2101 (2013.01)] | 19 Claims
1. A computer-implemented method for detecting file activity anomalies, the method comprising:
monitoring, with a filter driver, file system operations performed on primary data by a client computing device;
performing at least a first data protection operation that copies at least a portion of the primary data associated with the client computing device to one or more secondary storage devices as part of secondary data associated with the client computing device;
removing, at a first time, at least some of the secondary data stored in the one or more secondary storage devices according to a secondary data retention policy associated with the client computing device;
detecting, at a second time subsequent to the first time and prior to a second data protection operation, a file activity anomaly based at least on one or more first file system operations of the file system operations performed on the primary data that satisfy one or more threshold conditions associated with the client computing device;
determining, based at least on second file system operations performed on primary data associated with multiple client computing devices, that the detection of the file activity anomaly does not qualify as an actual file activity anomaly; and
wherein determining that the detection of the file activity anomaly does not qualify as an actual file activity anomaly overrides the detection of the file activity anomaly made at the second time.