US 12,445,484 B2
Inline ransomware detection via server message block (SMB) traffic
Zhibin Zhang, Santa Clara, CA (US); Mengying Jiang, Campbell, CA (US); Bo Qu, Saratoga, CA (US); and Sultanbek Omurzakov, Los Gatos, CA (US)
Assigned to Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed by Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed on Mar. 30, 2023, as Appl. No. 18/128,789.
Prior Publication US 2024/0333759 A1, Oct. 3, 2024
Int. Cl. H04L 9/00 (2022.01); H04L 9/40 (2022.01)
CPC H04L 63/1466 (2013.01) [H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/20 (2013.01)] 17 Claims
OG exemplary drawing
 
1. A system, comprising:
a processor configured to:
receive, at a firewall appliance interposed between a client and a server, a server message block (SMB) network communication between the client and the server as part of a session between the client and the server;
determine, at the firewall appliance, and using the received SMB network communication, an attempted creation of a ransom note associated with an attempted ransomware attack on the server by the client, wherein the determining includes detecting at least one of a file creation or file open request made by the client to the server and applying at least one of a trained model or a set of rules to identify the attempted creation on the server by the client of the ransom note; and
in response to detecting the attempted ransomware attack, perform a remedial action, including by terminating, by the firewall appliance, the session between the client and the server; and
a memory coupled to the processor and configured to provide the processor with instructions.
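The claim's detection path in working form: parse the SMB2 CREATE request carried in the session, apply a rule set to the target name and CreateDisposition, and return a session-terminate decision. This is an added illustration, not code from the patent or from Palo Alto Networks; the rule set (note-like base names with a text/HTML extension) is an assumption chosen for the example, the wire layout follows the public MS-SMB2 CREATE request format, and the packets are constructed inline rather than captured.

```python
import re
import struct

SMB2_CREATE = 0x0005                                    # command id, MS-SMB2 2.2.13
FILE_CREATE, FILE_OPEN_IF, FILE_OVERWRITE_IF = 2, 3, 5  # CreateDisposition values that can create a file
# Assumed rule set for this example (not the patent's): note-like base name plus a text/HTML extension.
NOTE_NAME = re.compile(r"(readme|restore|recover|decrypt|how.?to|instructions)", re.I)
NOTE_EXT = re.compile(r"\.(txt|html?|hta)$", re.I)

def parse_smb2_create(pkt: bytes):
    """Return (CreateDisposition, target name) for an SMB2 CREATE request, else None."""
    if len(pkt) < 120 or pkt[:4] != b"\xfeSMB":
        return None
    command, = struct.unpack_from("<H", pkt, 12)
    flags, = struct.unpack_from("<I", pkt, 16)
    if command != SMB2_CREATE or flags & 0x1:              # flag bit 0 set = server response
        return None
    disposition, = struct.unpack_from("<I", pkt, 64 + 36)  # 64-byte header, then request body
    name_off, name_len = struct.unpack_from("<HH", pkt, 64 + 44)
    if name_off + name_len > len(pkt):
        return None
    return disposition, pkt[name_off:name_off + name_len].decode("utf-16-le", "replace")

def is_ransom_note_create(pkt: bytes) -> bool:
    """Rule: a CREATE that can create a file whose base name looks like a ransom note."""
    parsed = parse_smb2_create(pkt)
    if parsed is None:
        return False
    disposition, name = parsed
    base = name.rsplit("\\", 1)[-1]
    return (disposition in (FILE_CREATE, FILE_OPEN_IF, FILE_OVERWRITE_IF)
            and NOTE_NAME.search(base) is not None and NOTE_EXT.search(base) is not None)

def should_terminate_session(packets) -> bool:
    """Session-level decision: the firewall drops the SMB session on the first matching CREATE."""
    return any(is_ransom_note_create(p) for p in packets)

def build_smb2_create(name: str, disposition: int, response: bool = False) -> bytes:
    """Construct a minimal SMB2 CREATE message (sample input for this example, not captured traffic)."""
    hdr = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, SMB2_CREATE, 0,
                                   int(response), 0, 1, 0, 1, 1, b"\0" * 16)
    wire_name = name.encode("utf-16-le")
    body = struct.pack("<HBBIQQIIIIIHHII", 57, 0, 0, 2, 0, 0, 0x120089, 0, 7,
                       disposition, 0, 120, len(wire_name), 0, 0)  # NameOffset 120 = header + body
    return hdr + body + wire_name

if __name__ == "__main__":
    session = [build_smb2_create("docs\\report.docx", 1),
               build_smb2_create("docs\\RESTORE_FILES.txt", FILE_CREATE)]
    print("terminate" if should_terminate_session(session) else "allow")
```

Only requests that can create a file count; a plain FILE_OPEN of an existing note, or the server's CREATE response, does not trigger the rule.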