Title: DYNAMIC MALICIOUS APPLICATION DETECTION IN STORAGE SYSTEMS
Abstract: Improved techniques involve comparing access patterns in a storage system to expected access patterns under similar circumstances. An intrusion detection system, in response to a suspected malicious application workload, collects information about the current session on the storage processor, e.g., the application workloads running, the users logged in, and a timestamp, as well as parameters such as storage allocation requests sampled at prespecified intervals over a period of time. From a database that stores such sampled parameter values by application workload, user, and time, the system extracts the sampled parameter values whose application workload, user, and time correspond to the current session. The system then compares the extracted sampled parameter values with the current parameter values and computes a difference. Based on the difference, the system determines whether the storage system is being accessed by a malicious application workload.
Publication number: US2016173508(A1) Publication date: 2016.06.16
Application number: US201314369093 Filing date: 2013.09.27
Applicant: EMC Corporation Inventors: Kozlovsky Vitaly Stanislavovic; Tylik Dmitry Nikolayevich; Novozhilov Eugeny Alexeevich
Classification: H04L29/06 Main classification: H04L29/06
Agency: Agent:
Main claim: 1. A method of monitoring a data storage system for malicious application workloads, the method comprising: collecting a set of values of a parameter over a particular period of time, each set of values being indicative of a state of the data storage system over the particular period of time; performing a comparison operation on (i) the set of values of the parameter and (ii) a set of historical values of the parameter over another period of time prior to the particular period of time and having a length substantially the same as the particular period of time, the set of historical values of the parameter being representative of values of the state of the data storage system substantially free of malicious application workloads, the comparison operation providing a comparison result indicative of a similarity between the set of values of the parameter and the set of historical values of the parameter; and based on the comparison result, providing a decision as to whether the data storage system is accessed by a malicious application workload.
Address: Hopkinton MA US
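The comparison described in the abstract and the main claim, as an added illustration that is not the patent's implementation: a baseline of sampled storage-allocation-request counts is looked up by (workload, user, hour), the current session's samples over an equally long period are compared to it by normalised mean absolute difference, and the decision is a threshold test. The database contents, sample values and the 0.5 threshold are all constructed assumptions.

```python
"""Baseline comparison of sampled storage-allocation requests (added example).

The historical database, the sample series and the threshold below are
constructed for illustration; they are not values from the patent.
"""
from statistics import mean

# Constructed history: (workload, user, hour-of-day) -> allocation-request
# counts sampled at a fixed interval over a period known to be clean.
HISTORY = {
    ("backup", "svc_backup", 2): [40, 42, 38, 41, 39, 40],
    ("oltp", "app_user", 14): [120, 125, 118, 130, 122, 127],
}


def extract_history(db, workload, user, hour):
    """Return the stored samples for the current session's context, or None."""
    return db.get((workload, user, hour))


def compare(current, historical):
    """Mean absolute difference between the two series, divided by the
    historical mean so workloads of different scale use one threshold.
    Both series must cover the same period at the same sampling interval."""
    if len(current) != len(historical):
        raise ValueError("sample series must cover the same period")
    base = mean(historical)
    if base == 0:
        return float("inf") if any(current) else 0.0
    return mean(abs(c - h) for c, h in zip(current, historical)) / base


def is_malicious(current, workload, user, hour, db=HISTORY, threshold=0.5):
    """Decision step: True when the difference exceeds `threshold` (50 % of
    the baseline mean, a constructed choice). Returns None when no baseline
    exists for this context, so the caller can handle that case separately
    rather than silently treating an unknown session as clean."""
    hist = extract_history(db, workload, user, hour)
    if hist is None:
        return None
    return compare(current, hist) > threshold


if __name__ == "__main__":
    normal = [41, 39, 40, 43, 38, 40]
    burst = [40, 42, 390, 410, 405, 398]  # constructed allocation burst
    print(is_malicious(normal, "backup", "svc_backup", 2))  # False
    print(is_malicious(burst, "backup", "svc_backup", 2))   # True
```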