US-12625962-B2 - Instruction monitoring for dynamic cloud workload reallocation based on ransomware attacks

Abstract

The present embodiments relate to identifying a ransomware attack. One embodiment relates to a method comprising configuring an operating system to collect metrics related to a hardware component. A message can be received from a user space library to validate an instruction detected in a cache, the instruction being associated with the hardware component. A metric can be compared to a threshold metric. The metric can be associated with the hardware component. A likelihood of a ransomware attack can be determined based at least in part on the comparison. A message can be transmitted to the user space library comprising the determination of the likelihood of the ransomware.

Inventors

  • Phani Bhushan Avadhanam

Assignees

  • ORACLE INTERNATIONAL CORPORATION

Dates

Publication Date
20260512
Application Date
20220513

Claims (20)

  1. A computer-implemented method, comprising: during hardware-based execution of at least one instruction in a set of instructions in an instruction cache accessible by a hardware processor, executing a monitoring operation to monitor the instruction cache; detecting a modification of a mapping of a first memory location to a cache location within the instruction cache; based at least on detecting the modification of the mapping, triggering a validation operation for validating one or more instructions of the set of instructions in the instruction cache; causing execution of the validation operation for validating the one or more instructions of the set of instructions in the instruction cache, wherein executing the validation operation comprises: collecting a metric associated with the one or more instructions of the set of instructions in the instruction cache; and determining a likelihood of a ransomware attack based on the metric; and transmitting a first notification based on the likelihood of the ransomware attack.
  2. The computer-implemented method of claim 1, wherein the method further comprises: detecting an instruction class of a first instruction stored in the instruction cache; determining a frequency of instances of the first instruction in the instruction cache; assigning a weight to the first instruction based at least in part on the instruction class; and determining the likelihood of the ransomware attack based at least in part on the weight.
  3. The computer-implemented method of claim 1, wherein the method further comprises: generating a first cryptographic bitmap comprising a first row of encryption related data associated with the instruction cache, and generating a second cryptographic bitmap comprising a second row of encryption related data associated with the instruction cache, wherein the first row is associated with a first instruction of the one or more instructions; performing, on the first row and the second row, a mathematical exclusive operation to derive a delta value; comparing the derived delta value to a threshold delta value; and determining whether the likelihood of the ransomware attack is a false positive based on the comparing.
  4. The computer-implemented method of claim 1, wherein the method further comprises registering a callback function, and wherein the first notification is transmitted using the callback function.
  5. The computer-implemented method of claim 1, wherein the method further comprises receiving a second notification that an instance has been repaved based at least in part on the determination of the likelihood of the ransomware attack.
  6. The method of claim 1, wherein the operations further comprise: determining that modifications to the mapping exceed a threshold number of modifications, wherein executing the validation instruction is responsive to determining that the modifications to the mapping exceed a threshold number of modifications.
  7. The method of claim 1, wherein: the one or more instructions comprise assembly instructions related to encryption; and determining the likelihood of the ransomware attack based on the metric comprises determining that one or more of the assembly instructions exceed a threshold.
  8. The method of claim 1, wherein determining the likelihood of the ransomware attack based on the metric comprises: assigning each instruction of the one or more instructions to one of a plurality of instruction classes based on a respective instruction type of the one or more instructions; determining a weighted frequency of each instruction class using weights respectively associated with the plurality of instruction classes; and determining the likelihood of the ransomware attack based on a sum of the weighted frequencies exceeding a threshold.
  9. The method of claim 1, wherein the modification of the mapping of the instruction cache location, within the instruction cache, to the first memory location is performed prior to executing the operation stored at the first memory location.
  10. The computer-implemented method of claim 1, wherein: the metric is indicative of encryption instruction types; and determining the likelihood of a ransomware attack comprises: determining, based on the metric, a first frequency of instances of a first encryption instruction type included in the one or more instructions in the instruction cache; assigning a first weight to the first frequency of instances based on the first encryption instruction type; determining, based on the metric, a second frequency of instances of a second encryption instruction type included in the one or more instructions in the instruction cache; assigning a second weight to the second frequency of instances based on the second encryption instruction type; and determining the likelihood of the ransomware attack based at least in part on (a) a combination of the first weight and the first frequency, and (b) a combination of the second weight and the second frequency.
  11. A cloud infrastructure node, comprising: a processor; and a computer-readable medium including instructions that, when executed by the processor, cause the processor to: during hardware-based execution of at least one instruction in a set of instructions in an instruction cache accessible by a hardware processor, execute a monitoring operation to monitor the instruction cache; detect a modification of a mapping of a first memory location to a cache location within the instruction cache; based at least on detecting the modification of the mapping, trigger a validation operation for validating one or more instructions of the set of instructions in the instruction cache; cause execution of the validation operation for validating the one or more of the set of instructions in the instruction cache, wherein executing the validation operation comprises: collecting a metric associated with the one or more instructions of the set of instructions in the instruction cache; and determining a likelihood of a ransomware attack based at least in part on the metric; and transmit a first notification of the likelihood of the ransomware attack.
  12. The cloud infrastructure node of claim 11, wherein the instructions included in the computer-readable medium further cause the processor to: detect an instruction class of a first instruction stored in the instruction cache; determine a frequency of instances of the first instruction in the instruction cache; assign a weight to the first instruction based at least in part on the instruction class; and determine the likelihood of the ransomware attack based at least in part on the weight.
  13. The cloud infrastructure node of claim 11, wherein the instructions included in the computer-readable medium further cause the processor to: generate a first cryptographic bitmap comprising a first row of encryption related data associated with the instruction cache, and generate a second cryptographic bitmap comprising a second row of encryption related data associated with the instruction cache, wherein the first row is associated with a first instruction of the one or more instructions; perform, on the first row and the second row, a mathematical exclusive operation to derive a delta value; compare the derived delta value to a threshold delta value; and determine whether the likelihood of the ransomware attack is a false positive based on the comparing.
  14. The cloud infrastructure node of claim 11, wherein the instructions included in the computer-readable medium further cause the processor to register a callback function, and wherein the first notification is transmitted using the callback function.
  15. The cloud infrastructure node of claim 11, wherein the instructions included in the computer-readable medium further cause the processor to receive a second notification that an instance has been repaved based at least in part on the determination of the likelihood of the ransomware attack.
  16. The cloud infrastructure node of claim 11, wherein the operations further comprise: determining that modifications to the mapping exceed a threshold number of modifications, wherein executing the validation instruction is responsive to determining that the modifications to the mapping exceed a threshold number of modifications.
  17. The cloud infrastructure node of claim 11, wherein: the one or more instructions comprise assembly instructions related to encryption; and determining the likelihood of the ransomware attack based on the metric comprises determining that one or more of the assembly instructions exceed a threshold.
  18. The cloud infrastructure node of claim 11, wherein determining the likelihood of the ransomware attack based on the metric comprises: assigning each instruction of the one or more instructions to one of a plurality of instruction classes based on a respective instruction type of the one or more instructions; determining a weighted frequency of each instruction class using weights respectively associated with the plurality of instruction classes; and determining the likelihood of the ransomware attack based on a sum of the weighted frequencies exceeding a threshold.
  19. The cloud infrastructure node of claim 11, wherein the modification of the mapping of the instruction cache location, within the instruction cache, to the first memory location is performed prior to executing the operation stored at the first memory location.
  20. A non-transitory computer-readable medium including stored thereon a sequence of instructions that, when executed by a processor of a cloud infrastructure node, causes the processor to perform operations comprising: during hardware-based execution of at least one instruction in a set of instructions in an instruction cache accessible by a hardware processor, executing a monitoring operation to monitor the instruction cache; detecting a modification of a mapping of a first memory location to a cache location within the instruction cache; based at least on detecting the modification of the mapping, triggering a validation operation for validating one or more instructions of the set of instructions in the instruction cache; causing execution of the validation operation for validating the one or more instructions of the set of instructions in the instruction cache, wherein executing the validation operation comprises: collecting a metric associated with the one or more instructions of the set of instructions in the instruction cache; and determining a likelihood of a ransomware attack based on the metric; and transmitting a notification based on the likelihood of the ransomware attack.
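The claims above describe three mechanisms that fit together: a monitor that counts memory-to-cache mapping changes and triggers validation past a threshold (claims 1 and 6), a weighted-frequency score over instruction classes that decides the likelihood of an attack (claims 2, 8 and 10), and an XOR "delta" between two rows of encryption-related bitmap data that screens for false positives (claims 3 and 13). The following is an added worked example written for this page, not Oracle's implementation or code from the patent. The instruction classes, per-class weights, thresholds, cache snapshots and the reading of claim 3 (a small delta between consecutive snapshots is treated as a false positive) are all constructed assumptions.

```python
"""Added example of the detection logic in the claims; not Oracle's code.
Instruction classes, weights, thresholds, snapshots and the false-positive
direction are constructed assumptions chosen to make the arithmetic visible."""
from collections import Counter

# Constructed mapping from mnemonic to instruction class (assumption).
INSTRUCTION_CLASSES = {
    "aesenc": "aes", "aesenclast": "aes", "aesdec": "aes", "aeskeygenassist": "aes",
    "pclmulqdq": "carryless_mul",
    "sha256rnds2": "sha", "sha1rnds4": "sha",
}
# Constructed per-class weights; "generic" instructions contribute nothing.
CLASS_WEIGHTS = {"aes": 3.0, "carryless_mul": 2.0, "sha": 1.5, "generic": 0.0}
LIKELIHOOD_THRESHOLD = 10.0  # constructed threshold on the weighted sum (claim 8)


def instruction_class(mnemonic):
    """Claim 8: assign an instruction to a class based on its type."""
    return INSTRUCTION_CLASSES.get(mnemonic, "generic")


def class_frequencies(snapshot):
    """Frequency of each instruction class in one instruction-cache snapshot."""
    return Counter(instruction_class(m) for m in snapshot)


def ransomware_score(snapshot):
    """Sum over classes of weight x frequency (claims 8 and 10)."""
    return sum(CLASS_WEIGHTS[c] * n for c, n in class_frequencies(snapshot).items())


def likely_ransomware(snapshot, threshold=LIKELIHOOD_THRESHOLD):
    """True when the weighted sum exceeds the threshold (claim 8)."""
    return ransomware_score(snapshot) > threshold


def encryption_bitmap_row(snapshot):
    """One 'row of encryption related data' (claim 3): bit i is set when cache
    slot i holds an instruction from an encryption-related class."""
    row = 0
    for i, mnemonic in enumerate(snapshot):
        if CLASS_WEIGHTS[instruction_class(mnemonic)] > 0:
            row |= 1 << i
    return row


def bitmap_delta(row_a, row_b):
    """Claim 3's exclusive operation: XOR the rows and count differing bits."""
    return bin(row_a ^ row_b).count("1")


def is_false_positive(previous, current, threshold_delta):
    """Claim 3: compare the delta to a threshold. Direction is an assumption:
    a delta at or below the threshold means the encryption footprint did not
    change between snapshots, so the alert is treated as a false positive."""
    delta = bitmap_delta(encryption_bitmap_row(previous), encryption_bitmap_row(current))
    return delta <= threshold_delta


class CacheMappingMonitor:
    """Claims 1 and 6: count memory-location-to-cache-line mapping changes and
    trigger validation once the count exceeds a threshold."""

    def __init__(self, modification_threshold):
        self.mapping = {}  # cache line -> memory address currently mapped there
        self.modifications = 0
        self.threshold = modification_threshold

    def observe(self, cache_line, memory_address):
        """Record a cache fill; return True when validation should run."""
        previous = self.mapping.get(cache_line)
        self.mapping[cache_line] = memory_address
        if previous is not None and previous != memory_address:
            self.modifications += 1
        if self.modifications > self.threshold:
            self.modifications = 0  # reset after triggering
            return True
        return False


# Constructed cache snapshots: one mnemonic per cache slot.
BENIGN = ["mov", "add", "cmp", "jne", "mov", "xor", "add", "mov"]
SUSPECT = ["mov", "aesenc", "aesenc", "aesenc", "aesenclast",
           "pclmulqdq", "xor", "aesenc", "sha256rnds2", "mov"]
SUSPECT_NEXT = list(SUSPECT)  # same workload one snapshot later; slot 7 differs
SUSPECT_NEXT[7] = "mov"


def validate(previous, current, threshold_delta=2):
    """The validation operation of claim 1: collect the metric, decide the
    likelihood, then apply the claim 3 false-positive screen."""
    return {
        "score": ransomware_score(current),
        "likely": likely_ransomware(current),
        "false_positive": is_false_positive(previous, current, threshold_delta),
    }


if __name__ == "__main__":
    monitor = CacheMappingMonitor(modification_threshold=3)
    for addr in (0x1000, 0x2000, 0x3000, 0x4000, 0x5000):
        if monitor.observe(cache_line=0, memory_address=addr):
            print("validation triggered:", validate(SUSPECT, SUSPECT_NEXT))
```

With these constructed numbers the benign snapshot scores 0.0, the crypto-heavy snapshot scores 18.5 (five AES-class instructions at weight 3, one carry-less multiply at weight 2, one SHA instruction at weight 1.5) and crosses the threshold, and the XOR delta between the two crypto-heavy snapshots is a single bit, so the claim 3 screen flags it as a possible false positive. A steady-state TLS or disk-encryption workload would look like that; the monitor's threshold and the delta threshold are the knobs that separate it from a sudden change in the cache's encryption footprint.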

Description

BACKGROUND

A cloud computing environment includes a combination of a cloud computing infrastructure layer, a cloud platform layer, and an application layer. Each of these layers further includes sub-elements to permit a cloud computing system to deliver services to its customers. Each of these cloud computing layers and elements can provide an opportunity for a bad actor to subvert security measures and harm the functioning of the cloud computing environment.

SUMMARY

The present embodiments relate to dynamic cloud workload reallocation based on an active ransomware attack.

A first example embodiment provides a computer-implemented method for dynamic cloud workload reallocation. The method can include configuring an operating system to collect a metric related to a hardware component. The computer-implemented method can further include receiving a message from a user space library to validate an instruction detected in a cache, the instruction being associated with the hardware component. The computer-implemented method can further include comparing the metric to a threshold metric, the metric being associated with the hardware component, based at least in part on the message. The computer-implemented method can further include determining a likelihood of a ransomware attack based at least in part on the comparison. The computer-implemented method can further include transmitting a message to the user space library comprising the determination of the likelihood of the ransomware.

A second embodiment relates to a cloud infrastructure node. The cloud infrastructure node can include a processor and a non-transitory computer-readable medium. The non-transitory computer-readable medium can include instructions that, when executed by the processor, cause the processor to configure an operating system to collect a metric related to a hardware component. The instructions can further cause the processor to receive a message from a user space library to validate an instruction detected in a cache, the instruction being associated with the hardware component. The instructions can further cause the processor to compare the metric to a threshold metric, the metric being associated with the hardware component, based at least in part on the message. The instructions can further cause the processor to determine a likelihood of a ransomware attack based at least in part on the comparison. The instructions can further cause the processor to transmit a message to the user space library comprising the determination of the likelihood of the ransomware.

A third embodiment relates to a non-transitory computer-readable medium. The non-transitory computer-readable medium can include stored thereon a sequence of instructions which, when executed by a processor, cause the processor to execute a process. The process can include configuring an operating system to collect a metric related to a hardware component. The process can further include receiving a message from a user space library to validate an instruction detected in a cache, the instruction being associated with the hardware component. The process can further include comparing the metric to a threshold metric, the metric being associated with the hardware component, based at least in part on the message. The process can further include determining a likelihood of a ransomware attack based at least in part on the comparison. The process can further include transmitting a message to the user space library comprising the determination of the likelihood of the ransomware.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a block diagram of an example system for ransomware detection in a cloud infrastructure environment, according to at least one embodiment.
FIG. 2 is a block diagram of an example repaving system, according to at least one embodiment.
FIG. 3 is a signaling process for an example memory sweeping process, according to at least one embodiment.
FIG. 4 is a block diagram of an example memory system, according to at least one embodiment.
FIG. 5 is a block diagram of an example process for ransomware detection, according to at least one embodiment.
FIG. 6 is a block diagram of an example process for ransomware detection, according to at least one embodiment.
FIG. 7 is a block diagram illustrating a pattern for implementing a cloud infrastructure as a service system, according to at least one embodiment.
FIG. 8 is a block diagram illustrating another pattern for implementing a cloud infrastructure as a service system, according to at least one embodiment.
FIG. 9 is a block diagram illustrating another pattern for implementing a cloud infrastructure as a service system, according to at least one embodiment.
FIG. 10 is a block diagram illustrating another pattern for implementing a cloud infrastructure as a service system, according to at least one embodiment.
FIG. 11 is a block diagram illustrating an example computer system, according to at least one embodiment.

DETAILED DESCRIPTION