
WO2024256001A1 - Computer system items recovery - Google Patents


Publication number
WO2024256001A1
Authority
WO
WIPO (PCT)
Prior art keywords
item
items
application
operating system
compromised
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
PCT/EP2023/065948
Other languages
French (fr)
Inventor
Shmoolik Yosub
Idan Zach
Assaf Natanzon
Asaf Yeger
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14Error detection or correction of the data by redundancy in operation
    • G06F11/1402Saving, restoring, recovering or retrying
    • G06F11/1415Saving, restoring, recovering or retrying at system level
    • G06F11/1435Saving, restoring, recovering or retrying at system level using file system or storage system metadata
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14Error detection or correction of the data by redundancy in operation
    • G06F11/1402Saving, restoring, recovering or retrying
    • G06F11/1446Point-in-time backing up or restoration of persistent data
    • G06F11/1448Management of the data involved in backup or backup restore
    • G06F11/1451Management of the data involved in backup or backup restore by selection of backup contents
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14Error detection or correction of the data by redundancy in operation
    • G06F11/1402Saving, restoring, recovering or retrying
    • G06F11/1446Point-in-time backing up or restoration of persistent data
    • G06F11/1458Management of the backup or restore process
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14Error detection or correction of the data by redundancy in operation
    • G06F11/1402Saving, restoring, recovering or retrying
    • G06F11/1446Point-in-time backing up or restoration of persistent data
    • G06F11/1458Management of the backup or restore process
    • G06F11/1469Backup restoration techniques
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files

Definitions

  • Data recovery may be required due to physical damage to the storage device(s) and/or logical damage to the file system, that may prevent it from being mounted by the host operating system (OS).
  • logical failures may occur when a storage device such as a hard drive and/or the like is functional but the user and/or automated-OS cannot retrieve and/or access data stored in it. Such failure may occur for example due to corrupt engineering chip, lost partitions, deleted data, firmware failure, failed formatting/re-installation, and/or the like.
  • a method for computer system recovery comprising: storing in a backup repository a plurality of snapshots of a plurality of items at different time points comprising a plurality of operating system items mapped to respective operating system versions and/or updates and a plurality of application items mapped to respective applications; in response to determining a compromised item is an operating system item, recovering the operating system; and in response to determining a compromised item is an application item, recovering the plurality of application items of a respective application to which the compromised item is mapped.
  • recovering the operating system is optionally performed from a repository of operating system versions and/or updates.
  • the method further comprising, in response to the compromised item not being determined to be an operating system item or an application item, recovering the compromised item from a most recent snapshot preceding compromise thereof.
  • the method further comprising recording in at least one data structure a full path in a storage system of an item of the plurality of operating system items of the respective versions and/or updates and the plurality of application items of the respective applications per snapshot.
  • a computer program for computer system recovery comprising program instructions which, when executed by at least one processor, cause the at least one processor to: store in a backup repository a plurality of snapshots of a plurality of items at different time points comprising a plurality of operating system items mapped to respective operating system versions and/or updates and a plurality of application items mapped to respective applications; in response to determining a compromised item is an operating system item, recover the operating system; and in response to determining a compromised item is an application item, recover the plurality of application items of a respective application to which the compromised item is mapped.
  • the computer program further comprising program instructions which, when executed by the at least one processor, cause the at least one processor to perform the recovery of the operating system from a repository of operating system versions and/or updates.
  • the computer program further comprising program instructions which, when executed by the at least one processor, cause the at least one processor to perform the recovery of the plurality of application items of the respective application from a repository thereof.
  • the computer program further comprising program instructions which, when executed by the at least one processor, cause the at least one processor to perform the recovery of the plurality of application items from a most recent snapshot in which the plurality of application items had not been compromised.
  • the computer program further comprising program instructions which, when executed by the at least one processor, cause the at least one processor to, in response to the compromised item not being determined to be an operating system item or an application item, recover the compromised item from a most recent snapshot preceding compromise thereof.
  • the computer program further comprising program instructions which, when executed by the at least one processor, cause the at least one processor to record in at least one data structure a full path in a storage system of an item of the plurality of operating system items of the respective versions and/or updates and the plurality of application items of the respective applications per snapshot.
  • the computer program further comprising program instructions which, when executed by the at least one processor, cause the at least one processor to record in at least one data structure a full path in a storage system of compromised items per snapshot.
  • an item on the plurality of snapshots is selected from the group consisting of: a file; a folder; a storage service object.
  • the computer program further comprising program instructions which, when executed by the at least one processor, cause the at least one processor to automatically identify and map an application item of a respective application.
  • the computer program further comprising program instructions which, when executed by the at least one processor, cause the at least one processor to automatically identify and map an operating system item of a respective version and/or update.
  • the computer program further comprising program instructions which, when executed by the at least one processor, cause the at least one processor to prompt a user for manual authorization of a respective timepoint of a snapshot for use in recovery of the compromised item.
  • FIG. 1A is a schematic illustration of an exemplary scenario of malware attack in a data center requiring computer system recovery, according to some embodiments;
  • FIG. 1B is a schematic illustration of an exemplary and/or optional information obtained and/or used for computer system recovery in an exemplary scenario of malware attack in a data center, according to some embodiments;
  • FIG. 1C is a schematic illustration of an exemplary and/or optional recommended procedure for computer system recovery in an exemplary scenario of malware attack in a data center, according to some embodiments;
  • Users may also install other protection measures such as anti-virus, anti-ransomware, and/or likewise software to minimize a risk of data items being infected, but there may still always remain a risk at some level, whereas from one day to the next, malware attacks become more and more sophisticated.
  • Another approach, which may be considered the opposite in a sense, may be to look up, for each compromised item, the most recent backup of that item prior to its being compromised and recover the item from that backup.
  • Such an approach may lead to inoperability or malfunctioning of the system, as items from different backups at disparate points in time may not be compatible with one another. For example, items may belong to different versions and/or updates of an operating system and/or application that may be conflicting, duplicate, deficient, non-compliant and/or the like with regard to those items and/or relative to other items thereof, e.g. non-compromised items, such as in a malware attack scenario as described with reference to FIG. 1A herein.
  • the computer system may be brought to a clean state with the most recent versions of all files as may be available in the backup snapshots and/or additional source(s).
  • the computer system may make sure that they have the most up-to-date versions of all applications - even if one may not have the most recent versions on the backup repository. This is in contrast to current practices that cannot restore files unless they are already backed-up.
  • Embodiments may be a system, a method, and/or a computer program product.
  • the computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the embodiments.
  • the computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device.
  • the computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing.
  • a non-exhaustive list of more specific examples of the computer readable storage medium includes the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, and any suitable combination of the foregoing.
  • Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network.
  • the network may comprise copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers.
  • a network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device.
  • These computer readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
  • These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, a programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable storage medium having instructions stored therein comprises an article of manufacture including instructions which implement aspects of the function/act specified in the flowchart and/or block diagram block or blocks.
  • FIG. 1A is a schematic illustration of an exemplary scenario of malware attack in a data center requiring computer system recovery, according to some embodiments.
  • a backup repository for a primary storage and/or any likewise computer system, digital information resource, etc. may contain a plurality of snapshots of all items (e.g., files) present in the backed up primary storage at each respective time point, for example, the three snapshots “Snap 0”, “Snap 1”, and “Snap 2” created at the timepoints t0, t1 and t2, respectively.
  • Each snapshot may represent a state of the computer system (i.e., primary storage) in terms of files, their contents, their physical and/or logical location, and/or the like.
  • a description of the type (and/or purpose) of each file in the exemplary scenario such as illustrated in FIG. 1A may be as provided in the following exemplary Table 1:
  • both the primary storage and backup repository may have an identical set of files, “f1.dat” and “f2.txt”.
  • these files may be, for example, user files, i.e., files that may neither be operating system nor application-related files.
  • both files in t0 may be clean of malware.
  • the file “f1.dat” may be affected by a malware (hence the highlight marking), and at a same time and/or interval a new operating-system file “f3.dll” may be added. Since the backup occurred after the malware attack, both primary storage and backup repository may have the latest version of “f1.dat” with the malware.
  • the best restore plan may be to restore to the last known good backup snapshot.
  • this may mean to restore to t0 as follows: 1. Restoring “f1.dat” from t0 - latest valid state;
  • FIG. 1B illustrates how the disclosed subject matter in some embodiments thereof may be implemented and/or utilized in the exemplary scenario such as illustrated and described herein with reference to FIG. 1A.
  • for each backup snapshot there may be generated and/or maintained one or more of the three tables as follows: an applications list and respective application items table (denoted as App List on FIG. 1B); an operating system items and/or information table (denoted as OS Info on FIG. 1B); and an infected items table (denoted as Infected on FIG. 1B).
  • the full path of each listed item may be indicated (not shown on FIG. 1B).
  • an Infected table listing all affected items in each backup snapshot may be obtained.
  • the information in the Infected table may be attained using tools and/or techniques known in the art for detection and/or determination that a computer system item may be compromised, such as data forensics, automated malware scanners, automated tests, and/or the like.
  • the Infected table may optionally indicate a full path of each compromised item listed, as may be obtained for example from one or more of the OS Info table, the App List table, and/or otherwise.
  • FIG. 1C is a schematic illustration of an exemplary and/or optional recommended procedure for computer system recovery in an exemplary scenario of malware attack in a data center, according to some embodiments.
  • an infected file “f3.dll” may be mapped to an operating system items group based on the App List and/or OS Info tables, another infected file “f4.exe” may be mapped to an application items group of an application (denoted on FIG.
  • the determination of type(s) of items listed as affected may be recorded in a further data structure, e.g., a table, where details of a recommended procedure for recovery may be recorded and/or retained, in accordance with each item type, i.e., a Restore Recommendation table.
  • For example, as shown on FIG. 1C, to restore the infected operating system file “f3.dll”, the operating system may be recovered, optionally to a respective most recent version and/or update as may be listed on the OS Info table (i.e., the version/update denoted on FIG. 1C as “OS Update 3”).
  • the Restore Recommendation table may be used for one or more of the following: applying automatically restore recommendation(s) for affected item(s) to recover from most recent clean state of each as may be applicable; outputting a report to a user (e.g. system administrator) with all the recommendations advising them to repair affected applications, update the operating system if needed, restore other items to their latest valid state from backup snapshot(s) and/or other trusted location(s), and/or the like; prompting a user for authorization of restore recommendation prior to automatic execution; and/or the like.
  • FIG. 2 is a schematic block diagram of an exemplary apparatus for computer system recovery, according to some embodiments.
  • An exemplary apparatus 200 may be used for performing one or more of the acts for computer system recovery such as described with reference to FIGS. 1B, 1C, and/or 3 herein.
  • the apparatus 200 may comprise and/or be implemented as, for example, a computer, a server, a computing node, a cluster of computing nodes and/or the like, which may include an Input/Output (I/O) interface 210 for connecting to one or more external devices, systems, services and/or the like, a processor(s) 212 for executing the process 100, a storage 214 for storing data and/or code (program store), and/or the like.
  • the I/O interface 210 may include one or more wired and/or wireless network interfaces for connecting to a network 202 comprising one or more wired and/or wireless networks, for example, a Local Area Network (LAN), a Wide Area Network (WAN), a Metropolitan Area Network (MAN), a cellular network, the internet and/or the like.
  • the optimization system 200 may communicate, optionally via the network 202, with one or more (optionally remote, e.g., networked) recovery resources 206, which may optionally comprise and/or be implemented as, for example, a server, a computing node, a storage server, a networked database, a cloud service and/or the like.
  • the apparatus 200 may optionally further communicate with one or more client terminals 204, for example, a computer, a server, a laptop, a mobile device and/or the like used by one or more users, for example, an operator, a researcher, an analyst, a system administrator, an information technology (IT) expert, and/or the like.
  • client terminals 204 and/or recovery resources 206 may reside at and/or be coupled to the apparatus 200 locally.
  • the I/O interface 210 may further include one or more wired and/or wireless I/O interfaces, ports, interconnections and/or the like for connecting to one or more external devices, for example, a Universal Serial Bus (USB) interface, a serial interface, a Radio Frequency (RF) interface, a Bluetooth interface and/or the like.
  • the apparatus 200 may communicate with one or more external devices (not shown) attached to the I/O interface(s), for example, an attachable mass storage device, an external media device and/or the like.
  • the processor(s) 212 may include one or more processing nodes arranged for parallel processing, as clusters and/or as one or more multi core processor(s).
  • the storage 214 may include one or more tangible, non-transitory persistent storage devices, for example, a hard drive, a Flash array and/or the like.
  • the storage 214 may also include one or more volatile devices, for example, a Random Access Memory (RAM) component, a cache and/or the like.
  • the storage 214 may further comprise one or more local and/or remote network storage resources, for example, a storage server, a Network Attached Storage (NAS), a network drive, a cloud storage service and/or the like accessible via the I/O interface 210.
  • the processor(s) 212 may execute one or more software modules such as, for example, a process, a script, an application, an agent, a utility, a tool, an Operating System (OS) and/or the like each comprising a plurality of program instructions stored in a non-transitory medium (program store) such as the storage 214 and executed by one or more processors such as the processor(s) 212.
  • the processor(s) 212 may therefore execute one or more functional modules utilized by one or more software modules, one or more of the hardware modules and/or a combination thereof.
  • the processor(s) 212 may execute a system recovery optimizer functional module 220 for determining an optimal and/or otherwise recommended computer system recovery plan, in accordance with some embodiments.
  • One or more of the client terminals 204 may execute one or more applications, services and/or tools for communicating with the apparatus 200 and more specifically with the system recovery optimizer 220 to enable one or more of the users to interact with the system recovery optimizer 220.
  • one or more client terminals 204 may execute a web browser for communicating with the prediction models constructor 220 and presenting a User Interface (UI), specifically a Graphical UI (GUI) which may be used by the respective users to interact with the system recovery optimizer 220.
  • one or more client terminals 204 may execute a local agent which communicates with the system recovery optimizer 220 and presents a GUI which may be used by the respective users to interact with the system recovery optimizer 220.
  • the system recovery optimizer 220 may be adapted to track a state of computer system items in each backup snapshot and manage one or more of the App List table, OS Info table, Infected table, and/or the like.
  • the system recovery optimizer 220 may be adapted to detect and record for each item whether the item may be operating system related, application related, and/or otherwise.
  • the system recovery optimizer 220 may be adapted to determine and/or otherwise obtain an indication of which items may be compromised and construct a Restore Recommendations table accordingly.
  • the system recovery optimizer 220 may be adapted to use the Restore Recommendations table to apply recovery of compromised items per the Restore Recommendations table automatically, send a report to a user with all recommendations for recovery of compromised items, and/or the like.
  • FIG. 3 is a flowchart schematically representing an optional flow of operations for computer system recovery, according to some embodiments.
  • a backup repository storing a plurality of snapshots at different timepoints of items of a computer system.
  • a mapping of items of the computer system in each of the backup snapshots obtained at 302 to operating system items and/or application items of respective one or more applications may be obtained.
  • an indication of one or more compromised items of the computer system may be obtained.
  • a determination may be made whether compromised item(s) per the indication obtained at 310 may be operating system item(s), application item(s) of respective application(s), and/or otherwise.
  • recovery of the operating system may be performed.
  • composition or method may include additional ingredients and/or steps, but only if the additional ingredients and/or steps do not materially alter the basic and novel characteristics of the claimed composition or method.
  • a compound or “at least one compound” may include a plurality of compounds, including mixtures thereof.
  • the word “exemplary” is used herein to mean “serving as an example, instance or illustration”. Any embodiment described as “exemplary” is not necessarily to be construed as preferred or advantageous over other embodiments and/or to exclude the incorporation of features from other embodiments.
  • range format is merely for convenience and brevity and should not be construed as an inflexible limitation on the scope of embodiments. Accordingly, the description of a range should be considered to have specifically disclosed all the possible subranges as well as individual numerical values within that range. For example, description of a range such as from 1 to 6 should be considered to have specifically disclosed subranges such as from 1 to 3, from 1 to 4, from 1 to 5, from 2 to 4, from 2 to 6, from 3 to 6 etc., as well as individual numbers within that range, for example, 1, 2, 3, 4, 5, and 6. This applies regardless of the breadth of the range.
  • a numerical range is indicated herein, it is meant to include any cited numeral (fractional or integral) within the indicated range.
  • the phrases “ranging/ranges between” a first indicate number and a second indicate number and “ranging/ranges from” a first indicate number “to” a second indicate number are used herein interchangeably and are meant to include the first and second indicated numbers and all the fractional and integral numerals therebetween.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Quality & Reliability (AREA)
  • Computer Security & Cryptography (AREA)
  • Virology (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Library & Information Science (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

A method, apparatus, and computer program for computer system recovery, the method comprising: storing in a backup repository a plurality of snapshots of a plurality of items at different time points comprising a plurality of operating system items mapped to respective operating system versions and/or updates and a plurality of application items mapped to respective applications; in response to determining a compromised item is an operating system item, recovering the operating system; and in response to determining a compromised item is an application item, recovering the plurality of application items of a respective application to which the compromised item is mapped.

Description

COMPUTER SYSTEM ITEMS RECOVERY
BACKGROUND
Some embodiments described in the present disclosure relate to data management and, more specifically, but not exclusively, to computer system recovery and/or recovery of computer system items.
In computing, data recovery is a process of retrieving deleted, inaccessible, lost, corrupted, damaged, formatted, and/or otherwise compromised data from alternate source(s) such as secondary storage, removable media and/or files, and/or the like, when the data stored in a primary storage cannot be accessed in a usual way.
Data recovery may be required due to physical damage to the storage device(s) and/or logical damage to the file system, that may prevent it from being mounted by the host operating system (OS). For example, logical failures may occur when a storage device such as a hard drive and/or the like is functional but the user and/or automated-OS cannot retrieve and/or access data stored in it. Such failure may occur for example due to corrupt engineering chip, lost partitions, deleted data, firmware failure, failed formatting/re-installation, and/or the like.
In some real-life scenarios, data recovery may be used in the context of forensics, espionage, counter-intelligence, cybercrime, and/or the like, where data which have been encrypted, hidden, or deleted, rather than damaged, may be recovered. For example, sometimes data present in the computer may get encrypted or hidden due to reasons like malware attacks, such as ransomware and/or the like.
Data recovery may pose a significant technical challenge on some occasions, thus requiring great skill, proficiency and/or expertise to be carried out and/or dealt with.
SUMMARY
It is an object of the present disclosure to describe tools and/or techniques for computer system recovery and/or recovery of computer system items. The foregoing and other objects are achieved by the features of the independent claims. Further implementation forms are apparent from the dependent claims, the description and the figures.
According to an aspect of some embodiments of the disclosed subject matter, there is provided a method for computer system recovery, comprising: storing in a backup repository a plurality of snapshots of a plurality of items at different time points comprising a plurality of operating system items mapped to respective operating system versions and/or updates and a plurality of application items mapped to respective applications; in response to determining a compromised item is an operating system item, recovering the operating system; and in response to determining a compromised item is an application item, recovering the plurality of application items of a respective application to which the compromised item is mapped.
Optionally, recovering the operating system being performed from a repository of operating system versions and/or updates.
Optionally, recovering the plurality of application items of the respective application being performed from a repository thereof.
Optionally, recovering the plurality of application items being performed from a most recent snapshot in which the plurality of application items had not been compromised.
Optionally, the method further comprising, in response to the compromised item is not determined to be an operating system item or an application item, recovering the compromised item from a most recent snapshot preceding compromise thereof.
Optionally, the method further comprising recording in at least one data structure a full path in a storage system of an item of the plurality of operating system items of the respective versions and/or updates and the plurality of application items of the respective applications per snapshot.
Optionally, the method further comprising recording in at least one data structure a full path in a storage system of compromised items per snapshot.
Optionally, an item on the plurality of snapshots is selected from the group consisting of a file; a folder; a storage service object.
Optionally, the method further comprising automatically identifying and mapping an application item of a respective application.
Optionally, the method further comprising automatically identifying and mapping an operating system item of a respective version and/or update.
Optionally, the method further comprising prompting a user for manual authorization of a respective timepoint of a snapshot for use in recovery of the compromised item.
According to another aspect of some embodiments of the disclosed subject matter, there is provided an apparatus for computer system recovery, comprising: a memory; and a processing unit adapted to: store in a backup repository a plurality of snapshots of a plurality of items at different time points comprising a plurality of operating system items mapped to respective operating system versions and/or updates and a plurality of application items mapped to respective applications; in response to determining a compromised item is an operating system item, recover the operating system; and in response to determining a compromised item is an application item, recover the plurality of application items of a respective application to which the compromised item is mapped.
Optionally, the processing unit is adapted to perform the recovery of the operating system from a repository of operating system versions and/or updates.
Optionally, the processing unit is adapted to perform the recovery of the plurality of application items of the respective application from a repository thereof.
Optionally, the processing unit is adapted to perform the recovery of the plurality of application items from a most recent snapshot in which the plurality of application items had not been compromised.
Optionally, the processing unit is further adapted to, in response to the compromised item is not determined to be an operating system item or an application item, recover the compromised item from a most recent snapshot preceding compromise thereof.
Optionally, the processing unit is further adapted to record in at least one data structure a full path in a storage system of an item of the plurality of operating system items of the respective versions and/or updates and the plurality of application items of the respective applications per snapshot.
Optionally, the processing unit is further adapted to record in at least one data structure a full path in a storage system of compromised items per snapshot.
Optionally, an item on the plurality of snapshots is selected from the group consisting of a file; a folder; a storage service object.
Optionally, the processing unit is further adapted to automatically identify and map an application item of a respective application.
Optionally, the processing unit is further adapted to automatically identify and map an operating system item of a respective version and/or update.
Optionally, the processing unit is further adapted to prompt a user for manual authorization of a respective timepoint of a snapshot for use in recovery of the compromised item.
According to yet another aspect of some embodiments of the disclosed subject matter, there is provided a computer program for computer system recovery, the computer program comprising program instructions which, when executed by at least one processor, cause the at least one processor to: store in a backup repository a plurality of snapshots of a plurality of items at different time points comprising a plurality of operating system items mapped to respective operating system versions and/or updates and a plurality of application items mapped to respective applications; in response to determining a compromised item is an operating system item, recover the operating system; and in response to determining a compromised item is an application item, recover the plurality of application items of a respective application to which the compromised item is mapped.
Optionally, the computer program further comprising program instructions which, when executed by the at least one processor, cause the at least one processor to perform the recovery of the operating system from a repository of operating system versions and/or updates.
Optionally, the computer program further comprising program instructions which, when executed by the at least one processor, cause the at least one processor to perform the recovery of the plurality of application items of the respective application from a repository thereof.
Optionally, the computer program further comprising program instructions which, when executed by the at least one processor, cause the at least one processor to perform the recovery of the plurality of application items from a most recent snapshot in which the plurality of application items had not been compromised.
Optionally, the computer program further comprising program instructions which, when executed by the at least one processor, cause the at least one processor to, in response to the compromised item is not determined to be an operating system item or an application item, recover the compromised item from a most recent snapshot preceding compromise thereof.
Optionally, the computer program further comprising program instructions which, when executed by the at least one processor, cause the at least one processor to record in at least one data structure a full path in a storage system of an item of the plurality of operating system items of the respective versions and/or updates and the plurality of application items of the respective applications per snapshot.
Optionally, the computer program further comprising program instructions which, when executed by the at least one processor, cause the at least one processor to record in at least one data structure a full path in a storage system of compromised items per snapshot.
Optionally, an item on the plurality of snapshots is selected from the group consisting of: a file; a folder; a storage service object.
Optionally, the computer program further comprising program instructions which, when executed by the at least one processor, cause the at least one processor to automatically identify and map an application item of a respective application.
Optionally, the computer program further comprising program instructions which, when executed by the at least one processor, cause the at least one processor to automatically identify and map an operating system item of a respective version and/or update.
Optionally, the computer program further comprising program instructions which, when executed by the at least one processor, cause the at least one processor to prompt a user for manual authorization of a respective timepoint of a snapshot for use in recovery of the compromised item.
Other systems, methods, features, and advantages of the present disclosure will be or become apparent to one with skill in the art upon examination of the following drawings and detailed description. It is intended that all such additional systems, methods, features, and advantages be included within this description, be within the scope of the present disclosure, and be protected by the accompanying claims.
Unless otherwise defined, all technical and/or scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which embodiments. Although methods and materials similar or equivalent to those described herein can be used in the practice or testing of embodiments, exemplary methods and/or materials are described below. In case of conflict, the patent specification, including definitions, will control. In addition, the materials, methods, and examples are illustrative only and are not intended to be necessarily limiting.
BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING(S)
Some embodiments are herein described, by way of example only, with reference to the accompanying drawings. With specific reference now to the drawings in detail, it is stressed that the particulars shown are by way of example and for purposes of illustrative discussion of embodiments. In this regard, the description taken with the drawings makes apparent to those skilled in the art how embodiments may be practiced.
In the drawings:
FIG. 1A is a schematic illustration of an exemplary scenario of malware attack in a data center requiring for computer system recovery, according to some embodiments;
FIG. 1B is a schematic illustration of an exemplary and/or optional information obtained and/or used for computer system recovery in an exemplary scenario of malware attack in a data center, according to some embodiments;
FIG. 1C is a schematic illustration of an exemplary and/or optional recommended procedure for computer system recovery in an exemplary scenario of malware attack in a data center, according to some embodiments;
FIG. 2 is a schematic block diagram of an exemplary apparatus for computer system recovery, according to some embodiments;
FIG. 3 is a flowchart schematically representing an optional flow of operations for computer system recovery, according to some embodiments.
DETAILED DESCRIPTION
Some embodiments described in the present disclosure relate to data management and, more specifically, but not exclusively, to computer system recovery and/or recovery of computer system items.
Aspects of the disclosed subject matter may relate to secondary storage systems and/or intelligent data management. In some embodiments, items of a computer system, such as for example, files, folders, storage objects (e.g., cloud storage service objects of Amazon Simple Storage Service, also known as Amazon S3, available from Amazon Web Services (AWS), and/or the like), and/or any likewise computer system items, may be spread among different machines, such as for example, one or more physical machines, one or more virtual machines located on different hosts and/or hosts type (e.g., VMware, Hyper-V, etc.), different data centers, and/or the like. Such items may include, for example, operating system items (e.g., files, folders, objects and/or the like that may be used and/or maintained by an operating system), application items (e.g., items that may be used and/or maintained by an application program), other items that may be neither operating system items nor application items, and/or the like.
In order to minimize data loss in case of data corruption and/or the like, users may have to create backups in small intervals, since the general approach in case of harm due to, for example, a malware attack and/or the like is to restore to the last good backup. When creating backups in small intervals, the smaller the interval between backups may be, the lower the chance of important data being lost, however, data loss risk may also depend on the detection rate and/or detection capabilities of the system. For example, if the system may perform a backup every 1 hour, but detection of a malware may be after 5 hours from attack, it may probably be useless to restore to the backup that was performed 1 hour ago. Users may also install other protection measures such as anti-virus, anti-ransomware, and/or likewise software to minimize a risk of data items being infected, but there may still always remain a risk at some level, whereas from one day to the next, malware attacks become more and more sophisticated.
It may sometimes be impossible to recover a compromised (e.g., corrupted) data item. The risk may be greater when the item may be an operating-system or application-related item. Users do not always have backups, and even if they do, it may not always be of all items. Thus, there may potentially always be an item (possibly, a part of an application, for example) which may be corrupted where there may be no backup for it. Even if a corrupted item may have a backup, it may not necessarily be helpful since it might be corrupted as well. Users may potentially lose large amounts of important data or lose a critical system update due to corruption and/or other data compromise.
One technical challenge dealt with by the disclosed subject matter is to recover compromised (e.g., corrupted) data items. Sometimes, items may get compromised due to a malware attack (e.g. ransomware, virus, etc.) or from any other reason. Once an item may be compromised, a user may usually seek a way to restore it to its previous (most recent) non-compromised state.
A brute force approach may be to detect a most recent backup of a computer system prior to any of its items being compromised and recover the system from that backup. However, such an approach may be highly inefficient and/or non-effective, as there may be an abundant number of non-compromised items in a valid state that may be functional and not require restoration from backup. Moreover, due to a slow rate, stealth mechanism and/or attack vector of some malware applications such as ransomware and/or the like, detection in effect that the system had been compromised may be a relatively long time past such last valid backup, thus any and all data of a time interval in between may be lost. Another approach, which may be considered as opposite in a sense, may be to look up for each compromised item a most recent backup of that item prior to being compromised and recover the item from that backup. However, such an approach may lead to inoperability or malfunctioning of the system, as items from different backups at disparate points in time may not be compatible with one another, for example, items may belong to different versions and/or updates of an operating system and/or application that may be conflicting, duplicate, deficient, non-compliant and/or the like with regard to those items and/or relative to other items thereof, e.g. non-compromised items, such as in a malware attack scenario as described with reference to FIG. 1A herein.
According to some embodiments, recovery of a computer system may be performed in a selective manner based on respective grouping of items into categories for recovery, such as for example, operating system items, application items, and other items. A state of an item may be tracked throughout a plurality of backup snapshots of the computer system, as may be recorded and maintained in secondary storage system(s) and/or the like. Items may be mapped to one of predefined groups, e.g., operating system items, application items, and/or other items or item types, classes, genus, species, and/or the like. Recovery of the computer system may be performed according to the mapping of items, for example, the operating system may be recovered in response to a compromised item being an operating system, items mapped to a respective application may be recovered in response to a compromised item being an application item of the respective application, and/or the like.
In some embodiments, one or more data structures such as, for example, tables and/or the like may be managed for facilitating mapping of items of a computer system into groups. For example, for each backup snapshot of the computer system there may be managed one or more of the exemplary three tables as follows: (i) an App List table, which may store a list of all installed and/or otherwise available applications of the computer system, optionally with a root path for each of them; (ii) an operating system (OS) Info table, which may store operating system information, optionally including system paths, a list of all updates, and/or the like; (iii) an Infected table, which may store a list of all items (optionally with full paths) in the snapshot that may be compromised, i.e., affected by malware and/or the like.
In some embodiments, a general type, grouping, category, classification and/or the like of an item may be determined for example, using a full path of the item. For example, an item (whether compromised or otherwise) may be determined based on its full path as being of one of the types as follows: (1) an operating system item; (2) an application item (e.g., an item of an installed application downloaded by a user or native to the operating system and/or the like); and (3) other item (e.g., user data and/or the like).
In some embodiments, any and all operating system information, updates, and/or the like as may be stored in the OS Info table may be detected automatically. A detection procedure may use, for example, operating system commands (such as for example “dpkg” in Linux, “regedit” with parsing and analysis in Windows, and/or the like) to retrieve such information.
In some embodiments, information on applications residing on a computer system such as may be stored in the App List table may be discovered automatically to an extent possible (such as for example using same and/or similar commands such as “dpkg”, “regedit”, and/or the like, as may be applicable). Additionally or alternatively, a user such as for example system administrator and/or the like may be allowed to provide relevant and/or additional information (e.g., references to program code repositories that host the applications and/or the like).
In some embodiments, in an event of items being compromised, e.g., due to a malware attack or any other item corruption, a list of all affected items and optionally a full path of each may be obtained. Using the one or more tables managed, for example, using at least the App List table, a determination may be made as to which items may be operating system related, which may be application related, and which may be neither of these two. The determination may be made, for example, using the full path as obtained for the item, so as to check if it is a part of an application, a system path, or neither. Optionally, a result of a determination of a type of an affected item may be stored for further usage, e.g., user report and/or the like, in a further data structure such as a table, which may be referred to as Restore Recommendations table, and may indicate an optimal course of action to restore each affected item listed.
An exemplary optimal recovery procedure as may be provided in a Restore Recommendations table according to some embodiments may be as follows. In case there may be any affected operating system items, the operating system may be recovered, for example, an operating system installation and/or update may be automatically scheduled and/or performed. The recovery may be carried out according to a most recent version/update of the operating system of the backup snapshots, a latest version indicated/listed by a user (e.g., system administrator), a most up to date version/update of the operating system in a trusted repository, and/or the like.
Optionally, such exemplary optimal recovery procedure may also entail an automatic repair to each application that may be affected, for example, using a most recent backup snapshot in which all items mapped to a respective application had been in a clean (i.e., valid) state, or by applying an update/re-installation of the respective application if necessary, optionally using a trusted repository for obtaining required installation file(s) and/or package(s).
More optionally, under such exemplary optimal recovery procedure, any other affected file may be restored to its latest valid state, as may be obtained using the backup snapshots or otherwise.
In some embodiments, a computer system recovery may be performed using the Restore Recommendations table to do one or more of the following: (A) automatically apply one or more of the recommendations for optimal recovery procedure as indicated on the table to recover from a most recent clean state; (B) send a report to a user (e.g. system administrator) with all the recommendations advising them to repair affected applications, update the operating system if needed and/or restore other items to their latest valid state.
By applying one or more of the actions in (A) and/or (B) as described herein, the computer system may be brought to a clean state with the most recent versions of all files as may be available in the backup snapshots and/or additional source(s). Using this approach, one may make sure that they have the most up-to-date versions of all applications - even if one may not have the most recent versions on the backup repository. This is in contrast to current practices that cannot restore files unless they are already backed-up.
One technical effect of utilizing the disclosed subject matter is to provide for recovery of each item of a computer system to its most recent clean state. Another technical effect of utilizing the disclosed subject matter is to allow users to repair items that may not be backed up by using other trusted locations.
Other technical challenges, approaches, and/or effects dealt with, improved upon and/or contributed by the disclosed subject matter may become apparent from the disclosure herein. Before explaining at least one embodiment in detail, it is to be understood that embodiments are not necessarily limited in its application to the details of construction and the arrangement of the components and/or methods set forth in the following description and/or illustrated in the drawings and/or the Examples. Implementations described herein are capable of other embodiments or of being practiced or carried out in various ways.
Embodiments may be a system, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the embodiments.
The computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer readable storage medium includes the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, and any suitable combination of the foregoing. A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.
Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device.
Computer readable program instructions for carrying out operations of embodiments may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine dependent instructions, microcode, firmware instructions, state-setting data, or either source code or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider). In some embodiments, electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, in order to perform aspects of embodiments.
Aspects of embodiments are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer readable program instructions.
These computer readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, a programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable storage medium having instructions stored therein comprises an article of manufacture including instructions which implement aspects of the function/act specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other device to cause a series of operational steps to be performed on the computer, other programmable apparatus or other device to produce a computer implemented process, such that the instructions which execute on the computer, other programmable apparatus, or other device implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts or carry out combinations of special purpose hardware and computer instructions.
Reference is now made to FIG. 1A which is a schematic illustration of an exemplary scenario of malware attack in a data center requiring for computer system recovery, according to some embodiments.
As shown on FIG. 1A, a backup repository for a primary storage and/or any likewise computer system, digital information resource, etc., may contain a plurality of snapshots of all items (e.g., files) present in the backed up primary storage at each respective time point, for example, the three snapshots “Snap 0”, “Snap 1”, and “Snap 2” created at the timepoints t0, t1 and t2, respectively. Each snapshot may represent a state of the computer system (i.e., primary storage) in terms of files, their contents, their physical and/or logical location, and/or the like.
A description of the type (and/or purpose) of each file in the exemplary scenario such as illustrated in FIG. 1A may be as provided in the following exemplary Table 1:
Table 1
As shown on FIG. 1A, in timepoint t0 both the primary storage and backup repository may have an identical set of files, “f1.dat” and “f2.txt”. For illustration purposes, these files may be, for example, user files, i.e., files that may neither be operating system nor application-related files. As shown on FIG. 1A, both files in t0 may be clean of malware.
As further shown on FIG. 1A, in t1 the file “f1.dat” may be affected by a malware (hence the highlight marking), and at a same time and/or interval a new operating-system file “f3.dll” may be added. Since the backup occurred after the malware attack, both primary storage and backup repository may have the latest version of “f1.dat” with the malware.
As yet further shown on FIG. 1A, in t2 the operating system file “f3.dll” may be affected by a malware, and at a same time and/or interval a new application file “f4.exe” may be added to both primary storage and backup repository locations, which may be already infected with a malware.
Given that a system administrator may have detected the malware attack immediately after t2, and using only pre-existing practices, tools, and/or techniques, the best restore plan may be to restore to the last known good backup snapshot. In the exemplary scenario such as illustrated and described herein with reference to FIG. 1A, this may mean to restore to t0 as follows:
1. Restoring “f1.dat” from t0 - latest valid state;
2. Restoring “f2.txt” from t0 - may not be optimal since an update from t2 may be lost;
3. Cannot restore “f3.dll” - may not be possible since there may not be a version of the file in t0;
4. Cannot restore “f4.exe” - may not be possible since there may not be a version of the file in t0.
The exemplary scenario such as illustrated and described herein with reference to FIG. 1A thus clearly demonstrates that pre-existing practices, tools, and/or techniques suffer from significant shortcomings in restoring application-related and/or operating system files to their latest valid state.
Reference is now made to FIG. 1B which is a schematic illustration of an exemplary and/or optional information obtained and/or used for computer system recovery in an exemplary scenario of malware attack in a data center, according to some embodiments.
FIG. 1B illustrates how the disclosed subject matter in some embodiments thereof may be implemented and/or utilized in the exemplary scenario such as illustrated and described herein with reference to FIG. 1A. As shown on FIG. 1B, for each backup snapshot there may be generated and/or maintained one or more of the three tables as follows: an applications list and respective application items table (denoted as App List on FIG. 1B); an operating system items and/or information table (denoted as OS Info on FIG. 1B); and an infected items table (denoted as Infected on FIG. 1B). Optionally in each table a full path of each listed item may be indicated (not shown on FIG. 1B).
In some embodiments, the OS Info table may (optionally automatically) be created using, for example, operating system command(s) (e.g., “dpkg” in Linux, “regedit” in Windows, and/or the like) to retrieve operating system information such as versions, updates, full system paths of operating system items, and/or the like. Additionally or alternatively, a user may be allowed to manually indicate information in the OS Info table, in whole and/or in part. As shown on FIG. 1B, the OS Info table for the exemplary scenario such as described with reference to FIG. 1A herein may comprise, for example, an indication of an operating system version, and optionally a list of updates, e.g., update1 as in backup snapshot Snap 0, update1 and update2 as in backup snapshot Snap 1, and so forth.
In some embodiments, the App List table may (optionally automatically) be created using, for example, same and/or similar command(s) (“dpkg”, “regedit”, and/or the like, as may be applicable) to discover any and/or all applications, respective application item(s) related to each application discovered and/or listed, full path(s) for the respective application item(s), and/or the like. Additionally or alternatively, a user (e.g., system administrator) may be allowed to manually indicate relevant and/or additional information, such as references to program code repositories that host the applications (e.g., a GitHub repository and/or the like).
In some embodiments, in an event of items corruption and/or otherwise being compromised, such as for example due to a malware attack, an Infected table listing all affected items in each backup snapshot may be obtained. The information in the Infected table may be attained using tools and/or techniques known in the art for detection and/or determination that a computer system item may be compromised, such as data forensics, automated malware scanners, automated tests, and/or the like. Furthermore, the Infected table may optionally indicate a full path of each compromised item listed, as may be obtained for example from one or more of the OS Info table, the App List table, and/or otherwise.
Reference is now made to FIG. 1C which is a schematic illustration of an exemplary and/or optional recommended procedure for computer system recovery in an exemplary scenario of malware attack in a data center, according to some embodiments.
As shown on FIG. 1C, using information such as obtained according to some embodiments similarly as described with reference to FIG. 1B herein, a recovery plan in addressing of the exemplary scenario as described with reference to FIG. 1A herein may be constructed.
In some embodiments, using for example information in the App List table there may be easily made a determination which of the items in the Infected table may be operating system related, which may be application related, and which may be neither of these two. For example, using the known full path of each affected item, as provided for example by the Infected table, one may check whether it may be a part of an application, a system path, or neither. For example, as shown on FIG. 1C, an infected file “f3.dll” may be mapped to an operating system items group based on the App List and/or OS Info tables, another infected file “f4.exe” may be mapped to an application items group of an application (denoted on FIG. 1C as “Application D”), and yet another infected file “f1.dat” may not be mapped by either one of the App List and/or OS Info tables to an operating system items group and/or an application items group of an application, thus determined as a member of a default class “Other” and/or the like.
The determination of type(s) of items listed as affected may be recorded in a further data structure, e.g., a table, where details of a recommended procedure for recovery may be recorded and/or retained, in accordance with each item type, i.e., a Restore Recommendation table. For example, as shown on FIG. 1C, to restore the infected operating system file “f3.dll”, the operating system may be recovered, optionally to a respective most recent version and/or update as may be listed on the OS Info table (i.e., the version/update denoted on FIG. 1C as “OS Update 3”). As another example, and as further shown on FIG. 1C, to restore the infected application file “f4.exe”, a respective application to which it may be mapped (denoted on FIG. 1C as “Application D”) as may be indicated on the App List table may be re-installed and/or updated. As yet another example, and as yet further shown on FIG. 1C, to restore the infected user data file “f1.dat” its last valid state in the backup repository (i.e., backup snapshot Snap 0) may be retrieved.
Optionally, the Restore Recommendation table may be used for one or more of the following: applying automatically restore recommendation(s) for affected item(s) to recover from most recent clean state of each as may be applicable; outputting a report to a user (e.g. system administrator) with all the recommendations advising them to repair affected applications, update the operating system if needed, restore other items to their latest valid state from backup snapshot(s) and/or other trusted location(s), and/or the like; prompting a user for authorization of restore recommendation prior to automatic execution; and/or the like.
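The classification of infected items and the resulting Restore Recommendation table described above for FIGS. 1A to 1C, worked through in Python as an added example (not code from the application or the applicant). The full paths, the install roots, matching by path component, and the update name `update3` for Snap 2 are constructed assumptions; the description gives only file names and “OS Update 3”.

```python
from dataclasses import dataclass, field
from pathlib import PurePosixPath


@dataclass
class Snapshot:
    """One backup snapshot with its three per-snapshot tables."""
    name: str
    items: set                                    # full paths present in the snapshot
    os_updates: list                              # OS Info: updates installed at this timepoint
    os_roots: list                                # OS Info: system paths (constructed)
    app_list: dict = field(default_factory=dict)  # App List: application -> install roots
    infected: set = field(default_factory=set)    # Infected: compromised full paths


def _under(path, roots):
    """True if path lies below one of roots; compares path components, not string prefixes."""
    parents = PurePosixPath(path).parents
    return any(PurePosixPath(root) in parents for root in roots)


def classify(path, snap):
    """Map a full path to ('os', None), ('application', name) or ('other', None)."""
    if _under(path, snap.os_roots):
        return ("os", None)
    for app, roots in snap.app_list.items():
        if _under(path, roots):
            return ("application", app)
    return ("other", None)


def last_clean_snapshot(path, snapshots):
    """Name of the newest snapshot holding path before its first compromise, else None."""
    clean = None
    for snap in snapshots:            # oldest first
        if path in snap.infected:
            break
        if path in snap.items:
            clean = snap.name
    return clean


def restore_recommendations(snapshots):
    """Build the Restore Recommendation table from the newest snapshot's Infected table."""
    latest = snapshots[-1]
    plan = {}
    for path in sorted(latest.infected):
        kind, app = classify(path, latest)
        if kind == "os":
            target = latest.os_updates[-1] if latest.os_updates else "base version"
            key, action = "operating system", f"recover OS to {target}"
        elif kind == "application":
            key, action = app, f"re-install or update {app}"
        else:
            source = last_clean_snapshot(path, snapshots)
            key = path
            action = f"restore from {source}" if source else "no clean copy, manual review"
        # One row per OS / application / user item; every affected path is recorded under it.
        plan.setdefault(key, {"action": action, "items": []})["items"].append(path)
    return plan


def whole_snapshot_rollback(snapshots):
    """Pre-existing practice: newest fully clean snapshot and the items it cannot supply."""
    clean = [s for s in snapshots if not s.infected]
    if not clean:
        return None, set(snapshots[-1].items)
    return clean[-1].name, snapshots[-1].items - clean[-1].items


# Constructed data for the three-snapshot scenario (paths are hypothetical).
F1, F2 = "/srv/data/f1.dat", "/srv/data/f2.txt"
F3, F4 = "/os/lib/f3.dll", "/apps/app_d/f4.exe"
OS_ROOTS = ["/os/lib"]
SNAPSHOTS = [
    Snapshot("Snap 0", {F1, F2}, ["update1"], OS_ROOTS),
    Snapshot("Snap 1", {F1, F2, F3}, ["update1", "update2"], OS_ROOTS, infected={F1}),
    Snapshot("Snap 2", {F1, F2, F3, F4}, ["update1", "update2", "update3"], OS_ROOTS,
             app_list={"Application D": ["/apps/app_d"]}, infected={F1, F3, F4}),
]

if __name__ == "__main__":
    for key, row in restore_recommendations(SNAPSHOTS).items():
        print(f"{key}: {row['action']} {row['items']}")
    print("whole-snapshot rollback:", whole_snapshot_rollback(SNAPSHOTS))
```

The uncompromised “f2.txt” never enters the table and so keeps its latest state, whereas the whole-snapshot rollback returns Snap 0 together with the two items that snapshot cannot supply.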
Reference is now made to FIG. 2, which is a schematic block diagram of an exemplary apparatus for computer system recovery, according to some embodiments. An exemplary apparatus 200 may be used for performing one or more of the acts for computer system recovery such as described with reference to FIGS. 1B, 1C, and/or 3 herein.
The apparatus 200 may comprise and/or be implemented as, for example, a computer, a server, a computing node, a cluster of computing nodes and/or the like, which may include an Input/Output (I/O) interface 210 for connecting to one or more external devices, systems, services and/or the like, a processor(s) 212 for executing the process 100, a storage 214 for storing data and/or code (program store), and/or the like.
The I/O interface 210 may include one or more wired and/or wireless network interfaces for connecting to a network 202 comprising one or more wired and/or wireless networks, for example, a Local Area Network (LAN), a Wide Area Network (WAN), a Metropolitan Area Network (MAN), a cellular network, the internet and/or the like. Using the network interface(s) the optimization system 200 may communicate, optionally via the network 202, with one or more (optionally remote, e.g., networked) recovery resources 206, which may optionally comprise and/or be implemented as, for example, a server, a computing node, a storage server, a networked database, a cloud service and/or the like. Through the network 202 and/or otherwise, the apparatus 200 may optionally further communicate with one or more client terminals 204, for example, a computer, a server, a laptop, a mobile device and/or the like used by one or more users, for example, an operator, a researcher, an analyst, a system administrator, an information technology (IT) expert, and/or the like. Optionally one or more of the client terminals 204 and/or recovery resources 206 may reside at and/or be coupled to the apparatus 200 locally.
The I/O interface 210 may further include one or more wired and/or wireless I/O interfaces, ports, interconnections and/or the like for connecting to one or more external devices, for example, a Universal Serial Bus (USB) interface, a serial interface, a Radio Frequency (RF) interface, a Bluetooth interface and/or the like. Through the I/O interface 210, the apparatus 200 may communicate with one or more external devices (not shown) attached to the I/O interface(s), for example, an attachable mass storage device, an external media device and/or the like.
The apparatus 200, communicating with one or more of the external devices, client terminals 204, and/or recovery resources 206, may therefore receive, fetch, collect and/or otherwise obtain data and information required for computer system recovery. Such data and information may include, for example: one or more backup snapshots comprising computer system items at different timepoints; computer system items mapping(s) to groups of operating system items, groups of application items of different applications, groups of user data items and/or the like; reference(s) to one or more repositories and/or likewise trusted locations of operating system versions and/or updates and/or of applications deployments and/or updates for re-installation and/or updating of the same; and/or the like. Optionally the apparatus 200 may communicate with one or more of the external devices and/or client terminals 204 to output data and information to a user pertaining to computer system recovery, such as for example, computer system recovery reports, recovery recommendations, and/or the like.
The processor(s) 212, homogenous or heterogeneous, may include one or more processing nodes arranged for parallel processing, as clusters and/or as one or more multi core processor(s). The storage 214 may include one or more tangible, non-transitory persistent storage devices, for example, a hard drive, a Flash array and/or the like. The storage 214 may also include one or more volatile devices, for example, a Random Access Memory (RAM) component, a cache and/or the like. The storage 214 may further comprise one or more local and/or remote network storage resources, for example, a storage server, a Network Attached Storage (NAS), a network drive, a cloud storage service and/or the like accessible via the I/O interface 210.
The processor(s) 212 may execute one or more software modules such as, for example, a process, a script, an application, an agent, a utility, a tool, an Operating System (OS) and/or the like each comprising a plurality of program instructions stored in a non-transitory medium (program store) such as the storage 214 and executed by one or more processors such as the processor(s) 212. The processor(s) 212 may further include, utilize and/or otherwise facilitate one or more hardware modules (elements), for example, a circuit, a component, an integrated circuit (IC), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), a Digital Signal Processor (DSP), a Graphics Processing Unit (GPU), an Artificial Intelligence (AI) accelerator and/or the like.
The processor(s) 212 may therefore execute one or more functional modules utilized by one or more software modules, one or more of the hardware modules and/or a combination thereof. For example, the processor(s) 212 may execute a system recovery optimizer functional module 220 for determining an optimal and/or otherwise recommended computer system recovery plan, in accordance with some embodiments.
Optionally, the apparatus 200, specifically the system recovery optimizer 220 may be utilized by one or more cloud computing services, platforms and/or infrastructures such as, for example, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS) and/or the like provided by one or more vendors, for example, Google Cloud, Microsoft Azure, Amazon Web Service (AWS) and Elastic Compute Cloud (EC2) and/or the like.
One or more of the client terminals 204 may execute one or more applications, services and/or tools for communicating with the apparatus 200 and more specifically with the system recovery optimizer 220 to enable one or more of the users to interact with the system recovery optimizer 220. For example, one or more client terminals 204 may execute a web browser for communicating with the prediction models constructor 220 and presenting a User Interface (UI), specifically a Graphical UI (GUI) which may be used by the respective users to interact with the system recovery optimizer 220. In another example, one or more client terminals 204 may execute a local agent which communicates with the system recovery optimizer 220 and presents a GUI which may be used by the respective users to interact with the system recovery optimizer 220.
The system recovery optimizer 220 may be adapted to track a state of computer system items in each backup snapshot and manage one or more of the App List table, OS Info table, Infected table, and/or the like. The system recovery optimizer 220 may be adapted to detect and record for each item whether the item may be operating system related, application related, and/or otherwise. The system recovery optimizer 220 may be adapted to determine and/or otherwise obtain an indication of which items may be compromised and construct a Restore Recommendations table accordingly. The system recovery optimizer 220 may be adapted to use the Restore Recommendations table to apply recovery of compromised items per the Restore Recommendations table automatically, send a report to a user with all recommendations for recovery of compromised items, and/or the like.
Reference is now made to FIG. 3, which is a flowchart schematically representing an optional flow of operations for computer system recovery, according to some embodiments.
At 302 a backup repository storing a plurality of snapshots at different timepoints of items of a computer system may be obtained. At 306 a mapping of items of the computer system in each of the backup snapshots obtained at 302 to operating system items and/or application items of respective one or more applications may be obtained. At 310 an indication of one or more compromised items of the computer system may be obtained. At 314 a determination may be made whether compromised item(s) per the indication obtained at 310 may be operating system item(s), application item(s) of respective application(s), and/or otherwise. At 318 in response to a compromised item determined at 314 to be an operating system item, recovery of the operating system may be performed. At 322 in response to a compromised item determined at 314 to be an application item of a respective application mapped for the compromised item, recovery of respective item(s) of the respective application may be performed. At 326 in response to a compromised item determined at 314 to be neither an operating system item nor an application item, recovery of the compromised item may be performed.
The descriptions of the various embodiments have been presented for purposes of illustration, but are not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein was chosen to best explain the principles of the embodiments, the practical application or technical improvement over technologies found in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.
It is expected that during the life of a patent maturing from this application many relevant computer systems, operating system platforms, and/or application programs will be developed and the scope of the terms “computer system”, “operating system”, and “applications” is intended to include all such new technologies a priori.
As used herein the term “about” refers to ± 10 %.
The terms "comprises", "comprising", "includes", "including", “having” and their conjugates mean "including but not limited to". This term encompasses the terms "consisting of" and "consisting essentially of".
The phrase "consisting essentially of" means that the composition or method may include additional ingredients and/or steps, but only if the additional ingredients and/or steps do not materially alter the basic and novel characteristics of the claimed composition or method.
As used herein, the singular form "a", "an" and "the" include plural references unless the context clearly dictates otherwise. For example, the term "a compound" or "at least one compound" may include a plurality of compounds, including mixtures thereof. The word “exemplary” is used herein to mean “serving as an example, instance or illustration”. Any embodiment described as “exemplary” is not necessarily to be construed as preferred or advantageous over other embodiments and/or to exclude the incorporation of features from other embodiments.
The word “optionally” is used herein to mean “is provided in some embodiments and not provided in other embodiments”. Any particular embodiment may include a plurality of “optional” features unless such features conflict.
Throughout this application, various embodiments may be presented in a range format. It should be understood that the description in range format is merely for convenience and brevity and should not be construed as an inflexible limitation on the scope of embodiments. Accordingly, the description of a range should be considered to have specifically disclosed all the possible subranges as well as individual numerical values within that range. For example, description of a range such as from 1 to 6 should be considered to have specifically disclosed subranges such as from 1 to 3, from 1 to 4, from 1 to 5, from 2 to 4, from 2 to 6, from 3 to 6 etc., as well as individual numbers within that range, for example, 1, 2, 3, 4, 5, and 6. This applies regardless of the breadth of the range.
Whenever a numerical range is indicated herein, it is meant to include any cited numeral (fractional or integral) within the indicated range. The phrases “ranging/ranges between” a first indicate number and a second indicate number and “ranging/ranges from” a first indicate number “to” a second indicate number are used herein interchangeably and are meant to include the first and second indicated numbers and all the fractional and integral numerals therebetween.
It is appreciated that certain features of embodiments, which are, for clarity, described in the context of separate embodiments, may also be provided in combination in a single embodiment. Conversely, various features of embodiments, which are, for brevity, described in the context of a single embodiment, may also be provided separately or in any suitable subcombination or as suitable in any other described embodiment. Certain features described in the context of various embodiments are not to be considered essential features of those embodiments, unless the embodiment is inoperative without those elements. Although embodiments have been described in conjunction with specific embodiments thereof, it is evident that many alternatives, modifications and variations will be apparent to those skilled in the art. Accordingly, it is intended to embrace all such alternatives, modifications and variations that fall within the spirit and broad scope of the appended claims.
It is the intent of the applicant(s) that all publications, patents and patent applications referred to in this specification are to be incorporated in their entirety by reference into the specification, as if each individual publication, patent or patent application was specifically and individually noted when referenced that it is to be incorporated herein by reference. In addition, citation or identification of any reference in this application shall not be construed as an admission that such reference is available as prior art to the present disclosure. To the extent that section headings are used, they should not be construed as necessarily limiting. In addition, any priority document(s) of this application is/are hereby incorporated herein by reference in its/their entirety.

Claims

1. An apparatus for computer system recovery, comprising: a memory; and a processing unit adapted to: store in a backup repository a plurality of snapshots of a plurality of items at different time points comprising a plurality of operating system items mapped to respective operating system versions and/or updates and a plurality of application items mapped to respective applications; in response to determining a compromised item is an operating system item, recover the operating system; and in response to determining a compromised item is an application item, recover the plurality of application items of a respective application to which the compromised item is mapped.
2. The apparatus of claim 1, wherein the processing unit is adapted to perform the recovery of the operating system from a repository of operating system versions and/or updates.
3. The apparatus of claim 1, wherein the processing unit is adapted to perform the recovery of the plurality of application items of the respective application from a repository thereof.
4. The apparatus of claim 1, wherein the processing unit is adapted to perform the recovery of the plurality of application items from a most recent snapshot in which the plurality of application items had not been compromised.
5. The apparatus of claim 1, wherein the processing unit is further adapted to, in response to the compromised item is not determined to be an operating system item or an application item, recover the compromised item from a most recent snapshot preceding compromise thereof.
6. The apparatus of claim 1, wherein the processing unit is further adapted to record in at least one data structure a full path in a storage system of an item of the plurality of operating system items of the respective versions and/or updates and the plurality of application items of the respective applications per snapshot.
7. The apparatus of claim 1, wherein the processing unit is further adapted to record in at least one data structure a full path in a storage system of compromised items per snapshot.
8. The apparatus of claim 1, wherein an item on the plurality of snapshots is selected from the group consisting of a file; a folder; a storage service object.
9. The apparatus of claim 1, wherein the processing unit is further adapted to automatically identify and map an application item of a respective application.
10. The apparatus of claim 1, wherein the processing unit is further adapted to automatically identify and map an operating system item of a respective version and/or update.
11. The apparatus of claim 1, wherein the processing unit is further adapted to prompt a user for manual authorization of a respective timepoint of a snapshot for use in recovery of the compromised item.
12. A computer program for computer system recovery, the computer program comprising program instructions which, when executed by at least one processor, cause the at least one processor to: store in a backup repository a plurality of snapshots of a plurality of items at different time points comprising a plurality of operating system items mapped to respective operating system versions and/or updates and a plurality of application items mapped to respective applications; in response to determining a compromised item is an operating system item, recover the operating system; and in response to determining a compromised item is an application item, recover the plurality of application items of a respective application to which the compromised item is mapped.
13. The computer program of claim 12, further comprising program instructions which, when executed by the at least one processor, cause the at least one processor to perform the recovery of the operating system from a repository of operating system versions and/or updates.
14. The computer program of claim 12, further comprising program instructions which, when executed by the at least one processor, cause the at least one processor to perform the recovery of the plurality of application items of the respective application from a repository thereof.
15. The computer program of claim 12, further comprising program instructions which, when executed by the at least one processor, cause the at least one processor to perform the recovery of the plurality of application items from a most recent snapshot in which the plurality of application items had not been compromised.
16. The computer program of claim 12, further comprising program instructions which, when executed by the at least one processor, cause the at least one processor to, in response to the compromised item is not determined to be an operating system item or an application item, recover the compromised item from a most recent snapshot preceding compromise thereof.
17. The computer program of claim 12, further comprising program instructions which, when executed by the at least one processor, cause the at least one processor to record in at least one data structure a full path in a storage system of an item of the plurality of operating system items of the respective versions and/or updates and the plurality of application items of the respective applications per snapshot.
18. The computer program of claim 12, further comprising program instructions which, when executed by the at least one processor, cause the at least one processor to automatically identify and map an application item of a respective application.
19. The computer program of claim 12, further comprising program instructions which, when executed by the at least one processor, cause the at least one processor to automatically identify and map an operating system item of a respective version and/or update.
20. A method for computer system recovery, comprising: storing in a backup repository a plurality of snapshots of a plurality of items at different time points comprising a plurality of operating system items mapped to respective operating system versions and/or updates and a plurality of application items mapped to respective applications; in response to determining a compromised item is an operating system item, recovering the operating system; and in response to determining a compromised item is an application item, recovering the plurality of application items of a respective application to which the compromised item is mapped.
PCT/EP2023/065948 2023-06-14 2023-06-14 Computer system items recovery Pending WO2024256001A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2023/065948 WO2024256001A1 (en) 2023-06-14 2023-06-14 Computer system items recovery


Publications (1)

Publication Number Publication Date
WO2024256001A1 true WO2024256001A1 (en) 2024-12-19

Family

ID=87001875

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2023/065948 Pending WO2024256001A1 (en) 2023-06-14 2023-06-14 Computer system items recovery

Country Status (1)

Country Link
WO (1) WO2024256001A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004047078A2 (en) * 2002-11-20 2004-06-03 Filesx Ltd. Fast backup storage and fast recovery of data (fbsrd)
WO2012067964A1 (en) * 2010-11-16 2012-05-24 Actifio, Inc. Systems and methods for data management virtualization
US8510271B1 (en) * 2009-03-30 2013-08-13 Symantec Corporation Application and file system data virtualization from image backup
US20210216412A1 (en) * 2020-01-14 2021-07-15 Western Digital Technologies, Inc. Memory Health Tracking for Differentiated Data Recovery Configurations



Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23733890

Country of ref document: EP

Kind code of ref document: A1