TWI740627B

Movatterモバイル変換

Info

Publication number: TWI740627B
Application number: TW109129560A
Authority: TW
Inventors: 美玲陳; 尼札爾博古艾拉
Original assignee: 新加坡商豐立有限公司
Priority date: 2019-08-29
Filing date: 2020-08-28
Publication date: 2021-09-21
Also published as: TW202113643A; SG10202004811XA

Abstract

Computer implemented systems and methods for performing electromotive force analysis of a storage device that include a storage device, an Artificial Intelligence Co-processor (AI-Coprocessor) chipset, a thin coil inductor positioned in proximity to a portion of the surface of the storage device for capturing data from electro motive radia generated by the storage device, an analog-to-digital-converter, and at least one probe for communicating the captured data to an analog-to-digital converter. The data is captured by the thin coil inductor and communicated to the analog-to-digital-converter via the at least one probe and the analog-to-digital-converter digitizes the voltage level of the captured data and communicates the results of the digitization and amplification to the Ai-Coprocessor. The Ai-Coprocessor chipset performs analysis of the data to detect any anomalies in the operation of the storage device and outputs those result for further processing. Embodiments include the use of an NVM Express protocol or an AHCI controller engine so it can detect in real time any hardware threats or attacks such as side channel attack, power glitch and any other hardware changes. Embodiments can detect malicious activities such as ransomware, virus and malware, or non-malicious activities by measuring the electromotive force energy caused by anomalous activities.

Description

Translated fromChinese

使用AI協同處理器偵測儲存裝置中的惡意程式所引起的異常的方法和系統Method and system for using AI co-processor to detect abnormalities caused by malicious programs in storage devices

本發明標的之實施例有關用於偵測在例如固態硬碟(SSD)的儲存裝置中的異常，並且更明確的是用於利用硬體及軟體來獨立地偵測惡意程式攻擊之系統、設備及方法。The subject embodiment of the present invention relates to systems and equipment used to detect anomalies in storage devices such as solid state drives (SSDs), and more specifically, to use hardware and software to independently detect malware attacks And method.

相關專利申請案的交互參照Cross-reference of related patent applications

本申請案主張2019年8月29日申請的新加坡臨時申請案第10201907989W號的益處，其以其整體被納入在此作為參考。This application claims the benefits of Singapore Provisional Application No. 10201907989W filed on August 29, 2019, which is incorporated herein as a reference in its entirety.

和SSD有關的一常見問題是保持所儲存的資料安全且受保護以免於任意類型的惡意程式攻擊(例如勒索軟體攻擊)，而同時即時地監視所述SSD的安全性。勒索軟體以及其它的惡意程式的威脅及攻擊已隨著時間來增加而在本質上變得越來越複雜的，並且因此更難以偵測並且使其失效，其在使用者或管理者的系統部分上需要更多的硬體及軟體資源以及頻繁的更新。A common problem related to SSDs is to keep the stored data safe and protected from any type of malicious program attacks (such as ransomware attacks), while monitoring the security of the SSD in real time. The threats and attacks of ransomware and other malicious programs have increased over time and become more and more complex in nature, and are therefore more difficult to detect and invalidate. They are part of the user's or administrator's system. It requires more hardware and software resources and frequent updates.

有關於人工智慧偵測威脅或異常活動，例如勒索軟體、病毒及惡意程式，之方法的習知技術的例子包含韌體、軟體或硬體為基礎的解決方案。在這些習知技術例子的某些例子中，所述韌體或軟體解決方案與原始韌體一致的位在固態硬碟控制器晶片組之內，因而這些元件依賴所述固態硬碟控制器晶片組的資源。這些類型的習知技術配置可能會因為來自威脅分析活動的延遲而造成在操作上的時間延遲。在這些習知技術的例子中，在不足記憶體儲存(RAM)容量的情形中，記憶體資源可能輕易地過載、或是CPU使用率、功率以及電流過載亦可能發生。在例如旁路或DPA攻擊的特定類型的攻擊下，這些問題可能會造成資訊的洩漏。Examples of conventional technologies related to artificial intelligence methods for detecting threats or abnormal activities, such as ransomware, viruses, and malware, include firmware, software, or hardware-based solutions. In some of these examples of conventional technology, the firmware or software solution is consistent with the original firmwareLocated in the solid-state drive controller chipset, these components depend on the resources of the solid-state drive controller chipset. These types of conventional technology configurations may cause operational time delays due to delays from threat analysis activities. In these examples of conventional technologies, in the case of insufficient RAM storage capacity, memory resources may be easily overloaded, or CPU usage, power, and current overload may also occur. Under certain types of attacks such as bypass or DPA attacks, these problems may cause information leakage.

再者，所述習知技術通常具有韌體可攜性的問題，因為在一裝置中的韌體在所述固態硬碟微控制器架構改變時需要被更新。這些更新可能需要人為介入，此亦可能會導致在系統瑕疵的頻率上的一增加。此外，在這些點失效的韌體或軟體整合可能會使得整體固態硬碟變成無功能的。在利用硬體解決方案的某些例子中，所述習知技術牽涉到竄改偵測、偵測偽造的硬體及未被授權的韌體、偵測可能劣化所述裝置的功能的軟體及韌體的類型。在某些習知技術的硬體解決方案中，所用方法聚焦在所述積體電路快閃記憶體中所存的功能上，其並不檢查在所述固態硬碟NAND快閃中所儲存的資料的完整性。此外，此類型的習知技術在無使用或整合人工智慧下監視資料。此外，用於在固態硬碟中偵測勒索軟體攻擊的習知技術方法是利用NVM快捷協定或AHCI。許多亦利用韌體或軟體為基礎的解決方案，其隨著架構改變而需要人為介入以進行碼更新。隨著更多的指令被執行，所述習知技術在相關於例如RAM、DMA及快閃記憶體的SSD控制器晶片組資源的資訊處理上亦有延遲。Furthermore, the conventional technology usually has a firmware portability problem, because the firmware in a device needs to be updated when the architecture of the solid-state drive microcontroller is changed. These updates may require human intervention, which may also cause an increase in the frequency of system defects. In addition, firmware or software integration that fails at these points may render the solid state drive non-functional. In some examples using hardware solutions, the conventional technology involves tampering detection, detection of counterfeit hardware and unauthorized firmware, and detection of software and firmware that may degrade the functionality of the device. The type of body. In some conventional hardware solutions, the method used focuses on the functions stored in the integrated circuit flash memory, which does not check the data stored in the solid state drive NAND flash Completeness. In addition, this type of conventional technology monitors data without using or integrating artificial intelligence. In addition, the conventional technical method for detecting ransomware attacks in the solid state drive is to use the NVM shortcut protocol or AHCI. Many also use firmware or software-based solutions, which require human intervention to update code as the architecture changes. As more instructions are executed, the conventional technology also has a delay in the processing of information related to the resources of the SSD controller chipset such as RAM, DMA, and flash memory.

所舉例說明的實施例提供電腦實施方法、設備、以及系統，其利用最先進技術以偵測目標在固態硬碟(SSD)儲存裝置的勒索軟體攻擊、威脅或活動，其藉由施加一人工智慧協同處理器(AI協同處理器)以監視所述固態硬碟控制器晶片組的NVM快捷(NVMe/NVM Express)協定或AHCI(Advanced Host Controller Interface/先進主機控制器介面)命令的輸入及/或輸出，連貫地藉由量測固態驅動器在NVM快捷協定或AHCI命令的執行期間所引起的電動勢能量。由於資料完整性變成是重要的，因此所主張標的之實施例容許使用者及管理者有一層額外安全性來對抗藉由習知的安全性工具可能難以偵測的勒索軟體威脅或攻擊。The exemplified embodiments provide computer implementation methods, equipment, and systems that use the most advanced technology to detect ransomware attacks, threats or activities targeted on solid-state drive (SSD) storage devices by applying an artificial intelligence Co-processor (AI co-processor) to monitor the SSD controlInput and/or output of the NVM Express (NVMe/NVM Express) protocol or AHCI (Advanced Host Controller Interface) command of the device chipset, continuously by measuring the solid state drive in the NVM Express protocol or AHCI command The electromotive force energy caused by the execution period. As data integrity becomes important, the claimed subject embodiment allows users and administrators to have an extra layer of security against ransomware threats or attacks that may be difficult to detect with conventional security tools.

許多所述實施例包含一撓性印刷電路板、一剛性彎曲的印刷電路板、及/或一剛性印刷電路板。再者，這些板中的許多板具有一低的輪廓厚度。本實施例容許可擴充性能夠被整合到任何現有的固態硬碟格式。Many of these embodiments include a flexible printed circuit board, a rigidly bent printed circuit board, and/or a rigid printed circuit board. Furthermore, many of these boards have a low profile thickness. This embodiment allows scalability to be integrated into any existing solid state drive format.

所述實施例亦包含一ASIC、一FPGA及/或一內嵌的FPGA的使用，其和被動構件及/或主動構件一起充滿在單一印刷電路板中以用於系統整合。實施例亦整合ASIC、FPGA及/或內嵌式FPGA與一固態驅動器晶片組、或是在某些實施例中，所述構件可被置放在所述固態硬碟的印刷電路板以及一保護蓋之間。在其它實施例中，構件可被設置為一覆蓋的印刷電路板，其利用和目標固態硬碟印刷板佈局相同或類似的輪廓。在這些實施例的某些實施例中，一小量感應的電感可被置放在所述固態硬碟積體電路的頂端上或是旁邊，使得所述實施例經由焊接在所述AI協同處理器的印刷電路板中的一連接器或穿孔來直接連接至所述電路。The embodiment also includes the use of an ASIC, an FPGA, and/or an embedded FPGA, which are filled with passive components and/or active components in a single printed circuit board for system integration. The embodiments also integrate ASIC, FPGA and/or embedded FPGA and a solid-state drive chipset, or in some embodiments, the components can be placed on the printed circuit board of the solid-state drive and a protection Between the covers. In other embodiments, the component may be configured as a covered printed circuit board, which utilizes the same or similar outline as the target solid-state drive printed circuit board layout. In some of these embodiments, a small amount of induced inductance can be placed on or next to the top of the solid-state drive integrated circuit, so that the embodiment is soldered to the AI co-processing A connector or perforation in the printed circuit board of the device is directly connected to the circuit.

在這些實施例的許多實施例中，所述AI協同處理器被程式化以具有自訓練或自學習模式。在所述自訓練或自學習模式期間，所述固態驅動器裝置可在一指定時間期間執行一系列的預先定義的NVM快捷協定及/或AHCI命令。在此執行期間，所述AI協同處理器從固態硬碟裝置，透過一安全的通訊匯流排，例如I2C協定、一SPI協定、一USB、一LVDS及/或藉由使用者所界定或在工廠預先界定的任何指明協定來接收資料流。在這些實施例中，所述AI協同處理器利用具有高解析度位元的外部或內部的一類比至數位轉換器，以量測所述固態驅動器控制器晶片組在線性模式中所產生的電動勢能量，以用於產生以一系列二進位或十六進位碼的呈現的一或多個簽名模式。這些碼接著例如可被儲存在一或多個AI協同處理器安全的快閃儲存元件內。在這些實施例中，所產的模式可具有一富(rich)值以及一貧(lean)值，並且這些值可被利用作為用於例如那些由惡意程式或勒索軟體引起的任何異常威脅、攻擊及/或活動的臨界值極限。In many of these embodiments, the AI coprocessor is programmed to have a self-training or self-learning mode. During the self-training or self-learning mode, the solid-state drive device can execute a series of predefined NVM shortcut protocols and/or AHCI commands during a specified period of time. During this execution period, the AI co-processor from the solid state drive device through a secure communication bus, such as I2C protocol, an SPI protocol, a USB, a LVDS and/or defined by the user or in the factory Any specified agreement defined in advance to receive the data stream. In these embodiments, the AI co-processor utilizesAn external or internal analog-to-digital converter with high-resolution bits to measure the electromotive force energy generated by the solid-state drive controller chipset in linear mode for generating a series of binary or decimal One or more signature patterns for the presentation of hexadecimal codes. These codes can then be stored in one or more secure flash storage elements of the AI co-processor, for example. In these embodiments, the generated pattern can have a rich value and a lean value, and these values can be used for any unusual threats, attacks, such as those caused by malicious programs or ransomware. And/or the critical value limit of the activity.

實施例亦可提供內嵌在所述AI協同處理器內的卷積層的演算法模組，以使得所述實施例能夠具有在不利用外部的深度學習模型下訓練本身的能力，而仍然致能所儲存資料的完整性的即時監視。The embodiment may also provide an algorithm module of the convolutional layer embedded in the AI coprocessor, so that the embodiment can have the ability to train itself without using an external deep learning model, while still enabling Real-time monitoring of the integrity of stored data.

所述實施例的許多實施例藉由介接或設置一專用硬體的AI協同處理器來運作，其導致在所述裝置的效能、安全性的可靠度上的增加，並且藉由利用包含例如快閃記憶體以及例如RAM的其它類型的記憶體的硬體之獨立資源來消除所述目標固態驅動器的RAM溢位以導致在時間延遲上的縮減。某些實施例藉由利用超低的電源電壓來運作在一防止故障模式中。Many of the described embodiments operate by interfacing or setting up an AI co-processor with a dedicated hardware, which leads to an increase in the reliability of the device’s performance and security, and by using such devices as fast The independent resources of the hardware of flash memory and other types of memory, such as RAM, eliminate the RAM overflow of the target solid-state drive, resulting in a reduction in time delay. Some embodiments operate in a failure prevention mode by using an ultra-low power supply voltage.

許多實施例經由一安全的連接匯流排而被連結到所述目標的固態硬碟控制器、或與其通訊。某些實施例利用一智慧型演算法以用於在攻擊能夠散佈之前，早期偵測例如惡意程式或勒索軟體的攻擊的威脅攻擊。在此的實施例可在一些不同的積體電路封裝下加以利用，例如實施例可和任意的固態硬碟控制器架構整合，而不需要韌體更新或和所述目標的固態硬碟控制器同步化。Many embodiments are connected to or communicate with the target's solid state drive controller via a secure connection bus. Some embodiments utilize a smart algorithm for early detection of threats such as malicious programs or ransomware attacks before the attack can be spread. The embodiment here can be used in a number of different integrated circuit packages. For example, the embodiment can be integrated with any solid-state drive controller architecture without requiring a firmware update or the target solid-state drive controller. Synchronization.

本案實施例的許多實施例容許在上市時間上有顯著縮減，同時提供可靠方法以監視資料的完整性、以及有關於和一或多個固態硬碟整合的韌體及控制器方法的相關裝置之相關操作。在一範例攻擊中，一勒索軟體攻擊利用所述主機系統的頂層來執行在所述目標固態驅動器積體電路的快閃記憶體的韌體之外的一或多個序列的NVMe或AHCI命令。作為響應的，一實施例將會取樣或量測由勒索軟體活動及操作利用所述NVMe協定或所述AHCI協定而透過所述固態硬碟所產生的電動勢能量。在所述攻擊活動期間，所述勒索軟體攻擊包含有害序列的NVMe/或是AHCI命令，其導致所述目標固態驅動器積體電路產生一系列的電動勢簽名，所述電動勢簽名相對於其它威脅而言是唯一的。Many of the embodiments of the present case allow a significant reduction in time to market, while providing a reliable method to monitor the integrity of data, as well as related devices related to the firmware and controller methods integrated with one or more solid-state drives Related operations. In one example attack, a ransomware attack uses the top layer of the host system to execute one or more sequences of NVMe or AHCI commands outside the firmware of the flash memory of the target solid-state drive integrated circuit. In response, one embodiment will sample orMeasure the electromotive force energy generated by the ransomware activity and operation using the NVMe protocol or the AHCI protocol through the solid state drive. During the attack activity, the ransomware attack contains a harmful sequence of NVMe/or AHCI commands, which causes the target solid-state drive integrated circuit to generate a series of electromotive force signatures, which are relative to other threats only one.

100:硬體系統100: hardware system

110:電感線圈110: Inductance coil

120:AI協同處理器晶片組120: AI co-processor chipset

121:差動信號121: Differential signal

122:數位濾波器122: digital filter

123:硬體計時器模組123: hardware timer module

124:NVMe/AHCI模組124: NVMe/AHCI module

125:I/O匯流排模組125: I/O bus module

126:數位信號處理演算法126: Digital signal processing algorithm

127:頻譜影像產生器127: Spectrum Image Generator

128:DSP/SOC128: DSP/SOC

129:內部快閃記憶體129: Internal flash memory

130:I/O匯流排130: I/O bus

140:類比至數位轉換器140: analog to digital converter

141:PMIC141: PMIC

142:固態硬碟(SSD)主板/固態硬碟控制器IC142: Solid State Drive (SSD) Motherboard/Solid State Drive Controller IC

143:安全快閃記憶體143: Secure flash memory

200:印刷電路板200: printed circuit board

201、202、203、204:NAND快閃模組201, 202, 203, 204: NAND flash module

205:固態硬碟控制器205: Solid State Drive Controller

210:區域邊界210: Regional Boundary

211:邊界防護跡線211: Border Protection Trace

212:類比至數位轉換器212: Analog to Digital Converter

213:安全快閃記憶體213: Secure flash memory

214:被動構件214: Passive component

215:電源管理單元215: Power Management Unit

216:AI協同處理器216: AI co-processor

220:電感線圈220: Inductance coil

221、222:差動信號線221, 222: Differential signal line

300:模組化M.2卡300: Modular M.2 card

301:區域301: area

302:正信號302: positive signal

303:負信號303: Negative signal

304:電感線圈304: Inductance coil

305:防護跡線邊界305: Protection trace boundary

306:PCIe電源墊跡線306: PCIe power pad trace

310:圖310: figure

311:NVMe/AHCI寫入命令311: NVMe/AHCI write command

312:勒索軟體偵測值的臨界值312: Threshold of ransomware detection value

320:圖320: figure

321:異常的些微差異321: Anomalous Slight Differences

322:電動勢能量322: electromotive force energy

330:圖330: figure

331:量測到值331: Measured value

332:臨界值332: critical value

333:量測到值333: Measured value

400:系統400: System

410:計時器值410: Timer value

420:電動勢能量值420: EMF energy value

430:NVMe/AHCI變數430: NVMe/AHCI variable

440:AI協同處理器系統440: AI co-processor system

441:(32位元)計時器暫存器441: (32-bit) timer register

442:(32位元)暫存器442: (32-bit) register

443:(3位元)暫存器443: (3-bit) register

444:第二DFT444: second DFT

445:第一DFT445: First DFT

446:相關性分析引擎446: Correlation Analysis Engine

447:勒索軟體分數驗證引擎447: Ransomware Score Verification Engine

448:FFT(快速傅立葉轉換)引擎448: FFT (Fast Fourier Transform) engine

449:神經網路引擎449: Neural Network Engine

450:記憶體控制器450: Memory Controller

451:協定匯流排451: Protocol Bus

452:匯流排線452: bus line

453、454、455:子模組453, 454, 455: submodules

本發明所主張的標的之實施例將會例如參考所附的圖式來描述，其中：[圖1]描繪展示根據所主張標的之實施例的一AI協同處理器的模組與外部的積體電路區塊的方塊概要圖，其展示一勒索軟體偵測器利用NVMe協定或AHCI協定而結合一固態硬碟來執行的；[圖2]描繪根據所主張標的之實施例的固態硬碟的三維視圖，其具有被整合在一印刷電路板中的一M.2模組化卡的形狀因數；[圖3]描繪根據所主張標的之實施例的一模組化M.2卡的俯視分解視圖，其具有被配置為一硬體解決方案的一固態硬碟控制器與一AI協同處理器的勒索軟體偵測器整合；[圖4]描繪根據所主張標的之實施例的NVMe/AHCI命令相對線性地隨著時間所量測到的Vemf的一相關性；[圖5]A描繪根據所主張標的之實施例的電動勢能量的一範例的電壓位準，其具有例如存在勒索軟體的一異常，並且具有隨著時間線性的一正常操作模式；[圖5]B描繪根據所主張標的之實施例的被偵測到具有勒索軟體或一範例異常的NVMe/AHCI緩衝命令的取樣位元組的互相關；以及[圖6]描繪根據所主張標的之實施例的所述AI協同處理器互連線的一種系統。Embodiments of the claimed subject matter of the present invention will be described, for example, with reference to the accompanying drawings, in which: [FIG. 1] depicts an AI co-processor module and external integration according to the claimed subject matter's embodiment A block diagram of the circuit block, which shows a ransomware detector using NVMe protocol or AHCI protocol and combined with a solid state drive to execute; [Figure 2] depicts the three-dimensional solid state drive according to the claimed subject embodiment A view, which has the form factor of an M.2 modular card integrated in a printed circuit board; [Figure 3] depicts a top exploded view of a modular M.2 card according to an embodiment of the claimed subject matter , Which has a solid-state drive controller configured as a hardware solution and an AI co-processor ransomware detector integration; [Figure 4] depicts the NVMe/AHCI command relative to the claimed subject embodiment A correlation of Vemf measured linearly with time; [FIG. 5] A depicts an exemplary voltage level of electromotive force energy according to the claimed subject embodiment, which has an anomaly such as the presence of ransomware, And has a normal operating mode linear with time; [FIG. 5] B depicts the interaction of the sample bytes of the NVMe/AHCI buffer command detected to have ransomware or a sample abnormality according to the claimed subject embodiment Related; and [FIG. 6] depicts the AI coprocessor interconnection line according to the claimed subject embodimentA kind of system.

根據所主張標的之實施例，各種設備、系統及方法系統用於偵測惡意程式，其包括由包含勒索軟體的惡意程式所做的攻擊。According to the claimed subject embodiment, various devices, systems, and methods are used to detect malicious programs, including attacks by malicious programs containing ransomware.

實施例可被利用以保護在儲存裝置內所儲存的資料，其利用人工智慧，藉由取樣由針對於異常的電流流動所引起的電動勢，所述異常指出可能的惡意程式或其它威脅。異常包含在一儲存裝置的輸入/輸出活動中的變化，例如那些見於在勒索軟體對邏輯區塊位址進行存取期間的變化。The embodiment can be used to protect data stored in a storage device, using artificial intelligence, by sampling the electromotive force caused by the current flow directed at abnormalities that indicate possible malicious programs or other threats. Anomalies include changes in the input/output activity of a storage device, such as those seen during ransomware access to logical block addresses.

在目前實施例的許多實施例中，一AI協同處理器被介接到、或被設置在一利用NVM快捷協定或AHCI的固態硬碟控制器晶片組附近。在數個實施例中，所述AI協同處理器可和固態硬碟控制器晶片一起、在其內部、或在其頂端側來加以置放。在某些實施例中，所述AI協同處理器被嵌入一客製ASIC中、一內嵌式FPGA、或一SoC+FPGA，以作為單一核心或多核心的。In many of the current embodiments, an AI co-processor is interfaced to, or placed near a solid-state drive controller chipset using NVM shortcut protocol or AHCI. In several embodiments, the AI co-processor can be placed together with the solid state drive controller chip, inside it, or on the top side of it. In some embodiments, the AI co-processor is embedded in a custom ASIC, an embedded FPGA, or a SoC+FPGA as a single core or multiple cores.

這些實施例將會獨立於所述固態硬碟控制器晶片組資源來執行，其即時地偵測勒索軟體攻擊。在一用途例子中，許多威脅或攻擊的每一個都具有其本身的電動勢(EMF)模式簽名，並且這些簽名被使用於進一步分析，並且和在正常操作中的一或多個固態硬碟控制器晶片組的電動勢(EMF)做比較。These embodiments will execute independently of the resources of the SSD controller chipset, which can detect ransomware attacks in real time. In an example of use, each of the many threats or attacks has its own electromotive force (EMF) pattern signature, and these signatures are used for further analysis and with one or more solid state drive controllers in normal operation Compare the electromotive force (EMF) of the chipset.

所述實施例的許多實施例提供一種易於使用的解決方案來整合所述實施例與一現有固態硬碟控制器積體電路板，其具有一標準通訊匯流排，容許與利用NVM快捷協定及/或AHCI的任意類型的固態硬碟的可擴充性。所述惡意程式的偵測特點是基於所述AI協同處理器，其與固態硬碟控制器積體電路具有經由一定義的安全協定的一專用匯流排通訊鏈路。所有的NVMe序列(包含管理序列命令以及使用者序列命令)可即時地與所述AI協同處理器共用。所述AI協同處理器將會量測由所述固態硬碟晶片組的積體電路結合在任何正常操作狀況中以及在惡意程式(包含勒索軟體)攻擊期間接收到的任何NVMe、任何AHCI序列、任何NVMe、或任何AHCI串流所產生的電動勢(EMF)。Many of the embodiments provide an easy-to-use solution to integrate the embodiment with an existing solid-state drive controller integrated circuit board, which has a standard communication bus that allows and utilizes NVM shortcut protocols and/ Or the scalability of any type of solid state drive of AHCI. The detection feature of the malicious program is based on the AI co-processor, which has a dedicated bus communication link with the solid-state drive controller integrated circuit via a defined security protocol. All NVMe sequences (including management sequence commands and user sequence commands) can be shared with the AI coprocessor in real time. The AI AssociationThe same processor will measure any NVMe, any AHCI sequence, any NVMe, any NVMe, any NVMe, any NVMe, any NVMe, any NVMe, any NVMe received by the integrated circuit of the said solid-state drive chipset under any normal operating conditions and during malware (including ransomware) attacks. Or any electromotive force (EMF) generated by the AHCI stream.

所述實施例的許多實施例的一優點具有時間延遲最小化的即時分析，其可有助於使用在雲端儲存伺服器應用程式或是高階平台伺服器應用程式。這些實施例的許多實施例容許早期的惡意程式/勒索軟體偵測，其有助於消除假的偵測數量，而導致對於偵測來自包含勒索軟體的惡意程式的威脅及攻擊有更高的正確率。One advantage of many of the described embodiments is real-time analysis with minimized time delay, which can be helpful for use in cloud storage server applications or high-end platform server applications. Many of these embodiments allow early malware/ransomware detection, which helps eliminate the number of false detections, resulting in higher accuracy in detecting threats and attacks from malware containing ransomware Rate.

在所述實施例的許多實施例中，所量測到的電動勢能量利用一類比數位控制器而被轉換成一數位信號，並且所產生信號接著藉由不同的信號卷積演算法依照時間系列分析而被計算出或轉換，且/或對照大量儲存的威脅模式、惡意程式模式、及/或勒索軟體模式來做比較。用於比較的模式數量可多達數百萬個。其它實施例利用一或多個自訓練模組(在所述AI協同處理器之內或是在其外部)，其在所述固態驅動器控制器的正常操作期間執行，以進行任意數量及類型的適當模式的比較。In many of the embodiments described, the measured electromotive force energy is converted into a digital signal using an analog digital controller, and the generated signal is then analyzed by different signal convolution algorithms in accordance with the time series. It is calculated or converted, and/or compared against a massively stored threat model, malware model, and/or ransomware model. The number of patterns used for comparison can be as many as millions. Other embodiments utilize one or more self-training modules (inside or outside the AI coprocessor), which are executed during normal operation of the solid-state drive controller to perform any number and type of Comparison of appropriate models.

在這些被用來偵測勒索軟體的實施例的許多實施例中，當一勒索軟體分數、一臨界值、或一相關性係數的時間標準到達勒索軟體威脅的預設或即時決定位準時，所述AI協同處理器將會透過一般用途的輸入/輸出匯流排來觸發警報，以警告所述固態硬碟控制器採取進一步的預防措施，並且執行一或多個對應配置。這些實施例的許多實施例獨立於所述固態硬碟電源來運作，並且它們包含專用的內部RAM、快閃記憶體以及一或多個通訊週邊裝置。其它實施例可具有不同的構件配置。實施例可採用任何習知的ASIC解決方案封裝的格式，其包含但不限於一BGA、一CSP、或是作為一位元流檔以從任意的FPGA及/或任意的內嵌式FPGA來運作。所述較佳實施例和外部的積體電路一起活動，並且利用被動及主動構件以量測或捕捉電動勢能量。In many of these embodiments used to detect ransomware, when a ransomware score, a threshold, or a correlation coefficient time standard reaches the preset or real-time determination level of the ransomware threat, The AI co-processor will trigger an alarm through a general-purpose input/output bus to warn the solid-state drive controller to take further preventive measures and execute one or more corresponding configurations. Many of these embodiments operate independently of the solid state drive power supply, and they include dedicated internal RAM, flash memory, and one or more communication peripherals. Other embodiments may have different component configurations. The embodiment can adopt any conventional ASIC solution packaging format, including but not limited to a BGA, a CSP, or as a bit stream file to operate from any FPGA and/or any embedded FPGA . The preferred embodiment is active with the external integrated circuit, and utilizes theMoving and active components to measure or capture electromotive force energy.

本實施例並不限於獨特配置來用以偵測在支援NVMe協定或AHCI協定的固態硬碟上的來自惡意程式、病毒、勒索軟體或是任何其它類型的攻擊的威脅及攻擊。實施例可利用任意數量的實施方式及介接至被監測硬體，例如任何目標協定，例如相關於儲存的NVMe-oF協定，其例如用在像是SaaS系統的系統中的儲存。This embodiment is not limited to a unique configuration for detecting threats and attacks from malware, viruses, ransomware, or any other types of attacks on solid-state hard disks supporting the NVMe protocol or the AHCI protocol. The embodiment can utilize any number of implementations and interface to the monitored hardware, such as any target protocol, such as the NVMe-oF protocol related to storage, which is used for storage in a system such as a SaaS system, for example.

在所述實施例的許多實施例中，目標用於NVMe以及AHCI的協定被利用，但是各種協定亦可單獨被利用、或是結合其它協定來加以利用。例如，所述NVMeOF(MVMe over Fabric)可結合所述AI核心來加以利用。這些協定亦可被利用以監視活動並且訓練所述實施例以識別利用任意類型的協定的異常活動。這些所述實施例的某些實施例將會進一步利用軟體整合。In many of the described embodiments, the protocols targeted for NVMe and AHCI are used, but various protocols can also be used alone or in combination with other protocols. For example, the NVMeOF (MVMe over Fabric) can be used in conjunction with the AI core. These agreements can also be utilized to monitor activity and train the embodiment to recognize anomalous activity that utilizes any type of agreement. Some of these described embodiments will be further integrated with software.

在這些實施例的許多實施例中，一些不同威脅以及相關於硬體的任何異常活動可被監測，例如某些使用模式、或是指出所述儲存正部分或完全地被複製的模式。例如，相較於正常使用的較高的使用量可指出相關於儲存裝置的一不當活動。In many of these embodiments, different threats and any abnormal activities related to the hardware can be monitored, such as certain usage patterns, or patterns that indicate that the storage is being partially or completely copied. For example, a higher usage amount compared to normal usage may indicate an improper activity related to the storage device.

現在轉到所述圖式，圖1描繪一範例的硬體系統100的方塊圖，其基於一AI協同處理器晶片組以用於偵測涉及固態硬碟控制器的勒索軟體，其利用由所述固態硬碟晶片組在對應於NVMe協定或AHCI協定的執行時間期間所產生的電動勢能量。所述硬體系統100包含一AI協同處理器晶片組120，其透過一預先定義的通訊匯流排而在同一印刷電路中與一固態硬碟(SSD)主板142介接。在所述硬體系統100的開機狀態期間，電源由一PMIC(Power Management IC：電源管理IC)141積體電路所提供，其中若為所要的話，電源輸出值能夠藉由所述AI協同處理器晶片組120來配置。Turning now to the drawings, Figure 1 depicts a block diagram of anexample hardware system 100, which is based on an AI co-processor chipset for detecting ransomware involving a solid-state drive controller, which is used by all The solid-state drive chipset generates electromotive force energy during the execution time corresponding to the NVMe protocol or the AHCI protocol. Thehardware system 100 includes anAI co-processor chipset 120, which interfaces with a solid state drive (SSD)motherboard 142 in the same printed circuit through a predefined communication bus. During the power-on state of thehardware system 100, power is provided by a PMIC (Power Management IC) 141 integrated circuit, where the power output value can be provided by the AI co-processor if required Thechipset 120 is configured.

在所述電源狀態被指出為有效的之後，所述硬體系統100利用一小的電感線圈110來開始取樣由所述固態硬碟主板142或是所述固態硬碟控制器IC142所產生的電動勢能量。其它實施例可使用一更大或較小的電感線圈、或是熟習此項技術者已知的另一資料收集構件。在這些實施例中，所述AI協同處理器藉由抽取在所量測到的資料中的屬性來處理辨識活動或威脅。利用所述AI協同處理器的實施例將會減少在分析所捕捉資料時的任何時延延遲，但是其它利用非AI協同處理器的實施例亦可被用來分析所捕捉資料。After the power state is indicated as valid, thehardware system 100 uses aThesmall inductance coil 110 starts to sample the electromotive force energy generated by the solid state diskmain board 142 or the solid statedisk controller IC 142. Other embodiments may use a larger or smaller inductance coil, or another data collection device known to those skilled in the art. In these embodiments, the AI co-processor extracts attributes from the measured data to process identification activities or threats. The embodiment using the AI co-processor will reduce any delay in analyzing the captured data, but other embodiments using the non-AI co-processor can also be used to analyze the captured data.

所述電感器或電感線圈可以是薄的形狀因數，例如使用於M.2 SSD格式、或者其可以是任何其它適當的大小。例如，在像是資料中心的某些設施中，在每一個伺服器殼體之內或是當被設置使用於一膝上型/筆記型電腦裝置時具有有限空間，一較小或是較薄的形狀因數可被利用。這些實施例的某些實施例可被置放在一M.2PCB的附近，其利用在殼體內的任何可利用空間，例如在一具有1.35mm厚度(在主機板與M.2 PCB之間的間隙)的膝上型電腦殼體中，被置放在所述儲存裝置附近的一薄的電感器可被使用。The inductor or inductance coil may be a thin form factor, such as used in M.2 SSD format, or it may be any other suitable size. For example, in some facilities like data centers, there is limited space within each server housing or when set up for use in a laptop/notebook computer device, one is smaller or thinner The form factor of can be used. Some of these embodiments can be placed near an M.2 PCB, which utilizes any available space in the housing, such as a thickness of 1.35 mm (between the motherboard and the M.2 PCB). In the laptop casing of the gap), a thin inductor placed near the storage device can be used.

在此實施例中，跨越所述電感線圈110的能量藉由所述類比至數位轉換器140而被取樣，並且所取樣值透過一或多個差動信號而被傳遞至所述AI協同處理器晶片組120。所述類比至數位轉換器140的資料緩衝被暫時保持在所述差動信號(DIFF-SIGNAL)121專用的暫存器中，並且被傳遞至專用的數位濾波器122以用於進一步處理，以避免非所要信號的比較。在許多實施例中，非所要信號的濾波利用一或多個軟體演算法而被達成，每一個演算法可依據一或多個使用者預先定義的設定及一或多個校正而定，並且因此所述實施例可不限於單一狀態機。在某些實施例中，單一AI協同處理器晶片組可被使用，但是在其它實施例中，單一或多個AI協同處理器晶片組可結合一或多個核心以平行或是以串列配置而被一起使用在某些工作之中，以處理所捕捉資料。In this embodiment, the energy across theinductor 110 is sampled by the analog-to-digital converter 140, and the sampled value is transmitted to the AI coprocessor through one or more differential signals Thechipset 120. The data buffer of the analog-to-digital converter 140 is temporarily held in the special register of the differential signal (DIFF-SIGNAL) 121, and is passed to the specialdigital filter 122 for further processing. Avoid comparison of undesired signals. In many embodiments, filtering of undesired signals is achieved using one or more software algorithms, each of which can be based on one or more user-defined settings and one or more calibrations, and therefore The described embodiments may not be limited to a single state machine. In some embodiments, a single AI co-processor chipset can be used, but in other embodiments, a single or multiple AI co-processor chipsets can be combined with one or more cores in parallel or in tandem configuration They are used together in certain tasks to process the captured data.

一硬體計時器(TIMER)模組123登錄所述數位濾波器122的一或多個時間週期。NVMe/AHCI模組124登錄所述NVMe協定或是所述AHCI協定的已經透過I/O匯流排模組125執行的所有命令，所述I/O匯流排模組125利用一SPI協定、或是I2C、或是任何高速的通訊控制，結合所述固態硬碟主板142或是一固態硬碟控制器IC 142而被程式化。A hardware timer (TIMER)module 123 registers one or of thedigital filter 122Multiple time periods. The NVMe/AHCI module 124 registers all commands of the NVMe protocol or the AHCI protocol that have been executed through the I/O bus module 125, the I/O bus module 125 uses an SPI protocol, or I2C, or any high-speed communication control, is programmed in combination with the solid-state disk motherboard 142 or a solid-statedisk controller IC 142.

在來自所有三個所述模組(所述數位濾波器122、所述硬體計時器模組123以及所述NVMe/AHCI模組124)的資料取樣的一預先定義期間之後，其中來自那些模組的所有資料透過在所述AI協同處理器晶片組120之內的內部匯流排資料而被轉移至一數位信號處理演算法126以用於進一步轉換，其包含根據使用者是如何配置所述序列來施加一或多個不同計算。所述一或多個計算的結果(例如藉由所述數位信號處理演算法126產生的緩衝信框)被傳遞至頻譜影像產生器127模組，並且所產生影像將會藉由具有神經網路演算法的一DSP/SoC來和在內部快閃記憶體129內的一自訓練影像模式比對。After a predefined period of data sampling from all three of the modules (thedigital filter 122, thehardware timer module 123, and the NVMe/AHCI module 124) All data of the group is transferred to a digitalsignal processing algorithm 126 for further conversion through the internal bus data in theAI co-processor chipset 120, which includes how to configure the sequence according to the user To apply one or more different calculations. The result of the one or more calculations (for example, the buffer frame generated by the digital signal processing algorithm 126) is transmitted to thespectral image generator 127 module, and the generated image will be processed by a neural network. A DSP/SoC of the algorithm is compared with a self-training image mode in theinternal flash memory 129.

若沒有匹配、部分匹配、或是其它解的結果展示一可能的勒索軟體威脅，則外部的安全快閃記憶體143的積體電路被詢問。若一勒索軟體狀態模式例如利用具有神經網路演算法的所述DSP/SoC128而被偵測到，則所述系統將會中斷I/O匯流排130至所述固態硬碟主板142或是/固態硬碟控制器IC 142的安全性警告輸出接腳。當所述安全性事件造成一中斷時，所述固態硬碟主板142或是固態硬碟控制器IC 142可根據藉由使用者及/或製造商安裝的一或多個預先定義配置，進一步採取一或多個進一步動作。所述系統的一中斷可用熟習此項技術者已知的任意數種方式來達成，例如若所述AI協同處理器被設置在IC之內，則利用一物理匯流排線的使用、或是若所述AI協同處理器與所述SSD控制器整合的，則藉由一韌體碼，其中所述中斷可藉由寫入在所述晶片組內的一預先定義的暫存器來加以達成。在其它實施例中，由OEM工廠所用的一專屬SSD IC控制器可透過至少一I/O連接匯流排來加以配置，以共享活動並且交換從所述SSD控制器收集的屬性，其包含例如以下的屬性：相對於時間的EMF值。其它實施例可使用一種Diewafe解決方案(ASIC HW IP)，其中所述AI核心可從RTL被轉換成GDS格式。另外其它的實施例可藉由軟體實施方式而被實施在一或多個平行核心之內。If no match, partial match, or other solution results show a possible ransomware threat, the integrated circuit of the externalsecure flash memory 143 is asked. If a ransomware status mode is detected, for example, using the DSP/SoC128 with neural network algorithm, the system will interrupt the I/O bus 130 to the solid state drivemain board 142 or solid state The safety warning output pin of the harddisk controller IC 142. When the security event causes an interruption, the solid-state drive motherboard 142 or the solid-statedrive controller IC 142 can be further implemented according to one or more predefined configurations installed by the user and/or manufacturer One or more further actions. An interruption of the system can be achieved in any number of ways known to those skilled in the art, for example, if the AI coprocessor is installed in the IC, the use of a physical bus line, or if The AI co-processor and the SSD controller are integrated by a firmware code, wherein the interrupt can be achieved by writing a predefined register in the chipset. In other embodiments, a dedicated SSD IC controller used by the OEM factory can be configured through at least one I/O connection bus to share activities and exchange receipts from the SSD controller.The attributes of the set include, for example, the following attributes: EMF value with respect to time. Other embodiments may use a Diewafe solution (ASIC HW IP) in which the AI core can be converted from RTL to GDS format. In addition, other embodiments can be implemented in one or more parallel cores through software implementation.

在某些實施例中，進一步的步驟或動作可包含限制對於所儲存資料的存取、傳遞一或多個警告，例如是透過一外部的無線連線、或是一有線連線、或是兩者來傳送一或多個警告射束、鎖住所述儲存裝置、或是在所述儲存裝置之內的一構件、或是在所述儲存裝置外部的一構件、及/或容許不具有覆寫任何所儲存資料的能力的唯讀模式。In some embodiments, further steps or actions may include restricting access to stored data, transmitting one or more warnings, such as through an external wireless connection, or a wired connection, or two To transmit one or more warning beams, lock the storage device, or a component inside the storage device, or a component outside the storage device, and/or allow no coverage Read-only mode with the ability to write any stored data.

在所述實施例的許多實施例中，自訓練可被用來容許所述AI協同處理器晶片組能夠學習何者是正常的、以及何者是異常的。在一例子中，所述AI協同處理器晶片組在所述一或多個比較中利用用於參考的一資料組對照利用一或多個容限位準的其它資料組。在一範例的自訓練實施例中，一正常的操作臨界值設置利用一或多個預先定義的屬性的數位值。在某些實施例中，在所述AI協同處理器晶片組中執行的人工智慧演算法比較目前的操作資料組與所述正常或基線的操作資料組，同時使用所述目前進入的資料組來更新或修改在使用中的資料組，而不需要外部輸入值。In many of the embodiments, self-training can be used to allow the AI co-processor chipset to learn what is normal and what is abnormal. In one example, the AI co-processor chipset uses a data set for reference in the one or more comparisons against other data sets that use one or more tolerance levels. In an exemplary self-training embodiment, a normal operating threshold setting utilizes one or more pre-defined attribute digital values. In some embodiments, the artificial intelligence algorithm executed in the AI co-processor chipset compares the current operating data set with the normal or baseline operating data set, and uses the currently entered data set to Update or modify the data group in use without external input value.

圖2描繪一固態硬碟的三維視圖，其具有一M.2模組化卡的形狀因數。此實施例被整合在同一印刷電路板200中。NAND快閃模組201、202、203及204被成串接設置，並且具有和所述固態硬碟控制器205直接的連接。此外，此實施例被設置在邊界防護跡線211之內，其容許AI協同處理器216能夠受保護免於非刻意的信號，並且將進入的敏感信號與其它可能干擾所述實施例的高速信號隔離。被置放在所述固態硬碟控制器205的頂端上的一電感線圈220捕捉產生的電動勢能量，其藉由2條差動信號線221及222而連結至類比至數位轉換器212。所述電感線圈220可被置放在所述固態硬碟控制器205附近的可進行讀取的任何位置。Figure 2 depicts a three-dimensional view of a solid state drive with the form factor of an M.2 modular card. This embodiment is integrated in the same printedcircuit board 200. TheNAND flash modules 201, 202, 203, and 204 are arranged in series, and have a direct connection with the solidstate drive controller 205. In addition, this embodiment is placed within theborder guard trace 211, which allows theAI coprocessor 216 to be protected from unintentional signals, and to combine incoming sensitive signals with other high-speed signals that may interfere with the embodiment. isolation. Aninductor 220 placed on the top of the solidstate disk controller 205 captures the generated electromotive force energy, which is connected to the analog-to-digital converter 212 through twodifferential signal lines 221 and 222. Theinductance coil 220 can be placed near the solid-state drive controller 205 and can be read.Location.

在此實施例中，在所述勒索軟體偵測程序期間，一外部的安全快閃記憶體213被使用作為用於勒索軟體模式資料的一資料庫。熟習此項技術者已知的任何其它儲存媒體亦可被使用。在區域邊界210之內的所有構件藉由專用的一電源管理單元215結合被動構件214一起來供電的。這些實施例描繪用於所述勒索軟體偵測器配置的一硬體解決方案的一個例子，其可被利用以保護任意類型的M.2模組化卡。熟習此項技術者已知的利用不同構件達成相同結果的其它配置亦可被利用，例如像是M.2的任何標準儲存裝置的佈局格式。In this embodiment, during the ransomware detection process, an externalsecure flash memory 213 is used as a database for ransomware pattern data. Any other storage media known to those skilled in the art can also be used. All components within thearea boundary 210 are powered by a dedicatedpower management unit 215 combined with thepassive components 214. These embodiments describe an example of a hardware solution for the ransomware detector configuration, which can be utilized to protect any type of M.2 modular card. Other configurations known to those skilled in the art that use different components to achieve the same result can also be used, such as the layout format of any standard storage device such as M.2.

圖3描繪根據所主張標的之實施例的一模組化M.2卡300的頂端分解視圖，其中一固態硬碟控制器與一AI協同處理器勒索軟體偵測器整合的，其被配置為一硬體解決方案。所述實施例被設置在區域301中，並且藉由防護跡線邊界305來加以保護。電感線圈304是被用來捕捉電動勢能量的一撓性印刷電路板，並且電感線圈304在區域301之內透過成對的信號線來加以連接。在此實施例中，第一線是正信號302，並且第二線是負信號303。同樣在此實施例中，所述構件被設置成非常靠近PCIe電源墊跡線306，以便於降低電源雜訊。FIG. 3 depicts a top exploded view of a modular M.2card 300 according to an embodiment of the claimed subject matter, in which a solid-state drive controller is integrated with an AI co-processor ransomware detector, which is configured as A hardware solution. The described embodiment is placed in thearea 301 and protected by theguard trace boundary 305. Theinductance coil 304 is a flexible printed circuit board used to capture electromotive force energy, and theinductance coil 304 is connected in thearea 301 through a pair of signal lines. In this embodiment, the first line is apositive signal 302, and the second line is anegative signal 303. Also in this embodiment, the component is placed very close to the PCIepower pad trace 306 in order to reduce power noise.

圖4描繪NVMe/AHCI命令線性地隨著時間對照量測到的Vemf的相關性，即如同在圖310中所示。在所述圖310中的點代表在一5毫秒的時間期間之內取樣的一群組的位元組，其中一NVMe/AHCI寫入命令311連續被執行，其導致所述固態控制器晶片組過載，更多電流流動。此配置造成在所述電動勢能量上的增加，其可超越勒索軟體偵測值的臨界值，其在所述圖310中藉由虛線312而被展示的。此圖310描繪被用來偵測勒索軟體的一種預先計算方法的一個例子。前述的時間期間可以是廣範圍的(例如一奈秒到一秒)，其根據使用者及/或製造需求而定，例如針對於一特定的SSD控制器、儲存裝置或是其它硬體構件而被最佳化的一時間期間。FIG. 4 depicts the correlation of the NVMe/AHCI command against the measured Vemf linearly over time, that is, as shown in FIG. 310. The dots in thegraph 310 represent a group of bytes sampled within a time period of 5 milliseconds, in which an NVMe/AHCI write command 311 is continuously executed, which causes the solid-state controller chipset Overload, more current flows. This configuration causes an increase in the electromotive force energy, which can exceed the threshold of the ransomware detection value, which is shown by the dottedline 312 in thegraph 310. This diagram 310 depicts an example of a pre-calculation method used to detect ransomware. The aforementioned time period can be in a wide range (for example, one nanosecond to one second), which is determined according to user and/or manufacturing requirements, such as for a specific SSD controller, storage device, or other hardware components. A period of time that is optimized.

圖5A描繪以圖320展示的電動勢能量一範例的電壓位準，其具有例如存在勒索軟體的一異常以及具有隨著時間線性的一正常操作模式。如同可見的，例如由勒索軟體引起的異常和所述NVMe/AHCI的正常操作稍微不同的執行。在此程序期間，所述電動勢能量使得所述固態硬碟晶片組執行更多的指令，並且此在指令上的增加導致沿著積體電路信號流動的電流的增加。所捕捉到的此異常的些微差異(在此例中由勒索軟體的存在所引起的)利用虛線321來展示。相較於在所述NVMe/AHCI執行的命令的正常操作期間所產生的電動勢能量322，所述圖320展示更大的電動勢能量被產生。此差異展示利用電動勢能量來識別異常值。FIG. 5A depicts an exemplary voltage level of the electromotive force energy shown in FIG. 320, which has an abnormality such as the presence of ransomware and a normal operation mode that is linear with time. As can be seen, for example, the abnormality caused by the ransomware is executed slightly differently from the normal operation of the NVMe/AHCI. During this procedure, the electromotive force energy causes the SSD chipset to execute more instructions, and this increase in instructions results in an increase in the current flowing along the integrated circuit signal. The slight difference in the captured anomaly (caused by the presence of ransomware in this example) is shown by the dashedline 321. Compared to theelectromotive force energy 322 generated during the normal operation of the command executed by the NVMe/AHCI, thegraph 320 shows that a larger electromotive force energy is generated. This difference shows the use of electromotive force energy to identify outliers.

圖5B描繪根據所主張標的之實施例的偵測到的具有勒索軟體或是一範例異常的NVMe/AHCI緩衝命令的取樣位元組的互相關，並且更明確地說，其以圖330展示偵測到的具有勒索軟體或是其它異常的NVMe/AHCI緩衝命令的取樣位元組的互相關。一異常(例如勒索軟體的活動)的量測到值以虛線331來展示，並且此量測到值以線333展示具有和在正常操作期間存在NVMe/AHCI命令的所量測到值的正相關性。此類型的分析可有助於避免偽陽性，例如那些由於發生在正常操作中的NVMe/AHCI的抹除/刪除命令所造成的偽陽性，其原本可能引起例如勒索軟體的一異常存在的錯誤警告。藉由在圖330中設定臨界分數在9到10之間，所述波峰的異常或是/勒索軟體可在其超出被呈現為虛線332的臨界值時被偵測到，此容許例如勒索軟體的異常能在其被容許毀壞檔案或是進行其它類型的損壞之前的早期階段就被偵測到。FIG. 5B depicts the cross-correlation of the sample bytes of the NVMe/AHCI buffer command detected with ransomware or an exemplary anomaly according to an embodiment of the claimed subject matter, and more specifically, it is shown in FIG. 330. The measured cross-correlation of the sample bytes of the NVMe/AHCI buffer command with ransomware or other abnormalities. The measured value of an anomaly (such as ransomware activity) is shown as a dashedline 331, and the measured value is shown as aline 333 to have a positive correlation with the measured value in the presence of NVMe/AHCI commands during normal operation sex. This type of analysis can help avoid false positives, such as those caused by NVMe/AHCI erase/delete commands that occur in normal operations, which might have caused false warnings such as an abnormal existence of ransomware. . By setting the critical score between 9 and 10 in Figure 330, the abnormality of the peak or/ransomware can be detected when it exceeds the critical value shown as the dashedline 332, which allows for example ransomware Anomalies can be detected at an early stage before they are allowed to destroy files or perform other types of damage.

圖6描繪根據所主張標的之實施例的所述AI協同處理器單元互連線的一種系統400。在這些實施例中，三個外部變數被使用於進一步的數位計算。這些變數是NVMe/AHCI變數430的三個位元，其中MSB表示NVMe/AHCI寫入命令，第二位元表示讀取命令，而LSB表示抹除/刪除命令。當所述命令中之一被捕捉到時，一個0或1的值被呈現在對應位元位置中。其次，量測到的電動勢能量值420以三十二個位元來呈現，而最後的計時器值410亦以三十二個位元來呈現。這些外部值暫時被保持在相應的緩衝暫存器中：3位元的NVMe/AHCI在(3位元)暫存器443、32位元的電動勢能量值在(32位元)暫存器442、以及32位元的計時器值在(32位元)計時器暫存器441。在其它實施例中，變數的數目可大於或小於三個。FIG. 6 depicts asystem 400 of the AI coprocessor unit interconnection line according to an embodiment of the claimed subject matter. In these embodiments, three external variables are used for further digital calculations. These variables are the three bits of the NVMe/AHCI variable 430, where the MSB represents the NVMe/AHCI write command, the second bit represents the read command, and the LSB represents the erase/delete command. When one of the said orders was arrestedWhen caught, a value of 0 or 1 is presented in the corresponding bit position. Secondly, the measured electromotiveforce energy value 420 is presented in thirty-two bits, and thefinal timer value 410 is also presented in thirty-two bits. These external values are temporarily held in the corresponding buffer registers: 3-bit NVMe/AHCI in the (3-bit) register 443, 32-bit electromotive force energy value in the (32-bit) register 442 , And the 32-bit timer value is stored in the (32-bit)timer register 441. In other embodiments, the number of variables may be greater than or less than three.

AI協同處理器系統440的子模組454是起始利用兩個DFT(離散傅立葉轉換)引擎對緩衝器值的計算的第一模組。相關性分析引擎446計算來自第一DFT 445以及第二DFT 444的兩個信號的互相關。所述相關性分析引擎446接著將所計算出的第一DFT 445及第二DFT 444的值和所計算出的互相關維度值一起傳輸至位在子模組455中的勒索軟體分數驗證引擎447。若所述分數大於所述臨界值，則第一DFT 445以及第二DFT 444的值都被轉移至FFT(快速傅立葉轉換)引擎448，並且所產生的FFT引擎448的值接著被子模組453中的神經網路引擎449用作為一頻譜影像。此頻譜影像對照具有異常或勒索軟體的頻譜影像簽名的一資料庫來做比較，所述資料庫藉由所述神經網路引擎449而被預先載入、預先計算及/或訓練的。為了具有對於所述資料庫的存取，所述神經網路引擎449透過記憶體控制器450來操作一序列的讀取及寫入命令。具有雙向模式的特定的協定匯流排451讀取目標快閃記憶體電路。若所述神經網路引擎449的計算偵測到例如勒索軟體的一異常而導致匹配，則所述神經網路引擎449透過一匯流排線452來傳送一信號警告至所述目標固態硬碟控制器。The sub-module 454 of theAI co-processor system 440 is the first module that initiates the calculation of the buffer value using two DFT (Discrete Fourier Transform) engines. The correlation analysis engine 446 calculates the cross-correlation of the two signals from thefirst DFT 445 and the second DFT 444. The correlation analysis engine 446 then transmits the calculated values of thefirst DFT 445 and the second DFT 444 and the calculated cross-correlation dimension value to the ransomware score verification engine 447 located in thesubmodule 455. . If the score is greater than the critical value, the values of thefirst DFT 445 and the second DFT 444 are transferred to the FFT (Fast Fourier Transform)engine 448, and the generated value of theFFT engine 448 is then transferred to the sub-module 453 Theneural network engine 449 is used as a spectrum image. This spectral image is compared against a database with anomalous or ransomware spectral image signatures, which is pre-loaded, pre-calculated and/or trained by theneural network engine 449. In order to have access to the database, theneural network engine 449 operates a series of read and write commands through thememory controller 450. Thespecific protocol bus 451 with bidirectional mode reads the target flash memory circuit. If the calculation of theneural network engine 449 detects an abnormality such as ransomware resulting in a match, theneural network engine 449 sends a signal warning through abus line 452 to the target solid state drive control Device.

表1及2展示根據所主張標的之實施例的範例的演算法，儘管熟習所述技術者已知的任何其它適當演算法亦可被利用。Tables 1 and 2 show algorithms according to examples of embodiments of the claimed subject matter, although any other suitable algorithms known to those skilled in the art may also be used.

表1：演算法：卷積演算法

Table 1: Algorithm: Convolution Algorithm

在某些實施例中，在此所述的平台、系統、媒體、以及方法包含一數位處理裝置、或是使用相同類型的裝置。在許多實施例中，所述數位處理裝置包含一或多個硬體的中央處理單元(CPU)或是一般用途的圖形處理單元(GPU)，其實行所述一或多個裝置的功能。在某些實施例中，所述數位處理裝置進一步包括一作業系統，其被配置以實行可執行指令。在許多實施例中，所述數位處理裝置選配地連接至一電腦網路。在另一實施例中，所述數位處理裝置選配地連接至例如網際網路的一網路，此給予其接達位在全球資訊網上的伺服器的能力。在另外其它實施例中，所述數位處理裝置選配地連接至一雲端計算的基礎結構。在其它實施例中，所述數位處理裝置選配地連接至一內部網路。在其它實施例中，所述數位處理裝置選配地連接至一資料儲存裝置。In some embodiments, the platforms, systems, media, and methods described herein include a digital processing device or use the same type of device. In many embodiments, the digital processing device includes one or more hardware central processing units (CPU) or general-purpose graphics processing units(GPU), which performs the functions of the one or more devices. In some embodiments, the digital processing device further includes an operating system configured to execute executable instructions. In many embodiments, the digital processing device is optionally connected to a computer network. In another embodiment, the digital processing device is optionally connected to a network such as the Internet, which gives it the ability to access servers on the World Wide Web. In still other embodiments, the digital processing device is optionally connected to a cloud computing infrastructure. In other embodiments, the digital processing device is optionally connected to an internal network. In other embodiments, the digital processing device is optionally connected to a data storage device.

根據在此的說明，適當的數位處理裝置包含(舉非限制性的例子)伺服器電腦、桌上型電腦、膝上型電腦、筆記型電腦、小型筆記型電腦、小筆電電腦、網路平板電腦、機上盒電腦、媒體串流裝置、手持式電腦、網際網路設備、行動智慧型手機、平板電腦、個人數位助理、電玩遊戲機、以及車輛。According to the description here, suitable digital processing devices include (to give non-limiting examples) server computers, desktop computers, laptop computers, notebook computers, small notebook computers, small laptop computers, and Internet Tablet computers, set-top box computers, media streaming devices, handheld computers, Internet devices, mobile smartphones, tablets, personal digital assistants, video game consoles, and vehicles.

具有此項技術的技能者將會體認到許多智慧型手機適合用於在此所述的系統。具有此項技術的技能者亦將會體認到選擇具有選配的電腦網路連接性的電視、視訊播放器、以及數位音樂播放器適合用於在此所述的實施例。適當的平板電腦包含具有此項技術的技能者已知的那些具有書本功能(booklet)、直板式(slate)、以及可轉換配置的平板電腦。Those skilled in this technology will recognize that many smart phones are suitable for use in the system described here. Those skilled in this technology will also realize that selecting TVs, video players, and digital music players with optional computer network connectivity are suitable for the embodiments described herein. Suitable tablet computers include those with booklet, slate, and convertible configurations known to those skilled in the art.

在某些實施例中，所述數位處理裝置包含一作業系統，其被配置以實行可執行指令。所述作業系統例如是包含程式及資料的軟體，其管理所述裝置的硬體並且提供服務以用於應用程式的實行。具有此項技術的技能者將會體認到適當的伺服器作業系統包含(舉非限制性的例子)FreeBSD、OpenBSD、NetBSD®、Linux、Apple® Mac OS X Server®、Oracle® Solaris®、Windows Server®、以及Novell® NetWare®。具有此項技術的技能者將會體認到適當的個人電腦作業系統包含(舉非限制性的例子)Microsoft® Windows®、Apple® Mac OS X®、UNIX®、以及類UNIX的作業系統，例如GNU/Linux®。在某些實施例中，所述作業系統由雲端計算所提供的。具有此項技術的技能者亦將會體認到適當的行動智慧型手機作業系統包含(舉非限制性的例子)Nokia® Symbian® OS、Apple® iOS®、Research In Motion® BlackBerry OS®、Google® Android®、Microsoft® Windows Phone® OS、Microsoft® Windows Mobile® OS、Linux®、以及Palm® WebOS®。具有此項技術的技能者亦將會體認到適當的媒體串流裝置作業系統包含(舉非限制性的例子)Apple TV®、Roku®、Boxee®、Google TV®、Google Chromecast®、Amazon Fire®、以及Samsung® HomeSync®。具有此項技術的技能者亦將會體認到適當的電玩遊戲主機作業系統包含(舉非限制性的例子)Sony® PS3®、Sony® PS4®、Microsoft® Xbox 360®、Microsoft Xbox One、Nintendo® Wii®、Nintendo® Wii U®、以及Ouya®。In some embodiments, the digital processing device includes an operating system configured to execute executable instructions. The operating system is, for example, software including programs and data, which manages the hardware of the device and provides services for the execution of applications. Those skilled in this technology will recognize that appropriate server operating systems include (non-limiting examples) FreeBSD, OpenBSD, NetBSD®, Linux, Apple® Mac OS X Server®, Oracle® Solaris®, Windows Server®, and Novell® NetWare®. Those skilled in this technology will recognize that appropriate personal computer operating systems include (to give non-limiting examples) Microsoft® Windows®, Apple® Mac OS X®, UNIX®, and UNIX-like operating systems, such as GNU/Linux®. In some embodiments,The operating system is provided by cloud computing. Those skilled in this technology will also realize that appropriate mobile smartphone operating systems include (to give non-limiting examples) Nokia® Symbian® OS, Apple® iOS®, Research In Motion® BlackBerry OS®, Google ® Android®, Microsoft® Windows Phone® OS, Microsoft® Windows Mobile® OS, Linux®, and Palm® WebOS®. Those skilled in this technology will also realize that appropriate media streaming device operating systems include (to give non-limiting examples) Apple TV®, Roku®, Boxee®, Google TV®, Google Chromecast®, Amazon Fire ®, and Samsung® HomeSync®. Those skilled in this technology will also realize that appropriate console operating systems for video game consoles include (to give non-limiting examples) Sony® PS3®, Sony® PS4®, Microsoft® Xbox 360®, Microsoft Xbox One, Nintendo ® Wii®, Nintendo® Wii U®, and Ouya®.

在某些實施例中，所述裝置包含一儲存及/或記憶體裝置。所述儲存及/或記憶體裝置是被用來暫時或永久地儲存資料或程式的一或多個物理設備。在某些實施例中，所述裝置是揮發性記憶體，因而需要電力以維持儲存資訊。在某些實施例中，所述裝置是非揮發性記憶體，因而在所述數位處理裝置未被供電時仍保持儲存資訊。在另一實施例中，所述非揮發性記憶體包括快閃記憶體。在某些實施例中，所述非揮發性記憶體包括動態隨機存取記憶體(DRAM)。在某些實施例中，所述非揮發性記憶體包括鐵電隨機存取記憶體(FRAM)。在某些實施例中，所述非揮發性記憶體包括相變隨機存取記憶體(PRAM)。在其它實施例中，所述裝置是一儲存裝置，其包含(舉非限制性的例子)CD-ROM、DVD、快閃記憶體裝置、磁碟機、磁帶機、光碟機、以及雲端計算為基礎的儲存。在另一實施例中，所述儲存及/或記憶體裝置是例如那些在此所記載裝置的一組合。In some embodiments, the device includes a storage and/or memory device. The storage and/or memory device is one or more physical devices used to temporarily or permanently store data or programs. In some embodiments, the device is a volatile memory and therefore requires power to maintain stored information. In some embodiments, the device is a non-volatile memory, so that information is kept stored when the digital processing device is not powered. In another embodiment, the non-volatile memory includes flash memory. In some embodiments, the non-volatile memory includes dynamic random access memory (DRAM). In some embodiments, the non-volatile memory includes ferroelectric random access memory (FRAM). In some embodiments, the non-volatile memory includes phase change random access memory (PRAM). In other embodiments, the device is a storage device, which includes (to give non-limiting examples) CD-ROM, DVD, flash memory device, disk drive, tape drive, optical disk drive, and cloud computing as Basic storage. In another embodiment, the storage and/or memory device is a combination of devices such as those described herein.

在某些實施例中，在此記載的平台、系統、媒體、以及方法包含一或多個非暫態的電腦可讀取儲存媒體，其被編碼有包含指令的一程式，所述指令可藉由一選配地連網的數位處理裝置的作業系統來執行。在另一實施例中，一電腦可讀取儲存媒體是一數位處理裝置的一實體構件。在另外其它實施例中，一電腦可讀取儲存媒體選配地可從一數位處理裝置拆卸的。在某些實施例中，一電腦可讀取儲存媒體包含(舉非限制性的例子)CD-ROM、DVD、快閃記憶體裝置、固態記憶體、磁碟機、磁帶機、光碟機、雲端計算系統及服務、與類似者。在某些情形中，所述程式及指令是永久地、實質永久地、半永久地、或是非暫時地被編碼在所述媒體上。In some embodiments, the platforms, systems, media, and methods described herein include one or more non-transitory computer-readable storage media, which are encoded with a program containing instructions, and the instructions can be It is executed by the operating system of an optionally connected digital processing device. In another embodiment, aThe computer-readable storage medium is a physical component of a digital processing device. In still other embodiments, a computer-readable storage medium is optionally detachable from a digital processing device. In some embodiments, a computer readable storage medium includes (to give non-limiting examples) CD-ROM, DVD, flash memory device, solid state memory, magnetic disk drive, tape drive, optical disk drive, cloud Computing systems and services, and similar ones. In some cases, the programs and instructions are permanently, substantially permanently, semi-permanently, or non-temporarily encoded on the medium.

在許多實施例中，在此記載的平台、系統、媒體、以及方法包含至少一電腦程式、及/或其用途。一電腦程式包含一序列的指令，其可在所述數位處理裝置的CPU中執行的，被撰寫以執行一指定工作。電腦可讀取指令可被實施為程式模組，例如是函數、物件、應用程式介面(API)、資料結構、與類似者，其執行特定工作或是實施特定的抽象資料類型。根據在此所提供的本記載內容，具有此項技術的技能者將會體認到根據所述實施例的一電腦程式可用各種版本的各種語言來撰寫。In many embodiments, the platforms, systems, media, and methods described herein include at least one computer program and/or uses thereof. A computer program includes a sequence of instructions that can be executed in the CPU of the digital processing device and is written to perform a specified task. Computer readable instructions can be implemented as program modules, such as functions, objects, application programming interfaces (APIs), data structures, and the like, which perform specific tasks or implement specific abstract data types. According to the content provided here, those skilled in the art will realize that a computer program according to the embodiment can be written in various versions and languages.

所述電腦可讀取指令的功能可在各種環境中，根據需要來組合或是分散。在某些實施例中，一電腦程式包括一序列的指令。在某些實施例中，一電腦程式包括複數個序列的指令。在某些實施例中，一電腦程式從一位置提供的。在其它實施例中，一電腦程式從複數個位置提供的，其包含內嵌或是位在硬體中的程式。在各種的實施例中，一電腦程式包含一或多個軟體模組。在各種實施例中，一電腦程式(部分或整體)包含一或多個網頁應用程式、一或多個行動應用程式、一或多個單機式獨立的應用程式、一或多個網頁瀏覽器插件、擴充功能、外掛程式、或附加元件、或是其之組合。The functions of the computer readable instructions can be combined or dispersed according to needs in various environments. In some embodiments, a computer program includes a sequence of instructions. In some embodiments, a computer program includes a plurality of sequences of instructions. In some embodiments, a computer program is provided from a location. In other embodiments, a computer program is provided from a plurality of locations, including programs that are embedded or located in hardware. In various embodiments, a computer program includes one or more software modules. In various embodiments, a computer program (partially or wholly) includes one or more web applications, one or more mobile applications, one or more stand-alone independent applications, and one or more web browser plug-ins , Extensions, plug-ins, or additional components, or a combination thereof.

某些實施例包含一關聯式資料庫管理系統(RDBMS)。RDBMS的適當例子包含Firebird、MySQL、PostgreSQL、SQLite、Oracle Database、Microsoft SQLServer、IBM DB2、IBM Informix、SAP Sybase、SAP Sybase、Teradata、與類似者。熟習此項技術者將會體認到有大量的硬體及軟體配置可利用以達成所述實施例的結果，而不脫離所主張標的之範疇。Some embodiments include a relational database management system (RDBMS). Suitable examples of RDBMS include Firebird, MySQL, PostgreSQL, SQLite, Oracle Database, Microsoft SQLServer, IBM DB2, IBM Informix, SAP Sybase, SAP Sybase, Teradata, andSimilar. Those familiar with the technology will realize that there are a large number of hardware and software configurations available to achieve the results of the described embodiments without departing from the scope of the claimed subject matter.

在某些實施例中，使用於所述實施例的一電腦程式包含一單機式應用程式，其是運作為一獨立式電腦程序的一程式，而不是一現有程序中的附加元件，例如不是外掛。具有此項技術的技能者將會體認到單機式應用程式通常被編譯的。一編譯器是轉換用一程式化語言而被撰寫的原始碼成為二進位目的碼(例如組合語言或機器碼)的電腦程式。適當的編譯的程式化語言包含(舉非限制性的例子)C、C++、Objective-C、COBOL、Delphi、Eiffel、Java^TM、Lisp、Python^TM、Visual Basic、以及VB.NET、或是其之組合。編輯通常被執行(至少部分)以產生一可執行程式。在某些實施例中，一電腦程式包含一或多個可執行的編譯應用程式。這些應用程式或程式可被使用於所主張標的之各種實施例。In some embodiments, a computer program used in the embodiment includes a stand-alone application program, which is a program that operates as a stand-alone computer program, rather than an additional component in an existing program, such as not a plug-in . Those skilled in this technology will realize that stand-alone applications are usually compiled. A compiler is a computer program that converts source code written in a programming language into binary object code (such as assembly language or machine code). Appropriate compiled programming languages include (to give non-limiting examples) C, C++, Objective-C, COBOL, Delphi, Eiffel, Java^TM , Lisp, Python^TM , Visual Basic, and VB.NET, or some of them combination. Editing is usually performed (at least partially) to produce an executable program. In some embodiments, a computer program includes one or more executable compiled application programs. These applications or programs can be used in various embodiments of the claimed subject matter.

在某些實施例中，在此記載的平台、系統、媒體、以及方法包含軟體、伺服器、及/或資料庫模組、或是其用途。考慮到在此提出的本記載內容，軟體模組藉由具有此項技術的技能者已知的技術，利用所述技術已知的機器、軟體、以及語言來產生。在此記載的軟體模組用任意數種方式來加以實施。在各種實施例中，一軟體模組包括一檔案、一區段碼、一程式化物件、一程式化結構、或是其之組合。在另外的各種實施例中，一軟體模組包括複數個檔案、複數個區段的碼、複數個程式化物件、複數個程式化結構、或是其之組合。在各種實施例中，所述一或多個軟體模組包括(舉非限制性的例子)一網頁應用程式、一行動應用程式、以及一單機式應用程式。在某些實施例中，軟體模組在一電腦程式或應用程式中。在其它實施例中，軟體模組在超過一個電腦程式或應用程式中。在某些實施例中，軟體模組寄宿在一機器上。在其它實施例中，軟體模組寄宿在超過一個機器上。在另一實施例中，軟體模組是寄宿在雲端計算平台上。在某些實施例中，軟體模組寄宿在一位置中的一或多個機器上。在其它實施例中，軟體模組寄宿在超過一個位置中的一或多個機器上。In some embodiments, the platforms, systems, media, and methods described herein include software, servers, and/or database modules, or their uses. Taking into account the contents of this description proposed here, the software module is produced by using a technology known to those skilled in the art, using machines, software, and languages known to the technology. The software modules described here can be implemented in any number of ways. In various embodiments, a software module includes a file, a section code, a program object, a program structure, or a combination thereof. In other various embodiments, a software module includes a plurality of files, a plurality of section codes, a plurality of programming objects, a plurality of programming structures, or a combination thereof. In various embodiments, the one or more software modules include (to give non-limiting examples) a web application, a mobile application, and a stand-alone application. In some embodiments, the software module is in a computer program or application program. In other embodiments, the software module is in more than one computer program or application program. In some embodiments, the software module is hosted on a machine. In other embodiments, the software module is hosted on more than one machine. In another embodiment, the software module is hosted on a cloud computing platform. In some embodiments, the software modules are hosted on one or more machines in a location. In other embodiments, the software moduleHosted on one or more machines in more than one location.

在某些實施例中，在此記載的平台、系統、媒體、以及方法包含一或多個資料庫、或是其用途。考慮到在此提出的本記載內容，具有此項技術的技能者將會體認到許多資料庫適合用於例如一或多個記錄以及所述一或多個記錄的索引之內容以及相關資訊的儲存及取出。在各種實施例中，適當的資料庫包含(舉非限制性的例子)關聯式資料庫、非關聯式資料庫、物件導向資料庫、物件資料庫、實體關係模型資料庫、關聯資料庫、以及XML資料庫。另外非限制性的例子包含SQL、PostgreSQL、MySQL、Oracle、DB2、以及Sybase。在某些實施例中，一資料庫以網際網路為基礎的。在另一實施例中，一資料庫以網頁為基礎的。在另外其它實施例中，一資料庫是雲端計算為基礎的。在其它實施例中，一資料庫是根據包含SSD裝置的一或多個本地電腦儲存裝置。In some embodiments, the platforms, systems, media, and methods described herein include one or more databases, or their uses. Considering the content of this record proposed here, those skilled in this technology will realize that many databases are suitable for use in, for example, one or more records and the content of the index of the one or more records and related information. Store and take out. In various embodiments, suitable databases include (to give non-limiting examples) relational databases, non-relational databases, object-oriented databases, object databases, entity relationship model databases, relational databases, and XML database. Other non-limiting examples include SQL, PostgreSQL, MySQL, Oracle, DB2, and Sybase. In some embodiments, a database is Internet-based. In another embodiment, a database is web-based. In still other embodiments, a database is based on cloud computing. In other embodiments, a database is based on one or more local computer storage devices including SSD devices.