RANSOMWARE DETECTION METHOD AND RANSOMWARE DETECTION SYSTEM

Abstract

The present invention relates to a ransomware detection method and a ransomware detection system capable of preventing ransomware by detecting ransomware activity inside a NAND flash memory-based solid state drive (SSD). More particularly, the ransomware detection method comprises the steps of: classifying files that are infected with ransomware and periodically monitoring, at each predefined monitoring time, IO requests with respect to files having the same magic number as the classified files in order to detect the ransomware; identifying, on the basis of the distribution of the monitored IO request headers, whether overwriting has occurred on a memory block having the same logical block address (LBA) as a read-requested block; counting, on the basis of that identification, the number of overwrites according to a plurality of predefined features in order to specify the operation characteristics of the ransomware; and detecting ransomware activity on the basis of the counted number of overwrites.
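The overwrite-counting step described in the abstract, sketched as an added example (not code from the patent): a detector that remembers read-requested LBAs within one monitoring period and counts writes that land on the same LBA. The header layout, table size, period length, threshold, and the use of a single feature (overwrites per period) are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Assumed parameters; the abstract does not give values. */
#define SLOTS 1024u        /* size of the lossy table of read LBAs */
#define WINDOW 100u        /* monitoring period, in ticks */
#define OW_THRESHOLD 4u    /* overwrites per period that raise an alarm */

enum io_op { IO_READ, IO_WRITE };
struct io_hdr { uint32_t t; enum io_op op; uint64_t lba; }; /* hypothetical header */
struct detector {
    uint64_t read_lba[SLOTS];  /* stores lba + 1; 0 marks an empty slot */
    uint32_t window_start;
    unsigned overwrites;
};

void det_reset(struct detector *d, uint32_t now) {
    memset(d, 0, sizeof *d);
    d->window_start = now;
}

/* Feed one IO header; returns 1 once the current period reaches the threshold. */
int det_feed(struct detector *d, const struct io_hdr *h) {
    if (h->t - d->window_start >= WINDOW)
        det_reset(d, h->t);               /* start a new monitoring period */
    size_t slot = (size_t)(h->lba % SLOTS);
    if (h->op == IO_READ) {
        d->read_lba[slot] = h->lba + 1;   /* remember the read-requested block */
    } else if (d->read_lba[slot] == h->lba + 1) {
        d->read_lba[slot] = 0;            /* count each read-then-overwrite once */
        d->overwrites++;
    }
    return d->overwrites >= OW_THRESHOLD;
}

/* Scan a trace; returns the index of the header that triggered, or -1. */
int det_scan(const struct io_hdr *trace, size_t n) {
    struct detector d;
    if (n == 0) return -1;
    det_reset(&d, trace[0].t);
    for (size_t i = 0; i < n; i++)
        if (det_feed(&d, &trace[i])) return (int)i;
    return -1;
}

/* Constructed sample traces: read-then-overwrite in place vs. copy elsewhere. */
const struct io_hdr encrypt_like[8] = {
    {0, IO_READ, 100}, {1, IO_WRITE, 100}, {2, IO_READ, 101}, {3, IO_WRITE, 101},
    {4, IO_READ, 102}, {5, IO_WRITE, 102}, {6, IO_READ, 103}, {7, IO_WRITE, 103}};
const struct io_hdr benign[8] = {
    {0, IO_READ, 100}, {1, IO_WRITE, 200}, {2, IO_READ, 101}, {3, IO_WRITE, 201},
    {4, IO_READ, 102}, {5, IO_WRITE, 202}, {6, IO_READ, 103}, {7, IO_WRITE, 203}};
```

Because the table is reset at each period boundary, a read in one period followed by a write in the next is not counted in this sketch.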