IBM adds real-time malware IO detection to flash drives

Malware detection

IBM has added real-time detection of ransomware and other attacks using machine learning to the firmware of its latest FlashCore Modules (FCMs).

Update, 4 March 2024: IBM comments added at the end (see Bootnote).

These FCMs are proprietary flash drives used in IBM's NVMe-based FlashSystem arrays (IBM retired the Storwize name some time ago; see the Bootnote for which models take them). They come in a U.2 form factor with an NVMe interface. The existing gen 3 FCMs come in 4.8, 9.6, 19.2, and 38.4 TB usable capacity levels, with the 19.2 and 38.4 TB FCMs having a PCIe 4 connection; the other capacities use PCIe gen 3. Onboard compression increases effective capacity by up to 2.3x.

Sam Werner, IBM Storage Product Management VP, blogs: “The FCM4 technology in new FlashSystem arrays is designed to capture and summarize detailed statistics about every I/O in real time. FlashSystem uses machine learning models to distinguish ransomware and malware from normal behavior, enabling organizations to take immediate action and keep operating in the event of an attack.”

He says: “Existing IBM FlashSystem products scan all incoming data down to block level granularity without impact to performance as it’s being written, using inline data corruption detection software and cloud-based AI to help identify anomalies that might indicate the start of a cyber-attack, thereby enabling the system to detect, respond, and rapidly recover with immutable copies. The new technology enabled by FCM4 is designed to continuously monitor statistics gathered from every single I/O using machine learning models to detect anomalies like ransomware in less than a minute.”
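To make the idea in the two quotes above concrete, here is an added example of what "summarize statistics about every I/O and score the summary for ransomware-like behaviour" can look like. It is not IBM's code and says nothing about what FCM4 firmware actually measures; the two features (fraction of writes that are incompressible, and fraction that overwrite existing blocks), the window size, the z-score rule and the constructed workload are all assumptions chosen for illustration. A drive that already compresses inline, as FCMs do, gets the compressibility signal almost for free, which is why it is used here instead of a heavier model.

```python
"""Toy per-I/O statistics plus anomaly scoring (added example, not FCM firmware).

Writes are summarised per window of WINDOW I/Os; a simple z-score rule learned
from the first few windows stands in for the ML model the article mentions.
"""
import math
import random
import statistics
import zlib
from dataclasses import dataclass

BLOCK = 4096        # bytes per write in the constructed workload
WINDOW = 64         # I/Os per summary window (stand-in for a time slice)
LBA_SPACE = 4096    # size of the constructed volume, in blocks


@dataclass
class WriteIO:
    lba: int
    data: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniformly random bytes (or ciphertext) approach 8.0."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def compression_ratio(data: bytes) -> float:
    """len(original) / len(deflated): ciphertext and compressed media sit near 1.0."""
    return len(data) / max(1, len(zlib.compress(data, 6)))


def summarize_window(window, seen_lbas):
    """Per-window summary statistics; seen_lbas is updated in place."""
    incompressible = 0
    overwrites = 0
    for io in window:
        # Hypothetical "incompressible" rule: high entropy AND deflate does not help.
        if shannon_entropy(io.data) > 7.5 and compression_ratio(io.data) < 1.05:
            incompressible += 1
        if io.lba in seen_lbas:
            overwrites += 1
        seen_lbas.add(io.lba)
    n = len(window)
    return {"incompressible_frac": incompressible / n, "overwrite_frac": overwrites / n}


def detect(ios, baseline_windows=8, z_threshold=4.0, overwrite_min=0.5):
    """Return (index of first flagged window or None, list of window summaries).

    The first `baseline_windows` windows train mean/std of the incompressible
    fraction; a later window is flagged when that fraction is a z_threshold
    outlier AND most of its writes overwrite blocks that already hold data
    (an encryptor rewrites existing files; a backup or media copy mostly does not).
    """
    seen = set()
    summaries = []
    baseline = []
    for start in range(0, len(ios) - WINDOW + 1, WINDOW):
        s = summarize_window(ios[start:start + WINDOW], seen)
        summaries.append(s)
        if len(baseline) < baseline_windows:
            baseline.append(s["incompressible_frac"])
            continue
        mean = statistics.fmean(baseline)
        std = max(statistics.pstdev(baseline), 0.05)  # floor so a flat baseline is not an outlier factory
        s["z"] = (s["incompressible_frac"] - mean) / std
        if s["z"] > z_threshold and s["overwrite_frac"] >= overwrite_min:
            return len(summaries) - 1, summaries
    return None, summaries


def constructed_workload(seed=7, benign_windows=24, attack_windows=8):
    """Constructed input: benign writes (log-like text, ~12% already-compressed
    media) followed by an encryptor rewriting existing blocks with random bytes,
    which stand in for ciphertext. Returns (ios, index of first attack window)."""
    rng = random.Random(seed)
    ios, written = [], []
    for i in range(benign_windows * WINDOW):
        lba = rng.randrange(LBA_SPACE)
        if rng.random() < 0.12:
            data = rng.randbytes(BLOCK)  # e.g. a chunk of a JPEG or zip
        else:
            line = b"%08d GET /index.html 200 %d\r\n" % (i, rng.randrange(100000))
            data = (line * (BLOCK // len(line) + 1))[:BLOCK]
        written.append(lba)
        ios.append(WriteIO(lba, data))
    for _ in range(attack_windows * WINDOW):
        ios.append(WriteIO(rng.choice(written), rng.randbytes(BLOCK)))
    return ios, benign_windows


if __name__ == "__main__":
    ios, onset = constructed_workload()
    flagged, summaries = detect(ios)
    print(f"attack starts at window {onset}, first alert at window {flagged}")
    print(f"detection latency: {(flagged - onset + 1) * WINDOW} I/Os after onset")
```

Two design points carry over to any real deployment. First, the baseline must cover legitimate incompressible traffic (media, already-compressed backups, TLS-encrypted database pages) or every large copy becomes an alert; that is why the example corroborates with the overwrite fraction rather than trusting entropy alone. Second, detection in the drive is only the sensor: the alert still has to reach something that can take an immutable snapshot or fence the host, which is the role the article assigns to Storage Defender.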

The gen 4 FCMs interoperate with IBM Storage Defender software, which incorporates Index Engines’ CyberSense code and Cohesity’s DataProtect offering. Storage Defender uses AI with event monitoring across multiple storage platforms to help detect ransomware, human error, and sabotage.

Werner says: “FCM works with Storage Defender to provide end-to-end data resilience across primary and secondary workloads with AI-powered sensors that provide earlier notification of cyber threats so enterprises can recover faster.”

Storage Defender has expanded its threat detection capabilities with the AI-powered FCM hardware “and software sensors that inform an industry leading index of the relative trustworthiness of copies, whether backup or primary snapshots. Additionally, IBM Storage Defender includes sensors developed by IBM Research that are engineered to detect potential threats, such as ransomware, in near real time and raise high fidelity alerts to security tools.”

IBM has also added “workload and storage inventory management capabilities to IBM Storage Defender to help organizations assess their applications and data so they can properly incorporate all their assets in a business continuity plan to recover a minimum viable company after a cyberattack.”

In Werner’s view: “Threat actors are now deploying AI-based cyber-attacks, and we must fight fire with fire. Our new FlashCore Module hardware and Storage Defender software both leverage IBM’s AI capabilities to help them better address this challenge.”

Were standard SSD suppliers such as Micron, Samsung, SK hynix, and Kioxia/Western Digital to add similar real-time AI scanning of SSD I/Os, a detector inside the drive could only raise the alarm; they would still need to send attack alerts upstream to some system management resource that can act on them, for example by taking an immutable snapshot or isolating the affected volume. IBM's Storage Defender is that resource for its customers. The commercial-off-the-shelf SSD suppliers don't have similar functionality unless they partner with an upstream software vendor.

Bootnote

Barry Whyte, Principal Storage Technical Specialist and IBM Master Inventor, told us: “The FCM4 are PCIe Gen 4 across all capacities now. They are also now using ‘Charge-Trap’ NAND technology which allows us to use the 176-layer NAND which gives faster programming times, best economics – but of course needs the intelligence in the computation storage that is FCM – no other vendor has anything close! Also, the FCM are across all NVMe based FlashSystem (we dropped the Storwize name some time ago) so 5200, 7300, 9500 (the other smaller 5000, 5015, 5045 are still SAS based and can’t use FCMs).”