NetApp intros AI-driven ransomware detection

AI everywhere

NetApp is previewing an ONTAP AI-powered automated ransomware protection service, which a UK-based testing lab says detects 99 percent of ransomware attacks.

ONTAP’s ARP/AI service detects ransomware attacks against data in a NetApp array in real time. The SE Labs testing facility provides independent testing and consulting services to cybersecurity vendors and end users, giving the top products A, AA, or AAA awards. It also funds its own comparative studies and awards. SE Labs tested NetApp ARP/AI against hundreds of known ransomware variants and recorded a 99 percent detection rate. NetApp ARP/AI also correctly identified 100 percent of legitimate files, flagging no false positives.

Dr Arun Gururajan, Research & Data Science VP at NetApp, stated: “NetApp has passed a significant milestone in the fight against ransomware as the first and only storage vendor to offer AI-driven on-box ransomware detection with externally validated top-notch protection effectiveness.”

He criticized reliance on ransomware detection using backup datasets. “Ransomware detection methodologies that rely only on backup data are too slow to effectively mitigate the risks businesses face from cybersecurity threats. NetApp ARP/AI hardens enterprise storage by providing robust, built-in detection capabilities that can respond to ransomware threats in real time.” Gururajan says NetApp wants to provide “the most secure storage on the planet.”

NetApp says ARP, first introduced in 2021, uses workload analysis in NAS (NFS and SMB) environments to proactively detect and warn about abnormal activity that might indicate a ransomware attack. Its ransomware detection is based on:

  • Identification of the incoming data as encrypted or plaintext
  • Analytics, which detect
    • Entropy: An evaluation of the randomness of data in a file
    • File extension types: An extension that does not conform to the normal extension type
    • File IOPS: A surge in abnormal volume activity with data encryption

When an attack is suspected, ARP creates new Snapshot copies, in addition to existing protection from scheduled Snapshot copies. After a learning period of up to 30 days, it can detect the spread of most ransomware attacks after only a small number of files are encrypted, take action automatically to protect data, and alert you that a suspected attack is happening.

ARP/AI goes further. It will offer near real-time detection of ransomware attacks – from file entropy changes, extensions, header manipulations, partial encryption, and more.
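The entropy, extension, and header signals listed above can be sketched in a few lines. This is an added illustration, not NetApp's code or model: the thresholds, chunk size, extension allow-list, and sample data are all assumptions, and the file IOPS signal is left out.

```python
import hashlib
import math
import os
from collections import Counter

# Assumed values for illustration only; not NetApp's thresholds or model.
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted data approaches 8.0
CHUNK_SIZE = 4096
EXPECTED_EXTENSIONS = {".txt", ".pdf", ".zip"}           # the share's "normal" types
KNOWN_MAGIC = {".pdf": b"%PDF", ".zip": b"PK\x03\x04"}   # expected file headers

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def high_entropy_fraction(data: bytes) -> float:
    """Share of full chunks above the threshold. Scoring per chunk exposes
    partial encryption that a whole-file average would dilute."""
    chunks = [data[i:i + CHUNK_SIZE]
              for i in range(0, len(data) - CHUNK_SIZE + 1, CHUNK_SIZE)] or [data]
    return sum(shannon_entropy(c) > ENTROPY_THRESHOLD for c in chunks) / len(chunks)

def assess_write(name: str, data: bytes) -> list[str]:
    """Return the indicators tripped by one written file."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    if ext not in EXPECTED_EXTENSIONS:
        findings.append("unexpected_extension")
    magic = KNOWN_MAGIC.get(ext)
    if magic and not data.startswith(magic):
        findings.append("header_mismatch")
    fraction = high_entropy_fraction(data)
    if fraction == 1.0:
        findings.append("high_entropy")
    elif fraction > 0:
        findings.append("partial_high_entropy")
    return findings

def is_suspicious(findings: list[str]) -> bool:
    """Entropy alone also fires on compressed files, so require a second signal."""
    return any("entropy" in f for f in findings) and len(findings) > 1

def constructed_random(n: int) -> bytes:
    """Constructed stand-in for ciphertext: a deterministic SHA-256 byte stream."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32))

PLAIN = (b"Quarterly report line\n" * 400)[:8192]   # constructed plaintext sample
```

A legitimate compressed archive trips the entropy indicator on its own, which is why the sketch only treats a write as suspicious when entropy is paired with an extension or header anomaly.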

SE Labs ransomware software table from NetApp ARP/AI report

There are no other SE Labs reports evaluating in-array malware attack capabilities, so no direct comparisons with other suppliers are possible. However, Infinidat has just announced its automated cyber resiliency system, InfiniSafe Automated Cyber Protection (ACP).

Infinidat states: “Leveraging real-time monitoring that exists within many company security operations centers and the speed of compute on any alert level, a security team may define a trigger to automatically and immediately create immutable snapshots on an Infinidat storage environment thus reducing the risk of damaging data corruption, data deletion, data encryption, etc.

“InfiniSafe Cyber Detection performs deep scanning of block, file, and database stores by presenting InfiniBox and InfiniBox™ SSA immutable snapshots to a powerful AI-based scanning engine … scanning uses more than 200 data points to determine which data may have been compromised with 99.5 percent accuracy.”

Infinidat’s Cyber Detection is based on Index Engines’ machine learning model technology. This is also being used by Dell and IBM.

NetApp says its ARP/AI detection technology continuously adapts and evolves as new ransomware variants are discovered. There are non-disruptive updates to model parameters that are seamless and can be done at any time, independent of ONTAP release cycles. ARP/AI is currently in tech preview. Customers can request tech preview participation by contacting their NetApp sales rep.

Download the SE Labs NetApp ARP/AI report here.