Abstract: A method, computing device, and non-transitory machine-readable medium for detecting malware attacks and mitigating data loss. In various embodiments, an agent is implemented in the operating system of a storage node to provide protection at the bottommost level in a data write path. The agent intercepts write requests and observes file events over time to detect anomalous behavior. For example, the agent may monitor incoming write requests and, when an incoming write request is detected, determine whether the file is associated with a malware attack risk based on an analysis of an encryption state of data in the file.

Abstract: A method, a computing device, and a non-transitory machine-readable medium for detecting malware attacks. In one example, an agent implemented in an operating system detects an overwrite in which an original data component is overwritten with a new data component. The agent computes a plurality of features associated with the overwrite, the plurality of features including an original entropy corresponding to the original data component, a new entropy corresponding to the new data component, an overwrite fraction, and a set of divergence features. The agent determines whether the new data component is encrypted using the plurality of features.

Abstract: Methods and systems for a networked storage system is provided. One method includes transforming by a processor, performance parameters associated with storage volumes of a storage system for representing each storage volume as a data point in a parametric space; generating by the processor, a plurality of bins in the parametric space using the transformed performance parameters; adjusting by the processor, bin boundaries for the plurality of bins for defining a plurality of service levels for the storage system based on the performance parameters; and using the defined plurality of service levels for operating the storage system.

Abstract: A method, a computing device, and a non-transitory machine-readable medium for detecting malware attacks. In one example, an agent implemented in an operating system detects an overwrite in which an original data component is overwritten with a new data component. The agent computes a plurality of features associated with the overwrite, the plurality of features including an original entropy corresponding to the original data component, a new entropy corresponding to the new data component, an overwrite fraction, and a set of divergence features. The agent determines whether the new data component is encrypted using the plurality of features.

Abstract: Methods and systems for a networked storage system is provided. One method includes transforming by a processor, performance parameters associated with storage volumes of a storage system for representing each storage volume as a data point in a parametric space; generating by the processor, a plurality of bins in the parametric space using the transformed performance parameters; adjusting by the processor, bin boundaries for the plurality of bins for defining a plurality of service levels for the storage system based on the performance parameters; and using the defined plurality of service levels for operating the storage system.

Abstract: Techniques are provided for aggregate inline deduplication and volume granularity encryption. For example, data that is exclusive to a volume of a tenant is encrypted using an exclusive encryption key accessible to the tenant. The exclusive encryption key of that tenant is inaccessible to other tenants. Shared data that has been deduplicated and shared between the volume and another volume of a different tenant is encrypted using a shared encryption key of the volume. The shared encryption key is made available to other tenants. In this way, data can be deduplicated across multiple volumes of different tenants of a storage environment, while maintaining security and data privacy at a volume level.

Abstract: A method, computing device, and non-transitory machine-readable medium for detecting malware attacks and mitigating data loss. In various embodiments, an agent is implemented in the operating system of a storage node to provide protection at the bottommost level in a data write path. The agent intercepts write requests and observes file events over time to detect anomalous behavior. For example, the agent may monitor incoming write requests and, when an incoming write request is detected, determine whether the file is associated with a malware attack risk based on an analysis of an encryption state of data in the file.

Abstract: Techniques are provided for aggregate inline deduplication and volume granularity encryption. For example, data that is exclusive to a volume of a tenant is encrypted using an exclusive encryption key accessible to the tenant. The exclusive encryption key of that tenant is inaccessible to other tenants. Shared data that has been deduplicated and shared between the volume and another volume of a different tenant is encrypted using a shared encryption key of the volume. The shared encryption key is made available to other tenants. In this way, data can be deduplicated across multiple volumes of different tenants of a storage environment, while maintaining security and data privacy at a volume level.

Abstract: A method, computing device, and non-transitory machine-readable medium for detecting malware attacks and mitigating data loss. In various embodiments, an agent is implemented in the operating system of a storage node to provide protection at the bottommost level in a data write path. The agent intercepts write requests and observes file events over time to detect anomalous behavior. For example, the agent may monitor incoming write requests and, when an incoming write request is detected, determine whether the file is associated with a malware attack risk based on an analysis of an encryption state of data in the file. If the file is associated with a malware attack risk, an entry for the file is added to a file log. The agent may analyze the chi-square values for data written to the files, the file log, and the file format to determine whether a malware attack is underway.

Abstract: Techniques are provided for aggregate inline deduplication and volume granularity encryption. For example, data that is exclusive to a volume of a tenant is encrypted using an exclusive encryption key accessible to the tenant. The exclusive encryption key of that tenant is inaccessible to other tenants. Shared data that has been deduplicated and shared between the volume and another volume of a different tenant is encrypted using a shared encryption key of the volume. The shared encryption key is made available to other tenants. In this way, data can be deduplicated across multiple volumes of different tenants of a storage environment, while maintaining security and data privacy at a volume level.

Abstract: Techniques are provided for aggregate inline deduplication and volume granularity encryption. For example, data that is exclusive to a volume of a tenant is encrypted using an exclusive encryption key accessible to the tenant. The exclusive encryption key of that tenant is inaccessible to other tenants. Shared data that has been deduplicated and shared between the volume and another volume of a different tenant is encrypted using a shared encryption key of the volume. The shared encryption key is made available to other tenants. In this way, data can be deduplicated across multiple volumes of different tenants of a storage environment, while maintaining security and data privacy at a volume level.

Abstract: A method, a computing device, and a non-transitory machine-readable medium for detecting malware attacks. In one example, an agent implemented in an operating system detects an overwrite in which an original data component is overwritten with a new data component. The agent computes a plurality of features associated with the overwrite, the plurality of features including an original entropy corresponding to the original data component, a new entropy corresponding to the new data component, an overwrite fraction, and a set of divergence features. The agent determines whether the new data component is encrypted using the plurality of features.

Abstract: A method, a computing device, and a non-transitory machine-readable medium for detecting malware attacks (e.g., ransomware attacks) and mitigating data loss. In one or more embodiments, an agent is implemented in the operating system of a storage node to provide protection at the bottommost level in a data write path. The agent intercepts write requests and observes file events over time to detect anomalous behavior. For example, the agent may monitor incoming write requests and, when an incoming write request is detected, determine whether the file is associated with a malware attack risk based on an analysis of an encryption state of data in the file. If the file associated with a malware attack risk, an entry for the file is added to a file log. The agent may analyze the chi-square values for data written to the files, the file log, and the file format to determine whether a malware attack is underway.

Abstract: Methods and systems for document classification are provided. One method includes generating by a processor, a plurality of topics using content of a plurality of electronic documents, where each topic includes a plurality of words associated with the plurality of electronic documents; reducing by the processor, the plurality of topics to a subset of topics to represent the plurality of electronic documents based on a parameter indicating a property of each subset topic and separation between the subset topics; automatically generating by the processor, a tag for each subset topic, based on the tag's position within the subset topic; wherein each tag is an attribute of each subset topic; storing by the processor, the subset of topics with corresponding tags in a model data structure; and updating the model data structure by the processor based on one of a new topic and a new tag associated with an electronic document.

Abstract: Techniques are provided for aggregate inline deduplication and volume granularity encryption. For example, data that is exclusive to a volume of a tenant is encrypted using an exclusive encryption key accessible to the tenant. The exclusive encryption key of that tenant is inaccessible to other tenants. Shared data that has been deduplicated and shared between the volume and another volume of a different tenant is encrypted using a shared encryption key of the volume. The shared encryption key is made available to other tenants. In this way, data can be deduplicated across multiple volumes of different tenants of a storage environment, while maintaining security and data privacy at a volume level.

Abstract: Methods and systems for a networked storage system is provided. One method includes transforming by a processor, performance parameters associated with storage volumes of a storage system for representing each storage volume as a data point in a parametric space; generating by the processor, a plurality of bins in the parametric space using the transformed performance parameters; adjusting by the processor, bin boundaries for the plurality of bins for defining a plurality of service levels for the storage system based on the performance parameters; and using the defined plurality of service levels for operating the storage system.

Abstract: Methods and systems for document classification are provided. One method includes generating by a processor, a plurality of topics using content of a plurality of electronic documents, where each topic includes a plurality of words associated with the plurality of electronic documents; reducing by the processor, the plurality of topics to a subset of topics to represent the plurality of electronic documents based on a parameter indicating a property of each subset topic and separation between the subset topics; automatically generating by the processor, a tag for each subset topic, based on the tag's position within the subset topic; wherein each tag is an attribute of each subset topic; storing by the processor, the subset of topics with corresponding tags in a model data structure; and updating the model data structure by the processor based on one of a new topic and a new tag associated with an electronic document.

Abstract: A system and method for creating an accurate black-box model of a live storage system and for predicting performance of the storage system under a given workload is disclosed. An analytics engine determines a subset of counters that are relevant to performance of the storage system with respect to a particular output (e.g., throughput or latency) from performance data in counters of the storage system. Using the subset of counters, the analytics engine creates a workload signature for the storage system by using a recursive partitioning technique, such as a classification and regression tree. The analytics engine then creates the black-box model of the storage system performance by applying uncertainty measurement techniques, such as a Gaussian process, to the workload signature.

Abstract: A live non-volatile (NV) replay technique enables a partner node to efficiently takeover a failed node of a high-availability pair in a multi-node storage cluster by dynamically replaying operations synchronously logged in a non-volatile random access memory (NVRAM) of the partner node, while also providing high performance during normal operation. Dynamic live replay may be effected through interpretation of metadata describing the logged operations. The metadata may specify a location and type of each logged operation within a partner portion of the NVRAM, as well as any dependency among the logged operation and any other logged operations that would impose an ordering constraint. During normal operation, the partner node may consult the metadata to identify dependent logged operations and dynamically replay those operations to satisfy one or more requests.

Abstract: A live non-volatile (NV) replay technique enables a partner node to efficiently takeover a failed node of a high-availability pair in a multi-node storage cluster by dynamically replaying operations synchronously logged in a non-volatile random access memory (NVRAM) of the partner node, while also providing high performance during normal operation. Dynamic live replay may be effected through interpretation of metadata describing the logged operations. The metadata may specify a location and type of each logged operation within a partner portion of the NVRAM, as well as any dependency among the logged operation and any other logged operations that would impose an ordering constraint. During normal operation, the partner node may consult the metadata to identify dependent logged operations and dynamically replay those operations to satisfy one or more requests.