Storage device, storage system, and method of operating a storage system

By setting up a trap file region in the storage device and generating anomaly notifications, combined with the system controller slowing down the storage device and performing machine learning detection, the performance degradation caused by ransomware attacks is resolved, achieving efficient malware detection without affecting system performance.

CN122197008APending Publication Date: 2026-06-12SAMSUNG ELECTRONICS CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
SAMSUNG ELECTRONICS CO LTD
Filing Date
2025-12-11
Publication Date
2026-06-12

Smart Images

  • Figure CN122197008A_ABST
    Figure CN122197008A_ABST
Patent Text Reader

Abstract

A storage system and an operating method thereof are provided. The storage system includes a plurality of storage devices each configured to store a trap file, and a system controller configured to control the plurality of storage devices based on a plurality of commands received from a host. The system controller can be configured to reduce an operation speed of at least one storage device among the plurality of storage devices based on receiving an exception value notification from the at least one storage device, and to perform a malware detection operation based on a command corresponding to the exception value notification among the plurality of commands. The at least one storage device can be configured to transmit the exception value notification to the system controller based on detecting an access to a trap area of the trap file.
Need to check novelty before this filing date? Find Prior Art

Description

Cross-references to related applications

[0001] This application claims priority to Korean Patent Application No. 10-2024-0183993, filed on December 11, 2024, with the Korean Intellectual Property Office, the disclosure of which is incorporated herein by reference in its entirety. Technical Field

[0002] This disclosure relates to storage devices, storage systems, and methods for operating storage systems. Background Technology

[0003] Ransomware is malware that causes significant harm to users by secretly encrypting critical data, files, or folders and only releasing the decryption key after a ransom is paid. Ransomware attacks target various sectors, including healthcare, finance, energy, and media, and various solutions are being developed to counter them.

[0004] For example, input / output (I / O) commands can be analyzed in real time to detect ransomware attacks on storage systems. However, this leads to a degrade in storage system performance. Additional hardware accelerators are needed to address this issue. Summary of the Invention

[0005] One or more embodiments provide storage devices, storage systems, and methods for operating storage systems, all of which more effectively prevent the effects of malware without performance degradation.

[0006] According to one or more embodiments, a storage system includes: a plurality of storage devices and a system controller, each storage device being configured to store a trap file, and the system controller being configured to control the plurality of storage devices based on a plurality of commands received from a host. The system controller may be configured to reduce the operating speed of at least one storage device based on receiving an anomaly notification from at least one of the plurality of storage devices, and to perform malware detection operations based on a command corresponding to the anomaly notification among the plurality of commands. The at least one storage device may be configured to send an anomaly notification to the system controller based on detected access to a trap region of the stored trap file.

[0007] Each of the multiple storage devices can be configured to set the logical block address (LBA) range corresponding to the trap region as a write-protected region, and to send an exception notification to the system controller when an access to the write-protected region is detected.

[0008] Each of the multiple storage devices can be configured to send an exception value notification to the system controller via an asynchronous event.

[0009] Each of the plurality of storage devices can operate in one of a plurality of power states with different operating speeds, and the system controller can be configured to modify the power state of the at least one storage device to reduce the operating speed of the at least one storage device.

[0010] The system controller can be configured to reduce the operating speed of multiple storage devices based on receiving an anomaly notification from the at least one storage device.

[0011] The multiple storage devices may include a first group used by a first host and a second group used by a second host. The first group may include the at least one storage device and additional storage devices, and the system controller may be configured to reduce the operating speed of the storage devices included in the first group based on receiving an anomaly notification from the at least one storage device.

[0012] The system controller can be configured to store information about multiple commands based on a sliding window of a predetermined size, and to perform malware detection operations based on information about the commands included in the sliding window when an anomaly notification is received.

[0013] Information about commands can include information about the type of each command and information related to the logical block address (LBA) corresponding to each command.

[0014] The system controller can be configured to extract multiple features from information about commands included in a sliding window when an anomaly notification is received, and apply the extracted features to a machine learning-based malware detection algorithm to perform malware detection operations. The malware detection algorithm may include at least one of convolutional neural networks, recurrent neural networks, principal component analysis models, and random forest models.

[0015] Malware detection algorithms can be configured to output scores for each of a number of predefined malware based on the extracted features.

[0016] The system controller can be configured to provide the host with information related to abnormal value notifications.

[0017] Information relating to outlier notifications may include at least one of the following: (i) information about a group that includes at least one storage device that sends outlier notifications, (ii) information about storage devices included in the group, (iii) information about commands included in a sliding window at the time the outlier notification is received, (iv) command input / output history information of the at least one storage device that sends outlier notifications, and (v) telemetry data of the at least one storage device that sends outlier notifications.

[0018] According to one or more embodiments, a storage device includes: a memory device including a trap region storing a trap file transferred from a host; and a memory controller configured to set a logical block address (LBA) range corresponding to the trap region as a write-protected region, and to generate an exception value notification when an access to the write-protected region is detected.

[0019] The memory controller can be configured to send exception value notifications to a system controller outside the storage device via asynchronous events.

[0020] The memory controller can be configured to, while controlling the memory device to operate in a first power state among a plurality of power states, receive an operation speed change request from the system controller in response to the transmission of an exception value notification, control the memory device to operate in a second power state having an operation speed lower than that of the first power state.

[0021] The memory controller can be configured to, in response to receiving an information request related to an anomaly notification from the system controller, send at least one of the command input / output history information and telemetry data of the storage device to the system controller in response to the information request.

[0022] According to one or more embodiments, a method of operating a storage system including multiple storage devices includes: storing a trap file in a trap area of ​​each of the multiple storage devices; controlling the operation of the multiple storage devices based on a plurality of commands received from a host; reducing the operating speed of a first storage device when an access to a trap area of ​​a first storage device among the multiple storage devices is detected; and performing malware detection operations based on a predetermined number of commands among the multiple commands corresponding to the time point at which the access to the trap area is detected.

[0023] Each of the multiple storage devices can operate in one of multiple power states with different operating speeds, and reducing the operating speed can include modifying the power state of the first storage device.

[0024] The method may include storing information about multiple commands based on a sliding window of a predetermined size. Performing malware detection operations may include: extracting multiple features from information about commands included in the sliding window at a point in time when access to a trap region is detected, and applying the extracted features to a machine learning-based malware detection algorithm to perform malware detection operations.

[0025] The method may include providing the host with information relating to access to the trap area. The information relating to access to the trap area may include at least one of the following: information about a group including the first storage device, information about the storage devices included in the group, information about the commands included in the sliding window at the time the access to the trap area was detected, command input / output history information of the first storage device, and telemetry data of the first storage device. Attached Figure Description

[0026] Figure 1 This is a block diagram illustrating the configuration of a storage system according to one or more embodiments.

[0027] Figure 2 This is a block diagram illustrating the configuration of a system controller according to one or more embodiments.

[0028] Figure 3 This is a block diagram illustrating the configuration of a storage protection module according to one or more embodiments.

[0029] Figure 4 This is a table showing the power states of a storage device according to one or more embodiments.

[0030] Figure 5 This is a diagram illustrating malware detection operations of a system controller according to one or more embodiments.

[0031] Figure 6 This is a diagram illustrating an example of a storage system operating at reduced speed according to one or more embodiments.

[0032] Figure 7 This is a block diagram illustrating the configuration of a storage device according to one or more embodiments.

[0033] Figure 8 This is a block diagram illustrating the configuration of a memory controller according to one or more embodiments.

[0034] Figure 9 This is a flowchart illustrating a method of operating a storage system according to one or more embodiments.

[0035] Figure 10 This is a flowchart illustrating the operation of a storage system according to one or more embodiments.

[0036] Figure 11 This is a block diagram illustrating the configuration of a data center according to one or more embodiments. Detailed Implementation

[0037] In this disclosure, terms such as “first” and “second” as used herein may modify various elements regardless of the order and / or importance of the respective elements, and do not limit the respective elements. These terms may be used for the purpose of distinguishing one element from another.

[0038] It will be understood that when an element (e.g., the first element) is "coupled" to or "connected" to another element (e.g., the second element), the element may be directly coupled to the other element, and an intermediate element (e.g., a third element) may exist between the element and the other element.

[0039] Hereinafter, exemplary embodiments will be described in detail to enable those skilled in the art to readily implement this disclosure.

[0040] Figure 1 This is a block diagram illustrating the configuration of a storage system according to one or more embodiments. The storage system 10 may be a server or data center used by a host or host device, but the embodiments are not limited thereto.

[0041] Reference Figure 1 The storage system 10 may include a system controller 200 and multiple storage devices 100_1 to 100_n.

[0042] Multiple storage devices 100_1 to 100_n can be controlled by system controller 200 and can store data sent from the host or provide stored data to the host.

[0043] Each of the plurality of storage devices 100_1 to 100_n may include a non-volatile memory device that stores data regardless of whether it is powered on. For example, the plurality of storage devices 100_1 to 100_n may be at least one of solid-state drives (SSDs), embedded memory, and removable external memory. When the storage device is an SSD, the storage device may conform to the Non-Volatile Memory Fast (NVMe) standard. When the storage device is embedded memory or external memory, the storage device may conform to the Universal Flash Memory (UFS) or Embedded Multimedia Card (eMMC) standard.

[0044] When the non-volatile memory device of the storage device includes flash memory, the flash memory may include a 2D NAND memory array or a 3D (or vertical) NAND (VNAND) memory array. The storage device may also include various other types of non-volatile memory devices. For example, the storage device may include magnetic RAM (MRAM), spin-torque MRAM, conductive bridged RAM (CBRAM), ferroelectric RAM (FeRAM), phase RAM (PRAM), resistive RAM, or various other types of memory.

[0045] A portion of the multiple storage devices 100_1 to 100_n can be used as a boot disk for operating the storage system 10. The boot disk can store the operating system or various utilities of the storage system 10 in the form of an ISO image.

[0046] In some embodiments, each of the plurality of storage devices 100_1 to 100_n may store a trap file. The trap file may be generated by the host or system controller 200 and provided to each storage device. In some embodiments, the trap file may be generated to have a filename that can be searched before user files during a malware file search, but embodiments are not limited thereto. The trap file may be stored in a predetermined area (hereinafter referred to as the "trap area") on each storage device. The trap area may be different for each storage device, but embodiments are not limited thereto.

[0047] Trap files can be used to detect malicious access by attackers. For example, each of the multiple storage devices 100_1 to 100_n can set a trap area as a write-protected area. An attempt to access the trap area can be considered abnormal access, allowing each of the multiple storage devices 100_1 to 100_n to send an anomaly notification to the system controller 200 based on the detection of access to the trap area.

[0048] System controller 200 can control multiple storage devices 100_1 to 100_n. System controller 200 can write data to multiple storage devices 100_1 to 100_n based on multiple commands received from the host, or read data stored in multiple storage devices 100_1 to 100_n and provide the read data to the host.

[0049] For example, system controller 200 can perform malware detection operations. Malware is malicious software designed to perform malicious actions (such as damaging the system or modifying or disclosing information against the user's interests), and can include computer viruses, Trojan horses, adware, cryptojackers, ransomware, etc.

[0050] In some embodiments, the system controller 200 may perform malware detection operations based on receiving anomaly notifications from at least one of the plurality of storage devices 100_1 to 100_n. As described above, anomaly notifications can be received from the storage devices when access to a trap region is detected. Access to the trap region can be malicious access by an attacker, but it can also be access caused by operational errors. Therefore, the system controller 200 may perform malware detection operations to determine whether the anomaly notification is due to malicious access by an attacker.

[0051] System controller 200 can perform malware detection operations based on a predetermined number of commands corresponding to the time point at which an anomaly notification is received. In some embodiments, when system controller 200 controls multiple storage devices 100_1 to 100_n based on commands received from the host, system controller 200 can store the received commands based on a sliding window of a predetermined size. Therefore, system controller 200 can use commands corresponding to the time point at which an anomaly notification is received to perform malware detection operations. The commands constituting malware have a sequence, such that malware detection performance can be adequately guaranteed by performing malware detection operations based on commands related to commands requesting access to a trap region.

[0052] For example, in some embodiments, the system controller 200 may perform malware detection operations based on a predetermined number of commands received from the storage device upon receiving an anomaly notification, rather than performing malware detection operations in real time on all commands received from the host. Therefore, compared to typical techniques that perform malware detection operations in real time based on all commands, the performance degradation of the storage system 10 caused by malware detection operations can be reduced.

[0053] When an anomaly notification is received from at least one of the multiple storage devices 100_1 to 100_n, the system controller 200 may reduce the operating speed of the corresponding storage device(s) and perform malware detection operations.

[0054] The services provided by storage system 10 can be maintained regardless of the reduced operating speed of the storage device. Furthermore, as the operating speed decreases, system controller 200 can achieve resource availability, allowing the aforementioned malware detection operations to be performed without significantly degrading the performance of storage system 10. Additionally, when the received outlier notification is due to malware, the scope of malware infection can be significantly reduced.

[0055] In some embodiments, the system controller 200 may provide the host with information related to anomaly notifications. This information may include at least one of the following: information about a group of storage devices that have been detected to have access to a trap region; information about the storage devices included in the group; information about the commands included in the sliding window at the time the access to the trap region was detected; command input / output history information of the storage devices that have been detected to have access to the trap region; and telemetry information of the storage devices that have been detected to have access to the trap region. This can assist the host in performing subsequent actions.

[0056] As described above, according to one or more embodiments, a storage system that more effectively prevents the effects of malware without performance degradation can be provided.

[0057] Figure 2 This is a block diagram illustrating the configuration of a system controller according to one or more embodiments. Figure 2 The system controller 200 can correspond to Figure 1 The system controller 200. (Refer to...) Figure 2 The system controller 200 may include a processor 210, a working memory 220, a host interface 230, a storage protection module 240, and a system interface 250.

[0058] Processor 210 may include a central processing unit or a microprocessor. Processor 210 can drive firmware executed in system controller 200. For example, processor 210 can drive various types of firmware or software loaded into working memory 220. Furthermore, processor 210 can execute functions responsible for storage device 100 (see [link to storage device 100]). Figure 7 The firmware or software that performs the core functions of a device, such as the Host Interface Layer (HIL) or Flash Translation Layer (FTL).

[0059] Software (or firmware) or data used to control system controller 200 can be loaded into working memory 220. The software and data loaded into working memory 220 can be driven or processed by processor 210. For example, a flash translation layer (FTL) (not shown) driven by processor 210 can perform functions such as address mapping, garbage collection, or wear leveling. For example, storage protection module 240 can be loaded into working memory 220. As will be discussed later... Figure 3 As described herein, the storage protection module 240, driven by the processor 210, can perform functions such as adjusting the operating speed of the storage device, storing commands, extracting the characteristics of commands, or detecting malware.

[0060] The working memory 220 may include volatile memory (such as static random access memory (SRAM), dynamic RAM (DRAM) or synchronous DRAM (SDRAM)) and / or non-volatile memory (such as flash memory, phase change RAM (PRAM), magnetoresistive RAM (MRAM), resistive RAM (ReRAM) or ferroelectric RAM (FRAM)).

[0061] Host interface 230 provides an interface between the host and system controller 200. The host and system controller 200 can be connected via one of various standardized interfaces. Standardized interfaces may include various interface methods such as Advanced Technology Attachment (ATA), Serial ATA (SATA), External SATA (e-SATA), Small Computer Small Interface (SCSI), Serial Attached SCSI (SAS), Peripheral Component Interconnect (PCI), PCI Express (PCIe), Universal Serial Bus (USB), IEEE 1394, Universal Flash Memory (UFS), Embedded Multimedia Card (eMMC), NVMe, etc.

[0062] System interface 250 provides an interface between system controller 200 and multiple storage devices 100_1 to 100_n. For example, data or commands processed by processor 210 can be sent to the multiple storage devices 100_1 to 100_n via system interface 250. Additionally, data stored in the multiple storage devices 100_1 to 100_n or signals generated in the multiple storage devices 100_1 to 100_n can be sent to system controller 200 via system interface 250.

[0063] In some embodiments, the aforementioned outlier notification can be provided to the system controller 200 via an asynchronous event. For this purpose, the system interface 250 can provide an asynchronous event interface between the system controller 200 and the plurality of storage devices 100_1 to 100_n.

[0064] In the following text, reference will be made to Figures 3 to 5 The operation of system controller 200 is described in more detail. Figure 3 This is a block diagram illustrating the configuration of a storage protection module according to one or more embodiments. Figure 4 This is a table showing the power states of a storage device according to one or more embodiments. Figure 5 This is a diagram illustrating malware detection operations of a system controller according to one or more embodiments.

[0065] The system controller 200 can perform the functions of the components included in the storage protection module 240. (See reference...) Figure 3 The storage protection module 240 may include an operation speed control module 241, a command storage module 242, a feature extractor 243, and a malware detection module 244.

[0066] The operation speed control module 241 can control the operation speed of multiple storage devices 100_1 to 100_n. In some embodiments, when an abnormal value notification is received from at least one of the multiple storage devices 100_1 to 100_n, the operation speed control module 241 can reduce the operation speed of at least one storage device.

[0067] In some embodiments, each of the plurality of storage devices 100_1 to 100_n can be, as... Figure 4 The device operates under a single power state among the five power states PS0, PS1, PS2, PS3, and PS4 shown. The storage device can operate at different speeds under the corresponding power states PS0, PS1, PS2, PS3, and PS4. Figure 4 In the example, the storage device can operate at full speed under PS0, and the operating speed of the storage device can be gradually reduced through PS1, PS2, PS3 and PS4.

[0068] When an anomaly notification is received from at least one of the plurality of storage devices 100_1 to 100_n, the operation speed control module 241 may change the current power state of the storage device to a power state corresponding to a lower operating speed. In some embodiments, when an anomaly notification is received from storage device 100_1 while all of the plurality of storage devices 100_1 to 100_n are operating at PS0, the operation speed control module 241 may control the power state of storage device 100_1 to PS4 to reduce the operating speed of storage device 100_1.

[0069] Command storage module 242 can store information about a predetermined number of commands among a plurality of commands received from the host. In some embodiments, command storage module 242 can store information about the plurality of commands received from the host based on a sliding window of a predetermined size. (See also...) Figure 5 The command storage module 242 can apply a sliding window 50 of a predetermined size to multiple commands CMD tk-2 to CMD t+2 received from the host, and store information about the commands CMD tk to CMD t currently included in the sliding window 50.

[0070] Information about commands can be included in the metadata for each command. In some embodiments, the information about commands may include information about the type of each command and information related to the logical block address (LBA) corresponding to each command. For example, the information about commands may include the OP code of each command, the starting logical block address (SLBA) of each command, the number of logical blocks (NLB) corresponding to each command, or the queue identifier (QID) of each command, but the embodiments are not limited thereto.

[0071] Feature extractor 243 can extract multiple features from information about commands. In some embodiments, when system controller 200 receives an outlier notification, feature extractor 243 can extract multiple features, Feature 1 to Feature m, from information about commands CMD tk to CMD t included in sliding window 50 at the current time point when the outlier notification is received.

[0072] Multiple features, from Feature 1 to Feature m, extracted by Feature Extractor 243 can be associated with malware detection. For example, Features 1 to Feature m may include time differences between commands, command patterns, frequency of occurrence in commands, the difference between the minimum and maximum SLBA, the percentage of read and write commands, the amount of data written by write commands, and information about whether large command blocks are received in short time intervals, but the embodiments are not limited thereto.

[0073] The malware detection module 244 can perform malware detection operations based on features 1 to m extracted by the feature extractor 243. In some embodiments, the malware detection module 244 can apply features 1 to m extracted by the feature extractor 243 to a machine learning-based malware detection algorithm 44 to perform malware detection operations.

[0074] For example, malware detection algorithm 44 can output scores S1 to Si for each of a plurality of predefined malware when given multiple features extracted by feature extractor 243. Therefore, when there is a malware item for which a score higher than a predetermined standard value is output, it can be determined that malware for that item has been detected.

[0075] To this end, the malware detection algorithm 44 may include at least one of convolutional neural networks, recurrent neural networks, principal component analysis models, and random forest models, and may be trained based on multiple predefined malware. The multiple predefined malware may be known malware whose commands constitute the corresponding malware. The malware detection algorithm 44 may be trained using features extracted from the commands constituting known malware, and when features are input, it outputs a similarity score with the corresponding malware.

[0076] As described above, according to one or more embodiments, the system controller 200 may reduce the operating speed of at least one storage device based on receiving an anomaly notification from at least one of a plurality of storage devices 100_1 to 100_n, and perform malware detection operations based on information about a predetermined number of commands corresponding to the time point at which the anomaly notification was received.

[0077] Although an example has been provided of the system controller 200 reducing the operating speed of the storage device that sent the abnormal value notification when an abnormal value notification is received, the embodiments are not limited thereto.

[0078] Figure 6 This is a diagram illustrating an example of a storage system operating at reduced speed according to one or more embodiments. Figure 6 The storage system 10A can be Figure 1 An example of storage system 10. In Figure 6 In this context, the initiator represents the transmission entity and can correspond to a host. Additionally, NQN stands for NVMe Qualified Name, and SSD stands for Storage Device.

[0079] In some embodiments, storage system 10 may be used by multiple hosts, and different storage devices may be assigned to each of the multiple hosts. For example, the multiple storage devices 100_1 to 100_n may include multiple groups for each host. When an anomaly notification is received, system controller 200 may not only slow down the storage device that sent the anomaly notification, but also slow down other storage devices included in the group to which that storage device belongs.

[0080] Reference Figure 6 For example, storage system 10A can be used by initiator A, initiator B, and initiator C. SSD #1 and SSD #6 can be assigned to initiator A, SSD #2, SSD #3, and SSD #4 can be assigned to initiator B, and SSD #5 can be assigned to initiator C. For instance, when access to the trap region of SSD #3 occurs, SSD #3 can send an anomaly notification to system controller 200. System controller 200 can not only slow down the operation of SSD #3, but also slow down the operation of other SSDs included in the group to which SSD #3 belongs (e.g., SSD #2 and SSD #4), and perform the aforementioned malware detection operations.

[0081] As described above, according to one or more embodiments, when storage system 10 provides services in a multi-tenant environment, outliers can be detected in storage devices allocated to a single host (e.g., initiator B). In some embodiments, system controller 200 may reduce the operating speed of only the storage device (e.g., SSD #3) to which the outlier was detected, and perform the aforementioned malware detection operation. In an alternative embodiment, system controller 200 may reduce the operating speed of all storage devices SSD #2, SSD #3, and SSD #4 in the group to which the storage device (e.g., SSD #3) to which the outlier was detected, and perform the aforementioned malware detection operation. Therefore, malware detection operations can be performed without affecting services provided to other hosts (e.g., initiator A and initiator C).

[0082] However, one or more embodiments are not limited thereto. For example, when an anomaly notification is received from at least one of the plurality of storage devices 100_1 to 100_n, the system controller 200 may reduce the operating speed of all storage devices 100_1 to 100_n in the storage system 10 and perform the aforementioned malware detection operation.

[0083] In some embodiments, the system controller 200 may provide the host with information related to anomaly notifications. For example, the system controller 200 may perform the aforementioned malware detection operation and then provide the host with information related to anomaly notifications along with the detection results.

[0084] Information related to outlier notifications may include at least one of the following: information about a group including the storage device that sent the outlier notification, information about the storage devices included in the group, information about the commands included in the sliding window 50 at the time the outlier notification was received, command input / output history information of the storage device that sent the outlier notification, and telemetry information of the storage device that sent the outlier notification. Therefore, in some embodiments, the system controller 200 may request and obtain the command input / output history information and telemetry information corresponding to the time when the outlier notification was sent from the storage device that sent the outlier notification.

[0085] Information related to the anomaly notification sent to the host can be used by the host for subsequent malware-related actions. For example, when storage system 10 is infected with malware, the host can use the information related to the anomaly notification to determine subsequent actions. For instance, information about the commands included in the sliding window 50 at the time the anomaly notification was received can include key information for encryption operations used by ransomware. The host can use the key information to perform subsequent actions.

[0086] Figure 7This is a block diagram illustrating the configuration of a storage device according to one or more embodiments. Figure 7 The storage device 100 can correspond to Figure 1 Each of the plurality of storage devices 100_1 to 100_n, but the embodiments are not limited thereto.

[0087] Reference Figure 7 The storage device 100 may include a memory controller 110 and a non-volatile memory device (NVM) 120.

[0088] The memory controller 110 can control the overall operation of the storage device 100. For example, the memory controller 110 can control the programming, reading, and erasing operations of the non-volatile memory device 120 by providing the address ADDR, command CMD, and control signal CTRL to the non-volatile memory device 120 in response to requests from the host sent via the system controller 200. The memory controller 110 can store data received via the system controller 200 in the non-volatile memory device 120, or read data stored in the non-volatile memory device 120.

[0089] In some embodiments, the memory controller 110 may store trap files sent via the system controller 200 in the trap region 21 of the non-volatile memory device 120.

[0090] Additionally, when an access to trap region 21 is detected, memory controller 110 can generate an exception value notification. For example, memory controller 110 can set the logical block address (LBA) range corresponding to the trap region as a write-protected region. Therefore, when an access to the write-protected region is detected, memory controller 110 can generate an exception value notification and send the generated exception value notification to system controller 200. The exception value notification can be sent to system controller 200 via an asynchronous event, but the embodiment is not limited to this.

[0091] In some embodiments, the memory controller 110 can control the power state of the storage device 100. For example, the storage device 100 may have multiple power states (see, for example, see...). Figure 4 Multiple power states can have different operating speeds. The memory controller 110 can receive an operating speed change request from the system controller 200 when controlling the storage device 100 to operate in a first power state among the multiple power states. The operating speed change request can also be received from the system controller 200 in response to the sending of an exception value notification.

[0092] The memory controller 110 can control the storage device 100 to operate in a second power state with a lower operating speed than the first power state in response to a received operating speed change request.

[0093] The memory controller 110 may provide information related to anomaly notifications to the system controller 200. For example, the memory controller 110 may receive a request from the system controller 200 for information related to anomaly notifications. In response to a received request for information, the memory controller 110 may send at least one of command input / output history information and telemetry information from the non-volatile memory device 120 to the system controller 200.

[0094] In some embodiments, the memory controller 110 may temporarily store commands and data sent via the system controller 200. Therefore, the memory controller 110 may, in response to an information request, provide the system controller 200 with commands and data corresponding to the time point at which the exception value notification was sent.

[0095] Additionally, the memory controller 110 may store telemetry information generated during the operation of the non-volatile memory device 120. The telemetry information may include information related to error correction operations of the non-volatile memory device 120, such as Uncorrectable Error Correction Code (UECC) data, Correctable Error Correction Code (CEC) data, etc., but embodiments are not limited thereto. Therefore, the memory controller 110 may provide telemetry information corresponding to the time point at which an anomaly notification was sent to the system controller 200 in response to an information request.

[0096] The non-volatile memory device 120 can program data received from the memory controller 110 or send stored data to the memory controller 110 under the control of the memory controller 110.

[0097] The non-volatile memory device 120 may include a memory cell array 121 and control circuitry 122. The memory cell array 121 may include multiple memory blocks. Each memory block may include multiple pages, and each page may include multiple memory cells. Each of the multiple memory cells may be connected to a word line WL and a bit line BL. In some embodiments, each of the multiple memory cells may be used as a single-level cell (SLC), multi-level cell (MLC), three-level cell (TLC), four-level cell (QLC), etc. Each of the multiple memory cells may be implemented as various non-volatile memory elements, such as NAND flash memory, NOR flash memory, phase-change RAM (PRAM), resistive RAM (ReRAM), magnetic RAM (MRAM), ferroelectric RAM (FRAM), etc. In some embodiments, each of the multiple memory cells may be implemented in a three-dimensional array structure such as vertical NAND flash memory (VNAND), but embodiments are not limited thereto.

[0098] For example, in some embodiments, the memory cell array 121 may include a trap region 21. The trap region 21 may be a region storing trap files sent via the system controller 200. As described above, the logical block address (LBA) range corresponding to the trap region 21 may be set as a write-protected region.

[0099] In some embodiments, the trap file may be stored in a folder that can be searched first by malware. For example, the trap file may be stored in a trap folder formed in the topmost path of the non-volatile memory device 120. The trap folder may have a folder name that can be searched first by malware. However, the embodiments are not limited to this, and the trap file may be stored in any area within the user area of ​​the memory cell array 121.

[0100] Control circuitry 122 can control the overall operation of non-volatile memory device 120. Control circuitry 122 may include various analog or digital circuits required to store data in or read data from memory cell array 121. Control circuitry 122 can store data DATA in memory cell array 121 or read data stored in memory cell array 121 and provide the stored data DATA to memory controller 110 based on commands CMD, address ADDR, and control signals CTRL received from memory controller 110.

[0101] Figure 8 This is a block diagram illustrating the configuration of a memory controller according to an example embodiment. Figure 8 The memory controller 110 can correspond to Figure 7 The memory controller 110. (See reference...) Figure 8 The memory controller 110 may include a processor 111, a working memory 112, a system interface 113, a range checker 114, and a flash memory interface 115.

[0102] Processor 111 may include a central processing unit or a microprocessor. Processor 111 may drive firmware that executes in memory controller 110. For example, processor 111 may drive various types of firmware or software loaded into working memory 112. In addition, processor 111 may execute firmware or software responsible for the core functions of storage device 100, such as host interface layer (HIL) or flash translation layer (FTL).

[0103] Software (or firmware) or data used to control memory controller 110 can be loaded into working memory 112. The software and data loaded into working memory 112 can be driven or processed by processor 111. For example, a flash translation layer (FTL) (not shown) driven by processor 111 can perform functions such as address mapping, garbage collection, or wear leveling.

[0104] In some embodiments, the working memory 112 may temporarily store commands and data transmitted via the system controller 200. Additionally, the working memory 112 may store telemetry information generated during the operation of the non-volatile memory device 120.

[0105] The working memory 112 may include volatile memory (such as static random access memory (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM)) and / or non-volatile memory (such as flash memory, phase change RAM (PRAM), magnetoresistive RAM (MRAM), resistive RAM (ReRAM), ferroelectric RAM (FRAM), etc.).

[0106] Range checker 114 can perform various system lock operations on non-volatile memory device 120. For example, in a system lock state, access to non-volatile memory device 120 can be prevented for a predetermined period of time. Alternatively, in a system lock state, non-volatile memory device 120 can operate in read-only mode. Alternatively, in a system lock state, access to a specific area of ​​memory cell array 121 can be prevented. Alternatively, in a system lock state, a specific area of ​​memory cell array 121 can operate in read-only mode. When an attempt is made to perform a system lock prohibition operation, range checker 114 can generate an error signal.

[0107] For example, in some embodiments, the range checker 114 may set the logical block address (LBA) range corresponding to the trap region 21 as a write-protected region and may generate an anomaly notification when an access to the write-protected region is detected. The anomaly notification may be an error signal and may be sent to the system controller 200 via an asynchronous event.

[0108] System interface 113 can provide an interface between memory controller 110 and system controller 200. In some embodiments, system interface 113 can provide an asynchronous event interface between memory controller 110 and system controller 200 to send exception value notifications to system controller 200. Furthermore, in some embodiments, memory controller 110 can receive information requests or operating speed change requests related to exception value notifications from system controller 200 via system interface 113.

[0109] For example, when a request for information related to an anomaly notification is received, the memory controller 110 can send at least one of command input / output history information and telemetry information to the non-volatile memory device 120 via the system interface 113.

[0110] In addition, when a request to change the operating speed is received, the memory controller 110 can control the operation of the storage device 100 by changing the power state to a power state with an operating speed lower than the current power state.

[0111] The flash memory interface 115 can provide an interface between the memory controller 110 and the non-volatile memory device 120. The memory controller 110 can send commands or data to the non-volatile memory device 120 or receive data from the non-volatile memory device 120 through the flash memory interface 115.

[0112] Figure 9 This is a flowchart illustrating an operation method of a storage system according to an embodiment of the present invention. The operation method is as follows: Figure 9 The storage system described in [the document] can correspond to [the specific storage system]. Figure 1 and Figure 6 Storage systems 10 and 10A. Descriptions of features that are the same as or similar to those in the above embodiments are omitted to avoid redundancy.

[0113] Reference Figure 9 In operation S910, the storage system 10 may store the trap file in the trap region 21 of each of the plurality of storage devices 100_1 to 100_n. The trap region 21 may be different for each storage device, but the embodiment is not limited thereto.

[0114] In operation S920, the storage system 10 can control the operation of multiple storage devices 100_1 to 100_n based on multiple commands received from the host. The storage system 10 can store information about the multiple commands based on a sliding window 50 of a predetermined size.

[0115] In operation S930, when an access to a trap region of at least one of the plurality of storage devices 100_1 to 100_n is detected, the storage system 10 may reduce the operating speed of at least one storage device.

[0116] For example, each of the plurality of storage devices 100_1 to 100_n can operate in one of a plurality of power states with different operating speeds. Therefore, the storage system 10 can change the power state of at least one storage device to reduce the operating speed of at least one storage device.

[0117] In operation S940, storage system 10 can perform malware detection operations based on a predetermined number of commands from a plurality of commands received from the host that correspond to the time point at which access to trap area 21 is detected.

[0118] For example, storage system 10 can extract multiple features from information about commands included in sliding window 50 at the time when access to trap area 21 is detected, and apply the extracted features to a machine learning-based malware detection algorithm to perform malware detection operations.

[0119] In some embodiments, the storage system 10 may provide the host with information relating to access to the trap region 21. The information relating to access to the trap region may include at least one of the following: information about a group comprising at least one storage device, information about the storage devices included in the group, information about the commands included in the sliding window 50 at the time when access to the trap region 21 was detected, command input / output history information of at least one storage device, and telemetry information of at least one storage device.

[0120] Figure 10 This is a flowchart illustrating the operation of a storage system according to one or more embodiments. Its operation method is described in... Figure 10 The storage system described in [the document] can correspond to [the specific storage system]. Figure 1 and Figure 6 The descriptions of features that are the same as or similar to those in the above embodiments are omitted from the storage systems 10 and 10A to avoid redundancy.

[0121] Reference Figure 10 During operation S1010, system controller 200 may send a trap file to storage device 100. The trap file may be generated and provided by the host. In some embodiments, the trap file may be generated by system controller 200.

[0122] In operation S1015, storage device 100 may store the received trap file in trap region 21. Storage device 100 may set the LBA range corresponding to trap region 21 as a write-protected region.

[0123] In operation S1020, the host may send multiple commands to the system controller 200. Therefore, in operation S1025, the system controller 200 may store information about the multiple commands received from the host. In some embodiments, the system controller 200 may store information about the multiple commands based on a sliding window 50 of a predetermined size.

[0124] During operation S1030, the system controller 200 can send multiple commands received from the host to the storage device 100 and execute operations corresponding to the multiple commands.

[0125] In operation S1035, when an access to the trap region 21 is detected while performing operations corresponding to multiple commands, the storage device 100 can detect an anomaly and generate an anomaly notification. Therefore, in operation S1040, the storage device 100 can send the anomaly notification to the system controller 200. The anomaly notification can be sent via an asynchronous event.

[0126] In operation S1045, the system controller 200, having received the anomaly notification, can perform malware detection. In some embodiments, the system controller 200 can perform malware detection based on information about the commands included in the sliding window 50 at the time the anomaly notification was received.

[0127] For example, system controller 200 can extract multiple features from information about the command included in the sliding window 50 at the time when the outlier notification is received, and perform malware detection operations by applying the extracted multiple features to a machine learning-based malware detection algorithm.

[0128] When the extracted features are fed into a malware detection algorithm, the algorithm can output similarity as a score for each of several predefined malware variants. Therefore, it can be determined whether anomalies detected in storage device 100 are due to genuine malware infections.

[0129] In operation S1050, the system controller 200 may request information related to the abnormal value notification from the storage device 100. In operation S1055, the storage device 100 may send the information related to the abnormal value notification to the system controller 200.

[0130] During operation S1060, system controller 200 can provide the host with information related to anomaly notifications. Results of malware detection operations can also be provided to the host. Therefore, the host can use the information related to the anomaly notifications to perform subsequent actions.

[0131] Figure 11 This is a block diagram illustrating a data center configuration according to one or more embodiments. (Refer to...) Figure 11Data center 3000 is a facility that collects various types of data and provides services, and may also be referred to as a data storage center. Data center 3000 can be a system for operating search engines and databases, and can be a computing system used by companies such as banks or government agencies. Data center 3000 may include application servers 3100 to 3100n and storage servers 3200 to 3200m. The number of application servers 3100 to 3100n and the number of storage servers 3200 to 3200m can be selected in various ways according to one or more embodiments, and the number of application servers 3100 to 3100n and the number of storage servers 3200 to 3200m can differ from each other.

[0132] Application server 3100 or storage server 3200 may respectively include at least one of processor 3110 or 3210 and memory 3120 or 3220. For example, in storage server 3200, processor 3210 may control the overall operation of storage server 3200 and may access memory 3220 to execute commands and / or data loaded into memory 3220. Memory 3220 may be dual data rate synchronous DRAM (DDR SDRAM), high bandwidth memory (HBM), hybrid memory cube (HMC), dual in-line memory module (DIMM), Optane DIMM and / or non-volatile DIMM (NVMDIMM). The number of processors 3210 and the number of memory 3220 included in storage server 3200 may be selected differently according to one or more embodiments. In some embodiments, processor 3210 and memory 3220 may provide processor-memory pairs. In some embodiments, the number of processors 3210 and the number of memory 3220 may be different from each other. Processor 3210 may include a single-core processor or a multi-core processor. The above description of storage server 3200 can be similarly applied to application server 3100. In some embodiments, application server 3100 may not include storage device 3150. Storage server 3200 may include at least one storage device 3250. The number of storage devices 3250 included in storage server 3200 may be selected differently depending on one or more embodiments.

[0133] In some embodiments, storage server 3200 may correspond to Figure 1 Storage system 10. Furthermore, storage device 3250 may correspond to... Figure 1 One of the storage devices 100_1 to 100_n or Figure 7 The storage device 100. Furthermore, the processor 3210 and memory 3220 may respectively correspond to... Figure 2 The processor 210 and the working memory 220.

[0134] For example, the NAND flash memory device 3252 can independently combine commands from the controller (CTRL) 3251 and adjust the processing order of the commands.

[0135] Application servers 3100 to 3100n and storage servers 3200 to 3200m can communicate with each other via network 3300. Network 3300 can be implemented using Fibre Channel (FC), Ethernet, etc. FC is a medium used for relatively high-speed data transmission and can use optical switches that provide high performance / high availability. Depending on the access method of network 3300, storage servers 3200 to 3200m can be configured as file storage, block storage, or object storage.

[0136] In some embodiments, network 3300 may be a storage-specific network, such as a storage area network (SAN). For example, the SAN may be an FC-SAN implemented using an FC network and based on the FC protocol (FCP). For example, the SAN may be an IP-SAN implemented using a TCP / IP network and based on the TCP / IP-based SCSI or Internet SCSI protocol (iSCSI). In some embodiments, network 1300 may be a general-purpose network, such as a TCP / IP network. For example, network 1300 may be implemented based on protocols such as Ethernet-based FC (FCoE), network-attached storage (NAS), or NVMe (NVMe-oF) based on network fabrics.

[0137] The following description will focus on application server 3100 and storage server 3200. The description of application server 3100 can also be applied to other application servers 3100n, and the description of storage server 3200 can also be applied to other storage servers 3200m.

[0138] Application server 3100 can store data requested by users or clients in one of storage servers 3200 to 3200m via network 3300. Additionally, application server 3100 can retrieve data requested by users or clients from one of storage servers 3200 to 3200m via network 3300. For example, application server 3100 can be implemented as a web server or a database management system (DBMS).

[0139] Application server 3100 can access memory 3120n or storage device 3150n included in another application server 3100n via network 3300, or can access memory 3220 to 3220m or storage device 3250 to 3250m included in storage servers 3200 to 3200m via network 3300. Therefore, application server 3100 can perform various operations on data stored in application servers 3100 to 3100n and / or storage servers 3200 to 3200m. For example, application server 3100 can execute commands to move or copy data between application servers 3100 to 3100n and / or storage servers 3200 to 3200m. Data can be moved from storage devices 3250 to 3250m of storage servers 3200 to 3200m to memory devices 3220 to 3220m of storage servers 3200 to 3200m, or directly to memory devices 3120 to 3120n of application servers 3100 to 3100n. For security or privacy, data moved over network 3300 can be encrypted.

[0140] For example, in storage server 3200, interface (I / F) 3254 can provide physical connectivity between processor 3210 and controller 3251, as well as physical connectivity between network interconnect (NIC) 3240 and controller 3251. For example, interface 3254 can be implemented as direct-attached storage (DAS), which directly connects storage device 3250 to a dedicated cable. Furthermore, interface 3254 can be implemented in various interface modes, such as Advanced Technology Attachment (ATA), Serial ATA (SATA), External SATA (e-SATA), Small Computer Small Interface (SCSI), Serial Attached SCSI (SAS), Peripheral Component Interconnect (PCI), PCI Fast (PCIe), NVM Fast (NVMe), IEEE 1394, Universal Serial Bus (USB), Secure Digital (SD) card, Multimedia Card (MMC), Embedded Multimedia Card (eMMC), Universal Flash (UFS), Embedded Universal Flash (eUFS), and / or Compact Flash (CF) card interfaces.

[0141] The storage server 3200 may also include a switch 3230 and a NIC 3240. Under the control of the processor 3210, the switch 3230 can selectively connect the processor 3210 and the storage device 3250, or selectively connect the NIC 3240 and the storage device 3250.

[0142] In some embodiments, NIC 3240 may include a network interface card, network adapter, etc. NIC 3240 may connect to network 3300 via a wired interface, wireless interface, Bluetooth interface, optical interface, etc. NIC 3240 may include internal memory, digital signal processor (DSP), host bus interface, etc., and may connect to processor 3210 and / or switch 3230 via the host bus interface. The host bus interface may be implemented as one of the above examples of interface 3254. In some embodiments, NIC 3240 may be integrated with at least one of processor 3210, switch 3230, and storage device 3250.

[0143] In storage servers 3200 to 3200m or application servers 3100 to 3100n, the processor can send commands to storage devices 3150 to 3150n and 3250 to 3250m or memories 3120 to 3120n and 3220 to 3220m to program or read data. Error correction codes (ECC) can be used to correct errors in the data. The data can be processed via data bus inversion (DBI) or data masking (DM) and may include cyclic redundancy check (CRC) information. Data can be encrypted for security or privacy.

[0144] Storage devices 3150 to 3150n and 3250 to 3250m can send control signals and command / address signals to NAND flash memory devices 3252 to 3252m in response to a read command received from the processor. Therefore, when reading data from NAND flash memory devices 3252 to 3252m, a read enable signal can be input as a data output control signal, and the read enable signal is used to output data to the DQ bus. A data strobe can be generated using the read enable signal. Command and address signals can be latched in the page buffer based on the rising or falling edge of the write enable signal.

[0145] In some embodiments, controller 3251 may correspond to Figure 8 The processor 111, and the DRAM 3253 can correspond to Figure 8 The working memory 112. Additionally, the NAND flash memory device 3252 can correspond to... Figure 7 The non-volatile memory device 120.

[0146] Controller 3251 can control the overall operation of storage device 3250. In some embodiments, controller 3251 may include static random access memory (SRAM). Controller 3251 may write data to NAND flash memory device 3252 in response to a write command, or may read data from NAND flash memory device 3252 in response to a read command. For example, write and / or read commands may be provided from processor 3210 in storage server 3200, processor 3210m in another storage server 3200m, or processors 3110 and 3110n in application servers 3100 and 3100n. DRAM 3253 may temporarily store (e.g., buffer) data to be written to or read from NAND flash memory device 3252. Additionally, DRAM 3253 may store metadata. Metadata may be data generated by controller 3251 to manage NAND flash memory device 3252. Storage device 3250 may include security elements for security or privacy.

[0147] Based on the various embodiments described above, a storage system that more effectively prevents the impact of malware without performance degradation can be provided.

[0148] Various embodiments can be implemented as software, which includes commands stored in a machine-readable storage medium that can be read by a machine (e.g., a computer). A machine refers to a device capable of invoking instructions stored in the storage medium and capable of operating based on the invoked instructions, and may include a system controller 200 or a memory controller 110 according to the embodiments described above.

[0149] When a processor executes instructions, it can perform the function corresponding to the instructions itself, or, under its control, by using other components, perform the function corresponding to the instructions. Instructions may include code generated or executed by a compiler or interpreter. Machine-readable storage media may be provided in the form of non-transitory storage media. The term "non-transitory" only means that the storage medium does not include signals and is tangible, but does not indicate whether data is stored semi-permanently or temporarily in the storage medium.

[0150] In some embodiments, the methods according to the various embodiments described above can be provided as being included in a computer program product. The computer program product can be traded as a commodity between a seller and a buyer. The computer program product can be distributed in the form of a machine-readable storage medium or distributed online through an app store. In the case of online distribution, at least a portion of the computer program product can be temporarily stored or temporarily generated in a storage medium (such as the manufacturer's server, the app store's server, or the memory of a relay server).

[0151] As mentioned above, a storage system can be provided that more effectively prevents the effects of malware without performance degradation.

[0152] Although exemplary embodiments have been shown and described above, it will be apparent to those skilled in the art that modifications and variations can be made without departing from the scope of the inventive concept as defined by the appended claims.

Claims

1. A storage system, comprising: Multiple storage devices, each configured to store trap files; as well as A system controller configured to control the plurality of storage devices based on a plurality of commands received from the host. in: The system controller is configured to reduce the operating speed of at least one storage device based on receiving an anomaly notification from at least one of the plurality of storage devices, and to perform malware detection based on a command corresponding to the anomaly notification from among the plurality of commands; and The at least one storage device is configured to send the anomaly notification to the system controller based on the detection of access to a trap region storing the trap file.

2. The storage system according to claim 1, wherein: Each of the plurality of storage devices is configured to set the logical block address range corresponding to the trap region as a write-protected region, and to send the abnormal value notification to the system controller when an access to the write-protected region is detected.

3. The storage system according to claim 2, wherein: Each of the plurality of storage devices is configured to send the abnormal value notification to the system controller via an asynchronous event.

4. The storage system according to claim 1, wherein: Each of the plurality of storage devices operates in one of a plurality of power states with different operating speeds; and The system controller is configured to modify the power state of the at least one storage device to reduce the operating speed of the at least one storage device.

5. The storage system according to claim 1, wherein: The system controller is configured to reduce the operating speed of the plurality of storage devices based on receiving the anomaly notification from the at least one storage device.

6. The storage system according to claim 1, wherein: The plurality of storage devices includes a first group used by a first host and a second group used by a second host; The first group includes the at least one storage device and an additional storage device; and The system controller is configured to reduce the operating speed of the storage devices included in the first group based on receiving the anomaly notification from the at least one storage device.

7. The storage system according to claim 1, wherein: The system controller is configured to store information about the plurality of commands based on a sliding window of a predetermined size, and to perform the malware detection operation based on information about the commands included in the sliding window when the anomaly notification is received.

8. The storage system according to claim 7, wherein: Information about the commands includes information about the type of each command and information related to the logical block address corresponding to each command.

9. The storage system according to claim 7, wherein: The system controller is configured to extract multiple features from information regarding commands included in the sliding window when the anomaly notification is received, and to apply the extracted features to a machine learning-based malware detection algorithm to perform the malware detection operation; and The malware detection algorithm includes at least one of convolutional neural networks, recurrent neural networks, principal component analysis models, and random forest models.

10. The storage system according to claim 9, wherein: The malware detection algorithm is configured to output a score for each of a plurality of predefined malware based on the extracted features.

11. The storage system according to claim 7, wherein: The system controller is configured to provide the host with information related to the anomaly notification.

12. The storage system according to claim 11, wherein: Information relating to the outlier notification includes at least one of the following: (i) information about a group comprising the at least one storage device that sent the outlier notification, (ii) information about storage devices included in the group, (iii) information about the command included in the sliding window at the time the outlier notification was received, (iv) command input / output history information of the at least one storage device that sent the outlier notification, and (v) telemetry data of the at least one storage device that sent the outlier notification.

13. A storage device, comprising: A memory device including a trap region for storing trap files transferred from a host; as well as A memory controller is configured to set the logical block address range corresponding to the trap region as a write-protected region and generate an exception value notification when an access to the write-protected region is detected.

14. The storage device according to claim 13, wherein: The memory controller is configured to send the abnormal value notification to a system controller outside the storage device via an asynchronous event.

15. The storage device according to claim 14, wherein: The memory controller is configured to: when, while controlling the memory device to operate in a first power state among multiple power states, and in response to receiving an operation speed change request from the system controller in response to the transmission of the abnormal value notification, control the memory device to operate in a second power state having an operation speed lower than that of the first power state.

16. The storage device according to claim 14, wherein: The memory controller is configured to, upon receiving an information request related to the anomaly notification from the system controller in response to the transmission of the anomaly notification, send at least one of the command input / output history information and telemetry data of the storage device to the system controller in response to the information request.

17. A method of operating a storage system comprising a plurality of storage devices, the method comprising: The trap file is stored in the trap area of ​​each of the plurality of storage devices; The operation of the multiple storage devices is controlled based on multiple commands received from the host. When an access to the trap region of the first storage device among the plurality of storage devices is detected, the operating speed of the first storage device is reduced; as well as Malware detection is performed based on a predetermined number of commands, among the plurality of commands, corresponding to the time point at which access to the trap region is detected.

18. The method of claim 17, wherein: Each of the plurality of storage devices operates in one of a plurality of power states with different operating speeds; and Reducing the operating speed includes modifying the power state of the first storage device.

19. The method of claim 17, comprising: Information about the multiple commands is stored using a sliding window of a predetermined size. in: Performing the malware detection operation includes: Multiple features are extracted from information regarding the command included in the sliding window at the time point when access to the trap region is detected; and The extracted features are applied to a machine learning-based malware detection algorithm to perform the malware detection operation.

20. The method of claim 19, comprising: Provide the host with information related to access to the trap area. in: Information relating to access to the trap area includes at least one of the following: information about the group that includes the first storage device, information about the storage devices included in the group, information about the command included in the sliding window at the time when access to the trap area was detected, command input / output history information of the first storage device, and telemetry data of the first storage device.