A storage system, including a host device; and a storage device including a memory and at least one processor configured to implement a storage internal protection (SIP) module, wherein the SIP module is configured to: obtain, from the host device, a plurality of storage commands corresponding to the memory, filter the plurality of storage commands to obtain a filtered plurality of storage commands, apply information about the filtered plurality of storage commands to a machine-learning ransomware detection algorithm, and based on the machine-learning ransomware detection algorithm indicating that a ransomware operation is detected, provide a notification to the host device.