CN116415240A - Ransomware detection method and related system - Google Patents

Ransomware detection method and related system

Info

Publication number
CN116415240A
Authority
CN
China
Prior art keywords
file
bait
decoy
directory
application
Legal status
Pending
Application number
CN202111679456.1A
Other languages
Chinese (zh)
Inventor
刘剑波
Current Assignee
Huawei Cloud Computing Technologies Co Ltd
Original Assignee
Huawei Cloud Computing Technologies Co Ltd
Application filed by Huawei Cloud Computing Technologies Co Ltd
Priority to CN202111679456.1A (CN116415240A)
Priority to PCT/CN2022/107828 (WO2023124041A1)
Publication of CN116415240A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
    • G06F21/562 Static detection

Abstract

The present application provides a ransomware detection method comprising the following steps: generating a decoy file according to an application or the system directory, detecting access behavior to the decoy file, acquiring the attribute changes of the decoy file before and after the access behavior, and determining ransomware according to the attribute changes. Because the decoy file is generated according to the application or the system directory, it closely resembles real service/data files, and its file type, file size, file name and deployment location are not fixed. Ransomware therefore cannot skip the decoy file on the basis of a fixed file size, file type, file name or deployment location, so the abnormal behavior of ransomware encrypting files can be discovered effectively and in time, the ransomware can be blocked promptly, and the damage it causes is reduced.

Description

Ransomware detection method and related system
Technical Field
The present application relates to the field of network security technologies, and in particular to a ransomware detection method and system, a computer cluster, a computer readable storage medium, and a computer program product.
Background
With the development of the internet, and of the mobile internet in particular, malicious code such as vulnerability scanners, viruses and other attack code can spread widely across the network and attack or infect devices in it, so that network security is severely challenged. At present, ransomware attacks are among the most serious network security threats, and their number keeps growing, causing great harm to customers.
Ransomware typically traverses all directories of the victim host by depth-first traversal and encrypts critical service/data files (e.g. database files, office documents, compressed files, video, pictures and source code). Some ransomware only encrypts files of specified types that exceed a fixed size under specific directories, so that the encrypted files can no longer be read normally and the normal operation of the service is affected. At the same time, the ransomware writes a ransom note into each directory where encrypted files are located; based on this note the victim can, after paying the ransom, obtain a decryption password/tool or a method of restoring normal operation of the system.
How to detect ransomware quickly and effectively, and thereby reduce the harm it causes, has become a key technology and challenge in the field of network security.
Disclosure of Invention
In the method of the present application, a decoy file that closely resembles real service/data files is generated according to the application or the system directory, and the file type, file size, file name and deployment location of the decoy file are not fixed. Ransomware is thus prevented from skipping the decoy file on the basis of a fixed file size, file type, file name or deployment location, the abnormal behavior of ransomware encrypting files can be discovered effectively and in time, the ransomware can be blocked promptly, and the damage it causes is reduced. The present application also provides a system, a computer cluster, a computer readable storage medium and a computer program product corresponding to the method.
In a first aspect, the present application provides a ransomware detection method. The method may be performed by a ransomware detection system, which for convenience of description this embodiment also refers to simply as the detection system. In some embodiments, the detection system is a software system deployed in a computer cluster that executes the program code of the software system to perform the ransomware detection method. In other embodiments, the detection system may also be a hardware system for detecting ransomware. The embodiments of the present application take a software detection system as the illustration.
Specifically, the detection system generates a decoy file according to an application or the system directory, detects access behavior to the decoy file, acquires the attribute changes of the decoy file before and after the access behavior, and then determines ransomware according to the attribute changes.
In this method, the decoy file generated according to the application or the system directory closely resembles real service/data files, and its file type, file size, file name and deployment location are not fixed. This avoids the situation where ransomware skips the decoy file on the basis of a fixed file size, file type, file name or deployment location and encrypts the application's service/data files, so the abnormal behavior of ransomware encrypting files can be discovered effectively and in time, the ransomware can be blocked promptly, and the damage it causes is reduced.
In some possible implementations, the detection system may also present alarm information to the user. The alarm information comprises one or more of an identifier of the ransomware process, the path of the ransomware, the hash of the ransomware, the command line of the ransomware, the access path of the ransomware process and the access behavior of the ransomware process, where the ransomware process is the process corresponding to the ransomware.
This implementation alerts the user so that the user can take corresponding measures in time to ensure the safety of the device or data and the normal operation of the service.
In some possible implementations, the detection system may further stop the ransomware process and block the ransomware, where the ransomware process is the process corresponding to the ransomware. The detection system can stop the ransomware process and block the ransomware automatically once the ransomware has been identified, or it can present alarm information to the user and, after the user confirms the alarm information and grants authorization or permission, stop the ransomware process and block the ransomware.
In this method, the detection system stops the ransomware process to block the ransomware, so that the damage caused by the ransomware is reduced and data safety is ensured.
In some possible implementations, the detection system may also update the decoy file according to a change in the application or a change in the system directory. Specifically, when the detection system detects a new application, it can generate a new decoy file according to the access information of the new application; when the detection system detects that an existing application has been uninstalled, it can delete the corresponding decoy file according to the information of the uninstalled application.
In this method, the detection system updates the decoy file dynamically, which prevents ransomware from bypassing a fixed decoy file to encrypt service/data files and thereby rendering the detection method ineffective.
In some possible implementations, the detection system may present an update interface to the user according to a change in the application or a change in the system directory, and then update the decoy file according to an update operation triggered by the user through the update interface.
In this way the decoy file can be updated selectively according to the individual requirements of the user, the update frequency is reduced, and the user experience is improved.
In some possible implementations, the detection system may generate the decoy file according to the access information of the application. A decoy file generated this way closely resembles the real service/data files of the application, which improves the deceptiveness of the decoy file, makes it difficult for ransomware to bypass, and ensures the effectiveness of the detection method.
In some possible implementations, the access information of the application includes the file types accessed by the application. The detection system may generate the decoy file according to the file types accessed by the application, so that the decoy file has the same file type as the files the application accesses. For example, when the application accesses files of several types, the detection system may generate several decoy files whose file types match the file types accessed by the application.
In this way, ransomware is prevented from probing for a specific file type, bypassing the decoy file of that type, and rendering the decoy-file-based detection method ineffective.
In some possible implementations, the decoy file includes a plurality of files, and the plurality of files differ in file size. In this way, ransomware is prevented from probing for a specific file size, bypassing decoy files of that size, and rendering the decoy-file-based detection method ineffective.
In some possible implementations, the detection system may further generate a decoy directory according to the access information of the application, where the decoy directory is the directory in which the decoy file is located. This prevents ransomware from bypassing a specific deployment location and directly encrypting the service/data files, which would render the decoy-file-based detection method ineffective.
In some possible implementations, the access information of the application includes the file directories accessed by the application. The detection system may generate a decoy directory from the file directories accessed by the application. The decoy directory can be a directory beneath a file directory accessed by the application; from the perspective of the ransomware it looks like a service file directory or data file directory actually accessed by the application, so the decoy directory is more deceptive and prevents ransomware from bypassing the directory and directly encrypting service/data files, which would render the decoy-file-based detection method ineffective.
In some possible implementations, the detection system may generate a plurality of decoy files under the system directory according to randomly selected file types, the decoy files having different file sizes. In this way, ransomware is prevented from probing for specific file types and file sizes in order to bypass the decoy files, which would render the decoy-file-based detection method ineffective.
In some possible implementations, the detection system may also present a configuration interface to the user and then receive detection parameters configured by the user through the configuration interface. The detection parameters include target file types. The detection system may generate a plurality of decoy files under the system directory according to file types randomly selected from the target file types.
In this way, the detection system can combine the detection parameters configured by the user to generate more accurate and more deceptive decoy files, ensure that the decoy files are accessed by ransomware preferentially, and prevent ransomware from bypassing the decoy files, which would render the decoy-file-based detection method ineffective.
In some possible implementations, the detection parameters further include at least one of an exclusion directory, which is a directory in the system directory in which no decoy file needs to be deployed, and a target keyword used to generate the name of the decoy file.
The exclusion directory can be used to exclude unnecessary directories, avoiding the waste of resources that deploying decoy files in those directories would cause. The target keyword can serve as a reference for generating the name of the decoy file, further enhancing the deceptiveness of the decoy file.
In some possible implementations, the detection system may further generate a decoy directory according to the system directory, where the decoy directory is the directory in which the decoy file is located. Compared with a fixed deployment location, this prevents ransomware from bypassing the decoy directory to encrypt service/data files, which would render the decoy-file-based detection method ineffective.
In some possible implementations, the decoy directory includes at least one of a first decoy directory, a second decoy directory and a third decoy directory. The name of the first decoy directory includes a first prefix such that the first decoy directory is accessed preferentially in a forward-order traversal; the name of the second decoy directory includes a second prefix such that the second decoy directory is accessed preferentially in a reverse-order traversal; the name of the third decoy directory includes a third prefix such that the third decoy directory is accessed preferentially in the default traversal of the system disk.
By generating decoy directories with specific prefixes, the method ensures that the decoy directories and the decoy files inside them are accessed preferentially in different traversal scenarios, which prevents the ransomware detection method from failing because the ransomware reaches the service/data files first.
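As an added illustration that is not part of the patent, the following Python simulates forward-order and reverse-order depth-first traversal over a constructed directory tree and checks that decoy directories named with a leading "!" and a leading "~" are reached first in each direction; it also includes a pre-deployment check that a chosen name really sorts ahead of its existing siblings. The prefix characters and the byte-wise sort order are this example's assumptions (the patent does not name its prefixes), and the third case, the default traversal of the system disk, depends on the file system's enumeration order and is not simulated.

```python
# Constructed example: which directory a lexical traversal reaches first.
# Assumption: the traversal sorts sibling names byte-wise (C locale). On NTFS,
# names are compared case-insensitively, but "!" still sorts before digits and
# letters and "~" still sorts after them, so the same two prefixes work there.
FORWARD_PREFIX = "!"   # 0x21: sorts before digits, letters and most punctuation
REVERSE_PREFIX = "~"   # 0x7E: sorts after every other printable ASCII character


def bait_dir_names(keyword: str) -> dict:
    """Names for the first (forward) and second (reverse) decoy directories."""
    return {"forward": FORWARD_PREFIX + keyword, "reverse": REVERSE_PREFIX + keyword}


def walk(tree: dict, reverse: bool = False, prefix: str = "") -> list:
    """Depth-first traversal of a constructed tree (dict = directory, None = file),
    visiting siblings in forward or reverse lexical order. Returns the file
    paths in the order the traversal reaches them."""
    visited = []
    for name in sorted(tree, reverse=reverse):
        path = f"{prefix}/{name}" if prefix else name
        child = tree[name]
        if isinstance(child, dict):
            visited.extend(walk(child, reverse, path))
        else:
            visited.append(path)
    return visited


def prefix_is_extreme(siblings, name: str, reverse: bool = False) -> bool:
    """Pre-deployment check: will `name` be the first sibling visited, given
    the names already present in the parent directory?"""
    others = [s for s in siblings if s != name]
    return all((name > s) if reverse else (name < s) for s in others)


def first_file_reached(tree: dict, reverse: bool = False) -> str:
    """The first file a traversal in the given direction would touch."""
    return walk(tree, reverse)[0]
```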
In some possible implementations, the detection system may also monitor the decoy file and restore it when it is modified or deleted by mistake. This avoids the problem that, when the decoy file has been deleted or modified by mistake, ransomware directly encrypts the service/data files and the decoy-file-based detection method fails.
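As an added, constructed example that is not the patent's own code, the following Python implements the first-aspect procedure end to end: decoys are generated from an application's access information (its file types and directories) and the user's detection parameters (target file types, exclusion directories, target keywords) with varied sizes and keyword-derived names, their attributes are snapshotted at deployment, later access is judged from the attribute changes, and modified or deleted decoys are restored from a pristine copy. The class and function names, the `_archive` directory suffix and the two-decoy decision threshold are assumptions of this example.

```python
"""Decoy deployment, attribute-change detection and restore (constructed example)."""
import hashlib
import random
import shutil
from dataclasses import dataclass
from pathlib import Path


@dataclass
class DetectionParams:
    """Detection parameters a user sets through the configuration interface."""
    target_file_types: tuple = (".docx", ".xlsx", ".pdf", ".sql", ".jpg")
    exclusion_dirs: tuple = ()                 # no decoys are deployed under these
    target_keywords: tuple = ("report", "backup", "invoice")


@dataclass
class AppAccessInfo:
    """Access information of one application: the file types and directories it uses."""
    name: str
    file_types: tuple
    directories: tuple


@dataclass
class DecoyRecord:
    """Attributes captured at deployment plus a pristine copy used for restore."""
    path: Path
    size: int
    digest: str
    backup: Path


def _attrs(path: Path):
    data = path.read_bytes()
    return len(data), hashlib.sha256(data).hexdigest()


def generate_decoys(app: AppAccessInfo, params: DetectionParams,
                    store: Path, rng: random.Random) -> list:
    """Deploy decoys whose types match what the app accesses, with varied sizes
    and keyword-derived names, in a decoy directory under each app directory."""
    store.mkdir(parents=True, exist_ok=True)
    records = []
    for directory in map(Path, app.directories):
        if any(directory.is_relative_to(ex) for ex in map(Path, params.exclusion_dirs)):
            continue                           # user excluded this subtree
        decoy_dir = directory / f"{rng.choice(params.target_keywords)}_archive"
        decoy_dir.mkdir(parents=True, exist_ok=True)
        types = [t for t in app.file_types if t in params.target_file_types]
        for i, ext in enumerate(types or list(params.target_file_types)):
            # Every decoy gets its own size, so a fixed-size skip rule cannot match them all.
            size = rng.randint(1024, 64 * 1024)
            name = f"{rng.choice(params.target_keywords)}_{rng.randint(2019, 2024)}_{i}{ext}"
            path = decoy_dir / name
            path.write_bytes(rng.randbytes(size))
            backup = store / f"{app.name}_{name}"
            shutil.copy2(path, backup)
            records.append(DecoyRecord(path, *_attrs(path), backup))
    return records


def check_decoys(records: list) -> list:
    """Compare each decoy's current attributes with its deployment snapshot.
    Returns (path, kind, detail) for every decoy that was removed or rewritten."""
    findings = []
    for rec in records:
        if not rec.path.exists():
            # The original is gone; list any file in the same directory whose name
            # extends the decoy's name, e.g. an encrypted copy with an added extension.
            extended = sorted(p.name for p in rec.path.parent.iterdir()
                              if p.name.startswith(rec.path.name))
            findings.append((rec.path, "removed", extended))
            continue
        size, digest = _attrs(rec.path)
        if digest != rec.digest:
            findings.append((rec.path, "content_changed", size - rec.size))
    return findings


def is_ransomware_activity(findings: list, min_hits: int = 2) -> bool:
    """Decision rule assumed for this example: one touched decoy may be an
    accidental edit, several decoys changed together is the pattern to flag."""
    return len(findings) >= min_hits


def restore_decoys(records: list) -> int:
    """Put back every decoy that was modified or deleted; returns how many."""
    restored = 0
    for rec in records:
        if not rec.path.exists() or _attrs(rec.path)[1] != rec.digest:
            rec.path.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(rec.backup, rec.path)
            restored += 1
    return restored
```

In a deployment the check would run from a file-system event hook rather than on demand, and the alarm would carry the accessing process's identity alongside the findings.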
In a second aspect, the present application provides a ransomware detection system. The system comprises:
a decoy file management module, configured to generate a decoy file according to an application or the system directory;
a decoy access behavior detection module, configured to detect access behavior to the decoy file and acquire the attribute changes of the decoy file before and after the access behavior;
the decoy access behavior detection module being further configured to determine ransomware according to the attribute changes.
In some possible implementations, the system further includes:
a security response module, configured to present alarm information to the user, where the alarm information comprises one or more of an identifier of the ransomware process, the path of the ransomware, the hash of the ransomware, the command line of the ransomware, the access path of the ransomware process and the access behavior of the ransomware process, and the ransomware process is the process corresponding to the ransomware.
In some possible implementations, the system further includes:
a security response module, configured to stop the ransomware process and block the ransomware, where the ransomware process is the process corresponding to the ransomware.
In some possible implementations, the decoy file management module is further configured to:
update the decoy file according to a change in the application or a change in the system directory.
In some possible implementations, the decoy file management module is specifically configured to:
present an update interface to the user according to a change in the application or a change in the system directory; and
update the decoy file according to the update operation triggered by the user through the update interface.
In some possible implementations, the decoy file management module is specifically configured to:
generate the decoy file according to the access information of the application.
In some possible implementations, the access information of the application includes the file types accessed by the application;
the decoy file management module is specifically configured to:
generate the decoy file according to the file types accessed by the application, where the file type of the decoy file is the same as the file type accessed by the application.
In some possible implementations, the decoy file includes a plurality of files, and the plurality of files differ in file size.
In some possible implementations, the decoy file management module is further configured to:
generate a decoy directory according to the access information of the application, where the decoy directory is the directory in which the decoy file is located.
In some possible implementations, the access information of the application includes the file directories accessed by the application;
the decoy file management module is specifically configured to:
generate a decoy directory according to the file directories accessed by the application.
In some possible implementations, the decoy file management module is specifically configured to:
generate a plurality of decoy files under the system directory according to randomly selected file types, where the decoy files differ in file size.
In some possible implementations, the system further includes:
a decoy detection configuration module, configured to present a configuration interface to the user and receive detection parameters configured by the user through the configuration interface, where the detection parameters include target file types;
the decoy file management module is specifically configured to:
generate a plurality of decoy files under the system directory according to file types randomly selected from the target file types.
In some possible implementations, the detection parameters further include at least one of an exclusion directory, which is a directory in the system directory in which no decoy file needs to be deployed, and a target keyword used to generate the name of the decoy file.
In some possible implementations, the decoy file management module is further configured to:
generate a decoy directory according to the system directory, where the decoy directory is the directory in which the decoy file is located.
In some possible implementations, the decoy directory includes at least one of a first decoy directory, a second decoy directory and a third decoy directory;
the name of the first decoy directory includes a first prefix such that the first decoy directory is accessed preferentially in a forward-order traversal;
the name of the second decoy directory includes a second prefix such that the second decoy directory is accessed preferentially in a reverse-order traversal;
the name of the third decoy directory includes a third prefix such that the third decoy directory is accessed preferentially in the default traversal of the system disk.
In some possible implementations, the decoy access behavior detection module is further configured to:
monitor the decoy file and restore it when it is modified or deleted by mistake.
In a third aspect, the present application provides a computer cluster. The computer cluster includes at least one computer, each including a processor and a memory that communicate with each other. The processor is configured to execute instructions stored in the memory to cause the computer cluster to perform the ransomware detection method of the first aspect or any implementation of the first aspect.
In a fourth aspect, the present application provides a computer readable storage medium storing instructions that instruct a computer cluster to execute the ransomware detection method of the first aspect or any implementation of the first aspect.
In a fifth aspect, the present application provides a computer program product comprising instructions which, when run on a computer cluster, cause the computer cluster to perform the ransomware detection method of the first aspect or any implementation of the first aspect.
Further combinations of the present application may be made to provide further implementations based on the implementations provided in the above aspects.
Drawings
In order to describe the technical method of the embodiments of the present application more clearly, the drawings required by the embodiments are briefly described below.
FIG. 1 is a system architecture diagram of a ransomware detection system according to an embodiment of the present application;
FIG. 2 is a flowchart of a ransomware detection method according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a configuration interface according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of a system directory according to an embodiment of the present application;
FIG. 5A is a schematic diagram of an update interface according to an embodiment of the present application;
FIG. 5B is a schematic diagram of an update interface according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of a ransomware detection system according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of a computer cluster according to an embodiment of the present application.
Detailed Description
The terms "first" and "second" in the embodiments of the present application are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more such features.
Some technical terms related to the embodiments of the present application will be first described.
Ransomware, also known as ransom software, is a special type of malware commonly categorized as an "access-denial attack". The biggest difference between ransomware and other viruses lies in its mode of operation and infection. A typical piece of ransomware systematically encrypts files stored on the computing device, in particular critical service/data files, which may be one or more of database files, office documents, compressed files, video, pictures and source code, and then demands that the victim pay a ransom to obtain the decryption password/tool, which the victim cannot obtain on their own, in order to decrypt the files.
Ransomware is usually spread in the form of a Trojan. In particular, it disguises itself as a seemingly harmless file. For example, ransomware may trick the victim into clicking a download link through social engineering methods such as impersonating ordinary e-mail, or, like many worms, may spread between networked computing devices by exploiting software vulnerabilities.
To reduce the damage caused by ransomware, the industry provides a number of ransomware detection schemes that detect ransomware early and then block it. The mainstream schemes include decoy-file-based ransomware detection: decoy files of fixed type and fixed size are deployed in a designated directory, and known or unknown ransomware is identified by monitoring the access operations of processes on the decoy files.
However, the above scheme requires specifying the deployment location of the decoy file, and the file size, file type, file content and file name of the decoy file are relatively fixed. Ransomware can bypass the decoy file on the basis of the fixed file size, file type, file name or specified deployment location and encrypt the application's service/data files, rendering the decoy-file-based ransomware detection method ineffective.
In view of the foregoing, embodiments of the present application provide a ransomware detection method. The method may be performed by a ransomware detection system, which for convenience of description this embodiment also refers to simply as the detection system. In some embodiments, the detection system is a software system deployed in a computer cluster that executes the program code of the software system to perform the ransomware detection method. In other embodiments, the detection system may also be a hardware system for detecting ransomware. The embodiments of the present application take a software detection system as the illustration.
Specifically, the detection system generates a decoy file according to an application or the system directory, detects access behavior to the decoy file, acquires the attribute changes of the decoy file before and after the access behavior, and then determines ransomware according to the attribute changes.
In this method, the decoy file generated according to the application or the system directory closely resembles real service/data files, and its file type, file size, file name and deployment location are not fixed. This avoids the situation where ransomware skips the decoy file on the basis of a fixed file size, file type, file name or deployment location and encrypts the application's service/data files, so the abnormal behavior of ransomware encrypting files can be discovered effectively and in time, the ransomware can be blocked promptly, and the damage it causes is reduced.
It should be noted that the ransomware detection method of the embodiments of the present application is applicable to scenarios where known/unknown ransomware must be detected rapidly on a terminal (e.g. a host) or server. In a cloud scenario in particular, where a tenant runs a large number of services on leased or purchased cloud servers and stores critical service/data files there, the method can detect ransomware rapidly with lightweight resource usage, meeting the requirements for timely detection and low resource consumption.
In order to make the technical solution of the present application clearer and easier to understand, the system architecture of the embodiments of the present application is described below with reference to the accompanying drawings.
Referring to the system architecture diagram of the Leucasian virus detection system described in FIG. 1, in this example, a tenant (which may be, for example, a person, enterprise, or other corporate organization) may rent or purchase one or more cloud servers in the cloud computing cluster 10 to deploy the tenant's applications, such as deploying application 1 through application N, where N is a positive integer. Fig. 1 illustrates the deployment of multiple applications, and in some embodiments, a tenant may deploy one application. The cloud computing cluster 10 further has a lux virus detection system 100 disposed therein, which is hereinafter referred to as the detection system 100 for convenience of description.
The cloud computing cluster 10 establishes a communication connection with the terminal 20. The terminal 20 is provided with a client, which may be a general client such as a browser or a detection client dedicated to the detection of the lux virus. The detection system 100 in the cloud computing cluster 10 may generate a decoy file according to an application or a system directory, where the decoy file is fraudulent, and the detection system 100 may detect an access behavior to the decoy file, obtain an attribute change of the decoy file before and after the access behavior, and then determine the lux virus according to the attribute change.
Further, the detection system 100 may generate alarm information according to the detected lux virus, and send the alarm information to the terminal 20, so that the terminal presents the alarm information to the user. The alarm information comprises one or more of an identification of the lux process, a path of the lux virus, a hash (hash) of the lux virus, a command line of the lux virus, an access path of the lux process and an access behavior of the lux process. In this embodiment, the lux process is a process corresponding to the lux virus.
It should be noted that, when the lux virus is detected, the detection system 100 may also stop the lux process and block the lux virus, that is, isolate the executable file of the lux virus. In this way, encryption of the application's business/data files by the lux process, which would harm the user's interests, can be avoided.
The embodiment shown in fig. 1 is illustrated with the detection system 100 deployed in a cloud computing cluster, detecting whether an application deployed in the cloud computing cluster contains a lux virus. In some possible implementations, the detection system 100 may also be deployed in a local computing device, such as a desktop computer or a notebook computer, that is, in the terminal 20, for performing lux virus detection on the application deployed in the terminal 20.
Next, a method for detecting the lux virus according to the embodiment of the present application will be described in detail from the perspective of the detection system 100.
Referring to the flow chart of the method for detecting the lux virus shown in FIG. 2, the method comprises:
S202: the detection system 100 presents a configuration interface to the user.
The configuration interface may be used to configure detection parameters for detecting the lux virus. The detection parameter may include a detection mode. When the detection mode is a detection mode based on the decoy file, the detection parameters may further include one or more of a target file type, an exclusion directory, and a target keyword. The target file type is used for providing a reference for generating the file type of the decoy file, and the target keyword is used for providing a reference for naming the decoy file. Exclusion directory refers to a directory that does not require deployment of decoy files. For example, the exclusion directory may be a directory that does not affect the business.
Referring to the schematic diagram of the configuration interface shown in fig. 3, the configuration interface 300 includes a plurality of parameter configuration controls, each for configuring a different detection parameter. Specifically, the detection mode configuration control 302 in the configuration interface 300 is used for configuring the lux virus detection mode; the detection mode configuration control 302 may include two selection controls, where selecting the control corresponding to "yes" enables the detection mode based on bait files (specifically, bait files generated according to the application or the system catalog), and selecting the control corresponding to "no" disables that detection mode.
The exclusion directory configuration control 304 in the configuration interface 300 is used to configure the exclusion directory. Specifically, the exclusion directory configuration control 304 may be a text box in which the user directly enters the exclusion directory. The file type configuration control 306 in the configuration interface 300 is used to configure the target file types for generating bait files, and the keyword configuration control 308 is used to configure the target keywords for generating bait files. The target keywords may include dates, or keywords representing functions, such as "report". Like the exclusion directory configuration control 304, the file type configuration control 306 and the keyword configuration control 308 may also be text boxes, in which the user configures the corresponding detection parameter by entering a target file type or a target keyword.
S204: the detection system 100 receives detection parameters configured by the user through the configuration interface.
Specifically, after the user has configured the detection parameters through the configuration interface, the user may trigger a submit operation, and the terminal 20 may send the detection parameters to the detection system 100 in response to that submit operation, so that the detection system 100 receives the detection parameters sent by the terminal.
Still with reference to fig. 3, the user may trigger the submit operation by clicking the determine control 307. Accordingly, the detection system 100 receives the detection parameters submitted by the terminal 20 in response to the user-triggered submit operation. In some embodiments, the user may instead trigger the cancel control 309 to cancel the configuration of the detection parameters.
Further, the detection system 100 may initiate a bait detection task based on the received detection parameters. For example, the detection parameters may include initiating a bait-based detection mode, and the detection system 100 may initiate a bait detection task and then perform S206 and/or S212 to generate a bait file from an application or system catalog, and then perform a lux virus detection from the bait file.
It should be noted that S202 to S204 are optional steps in the embodiments of the present application; the method for detecting the lux virus may be performed without them. For example, the detection system 100 may also directly generate the bait file according to the access information of the application and/or the system directory.
S206: the detection system 100 obtains access information for the application.
The application may generate at least one process at runtime. The detection system 100 may monitor the running process, specifically, the access behavior of the process, so as to obtain the access information of the application. The access behavior may include a behavior to read data and/or write data.
The detection system 100 may traverse the running process, identify the application according to the command line of the process, the path of the file corresponding to the process, and the configuration file related to the process, and then monitor the file directory, the file type, the file size, the file name, and the like accessed by the process, to obtain the access information of the application. The access information of the application may include attributes of a file accessed by the application, for example, the access information of the application may include one or more of a file directory, a file type, a file size, and a file name accessed by the application.
S208: the detection system 100 generates a bait directory based on the access information of the application.
The access information of the application includes a file directory accessed by the application, which may be, for example, a service file directory and/or a data file directory, and the detection system 100 may generate the decoy directory according to the file directory accessed by the application. For example, the decoy directory may be at least one directory under a file directory accessed by the application. The bait directory is used for storing bait files.
Because the bait directory is located under a file directory accessed by the application, from the perspective of the lux virus it is easily confused with the service file directory or data file directory accessed by the application, which prevents the lux virus from bypassing the bait directory and the bait files stored in it and encrypting the real service/data files.
It should be noted that the method for detecting the lux virus according to the embodiment of the present application may omit S208, that is, the detection system 100 need not additionally generate a bait directory to store the bait file. For example, the detection system 100 may use an existing directory for storing bait files.
S208: the detection system 100 generates a bait file from the access information of the application.
The access information of the application includes the file types accessed by the application. The detection system 100 may generate decoy files based on those file types; where the application accesses multiple file types, it may generate multiple decoy files, each with the same file type as one the application accesses. In this way, the lux virus is prevented from bypassing decoy files by skipping a fixed file type.
Further, the detection system 100 may generate a plurality of decoy files of different file sizes when generating the decoy file. For example, the detection system 100 may randomly generate a plurality of decoy files of different file sizes, or the detection system 100 may generate a plurality of decoy files of different file sizes based on the file sizes accessed by the application. In this way, the lux virus can be prevented from bypassing fixed file size bait files.
In some possible implementations, the detection system 100 may also determine a file name keyword commonly used by the application based on the file names accessed by the application, and then generate the name of the decoy file based on that keyword. Further, where the detection parameters include a target keyword, the detection system 100 may also determine the name of the decoy file in conjunction with the target keyword. Similarly, where the detection parameters include a target file type, the detection system 100 may generate decoy files in conjunction with the target file type. For example, the detection system 100 may randomly select a number of file types from the intersection of the file types accessed by the application and the target file types, and generate decoy files of those types.
The following description is made in connection with a specific example. In this example, the application is a MySQL application, and the detection system 100 may generate decoy files whose extensions are log, frm, myd, myi and ibd, the file types associated with the MySQL application, where the decoy files of each type differ in file size. For data files (files with extensions myd and ibd) the detection system 100 may generate decoy files with file sizes of 1MB and 5MB, and for the other types it may generate decoy files with file sizes of 64KB and 128KB. The detection system 100 may also name these decoy files according to the file name keywords commonly used by the application.
In this embodiment, by generating decoy files that match the specific application, file type, file size and file name, the detection system 100 prevents the lux virus from bypassing the decoy files and encrypting the application's service/data files first, which would affect service operation.
In some possible implementations, the detection system 100 may also generate decoy files based on the file content accessed by the application, thereby preventing the lux virus from bypassing the decoy files based on their content and encrypting the application's service/data files first.
S210: the detection system 100 obtains a system catalog.
The system directory refers to a directory of a file system. The system catalog may be represented in a tree structure. Different computing devices may employ different file systems and, accordingly, system directories may be different. The present embodiment is illustrated with a Linux system catalog.
Referring to the schematic structure of the system directory shown in fig. 4, the system directory includes directories such as bin, boot, dev, etc, home, root, run, sbin, tmp, usr and var. bin is an abbreviation of Binaries; this directory holds the most frequently used commands. boot stores the core files used when Linux starts, including some link files and image files. dev is an abbreviation of Device; Linux external devices are stored under this directory, and in Linux a device is accessed in the same way as a file. etc is an abbreviation of Etcetera; it stores all configuration files and subdirectories required for system management. home is the users' home directory; in Linux each user has a directory of their own, typically named after the user's account, such as alice, bob and eve in the figure. root is the home directory of the system administrator (also called the superuser). sbin is an abbreviation of Superuser Binaries; it stores the management programs used by the system administrator. tmp is an abbreviation of Temporary; this directory stores temporary files. usr is an abbreviation of Unix Shared Resources; it stores applications and files, similar to the Program Files directory under Windows. The usr directory in turn contains bin, sbin and src directories, where bin stores application programs used by ordinary users, sbin stores higher-level management programs and system daemons used by the superuser, and src stores kernel source code. var is an abbreviation of Variable; this directory holds things that keep growing, such as the various log files. run is a temporary file system that stores information since the system was started; when the system is restarted, the files under this directory should be deleted or cleared.
The detection system 100 may obtain the system catalog by traversing the file system. In some possible implementations, the file system may support different traversal modes, for example one or more of a forward-order traversal, a reverse-order traversal, or the default traversal of the system disk. The detection system 100 may traverse the file system in one or more of these traversal modes to obtain the system catalog.
S212: the detection system 100 generates a bait directory from the system directory.
The bait directory is a directory for storing bait files. The detection system 100 may generate a bait directory under the system directory.
It should be noted that the method for detecting the lux virus according to the embodiment of the present application may omit S212, that is, the detection system 100 need not additionally generate a bait directory to store the bait file. For example, the detection system 100 may use an existing directory for storing bait files.
When the detection system 100 generates bait directories, at least one bait directory may be generated; for example, the detection system 100 may generate at least one of a first bait directory, a second bait directory, and a third bait directory. The name of the first bait directory includes a first prefix such that the first bait directory is accessed first in a forward-order traversal. The name of the second bait directory includes a second prefix such that the second bait directory is accessed first in a reverse-order traversal. The name of the third bait directory includes a third prefix such that the third bait directory is accessed first in the default traversal of the system disk.
In some embodiments, the first prefix may be a character that sorts first among the printable characters, such as "!" or "+", so that the first bait directory is accessed first in a forward-order traversal; the second prefix may be a character that sorts last among the printable characters, such as "-", so that the second bait directory is accessed first in a reverse-order traversal; the third prefix may be a character denoting a hidden directory, such as ".", so that the third bait directory is accessed first in the default traversal of the system disk.
The detection system 100 may generate at least one of the first, second and third bait directories by performing S208 and/or S212. When the file system supports forward-order traversal, the detection system 100 can generate the first bait directory by performing S208 and/or S212. Similarly, when the file system supports reverse-order traversal, the detection system 100 can generate the second bait directory by performing S208 and/or S212. When the file system supports the default traversal mode of the system disk, the detection system 100 may generate the third bait directory by performing S208 and/or S212.
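As an added illustration of the prefix scheme in S212 (example code written for this page, not the patent's own implementation): the three bait directory names are derived from one base name, created under the parent directories left after applying the exclusion directory, and a sorted listing shows which entry a forward-order or reverse-order traversal reaches first. The prefix characters, the sibling directory names and the base name are assumptions. The reverse prefix uses "~" rather than the "-" mentioned above, because "-" (0x2D) sorts before letters in ASCII order and so would not be reached first in a descending listing. The default system-disk traversal order is not specified by the text, so the example only checks that the third directory is hidden.

```python
import os
import tempfile

# Prefix characters (assumed for this example). '!' is 0x21, the first printable
# ASCII character after space, so an ascending (forward-order) listing reaches it
# first. '~' is 0x7E, the last printable ASCII character, so a descending
# (reverse-order) listing reaches it first. '.' marks a hidden entry on Linux.
FORWARD_PREFIX, REVERSE_PREFIX, HIDDEN_PREFIX = "!", "~", "."


def bait_directory_names(base="backup"):
    """Names of the first, second and third bait directories derived from one base name."""
    return {
        "forward": FORWARD_PREFIX + base,
        "reverse": REVERSE_PREFIX + base,
        "hidden": HIDDEN_PREFIX + base,
    }


def choose_parents(accessed_dirs, exclusion_dirs):
    """Keep only the accessed directories that are not inside an exclusion directory."""
    excluded = [os.path.normpath(e) for e in exclusion_dirs]
    keep = []
    for d in accessed_dirs:
        nd = os.path.normpath(d)
        if not any(nd == e or nd.startswith(e + os.sep) for e in excluded):
            keep.append(nd)
    return keep


def create_bait_directories(parent, base="backup"):
    """Create the three bait directories under parent; returns their paths keyed by role."""
    paths = {}
    for role, name in bait_directory_names(base).items():
        path = os.path.join(parent, name)
        os.makedirs(path, exist_ok=True)
        paths[role] = path
    return paths


def first_visited(parent, order):
    """Entry a traversal reaches first under parent for 'forward' (ascending) or
    'reverse' (descending) name order. os.listdir order is unspecified, so we sort."""
    entries = sorted(os.listdir(parent), reverse=(order == "reverse"))
    return entries[0]


def hidden_entries(parent):
    """Entries under parent that carry the hidden-directory prefix."""
    return sorted(e for e in os.listdir(parent) if e.startswith(HIDDEN_PREFIX))


def demo():
    """Constructed tree: ordinary sibling directories plus the three bait directories."""
    parent = tempfile.mkdtemp()
    for sibling in ("0tmp", "Archive", "data", "logs", "zz_old"):
        os.makedirs(os.path.join(parent, sibling))
    create_bait_directories(parent)
    return parent


if __name__ == "__main__":
    parent = demo()
    print("forward traversal reaches:", first_visited(parent, "forward"))
    print("reverse traversal reaches:", first_visited(parent, "reverse"))
    print("hidden bait directories:", hidden_entries(parent))
```

`choose_parents` applies the exclusion directory from the configuration interface before any bait directory is created, so a directory such as a cache that does not affect the business receives no decoys.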
S214: the detection system 100 generates a plurality of decoy files under the system catalog according to the detection parameters.
Specifically, the detection parameters include a target file type, and the detection system 100 may randomly select a plurality of file types from the target file types, and generate a plurality of decoy files under the system directory, where the file types of the decoy files are consistent with the selected file types. Where the detection parameters include a file size range, the detection system 100 may randomly generate decoy files of different file sizes according to the file size range.
In some possible implementations, the detection system 100 may also randomly select multiple file types directly from the file types commonly encrypted by the lux virus. Specifically, when selecting file types, as shown in table 1, the detection system 100 may randomly select a portion of each major class of files (including databases, text/documents, compressed files, videos, pictures, source code files, virtualization/container files, backup files, and so on) as the extensions of decoy files, and then randomly generate decoy files of different file sizes. The names of the bait files may be randomly generated.
Table 1 common file types (the table is provided as an image in the original and is not reproduced here)
In other possible implementations, the detection system 100 may randomly select a number of file types from the target file types, generate a partial decoy file, randomly select a number of file types from the common file types, and generate another partial decoy file. The names of the partial decoy files may be randomly generated, and the names of the remaining decoy files may be selectively generated from the target keywords.
In this way, a full-disk traversal by the lux virus that targets only specific file types or checks file sizes cannot bypass the decoy files, so the decoy files are encrypted by the lux virus first and the lux virus is detected early.
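The following added example (not code from the patent) shows both generation strategies above in Python: planning decoys from an application's access information as in S206/S208, using the MySQL size schedule from the text (1MB and 5MB for myd/ibd, 64KB and 128KB for the other types) and the application's common file name keyword, and the S214-style random selection of types and sizes. The sample access information, the file names, the filler content and the keyword-extraction rule are constructed assumptions.

```python
import os
import random
import tempfile
from collections import Counter

# Constructed sample access information for a MySQL-style application: the directory,
# file types and file names the monitoring step would observe (hypothetical values).
SAMPLE_ACCESS_INFO = {
    "directories": ["/var/lib/mysql/shop"],
    "file_types": ["log", "frm", "myd", "myi", "ibd"],
    "file_names": [
        "orders_report_2021.ibd", "orders_2021.myd", "report_index.myi",
        "customers.frm", "mysql-error.log",
    ],
}

# Size schedule from the text: data files get 1 MB and 5 MB decoys, other types 64 KB and 128 KB.
DATA_TYPES = {"myd", "ibd"}
DATA_SIZES = [1 * 1024 * 1024, 5 * 1024 * 1024]
OTHER_SIZES = [64 * 1024, 128 * 1024]

# Low-entropy filler so a decoy looks like ordinary data, not an already-encrypted blob.
FILLER = b"INSERT INTO orders VALUES (1, 'pending', 19.99);\n"


def common_name_keyword(file_names):
    """Most frequent non-numeric token in the application's file names (assumed rule)."""
    tokens = Counter()
    for name in file_names:
        stem = os.path.splitext(name)[0]
        for tok in stem.replace("-", "_").split("_"):
            if tok and not tok.isdigit():
                tokens[tok] += 1
    return tokens.most_common(1)[0][0] if tokens else "data"


def plan_decoys(access_info, target_types=None, target_keyword=None, rng=None):
    """Plan (file name, size) pairs: one decoy per accessed type and size in the schedule.

    target_types / target_keyword are the optional detection parameters from the
    configuration interface: only the intersection of accessed and target types is
    used, and the target keyword is appended to the name keyword.
    """
    rng = rng or random.Random()
    types = list(access_info["file_types"])
    if target_types:
        types = [t for t in types if t in set(target_types)]
    keyword = common_name_keyword(access_info["file_names"])
    if target_keyword:
        keyword = f"{keyword}_{target_keyword}"
    plan = []
    for ext in types:
        for size in (DATA_SIZES if ext in DATA_TYPES else OTHER_SIZES):
            plan.append((f"{keyword}_{rng.randint(1000, 9999)}.{ext}", size))
    return plan


def plan_random_decoys(candidate_types, count, size_range, rng=None):
    """S214-style plan: random types from a candidate list, random sizes, random names."""
    rng = rng or random.Random()
    chosen = rng.sample(list(candidate_types), k=min(count, len(candidate_types)))
    lo, hi = size_range
    return [(f"{rng.getrandbits(32):08x}.{ext}", rng.randint(lo, hi)) for ext in chosen]


def write_decoys(plan, bait_dir):
    """Create the planned files with exactly the planned sizes; returns {path: size on disk}."""
    os.makedirs(bait_dir, exist_ok=True)
    written = {}
    for name, size in plan:
        path = os.path.join(bait_dir, name)
        with open(path, "wb") as fh:
            fh.write((FILLER * (size // len(FILLER) + 1))[:size])
        written[path] = os.path.getsize(path)
    return written


def deploy_sample(access_info=SAMPLE_ACCESS_INFO, target_types=None):
    """Plan and write decoys into a fresh temporary bait directory; returns (plan, written)."""
    plan = plan_decoys(access_info, target_types=target_types)
    bait_dir = os.path.join(tempfile.mkdtemp(), ".backup")  # stand-in bait directory
    return plan, write_decoys(plan, bait_dir)


if __name__ == "__main__":
    plan, written = deploy_sample()
    for path, size in written.items():
        print(size, path)
    print(plan_random_decoys(["docx", "xlsx", "pdf", "jpg", "sql"], 3, (64 * 1024, 128 * 1024)))
```

The two planners can be combined as the text describes for S214: part of the decoy set from the target file types named with the target keyword, and the rest from the common types with random names.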
S216: the detection system 100 detects access behaviors to the decoy file and obtains attribute changes of the decoy file before and after the access behaviors.
Wherein the access behavior to the decoy file comprises a behavior of reading data and/or writing data. When the detection system 100 detects a read and/or write behavior of a process on a decoy file, the change in the attribute of the decoy file before and after the access behavior may be obtained.
Wherein the attributes of the decoy file include one or more of hash, file size, entropy, file type of the decoy file. The detection system 100 may obtain one or more of a hash, a file size, an entropy value, a file type of the decoy file before and after the access action. The detection system 100 may then determine a hash change of the bait file before and after the access activity based on the hashes of the bait file before and after the access activity. Similarly, the detection system 100 may determine file size changes, entropy changes, file type changes based on the file size, file type, entropy values of the decoy file before and after the access activity.
S218: the detection system 100 determines the lux virus based on the change in the attribute.
The detection system 100 may compare the attribute change with a preset condition, and when the attribute change meets the preset condition, the detection system 100 may determine that a suspicious lux encryption behavior exists, and the detection system 100 may identify a process implementing the access behavior as a lux process, and determine a file corresponding to the process (specifically, a file that generates the process when executed) as a lux virus.
Wherein the preset condition may be set according to an empirical value. For quantifiable attributes, such as file size and entropy, attribute changes may be compared by differences or change ratios, and accordingly, preset conditions may be set such that differences reach preset values or change ratios reach preset ratios. For example, the preset condition may be set such that the file size changes by up to 5MB. For properties that cannot be quantified, such as file types, the preset condition may be for the property to change from one property value to another. For example, the preset condition may be that the file type is changed from doc to exe.
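An added example (not the patent's code) of S216 and S218: snapshot the decoy's hash, size, entropy and type before and after an access, compute the changes, and apply preset conditions. The 5MB size change and the doc-to-exe type change are the text's own examples; the entropy threshold, the magic-byte table and the decoy content are assumptions. The write that stands in for the lux process overwrites the decoy with uniformly distributed bytes, which is what encrypted output looks like to an entropy measure.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Small magic-byte table for a coarse file-type check (constructed; a real deployment
# would use a proper type identifier such as libmagic).
MAGIC = [(b"MZ", "exe"), (b"\x7fELF", "elf"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip")]

# Preset conditions. The 5 MB size change and the doc->exe type change are the text's
# own examples; the entropy threshold is an assumed empirical value.
PRESET = {
    "size_delta_bytes": 5 * 1024 * 1024,
    "entropy_delta_bits": 1.0,
    "type_changes": {("doc", "exe")},
}


def shannon_entropy(data):
    """Bits per byte: near 0 for constant data, close to 8 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sniff_type(data, path):
    """Type by magic bytes first, falling back to the file extension."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return os.path.splitext(path)[1].lstrip(".").lower() or "unknown"


def file_attributes(path):
    """Snapshot of the decoy's hash, size, entropy and type (taken before and after an access)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "hash": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "entropy": shannon_entropy(data),
        "type": sniff_type(data, path),
    }


def attribute_changes(before, after):
    """Differences between two snapshots, in the form the preset conditions are written for."""
    return {
        "hash_changed": before["hash"] != after["hash"],
        "size_delta": after["size"] - before["size"],
        "entropy_delta": after["entropy"] - before["entropy"],
        "type_change": None if before["type"] == after["type"]
        else (before["type"], after["type"]),
    }


def is_ransom_encryption(changes, preset=PRESET):
    """Apply the preset conditions; a hash change alone is not enough (ordinary edits do that)."""
    if abs(changes["size_delta"]) >= preset["size_delta_bytes"]:
        return True
    if changes["entropy_delta"] >= preset["entropy_delta_bits"]:
        return True
    if changes["type_change"] in preset["type_changes"]:
        return True
    return False


def make_decoy(directory=None, name="orders_report.doc", repeats=400):
    """Write a low-entropy, document-like decoy (constructed content) and return its path."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(b"Quarterly orders report - draft\n" * repeats)
    return path


def overwrite(path, data):
    """Stand-in for the write access a process performs on the decoy."""
    with open(path, "wb") as fh:
        fh.write(data)


if __name__ == "__main__":
    path = make_decoy()
    before = file_attributes(path)
    overwrite(path, os.urandom(before["size"]))  # encrypted-looking content, same size
    changes = attribute_changes(before, file_attributes(path))
    print(changes, "-> lux encryption:", is_ransom_encryption(changes))
```

Because the decoy content is deliberately low-entropy, in-place encryption raises the entropy by several bits per byte, well above the assumed 1-bit threshold, while an appended line changes the hash and size only slightly and is not flagged.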
In some possible implementations, the detection system 100 may also present alert information to the user after the lux virus is identified. The alarm information may include one or more of an identifier of a lux process, a path of the lux virus, a hash of the lux virus, a command line of the lux virus, an access path of the lux process, and an access action of the lux process, where the lux process is a process corresponding to the lux virus.
Further, the detection system 100 may stop the process of the lux virus after identifying the lux virus, and block the lux virus. The detection system 100 may automatically stop the lux process after identifying the lux virus, and block the lux virus, or present the alarm information to the user, and confirm the alarm information by the user, and then stop the lux process after obtaining the authorization or permission of the user, and block the lux virus.
In view of the fact that the decoy directory and decoy files may be deleted by a user, for example when the user cleans up service/data files, the detection system 100 may also monitor the decoy files and restore a decoy file when it is modified or deleted by mistake. The detection system 100 may periodically monitor the decoy files; when a decoy file is modified or deleted but the corresponding application has not been uninstalled, the decoy file was probably modified or deleted by mistake, and the detection system 100 may restore it from memory. In some embodiments, when a decoy file is modified or deleted but the detection system 100 did not generate corresponding alarm information, the decoy file was most likely modified or deleted by mistake as well, and the detection system 100 may restore the deleted or modified decoy file from memory.
In some possible implementations, the detection system 100 may also monitor changes to the application or changes to the system catalog, and then update the decoy file based on the changes to the application or changes to the system catalog. In particular, the detection system 100 may periodically monitor the running process and identify the process, and if a new application is found, the detection system 100 may create a new bait file based on the access information of the new application, optionally the detection system 100 may also create a new bait directory based on the access information of the new application. If an application is found to be uninstalled and the corresponding decoy file still exists, the detection system 100 may delete the corresponding decoy file. Optionally, in the event that the application is uninstalled, the bait directory also exists, and the detection system 100 may delete the corresponding bait directory. Similarly, the detection system 100 may also create new bait directories/bait files or delete existing bait directories/bait files based on system directory changes.
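An added example (not the patent's code) of the upkeep described in the last two paragraphs: a registry keeps each application's decoys with their original bytes and the set of decoys already covered by an alarm; a periodic reconcile pass removes the decoys of uninstalled applications and restores decoys that were changed or deleted without an alarm, treating those as mistakes. The application names, paths and decoy contents are constructed.

```python
import os
import tempfile


class DecoyRegistry:
    """Deployed decoys per application with their original content, plus the decoys for
    which an alarm has already been raised (constructed example state)."""

    def __init__(self):
        self.decoys = {}    # application name -> {path: original bytes}
        self.alarmed = set()

    def deploy(self, app, path, content):
        """Write a decoy for app and remember its content so it can be restored later."""
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        self.decoys.setdefault(app, {})[path] = content

    def raise_alarm(self, path):
        """Called by the detection step when a decoy change matched a preset condition."""
        self.alarmed.add(path)

    def reconcile(self, installed_apps):
        """One periodic sweep: remove decoys of uninstalled apps and restore decoys that were
        modified or deleted without an alarm (treated as operator mistakes)."""
        report = {"restored": [], "removed": []}
        for app in list(self.decoys):
            if app not in installed_apps:
                for path in self.decoys.pop(app):
                    if os.path.exists(path):
                        os.remove(path)
                        report["removed"].append(path)
                continue
            for path, original in self.decoys[app].items():
                if path in self.alarmed:
                    continue  # tampering already attributed to a lux process: keep the evidence
                intact = False
                if os.path.exists(path):
                    with open(path, "rb") as fh:
                        intact = fh.read() == original
                if not intact:
                    with open(path, "wb") as fh:
                        fh.write(original)
                    report["restored"].append(path)
        return report


def wipe(path):
    """Stand-in for an operator deleting the decoy by mistake."""
    os.remove(path)


def overwrite(path, data):
    """Stand-in for a process writing to the decoy."""
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: two applications with one decoy each."""
    root = tempfile.mkdtemp()
    reg = DecoyRegistry()
    mysql_decoy = os.path.join(root, "mysql", "orders_4711.ibd")
    redis_decoy = os.path.join(root, "redis", "dump_4711.rdb")
    reg.deploy("mysql", mysql_decoy, b"decoy-mysql")
    reg.deploy("redis", redis_decoy, b"decoy-redis")
    return reg, mysql_decoy, redis_decoy


if __name__ == "__main__":
    reg, mysql_decoy, redis_decoy = demo()
    wipe(mysql_decoy)
    print(reg.reconcile({"mysql", "redis"}))   # restores the mysql decoy
    print(reg.reconcile({"mysql"}))            # redis uninstalled: its decoy is removed
```

A restore is skipped for decoys that already triggered an alarm, so the evidence of the access that matched a preset condition is preserved until the alarm has been handled.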
Further, upon detecting a change in the application or the system catalog, the detection system 100 may present an update interface to the user according to that change, and then update the decoy file according to the update operation triggered by the user through the update interface.
Referring to the schematic diagrams of the update interface shown in fig. 5A and 5B, the update interface 500 presents the change information detected by the detection system 100, such as a change in an application or a change in the system catalog. This embodiment is illustrated with updating the bait file based on changes in the application. The update interface 500 shown in fig. 5A presents information about a newly added application when the detection system 100 detects one, for example the access information 502 of the newly added application; the update interface 500 shown in fig. 5B presents information 504 about an uninstalled application, for example its name, when the detection system 100 detects that an application has been uninstalled.
The update interface 500 also displays a prompt 506 for prompting the newly added application or the application to be uninstalled, and the user may trigger an update control 508 to trigger an operation of updating the bait file. Wherein, when the update control 508 is triggered in the update interface 500 shown in fig. 5A, the detection system 100 may generate a new decoy file, and when the update control 508 is triggered in the update interface 500 shown in fig. 5B, the detection system 100 may delete the decoy file corresponding to the uninstalled application.
Further, the update interface 500 also includes a cancel control 509, and when the cancel control 509 is triggered, the detection system 100 can cancel updating the bait file.
Based on the above description, the embodiments of the present application provide a method for detecting a lux virus. In the method, the detection system 100 generates, according to the application or the system catalog, decoy files that closely resemble the real service/data files, so that the lux virus cannot skip the decoy files on the basis of a fixed file size, file type, file name or deployment location and go on to encrypt the application's service/data files. The abnormal behavior of the lux virus encrypting files can thus be discovered effectively and in time, so that the lux virus is blocked promptly and the damage it causes is reduced.
In addition, by generating bait directories with specific prefixes, the method ensures that the bait directories and the bait files in them are accessed first in different traversal scenarios, which avoids the lux virus detection method failing because the lux virus accesses the service/data files first.
The method for detecting the lux virus according to the embodiments of the present application is described in detail above with reference to fig. 1 to 5B, and the system 100 according to the embodiments of the present application will be described below with reference to the accompanying drawings.
Referring to the schematic structure of the lux virus detection system 100 shown in FIG. 6, the system 100 comprises:
A decoy file management module 102 for generating a decoy file according to an application or system directory;
the bait access behavior detection module 104 is configured to detect an access behavior to the bait file, and obtain an attribute change of the bait file before and after the access behavior;
the bait access behavior detection module 104 is further configured to determine the lux virus according to the attribute change.
In some possible implementations, the system 100 further includes:
and the security response module 106 is configured to present alarm information to the user, where the alarm information includes one or more of an identifier of a lux process, a path of the lux virus, a hash of the lux virus, a command line of the lux virus, an access path of the lux process, and an access behavior of the lux process, and the lux process is a process corresponding to the lux virus.
In some possible implementations, the system 100 further includes:
and the security response module 106 is configured to stop the lux process and block the lux virus, where the lux process is the process corresponding to the lux virus.
In some possible implementations, the bait file management module 102 is further configured to:
Updating the decoy file according to the change of the application or the change of the system catalog.
The system 100 may further include an application monitoring module 103, where the application monitoring module 103 is configured to monitor changes of an application. When the application monitoring module 103 detects an application change, such as detecting a new application or when the application is uninstalled, the change information may be reported to the bait file management module 102, so that the bait file management module 102 updates the bait file according to the change information.
In some possible implementations, the bait file management module 102 is specifically configured to:
presenting an update interface to a user according to the change of the application or the change of the system catalog;
and updating the bait file according to the updating operation triggered by the user through the updating interface.
In some possible implementations, the bait file management module 102 is specifically configured to:
and generating the decoy file according to the access information of the application.
In some possible implementations, the access information of the application includes a file type accessed by the application;
the bait file management module 102 is specifically configured to:
and generating the decoy file according to the file type accessed by the application, wherein the file type of the decoy file is the same as the file type accessed by the application.
In some possible implementations, the decoy file includes a plurality of files, and the plurality of files differ in file size.
In some possible implementations, the bait file management module 102 is further configured to:
and generating a bait catalog according to the access information of the application, wherein the bait catalog is the catalog of the bait file.
In some possible implementations, the access information of the application includes a file directory accessed by the application;
the bait file management module 102 is specifically configured to:
and generating a decoy catalog according to the file catalog accessed by the application.
In some possible implementations, the bait file management module 102 is specifically configured to:
and generating a plurality of decoy files under the system directory according to the randomly selected file types, wherein the decoy files are different in file size.
In some possible implementations, the system 100 further includes:
a bait detection configuration module 108, configured to present a configuration interface to the user, and receive detection parameters configured by the user through the configuration interface, where the detection parameters include a target file type;
the bait file management module 102 is specifically configured to:
And generating a plurality of decoy files under the system catalog according to the file types randomly selected from the target file types.
In some possible implementations, the detection parameters further include at least one of an exclusion directory, which is a directory in the system directory where no decoy file needs to be deployed, and a target keyword used to generate the name of the decoy file.
In some possible implementations, the bait file management module 102 is further configured to:
and generating a bait catalog according to the system catalog, wherein the bait catalog is the catalog of the bait file.
In some possible implementations, the bait directory includes at least one of a first bait directory, a second bait directory, and a third bait directory;
the name of the first bait directory includes a first prefix such that the first bait directory is preferentially accessed in a positive sequence traversal;
the name of the second bait directory includes a second prefix such that the second bait directory is preferentially accessed in an inverted sequence traversal;
the name of the third bait directory includes a third prefix such that the third bait directory is preferentially accessed at a default traversal of the system disk.
In some possible implementations, the bait access behavior detection module 104 is further configured to:
and monitoring the decoy file, and recovering the decoy file when the decoy file is modified or deleted by mistake.
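The bait directory naming and the decoy generation described in the implementations above, written out as an added Python example that is not the patent's own code. The prefixes ("!", "~", "."), the file type pool, the size range, the `<target_key>_backup` naming scheme and the layout of the scratch tree are this example's own assumptions; the default enumeration order of a real file system is not lexical, so the third prefix is only a placeholder.

```python
# Added example (not code from the patent): deploys bait directories and decoy
# files along the lines the description above sets out. The prefixes, the file
# type pool, the size range and the naming scheme are this example's own assumptions.
import random
import tempfile
from pathlib import Path

# ASCII sorts "!" before digits and letters and "~" after them, so a traversal
# that lists names in ascending order meets the first directory first, and one
# that lists in descending order meets the second first. The "default" order of
# a real file system (NTFS B-tree order, ext4 hash order) is not lexical; the
# third prefix is therefore only a placeholder assumption here.
FORWARD_PREFIX = "!"
REVERSE_PREFIX = "~"
DEFAULT_PREFIX = "."


def bait_dir_names(target_key: str) -> list[str]:
    """Three bait directory names derived from the user-supplied target key."""
    base = f"{target_key}_backup"
    return [FORWARD_PREFIX + base, REVERSE_PREFIX + base, DEFAULT_PREFIX + base]


def is_excluded(path: Path, exclusions: list[Path]) -> bool:
    """True when path is an exclusion directory or lies inside one."""
    return any(path == ex or ex in path.parents for ex in exclusions)


def deploy_decoys(system_dir, target_file_types, exclusions, target_key,
                  per_dir=3, rng=None) -> list[Path]:
    """Create bait directories under system_dir and under each of its immediate
    subdirectories (except exclusions); each holds per_dir decoy files whose
    types are drawn at random from target_file_types and whose sizes differ."""
    rng = rng or random.Random(0)          # fixed seed keeps the demo reproducible
    system_dir = Path(system_dir)
    exclusions = [Path(e) for e in exclusions]
    parents = [system_dir] + [d for d in system_dir.iterdir() if d.is_dir()]
    created = []
    for parent in parents:
        if is_excluded(parent, exclusions):
            continue
        for dirname in bait_dir_names(target_key):
            bait_dir = parent / dirname
            bait_dir.mkdir(parents=True, exist_ok=True)
            # sample() without replacement guarantees distinct sizes per directory
            sizes = rng.sample(range(1024, 65536, 1024), per_dir)
            for i, size in enumerate(sizes):
                ftype = rng.choice(target_file_types)
                decoy = bait_dir / f"{target_key}_{i}.{ftype}"
                decoy.write_bytes(rng.randbytes(size))   # filler bytes, no real data
                created.append(decoy)
    return created


def run_demo() -> dict:
    """Deploy into a scratch tree with one excluded directory and report the result."""
    root = Path(tempfile.mkdtemp(prefix="decoy_demo_"))
    (root / "Windows").mkdir()   # constructed: the excluded directory
    (root / "Users").mkdir()     # constructed: an ordinary directory
    created = deploy_decoys(root, ["docx", "pdf", "xlsx"], [root / "Windows"], "finance")
    root_listing = sorted(p.name for p in root.iterdir())
    per_dir_sizes = {}
    for p in created:
        per_dir_sizes.setdefault(p.parent, []).append(p.stat().st_size)
    return {
        "created": created,
        "windows_untouched": not any((root / "Windows").iterdir()),
        "first_forward": root_listing[0],
        "first_reverse": sorted(root_listing, reverse=True)[0],
        "sizes_distinct": all(len(s) == len(set(s)) for s in per_dir_sizes.values()),
        "subdir_excluded": is_excluded(root / "Windows" / "System32", [root / "Windows"]),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` creates two parents (the root and `Users`, with `Windows` skipped), three bait directories under each, and three decoys per bait directory; the root listing starts with `!finance_backup` in ascending order and with `~finance_backup` in descending order.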
The ransomware detection system 100 according to the embodiments of the present application may correspondingly perform the methods described in the embodiments of the present application; the above and other operations and/or functions of the respective modules/units of the ransomware detection system 100 implement the respective flows of the respective methods in the embodiment shown in fig. 2, and are not repeated here for brevity.
The embodiments of the present application also provide a computer cluster. The computer cluster includes at least one computer, which may be a server, for example. The computer cluster is specifically configured to implement the functions of the ransomware detection system 100 in the embodiment shown in fig. 6.
Fig. 7 provides a schematic diagram of a computer cluster. As shown in fig. 7, the computer cluster 70 includes a plurality of computers 700, and each computer 700 includes a bus 701, a processor 702, a communication interface 703, and a memory 704. The processor 702, the memory 704, and the communication interface 703 communicate via the bus 701.
The bus 701 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, among others. Buses may be divided into address buses, data buses, control buses, and so on. For ease of illustration, only one thick line is shown in fig. 7, which does not mean that there is only one bus or only one type of bus.
The processor 702 may be any one or more of a central processing unit (CPU), a graphics processing unit (GPU), a microprocessor (MP), or a digital signal processor (DSP).
The communication interface 703 is used for communication with the outside. For example, the communication interface 703 is used to receive detection parameters configured by the user through the configuration interface, to present alarm information to the user, and so on.
The memory 704 may include volatile memory, such as random access memory (RAM). The memory 704 may also include non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD), or a solid state drive (SSD).
The memory 704 stores computer readable instructions that are executed by the processor 702 to cause the computer cluster 70 to perform the ransomware detection methods described above (or to perform the functions of the ransomware detection system 100 described above).
Specifically, in the case of implementing the system embodiment shown in fig. 6, where the functions of the modules or units of the ransomware detection system 100 described in fig. 6 are implemented by software, the software or program code required to perform the functions of the respective modules or units in fig. 6 may be stored in at least one memory 704 in the computer cluster 70. The at least one processor 702 executes the program code stored in the memory 704 to cause the computer cluster 70 to perform the ransomware detection method described above.
The embodiments of the present application also provide a computer readable storage medium. The computer readable storage medium may be any usable medium that a computer can store, or a data storage device such as a data center that contains one or more usable media. The usable medium may be a magnetic medium (e.g., a floppy disk, a hard disk, or magnetic tape), an optical medium (e.g., a DVD), or a semiconductor medium (e.g., a solid state disk), among others. The computer readable storage medium includes instructions that instruct a computer or a computer cluster to perform the ransomware detection method described above.
The embodiments of the present application also provide a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described according to the embodiments of the present application are produced in whole or in part. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, or data center to another website, computer, or data center by wired means (e.g., coaxial cable, optical fiber, or digital subscriber line (DSL)) or wireless means (e.g., infrared, radio, or microwave). The computer program product may be a software installation package, which may be downloaded and executed on a computer or a computer cluster when any one of the ransomware detection methods described above needs to be used.
The descriptions of the processes or structures corresponding to the respective drawings each have their own emphasis; for any part of a process or structure that is not described in detail, refer to the descriptions of the other processes or structures.

Claims (35)

1. A method for detecting ransomware, the method comprising:
generating a decoy file according to an application or a system directory;
detecting an access behavior on the decoy file, and acquiring an attribute change of the decoy file before and after the access behavior;
and determining ransomware according to the attribute change.
2. The method according to claim 1, wherein the method further comprises:
presenting alarm information to a user, wherein the alarm information comprises one or more of an identifier of a ransomware process, a path of the ransomware, a hash of the ransomware, a command line of the ransomware, an access path of the ransomware process, and an access behavior of the ransomware process, and the ransomware process is a process corresponding to the ransomware.
3. The method according to claim 1 or 2, wherein the method further comprises:
stopping a ransomware process and blocking the ransomware, wherein the ransomware process is a process corresponding to the ransomware.
4. The method according to any one of claims 1 to 3, further comprising:
updating the decoy file according to a change of the application or a change of the system directory.
5. The method of claim 4, wherein updating the decoy file according to the change of the application or the change of the system directory comprises:
presenting an update interface to a user according to the change of the application or the change of the system directory;
and updating the decoy file according to an update operation triggered by the user through the update interface.
6. The method of any one of claims 1 to 5, wherein generating the decoy file according to the application comprises:
generating the decoy file according to access information of the application.
7. The method of claim 6, wherein the access information of the application comprises a file type accessed by the application;
and generating the decoy file according to the access information of the application comprises:
generating the decoy file according to the file type accessed by the application, wherein the file type of the decoy file is the same as the file type accessed by the application.
8. The method of claim 7, wherein the decoy file comprises a plurality of files, and the plurality of files differ in file size.
9. The method according to any one of claims 1 to 8, further comprising:
generating a bait directory according to the access information of the application, wherein the bait directory is the directory in which the decoy file is placed.
10. The method of claim 9, wherein the access information of the application comprises a file directory accessed by the application;
and generating the bait directory according to the access information of the application comprises:
generating the bait directory according to the file directory accessed by the application.
11. The method of any one of claims 1 to 5, wherein generating the decoy file according to the system directory comprises:
generating a plurality of decoy files under the system directory according to randomly selected file types, wherein the decoy files differ in file size.
12. The method of claim 11, wherein the method further comprises:
presenting a configuration interface to a user;
receiving detection parameters configured by the user through the configuration interface, wherein the detection parameters comprise a target file type;
and generating the plurality of decoy files under the system directory according to the randomly selected file types comprises:
generating the plurality of decoy files under the system directory according to file types randomly selected from the target file types.
13. The method of claim 12, wherein the detection parameters further comprise at least one of an exclusion directory and a target key, the exclusion directory being a directory within the system directory in which the decoy file need not be deployed, and the target key being used to generate a name of the decoy file.
14. The method according to any one of claims 11 to 13, further comprising:
generating a bait directory according to the system directory, wherein the bait directory is the directory in which the decoy file is placed.
15. The method of claim 9, 10 or 14, wherein the bait directory comprises at least one of a first bait directory, a second bait directory, and a third bait directory;
the name of the first bait directory comprises a first prefix so that the first bait directory is accessed first in a forward-order traversal;
the name of the second bait directory comprises a second prefix so that the second bait directory is accessed first in a reverse-order traversal;
and the name of the third bait directory comprises a third prefix so that the third bait directory is accessed first in the default traversal order of the system disk.
16. The method according to any one of claims 1 to 15, further comprising:
monitoring the decoy file, and restoring the decoy file when the decoy file is accidentally modified or deleted.
17. A ransomware detection system, the system comprising:
a bait file management module, configured to generate a decoy file according to an application or a system directory;
and a bait access behavior detection module, configured to detect an access behavior on the decoy file and acquire an attribute change of the decoy file before and after the access behavior;
wherein the bait access behavior detection module is further configured to determine ransomware according to the attribute change.
18. The system of claim 17, wherein the system further comprises:
a security response module, configured to present alarm information to a user, wherein the alarm information comprises one or more of an identifier of a ransomware process, a path of the ransomware, a hash of the ransomware, a command line of the ransomware, an access path of the ransomware process, and an access behavior of the ransomware process, and the ransomware process is a process corresponding to the ransomware.
19. The system according to claim 17 or 18, wherein the system further comprises:
a security response module, configured to stop a ransomware process and block the ransomware, wherein the ransomware process is a process corresponding to the ransomware.
20. The system of any one of claims 17 to 19, wherein the bait file management module is further configured to:
update the decoy file according to a change of the application or a change of the system directory.
21. The system of claim 20, wherein the bait file management module is specifically configured to:
present an update interface to a user according to the change of the application or the change of the system directory;
and update the decoy file according to an update operation triggered by the user through the update interface.
22. The system according to any one of claims 17 to 21, wherein the bait file management module is specifically configured to:
generate the decoy file according to access information of the application.
23. The system of claim 22, wherein the access information of the application comprises a file type accessed by the application;
and the bait file management module is specifically configured to:
generate the decoy file according to the file type accessed by the application, wherein the file type of the decoy file is the same as the file type accessed by the application.
24. The system of claim 23, wherein the decoy file comprises a plurality of files, and the plurality of files differ in file size.
25. The system of any one of claims 17 to 24, wherein the bait file management module is further configured to:
generate a bait directory according to the access information of the application, wherein the bait directory is the directory in which the decoy file is placed.
26. The system of claim 25, wherein the access information of the application comprises a file directory accessed by the application;
and the bait file management module is specifically configured to:
generate the bait directory according to the file directory accessed by the application.
27. The system according to any one of claims 17 to 21, wherein the bait file management module is specifically configured to:
generate a plurality of decoy files under the system directory according to randomly selected file types, wherein the decoy files differ in file size.
28. The system of claim 27, wherein the system further comprises:
a bait detection configuration module, configured to present a configuration interface to a user and receive detection parameters configured by the user through the configuration interface, wherein the detection parameters comprise a target file type;
and the bait file management module is specifically configured to:
generate the plurality of decoy files under the system directory according to file types randomly selected from the target file types.
29. The system of claim 28, wherein the detection parameters further comprise at least one of an exclusion directory and a target key, the exclusion directory being a directory within the system directory in which the decoy file need not be deployed, and the target key being used to generate a name of the decoy file.
30. The system of any one of claims 27 to 29, wherein the bait file management module is further configured to:
generate a bait directory according to the system directory, wherein the bait directory is the directory in which the decoy file is placed.
31. The system of claim 25, 26 or 30, wherein the bait directory comprises at least one of a first bait directory, a second bait directory, and a third bait directory;
the name of the first bait directory comprises a first prefix so that the first bait directory is accessed first in a forward-order traversal;
the name of the second bait directory comprises a second prefix so that the second bait directory is accessed first in a reverse-order traversal;
and the name of the third bait directory comprises a third prefix so that the third bait directory is accessed first in the default traversal order of the system disk.
32. The system of any one of claims 17 to 31, wherein the bait access behavior detection module is further configured to:
monitor the decoy file, and restore the decoy file when the decoy file is accidentally modified or deleted.
33. A computer cluster comprising at least one computer, the computer comprising a processor and a memory, the memory storing computer readable instructions that are executed by the processor to cause the computer cluster to perform the method of any one of claims 1 to 16.
34. A computer readable storage medium comprising computer readable instructions which, when run on a computer cluster, cause the computer cluster to perform the method of any one of claims 1 to 16.
35. A computer program product comprising computer readable instructions which, when run on a computer cluster, cause the computer cluster to perform the method of any one of claims 1 to 16.
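The detection step of claims 1 and 17 (attribute change of a decoy before and after an access, and the ransomware decision drawn from it) together with the decoy recovery of claims 16 and 32, as an added Python example that is not the patent's own code. The attribute set (size and SHA-256), the "any non-benign change counts" decision rule, the name-prefix heuristic for spotting a renamed decoy, and the simulated destructive accesses are this example's assumptions; a real deployment would be driven by a file-system event source (such as inotify or a minifilter) rather than by the explicit before/after comparison shown here.

```python
# Added example (not code from the patent): baseline the attributes of deployed
# decoy files, classify what an access did to them, decide from that change
# whether ransomware is at work, and restore the decoy from a pristine copy.
# The attribute set (size and SHA-256), the decision rule and the simulated
# destructive accesses are this example's own assumptions.
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Attrs:
    exists: bool
    size: int
    sha256: str


def attrs_of(path: Path) -> Attrs:
    """Snapshot of the attributes compared before and after an access."""
    if not path.is_file():
        return Attrs(False, 0, "")
    data = path.read_bytes()
    return Attrs(True, len(data), hashlib.sha256(data).hexdigest())


class DecoyMonitor:
    """Keeps a pristine copy and a baseline snapshot of every decoy."""

    def __init__(self, decoys, backup_dir):
        # In practice the pristine copies live outside the monitored tree.
        self.backup_dir = Path(backup_dir)
        self.backup_dir.mkdir(parents=True, exist_ok=True)
        self.baseline = {}
        for decoy in map(Path, decoys):
            shutil.copy2(decoy, self.backup_dir / decoy.name)   # assumes unique names
            self.baseline[decoy] = attrs_of(decoy)

    def _leftovers(self, decoy: Path) -> list[Path]:
        """Files such as report.docx.locked left where the decoy used to be."""
        return [p for p in decoy.parent.iterdir()
                if p != decoy and p.name.startswith(decoy.name + ".")]

    def classify(self, decoy: Path) -> str:
        """Compare the current attributes with the baseline taken at deployment."""
        before, after = self.baseline[decoy], attrs_of(decoy)
        if before == after:
            return "unchanged"
        if after.exists:
            return "modified"
        return "renamed" if self._leftovers(decoy) else "deleted"

    def is_ransomware(self, accessed) -> bool:
        """Decision rule (assumption): a decoy left modified, renamed or deleted
        after an access is taken as evidence of ransomware activity."""
        return any(self.classify(d) != "unchanged" for d in accessed)

    def restore(self, decoy: Path) -> None:
        """Remove any renamed leftover and put the pristine copy back in place."""
        for p in self._leftovers(decoy):
            p.unlink()
        shutil.copy2(self.backup_dir / decoy.name, decoy)


def run_demo() -> dict:
    """Three constructed decoys: one read and then overwritten, one renamed, one deleted."""
    root = Path(tempfile.mkdtemp(prefix="decoy_mon_"))
    decoys = []
    for i in range(3):
        p = root / f"report_{i}.docx"
        p.write_bytes(b"constructed decoy content %d" % i)
        decoys.append(p)
    monitor = DecoyMonitor(decoys, root / ".decoy_backup")

    decoys[0].read_bytes()                            # benign access: a plain read
    read_flagged = monitor.is_ransomware([decoys[0]])

    # Simulated destructive accesses (constructed; no cipher involved):
    decoys[0].write_bytes(os.urandom(32))             # contents overwritten in place
    (root / "report_1.docx.locked").write_bytes(os.urandom(64))
    decoys[1].unlink()                                # original replaced by a renamed file
    decoys[2].unlink()                                # simply deleted
    verdicts = [monitor.classify(d) for d in decoys]
    flagged = monitor.is_ransomware(decoys)

    for d in decoys:
        monitor.restore(d)
    after_restore = [monitor.classify(d) for d in decoys]
    return {
        "read_flagged": read_flagged,
        "verdicts": verdicts,
        "flagged": flagged,
        "after_restore": after_restore,
        "leftover_removed": not (root / "report_1.docx.locked").exists(),
    }


if __name__ == "__main__":
    print(run_demo())
```

A plain read leaves the baseline intact and is not flagged; the overwritten, renamed and deleted decoys classify as `modified`, `renamed` and `deleted`, the access set is flagged, and after `restore()` every decoy again matches its baseline with the renamed leftover gone.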
CN202111679456.1A 2021-12-31 2021-12-31 Lexovirus detection method and related system Pending CN116415240A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202111679456.1A CN116415240A (en) 2021-12-31 2021-12-31 Lexovirus detection method and related system
PCT/CN2022/107828 WO2023124041A1 (en) 2021-12-31 2022-07-26 Ransomware detection method and related system

Publications (1)

Publication Number Publication Date
CN116415240A true CN116415240A (en) 2023-07-11

Also Published As

Publication number Publication date
WO2023124041A1 (en) 2023-07-06

Legal Events

Date Code Title Description
PB01 Publication