CN116662075A - Data protection method, system, equipment and storage medium - Google Patents


Publication number
CN116662075A
Authority
CN
China
Prior art keywords: data, disk, backup, target host, behavior
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202310936971.6A
Other languages
Chinese (zh)
Other versions
CN116662075B (en)
Inventor
张勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Clerware Technology Co ltd
Original Assignee
Shenzhen Clerware Technology Co ltd
Application filed by Shenzhen Clerware Technology Co ltd
Priority to CN202310936971.6A
Publication of CN116662075A
Application granted
Publication of CN116662075B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14 Error detection or correction of the data by redundancy in operation
    • G06F11/1402 Saving, restoring, recovering or retrying
    • G06F11/1446 Point-in-time backing up or restoration of persistent data
    • G06F11/1448 Management of the data involved in backup or backup restore
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14 Error detection or correction of the data by redundancy in operation
    • G06F11/1402 Saving, restoring, recovering or retrying
    • G06F11/1446 Point-in-time backing up or restoration of persistent data
    • G06F11/1456 Hardware arrangements for backup
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/80 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in storage media based on magnetic or optical technology, e.g. disks with sectors
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention relates to the field of data processing, and discloses a data protection method, a system, equipment and a storage medium, wherein the method comprises the following steps: performing data encryption risk detection according to the process activity and/or file operation behavior of the target host; when the data encryption risk exists, capturing the disk data writing behavior of the target host in real time; and carrying out CDP backup based on the original disk data corresponding to the disk data writing behavior. Because the invention carries out data encryption risk detection according to the process activity and/or the file operation behavior of the target host, captures the disk data writing behavior of the target host in real time when the data encryption risk exists, and backs up the original disk data corresponding to the disk data writing behavior.

Description

Data protection method, system, equipment and storage medium
Technical Field
The present invention relates to the field of data processing, and in particular, to a data protection method, system, device, and storage medium.
Background
The rapid development of internet information technology has brought convenient and efficient office workflows and business models, but it has also brought security problems. Ransomware is software that encrypts user data with symmetric and/or asymmetric encryption algorithms. Ransomware encrypts user data in many different ways. The simplest and most common method is to read a file, encrypt the data that was read, write the encrypted data back into the source file, and finally rename the file with a special extension. In addition, the encrypted data can be BASE64-encoded before being written into the source file and renamed; the renaming can be done first and the encryption afterwards; the file can be mapped into virtual memory with mmap (Linux) or MapViewOfFile (Windows) and the mapped memory encrypted, which encrypts the file; only some key regions of the file may be encrypted, which is enough to make the file unusable; a separate file may be created as a marker or record without changing the name of the original file; the source file may be left unmodified and the encrypted data written into a new file; multiple files may even be encrypted into one file; and only randomly chosen parts of a file may be encrypted.
Because ransomware encrypts user data in so many ways, it is difficult to identify and intercept 100% of ransomware encryption of user data. Once identification and interception fail, important files can no longer be read and key data is damaged, and the attacker demands money from the user in exchange for decrypting the data, which greatly affects the user's normal work. The prior art can only keep the computer under CDP (continuous data protection) so that user data can be restored to its unencrypted state, so a backup storage area of equal or larger size has to be configured for each computer to store the data, which is costly.
Therefore, a data protection method is needed to reduce the investment cost of data recovery after a computer has been hit by ransomware.
Disclosure of Invention
The main purpose of the invention is to provide a data protection method, system, equipment and storage medium that solve the technical problem of how to reduce the investment cost of data recovery after a computer has been hit by ransomware.
To achieve the above object, the present invention provides a data protection method, including the steps of:
performing data encryption risk detection according to the process activity and/or file operation behavior of the target host;
capturing the disk data writing behavior of the target host in real time when the target host has a data encryption risk;
and carrying out CDP backup based on the original disk data corresponding to the disk data writing behavior.
Optionally, the step of performing CDP backup on the original disk data corresponding to the disk data writing behavior includes:
obtaining the write offset, the data write length and the write operation occurrence time of the disk according to the disk data write behavior;
acquiring original disk data corresponding to the disk before the disk writing action according to the writing offset and the data writing length;
and carrying out CDP backup on the write operation occurrence time and the original disk data.
Optionally, after the step of performing CDP backup on the original disk data corresponding to the disk data writing behavior, the method further includes:
determining data encryption occurrence time when the data of the target host is encrypted;
acquiring backup data from the data encryption occurrence time to a final backup time according to the data encryption occurrence time;
and carrying out data recovery on the target host based on the backup data.
Optionally, the step of determining the data encryption occurrence time when the data of the target host is encrypted includes:
scanning an encrypted file on the target host when the data of the target host is encrypted;
acquiring the last modification time of each encrypted file;
and comparing the last modification time to determine the data encryption occurrence time.
Optionally, the step of recovering data from the target host based on the backup data includes:
sequentially determining backup data with the latest occurrence time of the writing operation;
and carrying out data recovery on the target host according to the backup data with the latest occurrence time of the writing operation.
Optionally, before the step of recovering the data of the target host based on the backup data, the method further includes:
sequentially analyzing the backup data to obtain first backup data with a disk offset overlapping area;
selecting second backup data with earliest disk writing time from the first backup data;
and taking the second backup data and the backup data without the disk offset overlapping area as new backup data.
Optionally, the step of performing data encryption risk detection according to the process activity and/or the file operation behavior of the target host includes:
counting file operation behaviors of all processes on the target host within preset time;
judging whether the file operation behavior is greater than a preset threshold value or not;
and if the file operation behavior is greater than a preset threshold, performing risk detection on the process activity corresponding to the file operation behavior.
In addition, to achieve the above object, the present invention also proposes a data protection system, the system comprising:
the risk detection module is used for carrying out data encryption risk detection according to the process activity and/or the file operation behavior of the target host;
the write-in monitoring module is used for capturing the disk data write-in behavior of the target host in real time when the target host has data encryption risk;
and the real-time backup module is used for carrying out CDP backup on the basis of the original disk data corresponding to the disk data writing behavior.
In addition, to achieve the above object, the present invention also proposes a data protection device, the device comprising: a memory, a processor and a data protection program stored on the memory and executable on the processor, the data protection program configured to implement the steps of the data protection method as described above.
In addition, in order to achieve the above object, the present invention also proposes a storage medium having stored thereon a data protection program which, when executed by a processor, implements the steps of the data protection method as described above.
According to the method, data encryption risk detection is carried out according to the process activity and/or file operation behavior of the target host; capturing the disk data writing behavior of the target host in real time when the target host has a data encryption risk; and carrying out CDP backup based on the original disk data corresponding to the disk data writing behavior. Because the invention carries out data encryption risk detection according to the process activity and/or the file operation behavior of the target host, then captures the disk data writing behavior of the target host in real time when the target host has data encryption risk, and then carries out CDP backup based on the original disk data corresponding to the disk data writing behavior.
Drawings
FIG. 1 is a schematic diagram of a data protection device of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart of a first embodiment of a data protection method according to the present invention;
FIG. 3 is a flowchart illustrating a data protection method according to a second embodiment of the present invention;
FIG. 4 is a flowchart of a third embodiment of a data protection method according to the present invention;
FIG. 5 is a block diagram of a first embodiment of the data protection system of the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Referring to fig. 1, fig. 1 is a schematic diagram of a data protection device structure of a hardware running environment according to an embodiment of the present invention.
As shown in fig. 1, the data protection apparatus may include: a processor 1001, such as a central processing unit (Central Processing Unit, CPU), a communication bus 1002, a user interface 1003, a network interface 1004, a memory 1005. Wherein the communication bus 1002 is used to enable connected communication between these components. The user interface 1003 may include a Display, an input unit such as a Keyboard (Keyboard), and the optional user interface 1003 may further include a standard wired interface, a wireless interface. The network interface 1004 may optionally include a standard wired interface, a Wireless interface (e.g., a Wireless-Fidelity (WI-FI) interface). The Memory 1005 may be a high-speed random access Memory (Random Access Memory, RAM) or a stable nonvolatile Memory (NVM), such as a disk Memory. The memory 1005 may also optionally be a storage device separate from the processor 1001 described above.
It will be appreciated by those skilled in the art that the structure shown in fig. 1 does not constitute a limitation of the data protection apparatus and may include more or fewer components than shown, or may combine certain components, or a different arrangement of components.
As shown in fig. 1, an operating system, a network communication module, a user interface module, and a data protection program may be included in the memory 1005 as one type of storage medium.
In the data protection device shown in fig. 1, the network interface 1004 is mainly used for data communication with a network server; the user interface 1003 is mainly used for data interaction with a user; the processor 1001 and the memory 1005 in the data protection apparatus of the present invention may be disposed in the data protection apparatus, and the data protection apparatus calls the data protection program stored in the memory 1005 through the processor 1001 and executes the data protection method provided by the embodiment of the present invention.
An embodiment of the present invention provides a data protection method, referring to fig. 2, fig. 2 is a schematic flow chart of a first embodiment of the data protection method of the present invention.
In this embodiment, the data protection method includes the following steps:
Step S10: performing data encryption risk detection according to the process activity and/or the file operation behavior of the target host.
It should be noted that, the execution body of the embodiment may be a computing service device having functions of data processing, network communication and program running, such as a server, a tablet computer, a personal computer, or an electronic device, a data protection device, or the like, which can implement the above functions. The present embodiment and the following embodiments will be described by taking a data protection device as an example.
It should be appreciated that although ransomware encrypts user data in many ways, in every case one of the following events occurs: a large batch of files is overwritten, a large batch of files is deleted, or a large batch of files is renamed. Only if one of these events occurs can the user's data have been encrypted.
It is understood that the target host may be an intelligent terminal device with data storage and network communication, such as a tablet computer, a personal computer, etc.
It should be understood that the operation actions of the files of the target host include opening the files, creating the files, modifying the files, reading the files, writing the files, deleting the files, etc., and the process activities of the target host include process start-up, new process, closing the processes, file operations, etc.
It should be noted that process activity, thread start-up, module loading, file operations and similar activity on the host can be monitored through process-creation, thread-creation and module-load callback techniques, file filter drivers and the like. On both Windows and Linux it is possible to monitor in real time the start and exit of processes, the start and exit of threads, and the loading and unloading of modules on a host, and a file filter driver can track which files a specific process or thread operates on and the specific operation (such as overwriting, deleting or renaming a file). For example, on Windows a file overwrite is indicated when IRP_MJ_CREATE returns with Information set to FILE_OPENED and an IRP_MJ_WRITE is then received. Deletion is detected through FileDispositionInformation in IRP_MJ_SET_INFORMATION or through the FILE_DELETE_ON_CLOSE flag in IRP_MJ_CREATE, and renaming is detected through FileRenameInformation in IRP_MJ_SET_INFORMATION.
It is to be explained that the data encryption risk detection for the target host can be performed by counting the file operation behaviors in the preset time of all processes on the target host; judging whether the file operation behavior is greater than a preset threshold value or not; and if the file operation behavior is greater than a preset threshold, performing risk detection on the process activity corresponding to the file operation behavior. The preset threshold may be user-defined, e.g., 15, 20, etc.
In a specific implementation, the file operation behaviors (opening, creating, modifying, reading, writing, deleting files and so on) of all processes on the host are counted in real time per unit time. When the file operation behaviors of a process in unit time exceed a certain threshold, risk detection is performed on that process, including whether the process belongs to a recently created new thread, whether there is a newly loaded module, and so on; if one of these behaviors exists, a data encryption risk can be considered to exist.
Step S20: capturing the disk data writing behavior of the target host in real time when the target host has a data encryption risk.
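The two-stage check described above can be sketched as follows. This is an added example, not code from the patent: the event tuples, the `RiskDetector` class, the one-second unit time and the 60-second meaning of "recent" are assumptions, and the secondary check is read here as "the process was started, created a thread or loaded a module recently".

```python
from collections import defaultdict, deque

WINDOW = 1.0      # "unit time" in seconds (assumed value)
THRESHOLD = 15    # preset threshold; the text gives 15 or 20 as examples
RECENT = 60.0     # how long a start/thread/module event counts as recent (assumed)

FILE_OPS = {"open", "create", "modify", "read", "write", "delete", "rename"}
LIFECYCLE = {"process_start", "thread_start", "module_load"}


class RiskDetector:
    """Stage 1: per-process file-operation rate. Stage 2: recent process activity."""

    def __init__(self):
        self.ops = defaultdict(deque)  # pid -> timestamps of file operations in the window
        self.lifecycle = {}            # pid -> time of latest start/thread/module event
        self.flagged = {}              # pid -> time the risk was first raised

    def feed(self, ts, pid, kind):
        """Consume one monitored event; return True if it raises a risk."""
        if kind in LIFECYCLE:
            self.lifecycle[pid] = ts
            return False
        if kind not in FILE_OPS:
            return False
        window = self.ops[pid]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()           # drop operations older than the unit time
        if len(window) <= THRESHOLD:   # must be strictly greater than the threshold
            return False
        last = self.lifecycle.get(pid)
        risky = last is not None and ts - last <= RECENT
        if risky:
            self.flagged.setdefault(pid, ts)
        return risky


def burst(pid, start, count, kind, step=0.02):
    """Constructed helper: `count` file operations spaced `step` seconds apart."""
    return [(start + i * step, pid, kind) for i in range(count)]


def sample_events():
    """Constructed events for four processes (not taken from any real host)."""
    events = [(0.0, 100, "process_start"), (0.0, 300, "process_start")]
    events += burst(100, 5000.0, 40, "write")    # old process, busy: rate only
    events += [(5000.0, 200, "process_start")]
    events += burst(200, 5010.0, 30, "rename")   # new process, busy: both stages
    events += [(5020.0, 300, "module_load")]
    events += burst(300, 5021.0, 30, "write")    # old process, new module, busy
    events += [(5030.0, 400, "process_start")]
    events += burst(400, 5031.0, 5, "delete")    # new process, quiet
    return sorted(events)


def run(events):
    detector = RiskDetector()
    for ts, pid, kind in events:
        detector.feed(ts, pid, kind)
    return detector.flagged


if __name__ == "__main__":
    for pid, ts in run(sample_events()).items():
        print(f"pid {pid}: data encryption risk raised at t={ts:.2f}")
```

The long-running process with a high write rate (pid 100) is not flagged, which is the point of the second stage: rate alone would flag every backup or indexing job.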
It will be readily appreciated that disk data writing actions include operations actions in which disk data changes, such as modification, deletion, addition, etc. of data.
It should be noted that, by capturing the disk writing behavior of the host in real time, the writing offset of the disk, the data writing length, and the time of the writing operation can be obtained, then the original data in the corresponding area of the disk is read out, and stored in other storage media together with the time of the disk data writing behavior, and then the corresponding writing operation is performed.
Step S30: performing CDP backup based on the original disk data corresponding to the disk data writing behavior.
It should be understood that, since a disk write overwrites the original data on the disk, once the host is recognized as showing data encryption behavior it is necessary to capture each disk write, back up the original disk data that the write affects, and only then let the write proceed. Taking a Windows system as an example, in the IRP_MJ_WRITE handler, irpSp->Parameters.Write.ByteOffset is the offset of the disk write and irpSp->Parameters.Write.Length is the length of the data being written. With these two parameters the original disk data corresponding to the disk data writing behavior can be read from the disk and then backed up.
In a specific implementation, only the part of the disk data that is modified is backed up; disk data unrelated to a disk write is not backed up, which saves space for storing backup data. To this end, the step of performing CDP backup based on the original disk data corresponding to the disk data writing behavior includes: obtaining the write offset, the data write length and the write operation occurrence time of the disk according to the disk data write behavior; acquiring the original disk data on the disk before the disk write according to the write offset and the data write length; and performing CDP backup of the original disk data in order of write operation occurrence time, recording the write offset, the data write length and the write operation occurrence time of the original disk data.
In this embodiment, the file operation behaviors of all processes on the target host within a preset time are counted; whether the file operation behavior is greater than a preset threshold is judged; if the file operation behavior is greater than the preset threshold, risk detection is performed on the process activity corresponding to the file operation behavior; when the target host has a data encryption risk, the disk data writing behavior of the target host is captured in real time; the write offset, the data write length and the write operation occurrence time of the disk are obtained according to the disk data write behavior; the original disk data on the disk before the disk write is acquired according to the write offset and the data write length; and CDP backup is performed on the write operation occurrence time and the original disk data. The invention performs data encryption risk detection according to the process activity and/or file operation behavior of the target host, captures the disk data writing behavior of the target host in real time when the target host has a data encryption risk, and then performs CDP backup based on the original disk data corresponding to the disk data writing behavior. Compared with the prior art, the invention does not need to configure a backup storage area for the computer in advance and starts protecting the computer only after a ransomware risk has arisen. It also backs up only the modified part of the data on the disk and does not back up unmodified data, which saves space for storing backup data and thus reduces the investment cost of data recovery after the computer has been hit by ransomware.
Referring to fig. 3, fig. 3 is a flowchart illustrating a second embodiment of the data protection method according to the present invention.
Based on the first embodiment, in this embodiment, after step S30, the method further includes:
Step S40: determining the data encryption occurrence time when the data of the target host is encrypted.
The data encryption occurrence time may be the time at which data encryption occurred on the target host. To obtain it, the encrypted files on the target host can be scanned when the data of the target host is encrypted; the last modification time of each encrypted file is acquired; and the last modification times are compared to determine the data encryption occurrence time.
It should be understood that when the data of the target host has been encrypted and data recovery is needed, the time at which the data encryption occurred on the target host is obtained first; it may be specified manually or obtained automatically by analysis. For automatic analysis, the specific way is to scan all the encrypted files of the target host to obtain the "last modification time" of all the encrypted files (which can be obtained with the GetFileTime system function on Windows systems and with the fstat system function on Linux systems), wherein the last "last modification time" can be regarded as the earliest occurrence time of data encryption, and then the time is regarded as the occurrence time of data encryption.
Step S50: acquiring backup data from the data encryption occurrence time to the final backup time according to the data encryption occurrence time.
It is easy to understand that the backup data at the final backup time is the backup data at the latest moment. According to the data encryption occurrence time, the backup data from that moment up to the latest moment is obtained from the backup and written back to the host disk to complete data recovery.
Step S60: performing data recovery on the target host based on the backup data.
It should be explained that what was backed up earlier is the original data before each disk write (not the data about to be written, which may be encrypted data whose backup would be meaningless). Data recovery therefore has to proceed in reverse order of disk write time: the most recently modified disk data is restored first, and the earliest modified disk data is restored last.
In a specific implementation, in order to restore data to the target host, the backup data with the latest write operation occurrence time is determined in sequence, and data recovery is then performed on the target host according to that backup data. For example, if the backup data shown in the original disk data backup table of Table 1 has been stored through CDP backup, then during data recovery backup data No. 3 is restored first, then backup data No. 2, and finally backup data No. 1.
Table 1 original disk data backup table
In this embodiment, when the data of the target host is encrypted, the encrypted file on the target host is scanned; acquiring the last modification time of each encrypted file; comparing the last modification time to determine the data encryption occurrence time; acquiring backup data from the data encryption occurrence time to a final backup time according to the data encryption occurrence time; sequentially determining backup data with the latest occurrence time of the writing operation; and carrying out data recovery on the target host according to the backup data with the latest occurrence time of the writing operation. Compared with the prior art, when the data of the target host is encrypted, the data encryption occurrence time is determined, then the backup data from the data encryption occurrence time to the final backup time is acquired according to the data encryption occurrence time, and finally the data recovery is carried out on the target host based on the backup data, so that the backup of the original disk data based on the modified part of the data in the disk is realized.
Referring to fig. 4, fig. 4 is a flowchart illustrating a third embodiment of a data protection method according to the present invention.
Based on the above embodiments, in this embodiment, before step S60, the method further includes:
Step S501: sequentially analyzing the backup data to obtain first backup data having a disk offset overlapping area.
Step S502: selecting second backup data with the earliest disk writing time from the first backup data.
For example, as shown in the original disk data backup table in Table 1, during data recovery the disk area from 0x1001000 to 0x1002000 would be restored twice. The restore performed from backup data No. 3 is meaningless, because restoring backup data Nos. 2 and 1 overwrites what backup data No. 3 restored. Backup data No. 3 overlaps in disk offset with backup data Nos. 2 and 1, so these are the first backup data having a disk offset overlapping area, while backup data Nos. 1 and 2 do not overlap each other. Therefore, backup data Nos. 1 and 2 are the second backup data with the earliest disk write time.
Step S503: taking the second backup data and the backup data without a disk offset overlapping area as new backup data.
In a specific implementation, the backup data is analyzed before data recovery is performed to find the areas whose disk offsets overlap. For each such area, the backup data with the earliest disk write time (that is, the earliest data on the disk) is selected for recovery and the later data is directly ignored, which reduces the amount of data to restore, improves efficiency and saves time.
In this embodiment, the backup data are analyzed sequentially to obtain first backup data having a disk offset overlapping area; second backup data with the earliest disk writing time is selected from the first backup data; and the second backup data and the backup data without a disk offset overlapping area are taken as new backup data. Compared with the prior art, this embodiment analyzes the backup data before data recovery, finds the areas whose disk offsets overlap, selects for those areas the backup data with the earliest disk write time (that is, the earliest data on the disk) for recovery, and directly ignores the later data, which reduces the amount of data to restore and improves data recovery efficiency.
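The preserve-before-write backup of step S30 and the recovery of steps S50 to S503 can be exercised together on an in-memory disk. This is an added example, not code from the patent: the `Record` layout, the function names and all offsets are constructed (the values of Table 1 are not reproduced on this page). It also goes one step beyond the text by clipping each record per byte range, so that a later record that only partly overlaps an earlier one still contributes its uncovered bytes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    ts: float        # write operation occurrence time
    offset: int      # write offset on the disk
    original: bytes  # disk content before the write (len = data write length)


def guarded_write(disk, journal, ts, offset, data):
    """Back up the bytes about to be overwritten, then let the write proceed."""
    journal.append(Record(ts, offset, bytes(disk[offset:offset + len(data)])))
    disk[offset:offset + len(data)] = data


def select_since(journal, t_encrypt):
    """Step S50: backup data from the encryption time to the final backup time."""
    return [r for r in journal if r.ts >= t_encrypt]


def restore_reverse(disk, records):
    """Step S60: newest record first, oldest last. Returns bytes written back."""
    written = 0
    for r in sorted(records, key=lambda r: r.ts, reverse=True):
        disk[r.offset:r.offset + len(r.original)] = r.original
        written += len(r.original)
    return written


def prune_overlaps(records):
    """Steps S501-S503, per byte range: the earliest record wins each byte.

    Returns disjoint (offset, data) pieces; later bytes already covered by an
    earlier record are dropped because they hold intermediate (encrypted) state.
    """
    covered, pieces = [], []
    for r in sorted(records, key=lambda r: r.ts):
        start, end = r.offset, r.offset + len(r.original)
        pos = start
        for c_start, c_end in sorted(covered):
            if c_end <= pos:
                continue
            if c_start >= end:
                break
            if c_start > pos:   # gap not claimed by any earlier record
                pieces.append((pos, r.original[pos - start:c_start - start]))
            pos = max(pos, c_end)
        if pos < end:
            pieces.append((pos, r.original[pos - start:]))
        covered.append((start, end))
    return pieces


def demo():
    disk = bytearray(i % 251 for i in range(0x10000))  # constructed 64 KiB disk
    journal = []
    guarded_write(disk, journal, 10.0, 0x0000, b"n" * 0x200)  # normal write, pre-attack
    expected = bytes(disk)                                    # state to get back to
    guarded_write(disk, journal, 100.0, 0x1000, b"\x11" * 0x800)   # No. 1
    guarded_write(disk, journal, 101.0, 0x1800, b"\x22" * 0x800)   # No. 2
    guarded_write(disk, journal, 102.0, 0x1000, b"\x33" * 0x1000)  # No. 3, overlaps 1 and 2
    guarded_write(disk, journal, 103.0, 0x1C00, b"\x44" * 0x800)   # partly overlaps No. 2
    records = select_since(journal, 100.0)

    naive, pruned = bytearray(disk), bytearray(disk)
    naive_bytes = restore_reverse(naive, records)
    pieces = prune_overlaps(records)
    for offset, data in pieces:      # pieces are disjoint, so order is irrelevant
        pruned[offset:offset + len(data)] = data
    return {
        "expected": expected, "naive": bytes(naive), "pruned": bytes(pruned),
        "naive_bytes": naive_bytes, "pieces": pieces,
        "pruned_bytes": sum(len(d) for _, d in pieces),
        "journal_bytes": sum(len(r.original) for r in journal),
    }


if __name__ == "__main__":
    r = demo()
    print("naive ok:", r["naive"] == r["expected"], r["naive_bytes"], "bytes")
    print("pruned ok:", r["pruned"] == r["expected"], r["pruned_bytes"], "bytes")
```

Both restore paths return the disk to its state just before the first attack write; the pruned path writes back half as many bytes on this input.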
In addition, the embodiment of the invention also provides a storage medium, wherein the storage medium stores a data protection program, and the data protection program realizes the steps of the data protection method when being executed by a processor.
Referring to fig. 5, fig. 5 is a block diagram illustrating a first embodiment of a data protection system according to the present invention.
As shown in fig. 5, the data protection system according to the embodiment of the present invention includes: a risk detection module 501, a write monitoring module 502, and a real-time backup module 503.
The risk detection module 501 is configured to perform data encryption risk detection according to process activity and/or file operation behavior of the target host.
The write monitoring module 502 is configured to capture, in real time, a disk data write behavior of the target host when the target host has a data encryption risk.
The real-time backup module 503 is configured to perform CDP backup based on original disk data corresponding to the disk data writing behavior.
The risk detection module 501 is further configured to count the file operation behaviors of all processes on the target host within a preset time; determine whether the file operation behaviors exceed a preset threshold; and, if they do, perform risk detection on the process activity corresponding to the file operation behaviors.
The real-time backup module 503 is further configured to obtain the write offset, the data write length and the write operation occurrence time of the disk according to the disk data writing behavior; acquire, according to the write offset and the data write length, the original disk data that was on the disk before the disk writing behavior; and perform CDP backup on the write operation occurrence time and the original disk data.
The system counts the file operation behaviors of all processes on the target host within a preset time; determines whether the file operation behaviors exceed a preset threshold; if they do, performs risk detection on the process activity corresponding to the file operation behaviors; captures the disk data writing behavior of the target host in real time when the target host has a data encryption risk; obtains the write offset, the data write length and the write operation occurrence time of the disk according to the disk data writing behavior; acquires, according to the write offset and the data write length, the original disk data that was on the disk before the disk writing behavior; and performs CDP backup on the write operation occurrence time and the original disk data. Because the invention carries out data encryption risk detection according to the process activity and/or the file operation behavior of the target host, then captures the disk data writing behavior of the target host in real time when the target host has data encryption risk, and then carries out CDP backup based on the original disk data corresponding to the disk data writing behavior.
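The two-stage risk detection described above, as an added example that is not the patent's own code: file operations are counted per process in a sliding window, a process over the threshold is handed to a second-stage check, and write capture is armed once that check reports a risk. The process names, the millisecond timestamps, the `inspect` hook and the allowlist are hypothetical; the patent does not specify how the process activity is assessed.

```python
from collections import defaultdict, deque
from typing import Callable, List, NamedTuple, Optional

class FileOp(NamedTuple):
    time: int        # milliseconds, constructed sample clock
    process: str
    op: str          # e.g. "write", "rename", "delete"

class RiskDetector:
    def __init__(self, window: int, threshold: int,
                 inspect: Callable[[str], bool]):
        self.window, self.threshold, self.inspect = window, threshold, inspect
        self.recent = defaultdict(deque)         # process -> recent op times
        self.armed_at: Optional[int] = None      # when write capture started
        self.flagged: List[str] = []

    def observe(self, ev: FileOp) -> bool:
        """Feed one file operation; return True once capture is armed."""
        q = self.recent[ev.process]
        q.append(ev.time)
        while q and q[0] <= ev.time - self.window:   # drop ops outside window
            q.popleft()
        if len(q) > self.threshold and ev.process not in self.flagged:
            if self.inspect(ev.process):             # second-stage process check
                self.flagged.append(ev.process)
                if self.armed_at is None:
                    self.armed_at = ev.time
        return self.armed_at is not None

def demo():
    allow = {"backup.exe"}                           # hypothetical allowlist
    det = RiskDetector(window=2000, threshold=5,
                       inspect=lambda p: p not in allow)
    # Constructed events: a busy allowlisted job, a slow benign job, a burst.
    events = [FileOp(100 * i, "backup.exe", "write") for i in range(10)]
    events += [FileOp(5000 + 1000 * i, "indexer.exe", "write") for i in range(5)]
    events += [FileOp(10000 + 100 * i, "unknown.exe", "write") for i in range(10)]
    for ev in sorted(events):
        det.observe(ev)
    # Operations by a flagged process that happened before capture was armed.
    missed = sum(1 for ev in events
                 if ev.process in det.flagged and ev.time < det.armed_at)
    return det.armed_at, det.flagged, missed
```

With these sample values capture is armed on the sixth operation of the burst, so the five operations before it have no saved original data; the threshold and window therefore bound how much can be written before CDP backup begins.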
Based on the above-mentioned first embodiment of the data protection system of the present invention, a second embodiment of the data protection system of the present invention is presented.
In this embodiment, the real-time backup module 503 is further configured to determine the data encryption occurrence time when the data of the target host is encrypted; acquire, according to the data encryption occurrence time, the backup data from the data encryption occurrence time to the final backup time; and perform data recovery on the target host based on the backup data.
The real-time backup module 503 is further configured to scan the encrypted files on the target host when the data of the target host is encrypted; acquire the last modification time of each encrypted file; and compare the last modification times to determine the data encryption occurrence time.
The real-time backup module 503 is further configured to sequentially determine the backup data with the latest write operation occurrence time; and perform data recovery on the target host according to the backup data with the latest write operation occurrence time.
For other embodiments or specific implementations of the data protection system of the present invention, refer to the method embodiments above; they are not described again here.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
From the above description of embodiments, it will be clear to a person skilled in the art that the above embodiment method may be implemented by means of software plus a necessary general hardware platform, but may of course also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. read-only memory/random-access memory, magnetic disk, optical disk), comprising several instructions for causing a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.

Claims (10)

1. A data protection method, characterized in that the data protection method comprises the steps of:
performing data encryption risk detection according to the process activity and/or file operation behavior of the target host;
capturing the disk data writing behavior of the target host in real time when the target host has a data encryption risk;
and carrying out CDP backup based on the original disk data corresponding to the disk data writing behavior.
2. The data protection method as claimed in claim 1, wherein the step of performing CDP backup on the original disk data corresponding to the disk data writing behavior comprises:
obtaining the write offset, the data write length and the write operation occurrence time of the disk according to the disk data write behavior;
acquiring original disk data corresponding to the disk before the disk writing action according to the writing offset and the data writing length;
and carrying out CDP backup on the write operation occurrence time and the original disk data.
3. The data protection method as claimed in claim 1, wherein after the step of CDP backing up the original disk data corresponding to the disk data writing behavior, the method further comprises:
determining data encryption occurrence time when the data of the target host is encrypted;
acquiring backup data from the data encryption occurrence time to a final backup time according to the data encryption occurrence time;
and carrying out data recovery on the target host based on the backup data.
4. A data protection method according to claim 3, wherein the step of determining the data encryption occurrence time when the data of the target host is encrypted comprises:
scanning an encrypted file on the target host when the data of the target host is encrypted;
acquiring the last modification time of each encrypted file;
and comparing the last modification time to determine the data encryption occurrence time.
5. The data protection method of claim 3, wherein the step of recovering data from the target host based on the backup data comprises:
sequentially determining backup data with the latest occurrence time of the writing operation;
and carrying out data recovery on the target host according to the backup data with the latest occurrence time of the writing operation.
6. The data protection method of claim 5, wherein prior to the step of recovering data from the target host based on the backup data, further comprising:
sequentially analyzing the backup data to obtain first backup data with a disk offset overlapping area;
selecting second backup data with earliest disk writing time from the first backup data;
and taking the second backup data and the backup data without the disk offset overlapping area as new backup data.
7. The method according to any one of claims 1 to 6, wherein the step of performing data encryption risk detection according to process activity and/or file operation behavior of the target host includes:
counting file operation behaviors of all processes on the target host within preset time;
judging whether the file operation behavior is greater than a preset threshold value or not;
and if the file operation behavior is greater than a preset threshold, performing risk detection on the process activity corresponding to the file operation behavior.
8. A data protection system, the system comprising:
the risk detection module is used for carrying out data encryption risk detection according to the process activity and/or the file operation behavior of the target host;
the write-in monitoring module is used for capturing the disk data write-in behavior of the target host in real time when the target host has data encryption risk;
and the real-time backup module is used for carrying out CDP backup on the basis of the original disk data corresponding to the disk data writing behavior.
9. A data protection device, the device comprising: a memory, a processor and a data protection program stored on the memory and executable on the processor, the data protection program being configured to implement the steps of the data protection method of any one of claims 1 to 7.
10. A storage medium having stored thereon a data protection program which, when executed by a processor, implements the steps of the data protection method according to any one of claims 1 to 7.
CN202310936971.6A 2023-07-28 2023-07-28 Data protection method, system, equipment and storage medium Active CN116662075B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310936971.6A CN116662075B (en) 2023-07-28 2023-07-28 Data protection method, system, equipment and storage medium


Publications (2)

Publication Number Publication Date
CN116662075A (en) 2023-08-29
CN116662075B CN116662075B (en) 2024-03-22

Family

ID=87715724


Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005031576A2 (en) * 2003-09-23 2005-04-07 Revivio, Inc. Systems and methods for time dependent data storage and recovery
CN101477486A (en) * 2009-01-22 2009-07-08 中国人民解放军国防科学技术大学 File backup recovery method based on sector recombination
CN103617101A (en) * 2013-12-12 2014-03-05 北京旋极信息技术股份有限公司 Power fail safeguard method and device
US20180157834A1 (en) * 2016-12-02 2018-06-07 Politecnico Di Milano Protection system and method for protecting a computer system against ransomware attacks
CN110443033A (en) * 2018-05-04 2019-11-12 陕西思科锐迪网络安全技术有限责任公司 A kind of file backup method based on Minifilter frame
CN114117436A (en) * 2022-01-27 2022-03-01 奇安信科技集团股份有限公司 Lasso program identification method, lasso program identification device, electronic equipment, storage medium and product
CN114756859A (en) * 2020-12-25 2022-07-15 网神信息技术(北京)股份有限公司 File protection processing method and device




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant