WO2023124041A1 - Ransomware detection method and related system - Google Patents


Info

Publication number
WO2023124041A1
Authority
WO
WIPO (PCT)
Prior art keywords
decoy
file
directory
ransomware
application
Prior art date
Application number
PCT/CN2022/107828
Other languages
French (fr)
Chinese (zh)
Inventor
刘剑波
Original Assignee
华为云计算技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为云计算技术有限公司
Publication of WO2023124041A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files

Definitions

  • the present application relates to the technical field of network security, and in particular to a ransomware virus detection method, system, computer cluster, computer-readable storage medium, and computer program product.
  • Ransomware generally traverses all directories of the client host through deep traversal, and encrypts key business/data files (such as database files, office documents, compressed files, videos, pictures, and source codes). Some ransomware will encrypt specified types of files exceeding a fixed size in a specific directory, making the encrypted files unable to be read normally and affecting the normal operation of the business. At the same time, the ransomware virus generates a ransom note file in the directory where the encrypted file is located. The customer can only obtain the decryption password/tool or the method to restore the normal operation of the system after paying the ransom based on the ransom note file.
  • key business/data files such as database files, office documents, compressed files, videos, pictures, and source codes.
  • the detection system generates a decoy file according to the application or system directory; the detection system can then detect access behavior to the decoy file, obtain the attribute change of the decoy file before and after the access behavior, and determine the ransomware according to that attribute change.
  • the exclusion directory can be used to exclude unnecessary directories, so as to avoid resource waste caused by deploying decoy files in the directory.
  • the target keyword can be used as a reference for naming the generated decoy file, further improving the deceptiveness of the decoy file.
  • the security response module is configured to stop the ransomware process and block the ransomware virus, and the ransomware process is a process corresponding to the ransomware virus.
  • the detection parameters further include at least one of an exclusion directory and a target keyword
  • the exclusion directory is a directory in the system directory that does not need to deploy the decoy file
  • the target keyword is used to generate the name of the decoy file.
  • FIG. 7 is a schematic structural diagram of a computer cluster provided by an embodiment of the present application.
  • tenants such as individuals, enterprises or other group organizations
  • tenants can lease or purchase one or more cloud servers in the cloud computing cluster 10 to deploy tenant applications, for example application 1 to application N, where N is a positive integer.
  • FIG. 1 illustrates by deploying multiple applications.
  • a tenant may also deploy one application.
  • a ransomware detection system 100 is also deployed in the cloud computing cluster 10 , which is referred to as the detection system 100 hereinafter for convenience of description.
  • the detection system 100 may generate warning information according to the detected ransomware virus, and send the warning information to the terminal 20, so that the terminal presents the warning information to the user.
  • the warning information includes one or more of the identification of the ransomware process, the path of the ransomware, the hash of the ransomware, the command line of the ransomware, the access path of the ransomware process, and the access behavior of the ransomware process.
  • the ransomware process is a process corresponding to the ransomware virus.
  • the method includes:
  • S202 The detection system 100 presents a configuration interface to the user.
  • the configuration interface 300 includes a plurality of parameter configuration controls, and the plurality of parameter configuration controls are respectively used to configure different detection parameters.
  • the detection mode configuration control 302 in the configuration interface 300 is used to configure the detection mode of the ransomware virus.
  • the detection mode configuration control 302 may include two selection controls. If the user selects the control corresponding to "Yes", the detection method based on decoy files (specifically, decoy files generated according to the application or system directory) is enabled; if the user selects the control corresponding to "No", the detection method based on decoy files is not enabled.
  • the detection system 100 receives the detection parameters configured by the user through the configuration interface.
  • the user can trigger a submission operation, and the terminal 20 can respond to the user's submission operation, and send the detection parameters to the detection system 100.
  • the detection system 100 can receive the detection parameters sent by the terminal.
  • the user may click the OK control 307 to trigger the submission operation.
  • the detection system 100 receives the detection parameters submitted by the terminal 20 in response to the submission operation triggered by the user.
  • the user may also trigger the cancel control 309, thereby cancelling the configuration of detection parameters.
  • the detection system 100 can monitor the running process, specifically monitor the access behavior of the process, so as to obtain the access information of the application.
  • An access action may include an action of reading data and/or writing data.
  • the detection system 100 can traverse the running processes, identify the application according to the command line of the process, the path of the file corresponding to the process, and the configuration file related to the process, and then monitor the file directory, file type, file size, file name, etc. accessed by the process to obtain the access information of the application.
  • the access information of the application may include attributes of files accessed by the application, for example, the access information of the application may include one or more of file directories, file types, file sizes and file names accessed by the application.
  • the execution of the ransomware detection method of the embodiment of the present application may not execute S208, that is, the detection system 100 may not additionally generate a decoy directory to store decoy files.
  • the detection system 100 may use an existing directory to store decoy files.
  • the detection system 100 generates a decoy file according to the access information of the application.
  • the access information of the application includes the types of files accessed by the application.
  • the detection system 100 can generate a decoy file according to the file type accessed by the application. Wherein, the detection system 100 may respectively generate multiple decoy files according to multiple file types accessed by the application.
  • the file type of the decoy file is the same as the file type accessed by the application. In this way, ransomware can be prevented from bypassing decoy files of fixed file types.
  • the detection system 100 when it generates a decoy file, it may generate multiple decoy files with different file sizes. For example, the detection system 100 may randomly generate multiple decoy files with different file sizes, or the detection system 100 may generate multiple decoy files with different file sizes according to the file size accessed by the application. In this way, it is possible to prevent ransomware from bypassing decoy files with a fixed file size.
  • the detection system 100 may also determine the file name keywords commonly used by the application according to the file name accessed by the application, and then generate the name of the decoy file according to the file name keywords commonly used by the application. Further, when the detection parameter includes the target keyword, the detection system 100 may also determine the name of the decoy file in combination with the target keyword. Similarly, when the detection parameter includes the type of the target file, the detection system 100 may combine the type of the target file to generate a decoy file. For example, the detection system 100 may randomly select several file types from the intersection of file types accessed by applications and target file types, and generate corresponding types of decoy files.
  • the application is a MySQL application
  • the detection system 100 can generate decoy files related to the MySQL application with file extensions such as log, frm, myd, myi, ibd, etc., and the decoy files of these file types
  • file extensions such as log, frm, myd, myi, ibd, etc.
  • the detection system 100 can generate decoy files with file sizes of 1MB and 5MB, and for other types of files the detection system 100 can generate decoy files with file sizes of 64KB and 128KB.
  • the detection system 100 can also name the above-mentioned decoy files according to the commonly used file name keywords of applications.
  • the detection system 100 can also generate a decoy file according to the content of the files accessed by the application, so as to prevent the ransomware from bypassing the decoy file on the basis of specific content and encrypting the business/data files of the application first, which would affect business operation.
  • a system directory refers to a directory of the file system.
  • System directories can be represented in a tree structure. Different computing devices may adopt different file systems, and correspondingly their system directories may differ.
  • a Linux system directory is used as an example for description.
  • each user has its own directory.
  • the directory is named after the user's account, such as alice, bob, and eve in the above figure.
  • root is the home directory of the system administrator (also known as the superuser).
  • sbin is the abbreviation of Superuser Binaries and stores the system management programs used by the system administrator.
  • tmp is the abbreviation of temporary; this directory stores temporary files.
  • usr is the abbreviation of unix shared resources and stores applications and files, similar to the Program Files directory under Windows. The usr directory in turn includes the bin, sbin and src directories.
  • bin stores applications used by ordinary users
  • sbin stores relatively advanced management programs and system daemons used by super users
  • src stores kernel source codes.
  • var is the abbreviation of variable
  • this directory stores things that are constantly expanding, such as various log files.
  • run is a temporary file system that stores information since the system was started. When the system restarts, the files in this directory should be deleted or cleared.
  • S212 The detection system 100 generates a decoy directory according to the system directory.
  • the decoy directory is a directory for storing decoy files.
  • the detection system 100 can generate a decoy directory under the system directory.
  • At least one decoy directory may be generated; for example, the detection system 100 may generate at least one of the first decoy directory, the second decoy directory and the third decoy directory.
  • the name of the first decoy directory includes a first prefix, so that the first decoy directory is preferentially accessed during forward order traversal.
  • the name of the second decoy directory includes a second prefix, so that the second decoy directory is preferentially accessed when traversing in reverse order.
  • the name of the third decoy directory includes a third prefix, so that the third decoy directory is preferentially accessed when the system disk is traversed by default.
  • the first prefix can be a character at the top of the printable-character ordering, such as "!", so that the first decoy directory is accessed preferentially when traversing in forward order;
  • the second prefix can be a character at the bottom of the printable-character ordering, such as "⁇", so that the second decoy directory is accessed preferentially when traversing in reverse order;
  • the third prefix can be a character indicating a hidden directory, such as ".", so that the third decoy directory is accessed first when the system disk is traversed by default.
  • the detection system 100 may execute S208 and/or S212 to generate at least one of the first decoy directory, the second decoy directory and the third decoy directory.
  • the detection system 100 may generate the first decoy directory by executing S208 and/or S212.
  • the detection system 100 may generate the second decoy directory by executing S208 and/or S212.
  • the detection system 100 may generate a third decoy directory by executing S208 and/or S212.
  • S214 The detection system 100 generates multiple decoy files under the system directory according to the detection parameters.
  • the detection parameters include the target file type
  • the detection system 100 can randomly select several file types from the target file types to generate multiple decoy files in the system directory, and the file type of the decoy files is consistent with the selected file type.
  • the detection system 100 may randomly generate decoy files of different file sizes according to the file size range.
  • the detection system 100 may also randomly select multiple file types directly from the common file types that may be encrypted by ransomware. Specifically, when selecting file types, as shown in Table 1, the detection system 100 can randomly select some types from the file categories (including database, text/document, compressed file, video, picture, source code file, virtualization/container file, backup file, etc.) as the extensions of the decoy files, and then randomly generate decoy files of different file sizes. The names of the decoy files can be randomly generated.
  • the file categories including database, text/document, compressed file, video, picture, code source file, virtualization/container file, backup file, etc.
  • the detection system 100 may randomly select several file types from target file types to generate some decoy files, and randomly select several file types from common file types to generate another part of decoy files.
  • the names of some decoy files can be randomly generated, and the names of the rest of the decoy files can be selected from target keywords.
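The decoy generation of S210 and S214 above (file types drawn from the intersection of what the application accesses and the configured target types, several sizes per type, names built from application and target keywords) together with the three prefixed decoy directories of S212, as an added Python example; it is not part of the patent or of any product. The structure of `access_info` and `params`, the directory label `cache`, the sample MySQL-like access information and the `~` used as the second prefix are assumptions made here.

```python
import os
import random

# Prefix characters for the three decoy directories (S212). "!" is the first
# printable ASCII character, so a traversal that visits names in sorted order
# reaches it first; "~" is assumed here as the last printable ASCII character,
# so a reverse-order traversal reaches it first; "." marks a hidden directory.
FIRST_PREFIX, SECOND_PREFIX, THIRD_PREFIX = "!", "~", "."

# Constructed sample: what the application monitor observed for a MySQL-like
# application (extensions, one observed size per extension, name keywords).
SAMPLE_ACCESS_INFO = {
    "types": {"ibd", "frm", "myd", "myi", "log"},
    "sizes": {"ibd": 1_048_576, "frm": 5_242_880, "log": 65_536},
    "keywords": ["orders", "customer", "ib_logfile"],
}
# Constructed sample of the user's detection parameters (configuration interface 300).
SAMPLE_PARAMS = {
    "target_types": {"ibd", "frm", "myd", "sql", "docx", "zip"},
    "size_range": (64 * 1024, 5 * 1024 * 1024),
    "target_keywords": ["backup", "finance"],
    "exclude_dirs": {"/proc", "/sys", "/run"},
}


def decoy_directory_names(label="cache"):
    """Names of the first, second and third decoy directories (S212)."""
    return [FIRST_PREFIX + label, SECOND_PREFIX + label, THIRD_PREFIX + label]


def traversal_order(entries, reverse=False):
    """Order in which a traversal that sorts names bytewise visits siblings."""
    return sorted(entries, reverse=reverse)


def is_excluded(path, exclude_dirs):
    """True when path is, or lies under, a user-excluded directory."""
    path = os.path.abspath(path)
    return any(path == e or path.startswith(e.rstrip("/") + "/") for e in exclude_dirs)


def plan_decoys(access_info, params, per_type=2, seed=0):
    """Return decoy specs whose type, size and name all come from what the
    application really uses, so none of them is a fixed, recognisable marker."""
    rng = random.Random(seed)
    # S210: types from the intersection of accessed and target types; if the
    # user configured no target types, fall back to the accessed types.
    pool = sorted(access_info["types"] & params["target_types"]) or sorted(access_info["types"])
    keywords = access_info["keywords"] + params["target_keywords"]
    lo, hi = params["size_range"]
    specs, used_names = [], set()
    for ext in rng.sample(pool, min(3, len(pool))):
        # One decoy at a size the application was seen using for this type, the
        # rest random within the configured range, so decoys of one type differ in size.
        sizes = {access_info["sizes"][ext]} if ext in access_info["sizes"] else set()
        while len(sizes) < per_type:
            sizes.add(rng.randint(lo, hi))
        for size in sorted(sizes):
            name = f"{rng.choice(keywords)}_{rng.randint(1000, 9999)}.{ext}"
            while name in used_names:
                name = f"{rng.choice(keywords)}_{rng.randint(1000, 9999)}.{ext}"
            used_names.add(name)
            specs.append({"name": name, "ext": ext, "size": size})
    return specs


def deploy_decoys(root, specs, params):
    """Write every planned decoy into each decoy directory under root (S214),
    skipping excluded directories; returns the paths created."""
    created = []
    if is_excluded(root, params["exclude_dirs"]):
        return created
    for dirname in decoy_directory_names():
        directory = os.path.join(root, dirname)
        os.makedirs(directory, exist_ok=True)
        for spec in specs:
            path = os.path.join(directory, spec["name"])
            with open(path, "wb") as fh:
                fh.write(os.urandom(spec["size"]))  # filler bytes; content realism is out of scope here
            created.append(path)
    return created
```

`plan_decoys` is seeded only so that a deployment can be reproduced for auditing; in service the seed would be drawn fresh per host so that the decoy set differs between machines.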
  • the behavior of accessing the decoy file includes the behavior of reading data and/or writing data.
  • when the detection system 100 detects read behavior and/or write behavior of a process on the decoy file, it can obtain the attribute changes of the decoy file before and after the access behavior.
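The detection step described above and in the Summary (snapshot the decoy's attributes, detect the access, snapshot again, and determine ransomware from the difference), as an added Python example that is not part of the patent. The attribute set (size, mtime, SHA-256 of the content, byte entropy), the verdict rule in `classify`, the sample CSV-like decoy content and the `simulate_in_place_overwrite` test fixture are assumptions made here.

```python
import hashlib
import math
import os
import random
from collections import Counter


def entropy(data):
    """Shannon entropy in bits per byte; encrypted content sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(path):
    """Attributes of a decoy file that a write, rename or delete would disturb."""
    if not os.path.exists(path):
        return None
    with open(path, "rb") as fh:
        data = fh.read()
    st = os.stat(path)
    return {
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
        "sha256": hashlib.sha256(data).hexdigest(),
        "entropy": round(entropy(data), 2),
    }


def diff_attributes(before, after):
    """Names of the attributes that changed between two snapshots."""
    if after is None:
        return ["missing"]
    return [k for k in before if before[k] != after[k]]


def classify(before, after):
    """Verdict for one access to a decoy. No legitimate process has any reason
    to change a decoy, so a content change is suspicious by itself; a content
    change that also leaves the bytes near-random looks like encryption."""
    changed = diff_attributes(before, after)
    if "missing" in changed:
        return "decoy removed or renamed"
    if "sha256" in changed:
        if after["entropy"] >= 7.5 and after["entropy"] > before["entropy"]:
            return "likely encryption"
        return "decoy modified"
    if "mtime_ns" in changed:
        return "metadata touched"
    return "read only"


def write_sample_decoy(path, rows=300):
    """Constructed low-entropy decoy content shaped like an exported table."""
    body = b"id,customer,amount\n" + b"".join(
        f"{i},cust{i % 40},{i * 3}.50\n".encode() for i in range(rows))
    with open(path, "wb") as fh:
        fh.write(body)


def simulate_in_place_overwrite(path, seed=1):
    """Test fixture standing in for a process that rewrites the decoy in place
    with pseudo-random bytes of the same length; constructed for this demo only."""
    rng = random.Random(seed)
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        fh.write(bytes(rng.getrandbits(8) for _ in range(size)))


def demo(directory):
    """Deploy one sample decoy, let the fixture rewrite it, return the verdict."""
    path = os.path.join(directory, "orders_4821.csv")
    write_sample_decoy(path)
    before = snapshot(path)
    simulate_in_place_overwrite(path)
    return classify(before, snapshot(path))
```

The entropy signal only helps when the decoy itself has structured, low-entropy content; a decoy filled with random bytes already sits near 8.0 and `classify` then falls back to the hash change alone, which is still enough to raise the alarm.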
  • the update interface 500 presents change information detected by the detection system 100 , such as a change of an application or a change of a system directory.
  • This embodiment is described by taking an example of updating a decoy file based on application changes.
  • the update interface 500 shown in FIG. 5A shows the relevant information of the new application presented when the detection system 100 detects the new application, for example, the access information 502 of the new application;
  • FIG. 5B is used for the update interface 500 shown in FIG.
  • the relevant information 504 of the uninstalled application presented when the detection system 100 detects that the application is uninstalled is shown, including, for example, the name of the uninstalled application.
  • the update interface 500 also includes a cancel control 509, and when the cancel control 509 is triggered, the detection system 100 can cancel updating the decoy file.
  • the embodiment of the present application provides a ransomware detection method.
  • the detection system 100 generates decoy files with a high degree of similarity to real business/data files according to the application or system directory, so as to prevent the ransomware from skipping the decoy files on the basis of a fixed file size, file type, file name or deployment location.
  • the abnormal behavior of the ransomware encrypted file can be found effectively and more timely, so as to block the ransomware in time and reduce the damage caused by the ransomware.
  • the system 100 includes:
  • a decoy file management module 102 configured to generate a decoy file according to an application or a system directory
  • system 100 further includes:
  • the decoy file management module 102 is also used for:
  • the system 100 may further include an application monitoring module 103, and the application monitoring module 103 is used for monitoring changes of applications.
  • the application monitoring module 103 detects an application change, such as detecting a new application or an application being uninstalled, it can report the change information to the decoy file management module 102, so that the decoy file management module 102 can update the decoy file according to the change information.
  • the decoy file is updated according to an update operation triggered by the user through the update interface.
  • the decoy file is generated according to the access information of the application.
  • the access information of the application includes a file directory accessed by the application
  • the decoy file management module 102 is specifically configured to:
  • system 100 further includes:
  • a decoy detection configuration module 108 configured to present a configuration interface to the user, and receive detection parameters configured by the user through the configuration interface, the detection parameters including the target file type;
  • a plurality of decoy files under the system directory are generated according to a file type randomly selected from the target file types.
  • a decoy directory is generated according to the system directory, and the decoy directory is a directory where the decoy file is located.
  • the decoy directory includes at least one of a first decoy directory, a second decoy directory, and a third decoy directory;
  • the name of the first decoy directory includes a first prefix, so that the first decoy directory is preferentially accessed during forward order traversal;

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)

Abstract

Provided in the present application is a ransomware detection method, comprising: generating a bait file according to an application or a system directory, detecting an access behavior to the bait file, acquiring an attribute change of the bait file before and after the access behavior, and determining ransomware according to the attribute change. In the method, a bait file with relatively high similarity to a real service/data file is generated according to an application or a system directory, and the file type, file size, file name and deployment location of the bait file are not fixed, such that ransomware is prevented from skipping the bait file according to a fixed file size, file type, file name or deployment location, and an abnormal behavior of a ransomware encrypted file can be found effectively and in a more timely manner, thereby blocking the ransomware in a timely manner, and reducing damage caused by the ransomware.

Description

Ransomware detection method and related system
This application claims priority to the Chinese patent application filed with the State Intellectual Property Office of China on December 31, 2021, with application number 202111679456.1 and the title "A Ransomware Detection Method and Related System", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of network security, and in particular to a ransomware detection method, system, computer cluster, computer-readable storage medium and computer program product.
Background
With the development of the Internet, and especially of the mobile Internet, malicious code such as vulnerability scanners and viruses can spread widely across networks and attack or infect the devices in them, posing serious challenges to network security. Ransomware attacks have become one of the most serious network security threats, and they continue to grow, with a huge impact on customers.
Ransomware generally traverses all directories of the customer host by deep traversal and encrypts key business/data files (such as database files, office documents, compressed files, videos, pictures and source code). Some ransomware encrypts files of specified types that exceed a fixed size in specific directories, so that the encrypted files can no longer be read normally and the business cannot operate normally. At the same time, the ransomware generates a ransom note file in the directory containing the encrypted files; only after paying the ransom as instructed in the note can the customer obtain the decryption password/tool or a method to restore normal operation of the system.
How to detect ransomware quickly and effectively, and thereby reduce its impact, has become a key technology and challenge in the field of network security.
Summary of the invention
This application provides a ransomware detection method that generates, according to an application or the system directory, decoy files with a high degree of similarity to real business/data files. The file type, file size, file name and deployment location of the decoy files are not fixed, which prevents ransomware from skipping the decoy files on the basis of a fixed file size, file type, file name or deployment location, so that the abnormal behavior of ransomware encrypting files can be discovered effectively and earlier, the ransomware can be blocked in time, and the damage it causes can be reduced. This application also provides a system, computer cluster, computer-readable storage medium and computer program product corresponding to the above method.
In a first aspect, this application provides a ransomware detection method. The method may be executed by a ransomware detection system; for ease of description, the embodiments of this application may also refer to the ransomware detection system simply as the detection system. In some embodiments, the detection system may be a software system deployed in a computer cluster, and the computer cluster executes the ransomware detection method by running the program code of the software system. In other embodiments, the detection system may also be a hardware system for detecting ransomware. The embodiments of this application use a software detection system as the example.
Specifically, the detection system generates a decoy file according to an application or the system directory; the detection system then detects access behavior to the decoy file, obtains the attribute changes of the decoy file before and after the access behavior, and determines the ransomware according to those attribute changes.
In this method, the detection system generates, according to the application or the system directory, decoy files with a high degree of similarity to the real business/data files, and the file type, file size, file name and deployment location of the decoy files are not fixed. This prevents ransomware from skipping the decoy files on the basis of a fixed file size, file type, file name or deployment location and encrypting the application's business/data files, so the abnormal behavior of ransomware encrypting files can be discovered effectively and earlier, the ransomware can be blocked in time, and the damage it causes can be reduced.
In some possible implementations, the detection system may also present alarm information to the user. The alarm information includes one or more of: the identifier of the ransomware process, the path of the ransomware, the hash of the ransomware, the command line of the ransomware, the access path of the ransomware process, and the access behavior of the ransomware process, where the ransomware process is the process corresponding to the ransomware.
In this way the user is alerted, so that the user can take corresponding measures in time to protect the security of the device or data and keep the business running normally.
In some possible implementations, the detection system may also stop the ransomware process and block the ransomware, where the ransomware process is the process corresponding to the ransomware. The detection system may stop the ransomware process and block the ransomware automatically once the ransomware is identified, or it may present alarm information to the user, have the user confirm it, and stop the ransomware process and block the ransomware only after obtaining the user's authorization or permission.
In this method, the detection system blocks the ransomware by stopping the ransomware process, which reduces the damage caused by the ransomware and protects data security.
In some possible implementations, the detection system may also update the decoy files according to changes of applications or changes of the system directory. Specifically, when the detection system detects a newly added application, it can generate new decoy files according to the access information of the new application; when the detection system detects that an existing application has been uninstalled, it can delete the corresponding decoy files according to the information about the uninstalled application.
In this method, by dynamically updating the decoy files, the detection system prevents ransomware from bypassing fixed decoy files and encrypting business/data files, so the detection method does not become ineffective.
In some possible implementations, the detection system may present an update interface to the user according to changes of applications or changes of the system directory, and then update the decoy files according to the update operation triggered by the user through the update interface.
In this way the decoy files can be updated selectively according to the user's individual needs, the update frequency is reduced, and the user experience is improved.
In some possible implementations, the detection system may generate the decoy files according to the access information of the application. This makes it possible to generate decoy files with a high degree of similarity to the application's real business/data files, improving the deceptiveness of the decoy files and making them hard for ransomware to bypass, which preserves the effectiveness of the detection method.
In some possible implementations, the access information of the application includes the file types accessed by the application. The detection system may generate the decoy files according to the file types accessed by the application, so that the file type of a decoy file is the same as a file type accessed by the application. For example, when the application accesses multiple file types, the detection system may generate multiple decoy files whose file types match the file types accessed by the application.
This prevents ransomware from checking for a specific file type, bypassing decoy files of that type, and rendering the decoy-file-based detection method ineffective.
In some possible implementations, the decoy files include multiple files of different file sizes. This prevents ransomware from checking for a specific file size, bypassing decoy files of that size, and rendering the decoy-file-based detection method ineffective.
In some possible implementations, the detection system may also generate a decoy directory according to the access information of the application, the decoy directory being the directory in which the decoy files are located. This prevents ransomware from bypassing a specific deployment location and directly encrypting business/data files, which would render the decoy-file-based detection method ineffective.
In some possible implementations, the access information of the application includes the file directories accessed by the application. The detection system may generate the decoy directory according to the file directories accessed by the application. The decoy directory may be a target under a file directory accessed by the application; from the perspective of the ransomware, the decoy directory looks like a business or data file directory that the application actually accesses, so it is highly deceptive and prevents the ransomware from bypassing the directory and directly encrypting business/data files, which would render the decoy-file-based detection method ineffective.
在一些可能的实现方式中,检测系统可以根据随机选择的文件类型,生成所述系统目录下的多个所述诱饵文件,多个所述诱饵文件的文件大小不同。如此,可以避免勒索病毒检测特定的文件类型和文件大小,以绕开诱饵文件,导致基于诱饵文件的检测方法失效。In some possible implementation manners, the detection system may generate multiple decoy files under the system directory according to randomly selected file types, and the multiple decoy files have different file sizes. In this way, it is possible to prevent the ransomware from detecting specific file types and file sizes so as to bypass the decoy file and cause the detection method based on the decoy file to fail.
在一些可能的实现方式中,检测系统还可以向所述用户呈现配置界面,然后接收所述用户通过所述配置界面配置的检测参数。所述检测参数包括目标文件类型。检测系统可以根据从所述目标文件类型中随机选择的文件类型,生成所述系统目录下的多个所述诱饵文件。In some possible implementation manners, the detection system may also present a configuration interface to the user, and then receive detection parameters configured by the user through the configuration interface. The detection parameters include the target file type. The detection system may generate multiple decoy files under the system directory according to a file type randomly selected from the target file types.
如此,检测系统可以结合用户配置的检测参数,生成更精准、更具有欺骗性的诱饵文件,保障诱饵文件能够优先被勒索病毒访问,避免勒索病毒绕开该诱饵文件,导致基于诱饵文件的检测方法失效。In this way, the detection system can combine the detection parameters configured by the user to generate a more accurate and deceptive bait file, ensuring that the bait file can be accessed by the ransomware first, and preventing the ransomware from bypassing the bait file, resulting in a detection method based on the bait file invalidated.
在一些可能的实现方式中,所述检测参数还包括排除目录、目标关键字中的至少一个,所述排除目录为所述系统目录中无需部署所述诱饵文件的目录,所述目标关键字用于生成所述诱饵文件的名称。In some possible implementations, the detection parameters further include at least one of an exclusion directory and a target keyword, the exclusion directory is a directory in the system directory that does not need to deploy the decoy file, and the target keyword is used to generate the name of the decoy file.
其中,排除目录可以用于排除不必要的目录,避免在该目录部署诱饵文件导致资源浪费。目标关键字可以用于为生成诱饵文件的名称提供参考,由此可以进一步提高诱饵文件的欺骗性。Among them, the exclusion directory can be used to exclude unnecessary directories, so as to avoid resource waste caused by deploying decoy files in the directory. The target keyword can be used to provide a reference for the name of the generated lure file, thereby further improving the deception of the lure file.
在一些可能的实现方式中,检测系统还可以根据所述系统目录,生成诱饵目录,所述诱饵目录为所述诱饵文件所在目录。相对于固定的部署位置,该方法可以避免勒索病毒绕开诱饵目录对业务/数据文件进行加密,导致基于诱饵文件的检测方法失效。In some possible implementation manners, the detection system may also generate a decoy directory according to the system directory, where the decoy directory is a directory where the decoy file is located. Compared with the fixed deployment location, this method can prevent the ransomware virus from bypassing the decoy directory to encrypt business/data files, resulting in the failure of the detection method based on the decoy file.
在一些可能的实现方式中,所述诱饵目录包括第一诱饵目录、第二诱饵目录和第三诱饵目录中的至少一个。所述第一诱饵目录的名称包括第一前缀,使得所述第一诱饵目录在正序遍历时被优先访问;所述第二诱饵目录的名称包括第二前缀,使得所述第二诱饵目录在逆序遍历时被优先访问;所述第三诱饵目录的名称包括第三前缀,使得所述第三诱饵目录在系统磁盘默认遍历时被优先访问。In some possible implementation manners, the lure catalog includes at least one of a first lure catalog, a second lure catalog and a third lure catalog. The name of the first decoy directory includes a first prefix, so that the first decoy directory is preferentially accessed during forward order traversal; the name of the second decoy directory includes a second prefix, so that the second decoy directory is accessed in the It is accessed preferentially when traversing in reverse order; the name of the third decoy directory includes a third prefix, so that the third decoy directory is preferentially accessed when the system disk is traversed by default.
该方法通过生成特定前缀的诱饵目录,使得诱饵目录以及诱饵目录中的诱饵文件在不同遍历场景均可以优先访问,避免了勒索病毒先访问业务/数据文件导致勒索病毒检测方法失效。The method generates a bait directory with a specific prefix, so that the bait directory and the bait files in the bait directory can be accessed preferentially in different traversal scenarios, avoiding the failure of the ransomware detection method caused by the ransomware virus first accessing the business/data files.
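The following is an added example, not code from the patent or from the applicant, showing how the decoy planning described above (target file types, target keywords, an exclusion directory, decoy files of distinct sizes, and decoy directories whose prefixes sort first in forward and reverse traversal) could be implemented on a host. The prefix characters, size ranges, filler content and naming scheme are assumptions chosen for illustration; the prefix for the platform's default enumeration order is deliberately not hard-coded because that order is filesystem dependent and must be measured on the target host.

```python
"""
Decoy planner (added example, not the patent's implementation).

Assumptions:
  - '!' (0x21) sorts before digits and letters in byte order, so a name with
    that prefix is visited first by an ascending (forward) traversal.
  - '~' (0x7E) sorts after them, so that prefix is visited first by a
    descending (reverse) traversal.
  - The default enumeration order (e.g. os.listdir/readdir) is filesystem
    dependent and is not modelled here.
"""
import random
from pathlib import Path

# Constructed stand-ins for values a user would enter in the configuration interface.
TARGET_TYPES = [".docx", ".xlsx", ".sql", ".zip", ".jpg"]
TARGET_KEYWORDS = ["report", "backup", "2022-Q4"]

FORWARD_PREFIX = "!"
REVERSE_PREFIX = "~"

# Low-entropy filler so the decoy does not already look encrypted (assumed content).
FILLER_LINE = b"Quarterly report placeholder line\n"


def decoy_dir_names(stem: str) -> list:
    """Decoy directory names derived from a real directory name."""
    return [FORWARD_PREFIX + stem, REVERSE_PREFIX + stem]


def is_excluded(path: Path, excluded) -> bool:
    """True if path is, or lies inside, one of the excluded directories."""
    excluded = [Path(e) for e in excluded]
    return any(path == ex or ex in path.parents for ex in excluded)


def plan_decoy_files(decoy_dir: Path, count: int, rng: random.Random) -> list:
    """Choose (path, size) pairs: random types from TARGET_TYPES, pairwise
    distinct sizes, names built from the target keywords."""
    sizes = rng.sample(range(4096, 4096 * 64, 4096), count)  # distinct by construction
    plan = []
    for i, size in enumerate(sizes):
        ext = rng.choice(TARGET_TYPES)
        name = f"{rng.choice(TARGET_KEYWORDS)}_{i:02d}{ext}"
        plan.append((decoy_dir / name, size))
    return plan


def deploy_decoys(app_dirs, excluded, files_per_dir=3, seed=None) -> list:
    """Create decoy directories beneath each application directory that is not
    excluded, fill them with decoy files, and return the written paths."""
    rng = random.Random(seed)
    written = []
    for app_dir in map(Path, app_dirs):
        if is_excluded(app_dir, excluded):
            continue
        for dname in decoy_dir_names(app_dir.name):
            ddir = app_dir / dname
            ddir.mkdir(parents=True, exist_ok=True)
            for path, size in plan_decoy_files(ddir, files_per_dir, rng):
                filler = (FILLER_LINE * (size // len(FILLER_LINE) + 1))[:size]
                path.write_bytes(filler)
                written.append(path)
    return written
```

Run it against a scratch directory before touching a production host: `deploy_decoys(["/srv/app/data"], excluded=["/srv/app/logs"], seed=1)` writes six decoys in `!data` and `~data`. Whether a third prefix is needed for the default enumeration order can be checked by listing the parent with `os.listdir` on the real filesystem and seeing which entry comes back first.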
In some possible implementations, the detection system may also monitor the decoy files and restore a decoy file when it is modified or deleted by mistake. This prevents a situation in which, after a decoy file has been accidentally deleted or modified, ransomware encrypts the business/data files directly and decoy-based detection fails.
In a second aspect, the present application provides a ransomware detection system. The system includes:
a decoy file management module, configured to generate decoy files according to an application or a system directory;
a decoy access behavior detection module, configured to detect access behavior toward the decoy files and obtain the change in the decoy files' attributes before and after the access;
the decoy access behavior detection module being further configured to identify ransomware from the attribute change.
In some possible implementations, the system further includes:
a security response module, configured to present alert information to the user, the alert information including one or more of: the identifier of the ransomware process, the path of the ransomware, the hash of the ransomware, the command line of the ransomware, the access path of the ransomware process, and the access behavior of the ransomware process, where the ransomware process is the process corresponding to the ransomware.
In some possible implementations, the system further includes:
a security response module, configured to stop the ransomware process and block the ransomware, the ransomware process being the process corresponding to the ransomware.
In some possible implementations, the decoy file management module is further configured to:
update the decoy files according to a change in the applications or a change in the system directory.
In some possible implementations, the decoy file management module is specifically configured to:
present an update interface to the user according to a change in the applications or a change in the system directory;
update the decoy files according to the update operation the user triggers through the update interface.
In some possible implementations, the decoy file management module is specifically configured to:
generate the decoy files according to the application's access information.
In some possible implementations, the application's access information includes the file types the application accesses;
the decoy file management module is specifically configured to:
generate the decoy files according to the file types the application accesses, the decoy files having the same file types as the files the application accesses.
In some possible implementations, the decoy files comprise multiple files, and the multiple files have different sizes.
In some possible implementations, the decoy file management module is further configured to:
generate a decoy directory according to the application's access information, the decoy directory being the directory in which the decoy files are placed.
In some possible implementations, the application's access information includes the file directories the application accesses;
the decoy file management module is specifically configured to:
generate the decoy directory according to the file directories the application accesses.
In some possible implementations, the decoy file management module is specifically configured to:
generate multiple decoy files under the system directory according to randomly selected file types, the multiple decoy files having different sizes.
In some possible implementations, the system further includes:
a decoy detection configuration module, configured to present a configuration interface to the user and receive the detection parameters the user configures through the configuration interface, the detection parameters including target file types;
the decoy file management module is specifically configured to:
generate multiple decoy files under the system directory according to file types randomly selected from the target file types.
In some possible implementations, the detection parameters further include at least one of an exclusion directory and target keywords, the exclusion directory being a directory within the system directory in which no decoy files need to be deployed, and the target keywords being used to generate the names of the decoy files.
In some possible implementations, the decoy file management module is further configured to:
generate a decoy directory according to the system directory, the decoy directory being the directory in which the decoy files are placed.
In some possible implementations, the decoy directory includes at least one of a first decoy directory, a second decoy directory and a third decoy directory;
the name of the first decoy directory includes a first prefix, so that the first decoy directory is visited first in a forward-order traversal;
the name of the second decoy directory includes a second prefix, so that the second decoy directory is visited first in a reverse-order traversal;
the name of the third decoy directory includes a third prefix, so that the third decoy directory is visited first in the system disk's default traversal order.
In some possible implementations, the decoy access behavior detection module is further configured to:
monitor the decoy files and restore a decoy file when it is modified or deleted by mistake.
In a third aspect, the present application provides a computer cluster. The computer cluster includes at least one computer, and the at least one computer includes a processor and a memory. The processor and the memory communicate with each other. The processor is configured to execute the instructions stored in the memory so that the computer cluster performs the ransomware detection method of the first aspect or any implementation of the first aspect.
In a fourth aspect, the present application provides a computer-readable storage medium storing instructions that instruct a computer cluster to perform the ransomware detection method of the first aspect or any implementation of the first aspect.
In a fifth aspect, the present application provides a computer program product containing instructions which, when run on a computer cluster, cause the computer cluster to perform the ransomware detection method of the first aspect or any implementation of the first aspect.
The implementations provided in the aspects above may be further combined to provide additional implementations.
Description of drawings
To illustrate the technical methods of the embodiments of the present application more clearly, the drawings required by the embodiments are briefly introduced below.
Fig. 1 is a system architecture diagram of a ransomware detection system provided by an embodiment of the present application;
Fig. 2 is a flowchart of a ransomware detection method provided by an embodiment of the present application;
Fig. 3 is a schematic diagram of a configuration interface provided by an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a system directory provided by an embodiment of the present application;
Fig. 5A is a schematic diagram of an update interface provided by an embodiment of the present application;
Fig. 5B is a schematic diagram of another update interface provided by an embodiment of the present application;
Fig. 6 is a schematic structural diagram of a ransomware detection system provided by an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a computer cluster provided by an embodiment of the present application.
Detailed description
The terms "first" and "second" in the embodiments of the present application are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or as implicitly indicating the number of technical features referred to. A feature qualified by "first" or "second" may therefore explicitly or implicitly include one or more such features.
Some technical terms involved in the embodiments of the present application are introduced first.
Ransomware is a particular kind of malware, usually classified as a denial-of-access attack. What most distinguishes ransomware from other malware is its technique and the way it compromises a system. A typical ransomware systematically encrypts the files stored on a computing device, in particular critical business/data files, which may be one or more of database files, office documents, archive files, videos, images and source code, and then demands that the victim pay a ransom to obtain the decryption key or tool, which the victim has no way of recovering independently, in order to decrypt the files.
Ransomware usually spreads in the form of a trojan, disguising itself as a seemingly harmless file. For example, it may use social engineering, such as masquerading as an ordinary e-mail, to trick the victim into clicking a link and downloading it, or, like many worms, it may exploit software vulnerabilities to spread between networked computing devices.
To limit the damage done by ransomware, the industry offers a number of ransomware detection schemes that detect ransomware early so that it can be blocked. The mainstream schemes include decoy-file-based ransomware detection: decoy files of a fixed type and fixed size are deployed in a specified directory, and known or unknown ransomware is identified by monitoring processes' access operations on the decoy files.
However, that scheme requires the decoy files' deployment location to be specified, and the decoy files' size, type, content and name are all relatively fixed. Ransomware can use the fixed size, type or name, or the specified deployment location, to bypass the decoy files and encrypt the application's business/data files, rendering decoy-based ransomware detection ineffective.
In view of this, an embodiment of the present application provides a ransomware detection method. The method may be performed by a ransomware detection system; for ease of description, the embodiments also refer to the ransomware detection system simply as the detection system. In some embodiments the detection system is a software system that can be deployed in a computer cluster, the cluster performing the ransomware detection method by running the software system's program code. In other embodiments the detection system may be a hardware system for detecting ransomware. The embodiments of this application use a software detection system as the example.
Specifically, the detection system generates decoy files according to the applications or the system directory; it then detects access behavior toward the decoy files and obtains the change in the decoy files' attributes before and after the access; and it identifies ransomware from that attribute change.
In this method, the detection system generates, from the applications or the system directory, decoy files that closely resemble the real business/data files, and the decoy files' type, size, name and deployment location are not fixed. This prevents ransomware from skipping the decoys on the basis of a fixed size, type, name or location and encrypting the application's business/data files, so the anomalous behavior of ransomware encrypting files can be detected effectively and promptly, the ransomware can be blocked in time, and the damage it causes is reduced.
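The following is an added example, not the applicant's code, of the detection step described above together with the decoy-restoration behavior mentioned earlier: it snapshots a decoy file's attributes (existence, name, size, SHA-256, byte entropy), classifies the change between two snapshots, and restores the decoy from a saved baseline copy when the change looks like a stray edit or accidental deletion rather than encryption. The attributes compared, the entropy thresholds, and the "ciphertext written under a new extension, original removed" heuristic are assumptions chosen for illustration; the patent text only states that attribute changes are compared.

```python
"""
Decoy attribute snapshot, classification and restore (added example).

Assumed decision rule:
  - content replaced by high-entropy data  -> "ransomware"
  - decoy gone but a sibling named <decoy>.<new ext> appeared -> "ransomware"
  - decoy gone with no such sibling        -> "deleted" (restore it)
  - content changed but still low entropy  -> "benign_change" (restore it)
  - same hash                              -> "unchanged"
"""
import hashlib
import math
import shutil
from collections import Counter
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, low for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(path: Path) -> dict:
    """The attributes compared before and after an access."""
    if not path.exists():
        return {"exists": False}
    data = path.read_bytes()
    return {
        "exists": True,
        "name": path.name,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "entropy": shannon_entropy(data),
    }


def find_renamed(path: Path) -> list:
    """Siblings whose name extends the decoy's name, e.g. report.docx.locked."""
    return [p for p in path.parent.iterdir()
            if p.name != path.name and p.name.startswith(path.name)]


def classify_change(path: Path, before: dict, after: dict) -> str:
    if not before.get("exists"):
        return "no_baseline"
    if not after["exists"]:
        return "ransomware" if find_renamed(path) else "deleted"
    if after["sha256"] == before["sha256"]:
        return "unchanged"
    if after["entropy"] >= 7.0 and after["entropy"] > before["entropy"] + 2.0:
        return "ransomware"
    return "benign_change"


class DecoyMonitor:
    """Keeps a baseline copy of one decoy and checks it for changes."""

    def __init__(self, decoy: Path, baseline_dir: Path):
        self.decoy = decoy
        baseline_dir.mkdir(parents=True, exist_ok=True)
        self.baseline = baseline_dir / decoy.name
        shutil.copy2(decoy, self.baseline)
        self.before = snapshot(decoy)

    def check(self) -> str:
        after = snapshot(self.decoy)
        verdict = classify_change(self.decoy, self.before, after)
        if verdict in ("benign_change", "deleted"):
            shutil.copy2(self.baseline, self.decoy)  # restore the decoy
            self.before = snapshot(self.decoy)
        return verdict
```

In a real deployment `check()` would be driven by a file-system notification (inotify, fanotify, a minifilter) carrying the accessing process id, which is what the alert and the process-stop response need; the baseline directory should itself be outside the directories the ransomware would traverse and excluded from decoy deployment.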
It should be noted that the ransomware detection method of the embodiments is applicable to rapidly detecting known and unknown ransomware on a terminal (for example a host) or a server. In particular, in a cloud scenario, where a tenant runs a large number of services on leased or purchased cloud servers and stores critical business/data files there, the method can detect ransomware quickly with a lightweight resource footprint, satisfying the requirements for timely detection and low resource consumption.
To make the technical solution of the present application clearer and easier to understand, the system architecture of the embodiments is introduced below with reference to the drawings.
Referring to the system architecture diagram of the ransomware detection system in Fig. 1, in this example a tenant (for example an individual, an enterprise or another organization) can lease or purchase one or more cloud servers in cloud computing cluster 10 to deploy the tenant's applications, for example application 1 to application N, where N is a positive integer. Fig. 1 shows multiple deployed applications as an example; in some embodiments the tenant may deploy a single application. Ransomware detection system 100, hereinafter simply detection system 100, is also deployed in cloud computing cluster 10.
Cloud computing cluster 10 has a communication connection with terminal 20. Terminal 20 has a client installed, which may be a general-purpose client such as a browser or a detection client dedicated to ransomware detection. Detection system 100 in cloud computing cluster 10 can generate decoy files, which are deceptive, according to the applications or the system directory; detection system 100 can detect access behavior toward the decoy files, obtain the change in the decoy files' attributes before and after the access, and identify ransomware from that attribute change.
Further, detection system 100 can generate alert information from the detected ransomware and send it to terminal 20, so that the terminal presents the alert information to the user. The alert information includes one or more of the identifier of the ransomware process, the path of the ransomware, the hash of the ransomware, the command line of the ransomware, the access path of the ransomware process, and the access behavior of the ransomware process. In this embodiment the ransomware process is the process corresponding to the ransomware.
It should be noted that when ransomware is detected, detection system 100 can also stop the ransomware process and block the ransomware, that is, quarantine the ransomware's executable file. This prevents the ransomware process from encrypting the application's business/data files and harming the user's interests.
The embodiment of Fig. 1 is illustrated with detection system 100 deployed in a cloud computing cluster and detecting whether the applications deployed in that cluster include ransomware. In some possible implementations, detection system 100 may instead be deployed on a local computing device, for example a terminal 20 such as a desktop or laptop computer, to perform ransomware detection for the applications deployed on terminal 20.
Next, the ransomware detection method provided by the embodiments is described in detail from the perspective of detection system 100.
Referring to the flowchart of the ransomware detection method in Fig. 2, the method includes:
S202: Detection system 100 presents a configuration interface to the user.
The configuration interface can be used to configure the detection parameters for ransomware detection. The detection parameters may include a detection mode. When the detection mode is decoy-file-based detection, the detection parameters may further include one or more of target file types, an exclusion directory and target keywords. The target file types serve as a reference for the file types of the generated decoy files, and the target keywords serve as a reference for naming the decoy files. The exclusion directory is a directory in which no decoy files need to be deployed, for example a directory that has no effect on the services.
Referring to the schematic diagram of the configuration interface in Fig. 3, configuration interface 300 includes multiple parameter configuration controls, each used to configure a different detection parameter. Specifically, detection mode configuration control 302 in configuration interface 300 is used to configure the ransomware detection mode; it may include two selection controls, where selecting the control corresponding to "Yes" enables decoy-file-based detection (specifically, detection based on decoy files generated from the applications or the system directory), and selecting the control corresponding to "No" leaves it disabled.
Exclusion directory configuration control 304 in configuration interface 300 is used to configure the exclusion directory; it may be a text box into which the user enters the exclusion directory directly. File type configuration control 306 in configuration interface 300 is used to configure the target file types for generating decoy files, and keyword configuration control 308 is used to configure the target keywords for generating decoy files. The target keywords may include a date, or keywords indicating a function, such as "report" or "statement". Like exclusion directory configuration control 304, file type configuration control 306 and keyword configuration control 308 may also be text boxes into which the user enters the target file types and target keywords to configure the corresponding detection parameters.
S204: Detection system 100 receives the detection parameters configured by the user through the configuration interface.
Specifically, after configuring the detection parameters through the configuration interface, the user can trigger a submit operation; terminal 20 responds to the user's submit operation by sending the detection parameters to detection system 100, and detection system 100 receives the detection parameters sent by the terminal.
Still using Fig. 3 as the example, the user can trigger the submit operation by clicking OK control 307. Correspondingly, detection system 100 receives the detection parameters submitted by terminal 20 in response to the user-triggered submit operation. In some embodiments the user may instead trigger cancel control 309 to cancel configuration of the detection parameters.
Further, detection system 100 can start a decoy detection task based on the received detection parameters. For example, when the detection parameters enable decoy-based detection, detection system 100 can start the decoy detection task and then perform S206 and/or S212 to generate decoy files from the applications or the system directory and carry out ransomware detection with those decoy files.
It should be noted that S202 to S204 are optional steps of the embodiment; the ransomware detection method of the embodiment may also be performed without them, for example with detection system 100 generating decoy files directly from the applications' access information and/or the system directory.
S206: The detection system 100 acquires the access information of the application.
When an application runs, it produces at least one process. The detection system 100 can monitor the running processes, and specifically their access behaviour, to obtain the application's access information. Access behaviour may include reading data and/or writing data.
The detection system 100 may traverse the running processes, identify the application from each process's command line, the path of the file corresponding to the process and the process's related configuration files, and then monitor the file directories, file types, file sizes, file names and so on accessed by the process to obtain the application's access information. The access information may include attributes of the files accessed by the application, for example one or more of the file directories, file types, file sizes and file names accessed by the application.
S208: The detection system 100 generates a decoy directory according to the access information of the application.
The access information of the application includes the file directories accessed by the application, which may be, for example, business file directories and/or data file directories. The detection system 100 can generate a decoy directory according to the file directories accessed by the application. For example, the decoy directory may be at least one directory under a file directory accessed by the application. The decoy directory is used to store decoy files.
Since the decoy directory is under a file directory accessed by the application, from the ransomware's perspective it looks like a business file directory or data file directory accessed by the application. It is therefore highly convincing, and prevents the ransomware from skipping the decoy directory or the decoy files stored in it and encrypting the real business/data files.
It should be noted that the ransomware detection method of the embodiments of this application may also be performed without S208, that is, the detection system 100 need not generate an additional decoy directory to store decoy files. For example, the detection system 100 may use an existing directory to store decoy files.
S208: The detection system 100 generates decoy files according to the access information of the application.
The access information of the application includes the file types accessed by the application. The detection system 100 can generate decoy files according to the file types accessed by the application; in particular, it may generate several decoy files, one for each of several file types accessed by the application. The file type of a decoy file is the same as a file type accessed by the application. This prevents ransomware from skipping decoy files of a fixed file type.
Further, when generating decoy files, the detection system 100 may generate multiple decoy files of different sizes. For example, the detection system 100 may randomly generate multiple decoy files of different sizes, or generate multiple decoy files of different sizes according to the sizes of the files accessed by the application. This prevents ransomware from skipping decoy files of a fixed size.
In some possible implementations, the detection system 100 may also determine the file name keywords commonly used by the application from the names of the files it accesses, and then generate the decoy file names from those keywords. Further, when the detection parameters include target keywords, the detection system 100 may also use the target keywords when determining the decoy file names. Similarly, when the detection parameters include target file types, the detection system 100 may generate decoy files using the target file types as well. For example, the detection system 100 may randomly select several file types from the intersection of the file types accessed by the application and the target file types, and generate decoy files of those types.
The following is a concrete example. In this example, the application is MySQL. The detection system 100 can generate decoy files related to MySQL with extensions such as log, frm, myd, myi and ibd, and the decoy files of these types have different sizes. For data files (such as files with the myd and ibd extensions), the detection system 100 can generate decoy files of 1MB and 5MB; for other file types, it can generate decoy files of 64KB and 128KB. The detection system 100 can also name these decoy files using the file name keywords commonly used by the application.
In this embodiment, by generating the decoy files described above, the detection system 100 prevents ransomware from skipping the decoy files on the basis of a specific application, file type, file size or file name and encrypting the application's business/data files first, which would disrupt business operation.
In some possible implementations, the detection system 100 may also generate decoy files according to the content of the files accessed by the application, to prevent ransomware from skipping the decoy files on the basis of specific content and encrypting the application's business/data files first, disrupting business operation.
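As an added illustration, not code from the patent, the following Python sketch turns the access information and detection parameters described in S208 into a concrete decoy plan: keywords that recur in the application's file names become decoy names, the decoy extensions are the intersection of the accessed types and the configured target types, and each type gets the two size classes of the MySQL example (1MB/5MB for data files, 64KB/128KB otherwise). The MySQL access information, the `/var/lib/mysql/shop` path, the keyword-splitting rule and the filler format are constructed assumptions.

```python
import os
import random
import tempfile

# Constructed access information for a MySQL-like application, mirroring the
# example in the text. Paths and file names are assumed, not from the patent.
ACCESS_INFO = {
    "directories": ["/var/lib/mysql/shop"],
    "file_types": ["log", "frm", "myd", "myi", "ibd"],
    "file_names": [
        "orders_report_2023.ibd", "sales_report.frm",
        "users.myd", "daily_report.log",
    ],
}

# Size classes from the text's MySQL example: data files 1MB and 5MB,
# everything else 64KB and 128KB.
DATA_TYPES = {"myd", "ibd"}
DATA_SIZES = [1 * 1024 * 1024, 5 * 1024 * 1024]
OTHER_SIZES = [64 * 1024, 128 * 1024]


def common_keywords(file_names, min_count=2):
    """Alphabetic name fragments (split on '_', extension dropped) that recur
    across the application's file names, e.g. 'report'."""
    counts = {}
    for name in file_names:
        stem = name.rsplit(".", 1)[0]
        for token in stem.split("_"):
            if token.isalpha():
                counts[token] = counts.get(token, 0) + 1
    return sorted(t for t, c in counts.items() if c >= min_count)


def select_types(accessed_types, target_types=None, k=None, rng=random):
    """Decoy extensions: intersection of accessed and target types when target
    types are configured, otherwise all accessed types; optionally k of them."""
    pool = set(accessed_types)
    if target_types:
        pool &= set(target_types)
    pool = sorted(pool)
    if k is None or k >= len(pool):
        return pool
    return sorted(rng.sample(pool, k))


def plan_decoys(access_info, target_types=None, target_keywords=(), k=None, rng=random):
    """Return (file_name, size) pairs: two sizes per selected type, names built
    from the application's recurring keywords plus any configured keywords."""
    keywords = common_keywords(access_info["file_names"]) + list(target_keywords)
    if not keywords:
        keywords = ["data"]  # fallback when no name fragment recurs
    plan = []
    for ext in select_types(access_info["file_types"], target_types, k, rng):
        sizes = DATA_SIZES if ext in DATA_TYPES else OTHER_SIZES
        for size in sizes:
            kw = keywords[len(plan) % len(keywords)]  # rotate through keywords
            plan.append((f"{kw}_{len(plan)}.{ext}", size))
    return plan


def filler(size, rng=random):
    """Record-like, low-entropy content (constructed format). A random-byte
    decoy would already look encrypted and blunt the entropy check in S216."""
    out = bytearray()
    i = 0
    while len(out) < size:
        out += f"{i},customer-{rng.randint(1, 500)},{rng.randint(1, 99999)}.{rng.randint(0, 99):02d}\n".encode()
        i += 1
    return bytes(out[:size])


def write_decoys(base_dir, plan):
    """Create the planned decoys under base_dir; returns the created paths."""
    os.makedirs(base_dir, exist_ok=True)
    paths = []
    for name, size in plan:
        path = os.path.join(base_dir, name)
        with open(path, "wb") as f:
            f.write(filler(size))
        paths.append(path)
    return paths


if __name__ == "__main__":
    # 'doc' is configured as a target type but never accessed by MySQL, so it
    # drops out of the intersection and no .doc decoy is planned.
    plan = plan_decoys(ACCESS_INFO, target_types=["ibd", "log", "doc"], target_keywords=["2023"])
    for p in write_decoys(tempfile.mkdtemp(prefix="decoys_"), plan):
        print(p, os.path.getsize(p))
```

The filler deliberately avoids random bytes: the later detection step compares the decoy's entropy before and after an access, and a decoy that already has near-maximal entropy gives that comparison nothing to work with.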
S210: The detection system 100 acquires the system directory.
The system directory refers to the directory tree of the file system, which can be represented as a tree structure. Different computing devices may use different file systems, and correspondingly their system directories may differ. This embodiment uses a Linux system directory as an example.
Referring to the schematic structure of the system directory shown in FIG. 4, the system directory includes the directories bin, boot, dev, etc, home, root, run, sbin, tmp, usr and var. bin is short for Binaries; this directory stores the most frequently used commands. boot stores core files used when starting Linux, including some link files and image files. dev is short for Device; this directory holds Linux's external devices, which in Linux are accessed in the same way as files. etc is short for Etcetera; this directory stores all the configuration files and subdirectories needed for system administration. home is the users' home directory; in Linux each user has a directory of their own, generally named after the user's account, such as alice, bob and eve in the figure. root is the home directory of the system administrator (also called the superuser). sbin is short for Superuser Binaries; this directory stores the system administration programs used by the system administrator. tmp is short for temporary; this directory stores temporary files. usr is short for unix shared resources; this directory stores applications and files, similar to the program files directory under Windows. The usr directory in turn contains the bin, sbin and src directories: bin stores applications used by ordinary users, sbin stores the more advanced administration programs and system daemons used by the superuser, and src stores the kernel source code. var is short for variable; this directory stores things that keep growing, such as the various log files. run is a temporary file system that stores information since the system was started; when the system restarts, the files in this directory should be deleted or cleared.
The detection system 100 can obtain the system directory by traversing the file system. In some possible implementations, the file system may support different traversal orders, for example one or more of forward-order traversal, reverse-order traversal and the system disk's default traversal order. The detection system 100 may traverse the file system using one or more of these traversal orders to obtain the system directory.
S212: The detection system 100 generates a decoy directory according to the system directory.
A decoy directory is a directory for storing decoy files. The detection system 100 can generate the decoy directory under the system directory.
It should be noted that the ransomware detection method of the embodiments of this application may also be performed without S212, that is, the detection system 100 need not generate an additional decoy directory to store decoy files. For example, the detection system 100 may use an existing directory to store decoy files.
When generating decoy directories, the detection system 100 may generate at least one decoy directory; for example, it may generate at least one of a first decoy directory, a second decoy directory and a third decoy directory. The name of the first decoy directory includes a first prefix, so that the first decoy directory is visited first in forward-order traversal. The name of the second decoy directory includes a second prefix, so that the second decoy directory is visited first in reverse-order traversal. The name of the third decoy directory includes a third prefix, so that the third decoy directory is visited first in the system disk's default traversal.
In some embodiments, the first prefix may be a printable character that sorts near the beginning, such as "!", so that the first decoy directory is visited first in forward-order traversal; the second prefix may be a printable character that sorts near the end, such as "~", so that the second decoy directory is visited first in reverse-order traversal; and the third prefix may be a character denoting a hidden directory, such as ".", so that the third decoy directory is visited first in the system disk's default traversal.
The detection system 100 may generate at least one of the first, second and third decoy directories by performing S208 and/or S212. When the file system supports forward-order traversal, the detection system 100 may generate the first decoy directory by performing S208 and/or S212. Similarly, when the file system supports reverse-order traversal, it may generate the second decoy directory by performing S208 and/or S212. When the file system supports the system disk's default traversal order, it may generate the third decoy directory by performing S208 and/or S212.
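The prefix choice above rests on byte-order sorting, which is worth checking rather than assuming. The following added example (not part of the patent) creates the three decoy directories with the "!", "~" and "." prefixes among constructed sibling directories and verifies which entry comes first under a bytewise ascending and descending listing, plus which entries are hidden. The sibling names and the base name `decoy` are assumptions.

```python
import os
import tempfile

# Prefixes from the text: "!" (0x21) sorts before digits and letters in byte
# order, "~" (0x7E) sorts after them, and "." marks a hidden entry on Unix-like
# systems.
FORWARD_PREFIX = "!"
REVERSE_PREFIX = "~"
HIDDEN_PREFIX = "."


def decoy_dir_names(base="decoy"):
    """Names of the first, second and third decoy directories."""
    return {
        "first": FORWARD_PREFIX + base,
        "second": REVERSE_PREFIX + base,
        "third": HIDDEN_PREFIX + base,
    }


def create_decoy_dirs(parent, base="decoy"):
    """Create all three decoy directories under parent and return their names."""
    names = decoy_dir_names(base)
    for name in names.values():
        os.makedirs(os.path.join(parent, name), exist_ok=True)
    return names


def forward_order(entries):
    """Bytewise ascending order, what sorted(os.listdir(d)) or a strcmp-based
    sort yields."""
    return sorted(entries, key=lambda s: s.encode())


def reverse_order(entries):
    """Bytewise descending order."""
    return sorted(entries, key=lambda s: s.encode(), reverse=True)


def is_hidden(name):
    return name.startswith(HIDDEN_PREFIX)


def check_priority(parent):
    """For the real listing of parent, report which entry a forward and a
    reverse traversal would reach first, and which entries are hidden."""
    entries = os.listdir(parent)
    return {
        "forward": forward_order(entries)[0],
        "reverse": reverse_order(entries)[0],
        "hidden": sorted(e for e in entries if is_hidden(e)),
    }


if __name__ == "__main__":
    root = tempfile.mkdtemp(prefix="sysdir_")
    for sibling in ["data", "Reports", "2023", "_tmp", "zeta"]:  # constructed neighbours
        os.mkdir(os.path.join(root, sibling))
    create_decoy_dirs(root)
    print(check_priority(root))
```

Two caveats for a deployment: the guarantee holds only for bytewise ordering, since a locale-aware collation (for example `ls` outside the C locale) may ignore leading punctuation, and a name beginning with a byte below 0x21, such as a space, would still sort ahead of "!decoy". An unsorted `readdir` order is filesystem-dependent, which is why the text adds the hidden third directory rather than relying on one prefix alone.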
S214: The detection system 100 generates multiple decoy files under the system directory according to the detection parameters.
Specifically, the detection parameters include the target file types. The detection system 100 may randomly select several file types from the target file types and generate multiple decoy files under the system directory, the file type of each decoy file matching a selected file type. When the detection parameters include a file size range, the detection system 100 may randomly generate decoy files of different sizes within that range.
In some possible implementations, the detection system 100 may also randomly select multiple file types directly from the common file types likely to be encrypted by ransomware. Specifically, as shown in Table 1, when selecting file types the detection system 100 may randomly select some types from each file category (including database, text/document, compressed file, video, image, source code, virtualization/container file, backup file and so on) as the extensions of the decoy files, and then randomly generate decoy files of different sizes. The names of the decoy files may be generated randomly.
Table 1 Common file types
Figure PCTCN2022107828-appb-000001
In other possible implementations, the detection system 100 may randomly select several file types from the target file types to generate some of the decoy files, and randomly select several file types from the common file types to generate the rest. The names of some decoy files may be generated randomly, and the names of the remaining decoy files may be chosen from the target keywords.
This approach prevents ransomware that traverses the whole disk from skipping the encryption of the decoy files by targeting only specific file types or by checking file sizes. It ensures that the decoy files are encrypted by the ransomware first, so that the ransomware is detected early.
S216: The detection system 100 detects access behaviour on the decoy files and acquires the attribute changes of the decoy files before and after the access.
Access behaviour on a decoy file includes reading data and/or writing data. When the detection system 100 detects that a process has read and/or written a decoy file, it can acquire the decoy file's attribute changes before and after that access.
The attributes of a decoy file include one or more of its hash, file size, entropy and file type. The detection system 100 may acquire one or more of the hash, file size, entropy and file type of the decoy file before and after the access. It can then determine the change in the decoy file's hash from its hashes before and after the access. Similarly, the detection system 100 can determine the change in file size, entropy and file type from the decoy file's file size, file type and entropy before and after the access.
S218: The detection system 100 identifies the ransomware according to the attribute changes.
The detection system 100 can compare the attribute changes with preset conditions. When an attribute change satisfies a preset condition, the detection system 100 can determine that suspicious ransomware encryption behaviour exists; it can then identify the process that performed the access as a ransomware process, and determine the file corresponding to that process (that is, the file which, when executed, produced the process) to be the ransomware.
The preset conditions may be set according to empirical values. For quantifiable attributes, such as file size and entropy, the attribute change can be compared as a difference or as a ratio of change; correspondingly, the preset condition can be that the difference reaches a preset value or that the ratio of change reaches a preset ratio. For example, a preset condition may be that the file size changes by 5MB. For attributes that cannot be quantified, such as file type, the preset condition may be that the attribute changes from one value to another. For example, a preset condition may be that the file type changes from doc to exe.
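To make S216 and S218 concrete, here is an added Python example (not the patent's code) that snapshots the four attributes named in the text (SHA-256 hash, size, Shannon entropy, file type from magic bytes), compares a before and an after snapshot, and reports which preset conditions were met. The 5MB size threshold is the text's own figure; the 1.0-bit entropy threshold, the magic-byte table and the sample "before" decoy and simulated "after" contents are constructed assumptions.

```python
import hashlib
import math
import random
from collections import Counter
from dataclasses import dataclass

# Small magic-byte table to infer a coarse file type (constructed subset).
MAGIC = [
    (b"\xD0\xCF\x11\xE0", "doc"),   # legacy OLE2 Office document
    (b"MZ", "exe"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF", "pdf"),
]


@dataclass(frozen=True)
class Snapshot:
    sha256: str
    size: int
    entropy: float
    ftype: str


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sniff_type(data: bytes) -> str:
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def snapshot(data: bytes) -> Snapshot:
    """Attributes of a decoy file's current content."""
    return Snapshot(hashlib.sha256(data).hexdigest(), len(data),
                    shannon_entropy(data), sniff_type(data))


@dataclass(frozen=True)
class Thresholds:
    size_delta_bytes: int = 5 * 1024 * 1024  # "file size changes by 5MB" (text)
    entropy_delta_bits: float = 1.0          # assumed empirical value
    type_change: bool = True


def evaluate(before: Snapshot, after: Snapshot, th: Thresholds = Thresholds()) -> list:
    """Preset conditions satisfied by the change; an empty list means the
    access (e.g. a plain read) left the decoy untouched or within limits."""
    hits = []
    if before.sha256 == after.sha256:
        return hits  # identical content: no other attribute can have changed
    if abs(after.size - before.size) >= th.size_delta_bytes:
        hits.append("size")
    if after.entropy - before.entropy >= th.entropy_delta_bits:
        hits.append("entropy")
    if th.type_change and before.ftype != after.ftype:
        hits.append(f"type:{before.ftype}->{after.ftype}")
    return hits


# Constructed samples. The "after" variants stand in for what an encrypting
# process would leave behind; they are seeded random bytes, not real ciphertext.
def sample_before() -> bytes:
    return b"\xD0\xCF\x11\xE0" + b"Quarterly report: revenue by region\n" * 2000


def _random_bytes(n: int, seed: int = 7) -> bytes:
    return random.Random(seed).randbytes(n)


def sample_after_encrypted() -> bytes:   # same length, high entropy, magic gone
    return _random_bytes(len(sample_before()))


def sample_after_exe() -> bytes:         # the text's doc -> exe type change
    return b"MZ" + _random_bytes(len(sample_before()) - 2)


def sample_after_grown() -> bytes:       # size grows by the 5MB threshold
    return sample_before() + b"\x00" * Thresholds().size_delta_bytes


if __name__ == "__main__":
    before = snapshot(sample_before())
    for label, data in [("encrypted", sample_after_encrypted()),
                        ("exe", sample_after_exe()), ("grown", sample_after_grown())]:
        print(label, evaluate(before, snapshot(data)))
```

The hash comparison is the cheap gate: a read-only access leaves it unchanged and short-circuits the rest. The entropy test is the one that catches in-place encryption, where size and sometimes even the extension stay the same; the text's ratio-based variant would replace the absolute delta with `after.entropy / before.entropy`.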
In some possible implementations, after identifying the ransomware the detection system 100 may also present alarm information to the user. The alarm information may include one or more of the identifier of the ransomware process, the path of the ransomware, the hash of the ransomware, the command line of the ransomware, the access path of the ransomware process and the access actions of the ransomware process, where the ransomware process is the process corresponding to the ransomware.
Further, after identifying the ransomware, the detection system 100 may also stop the ransomware process to block the ransomware. The detection system 100 may do this automatically once the ransomware is identified, or it may first present the alarm information to the user, have the user confirm it, and stop the ransomware process to block the ransomware only after obtaining the user's authorization or permission.
Considering that decoy directories and decoy files may be deleted by the user by mistake, for example while cleaning up business/data files, the detection system 100 may also monitor the decoy files and restore a decoy file when it is mistakenly modified or deleted. The detection system 100 may monitor the decoy files periodically: if a decoy file has been modified or deleted but the corresponding application has not been uninstalled, the decoy file was probably modified or deleted by mistake, and the detection system 100 can restore it from memory. In some embodiments, if a decoy file has been modified or deleted but the detection system 100 has not generated corresponding alarm information, the decoy file is likewise likely to have been modified or deleted by mistake, and the detection system 100 can restore the mistakenly deleted or modified decoy file from memory.
In some possible implementations, the detection system 100 may also monitor changes in applications or in the system directory, and then update the decoy files according to those changes. Specifically, the detection system 100 can periodically monitor and identify the running processes. If a new application is found, the detection system 100 can create new decoy files according to the access information of the new application and, optionally, a new decoy directory. If an application is found to have been uninstalled while its decoy files still exist, the detection system 100 can delete those decoy files; optionally, if the decoy directory still exists after the application is uninstalled, it can delete the decoy directory as well. Similarly, the detection system 100 can create new decoy directories/decoy files or delete existing ones according to changes in the system directory.
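The two maintenance rules in the preceding paragraphs (restore a decoy from memory when it changes without an alarm while its application is still installed; remove it when the application is gone) fit naturally into one periodic reconciliation pass. The following is an added example of that pass, not the patent's implementation; the registry design, the application names and the decoy paths are assumptions.

```python
import os
import tempfile


class DecoyRegistry:
    """Keeps an in-memory copy of every decoy file and the application it
    belongs to, so a decoy can be rebuilt or retired without re-profiling."""

    def __init__(self):
        self._entries = {}  # path -> (app_name, original_bytes)

    def register(self, path, app_name, data):
        """Write the decoy to disk and remember its content for restoration."""
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        self._entries[path] = (app_name, data)

    def reconcile(self, installed_apps, alerted_paths):
        """One monitoring pass. Returns {path: action}, where action is
        'deleted'  - the owning application was uninstalled, decoy removed;
        'restored' - decoy missing or changed, no alarm raised, app present;
        'alerted'  - decoy changed and an alarm exists: leave it for triage;
        'ok'       - decoy intact."""
        actions = {}
        for path, (app, original) in list(self._entries.items()):
            if app not in installed_apps:
                if os.path.exists(path):
                    os.remove(path)
                del self._entries[path]
                actions[path] = "deleted"
                continue
            intact = os.path.exists(path) and _read(path) == original
            if intact:
                actions[path] = "ok"
            elif path in alerted_paths:
                actions[path] = "alerted"
            else:
                with open(path, "wb") as f:
                    f.write(original)
                actions[path] = "restored"
        return actions


def _read(path):
    with open(path, "rb") as f:
        return f.read()


if __name__ == "__main__":
    root = tempfile.mkdtemp(prefix="decoys_")
    reg = DecoyRegistry()
    mysql_decoy = os.path.join(root, "mysql", "report_0.ibd")   # constructed
    nginx_decoy = os.path.join(root, "nginx", "access_0.log")   # constructed
    reg.register(mysql_decoy, "mysql", b"A" * 100)
    reg.register(nginx_decoy, "nginx", b"B" * 100)
    os.remove(mysql_decoy)                        # simulate an accidental cleanup
    print(reg.reconcile({"mysql", "nginx"}, alerted_paths=set()))
    print(reg.reconcile({"mysql"}, alerted_paths=set()))  # nginx uninstalled
```

Restoring a changed decoy only when no alarm is attached to it is the important ordering: if the detection step has already flagged the change, overwriting the file would destroy the evidence the alarm refers to.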
Further, when the detection system 100 detects a change in an application or in the system directory, it may present an update interface to the user according to that change, and then update the decoy files according to the update operation triggered by the user through the update interface.
Referring to the schematic update interfaces shown in FIG. 5A and FIG. 5B, the update interface 500 presents the change information detected by the detection system 100, such as a change in an application or in the system directory. This embodiment is illustrated with updating decoy files based on application changes. The update interface 500 shown in FIG. 5A displays information about a newly added application when the detection system 100 detects one, for example the new application's access information 502; the update interface 500 shown in FIG. 5B displays information 504 about an uninstalled application when the detection system 100 detects that an application has been uninstalled, for example the name of the uninstalled application.
The update interface 500 also displays prompt information 506 indicating that an application has been added or uninstalled, and the user can trigger the update control 508 to trigger the operation of updating the decoy files. When the update control 508 is triggered in the update interface 500 of FIG. 5A, the detection system 100 can generate new decoy files; when the update control 508 is triggered in the update interface 500 of FIG. 5B, the detection system 100 can delete the decoy files corresponding to the uninstalled application.
Further, the update interface 500 also includes a cancel control 509; when the cancel control 509 is triggered, the detection system 100 can cancel the update of the decoy files.
Based on the above description, the embodiments of this application provide a ransomware detection method. In this method, the detection system 100 generates decoy files that closely resemble real business/data files according to the application or the system directory, which prevents ransomware from skipping the decoy files on the basis of a fixed file size, file type, file name or deployment location and encrypting the application's business/data files. The abnormal behaviour of ransomware encrypting files can thus be discovered effectively and earlier, so that the ransomware is blocked in time and the damage it causes is reduced.
Moreover, by generating decoy directories with specific prefixes, the method ensures that the decoy directories and the decoy files within them are visited first under different traversal orders, so that the detection method does not fail because the ransomware reaches the business/data files first.
The ransomware detection method provided by the embodiments of this application has been described in detail above with reference to FIG. 1 to FIG. 5B. The system 100 provided by the embodiments of this application is described below with reference to the accompanying drawings.
Referring to the schematic structure of the ransomware detection system 100 shown in FIG. 6, the system 100 includes:
a decoy file management module 102, configured to generate decoy files according to an application or a system directory;
a decoy access behaviour detection module 104, configured to detect access behaviour on the decoy files and acquire the attribute changes of the decoy files before and after the access;
the decoy access behaviour detection module 104 being further configured to identify ransomware according to the attribute changes.
In some possible implementations, the system 100 further includes:
a security response module 106, configured to present alarm information to the user, the alarm information including one or more of the identifier of the ransomware process, the path of the ransomware, the hash of the ransomware, the command line of the ransomware, the access path of the ransomware process and the access behaviour of the ransomware process, where the ransomware process is the process corresponding to the ransomware.
In some possible implementations, the system 100 further includes:
a security response module 106, configured to stop the ransomware process to block the ransomware, the ransomware process being the process corresponding to the ransomware.
In some possible implementations, the decoy file management module 102 is further configured to:
update the decoy files according to changes in the application or in the system directory.
The system 100 may further include an application monitoring module 103, which monitors application changes. When the application monitoring module 103 detects an application change, such as a newly added application or an uninstalled application, it can report the change information to the decoy file management module 102, so that the decoy file management module 102 updates the decoy files according to the change information.
In some possible implementations, the decoy file management module 102 is specifically configured to:
present an update interface to the user according to changes in the application or in the system directory;
update the decoy files according to an update operation triggered by the user through the update interface.
In some possible implementations, the decoy file management module 102 is specifically configured to:
generate the decoy files according to the access information of the application.
In some possible implementations, the access information of the application includes the file types accessed by the application;
the decoy file management module 102 is specifically configured to:
generate the decoy files according to the file types accessed by the application, the file type of each decoy file being the same as a file type accessed by the application.
In some possible implementations, the decoy files include multiple files, and the multiple files have different sizes.
In some possible implementations, the decoy file management module 102 is further configured to:
generate a decoy directory according to the access information of the application, the decoy directory being the directory in which the decoy files are located.
In some possible implementations, the access information of the application includes the file directories accessed by the application;
the decoy file management module 102 is specifically configured to:
generate the decoy directory according to the file directories accessed by the application.
In some possible implementations, the decoy file management module 102 is specifically configured to:
generate multiple decoy files under the system directory according to randomly selected file types, the multiple decoy files having different sizes.
In some possible implementations, the system 100 further includes:
a decoy detection configuration module 108, configured to present a configuration interface to the user and receive detection parameters configured by the user through the configuration interface, the detection parameters including target file types;
所述诱饵文件管理模块102具体用于:The decoy file management module 102 is specifically used for:
根据从所述目标文件类型中随机选择的文件类型,生成所述系统目录下的多个所述诱饵文件。A plurality of decoy files under the system directory are generated according to a file type randomly selected from the target file types.
在一些可能的实现方式中,所述检测参数还包括排除目录、目标关键字中的至少一个,所述排除目录为所述系统目录中无需部署所述诱饵文件的目录,所述目标关键字用于生成所述诱饵文件的名称。In some possible implementations, the detection parameters further include at least one of an exclusion directory and a target keyword, the exclusion directory is a directory in the system directory that does not need to deploy the decoy file, and the target keyword is used to generate the name of the decoy file.
在一些可能的实现方式中,所述诱饵文件管理模块102还用于:In some possible implementations, the decoy file management module 102 is also used for:
根据所述系统目录,生成诱饵目录,所述诱饵目录为所述诱饵文件所在目录。A decoy directory is generated according to the system directory, and the decoy directory is a directory where the decoy file is located.
在一些可能的实现方式中,所述诱饵目录包括第一诱饵目录、第二诱饵目录和第三诱饵目录中的至少一个;In some possible implementations, the lure list includes at least one of a first lure list, a second lure list, and a third lure list;
所述第一诱饵目录的名称包括第一前缀,使得所述第一诱饵目录在正序遍历时被优先访问;The name of the first decoy directory includes a first prefix, so that the first decoy directory is preferentially accessed during forward order traversal;
所述第二诱饵目录的名称包括第二前缀,使得所述第二诱饵目录在逆序遍历时被优先访问;The name of the second decoy directory includes a second prefix, so that the second decoy directory is preferentially accessed when traversing in reverse order;
所述第三诱饵目录的名称包括第三前缀,使得所述第三诱饵目录在系统磁盘默认遍历时被优先访问。The name of the third decoy directory includes a third prefix, so that the third decoy directory is preferentially accessed when the system disk is traversed by default.
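The decoy planning just described (random file type from the configured target types, several decoys of different sizes, excluded directories, a keyword in the names, and three decoy directories whose prefixes put them first in forward, reverse and default traversal order), as an added Python example that is not the patent's or the applicant's code. The prefix characters, the size range, the filler content and all function names are assumptions made here.

```python
"""Planning and deploying decoy files under a system directory (added example)."""
import os
import random
import tempfile
from dataclasses import dataclass

# Assumed prefixes: '!' (0x21) sorts before digits and letters, so a directory
# named '!...' is met first when entries are visited in ascending name order;
# '~' (0x7E) sorts after letters, so '~...' is met first in descending order.
# The default order of a system disk is filesystem dependent, so the third
# prefix is left as a tunable.
FORWARD_PREFIX = "!"
REVERSE_PREFIX = "~"
DEFAULT_PREFIX = "_"


@dataclass(frozen=True)
class DecoyFile:
    path: str
    size: int  # bytes


def is_excluded(directory, excluded_dirs):
    """True when directory is, or lies under, one of the excluded directories."""
    d = os.path.normpath(directory)
    for ex in excluded_dirs:
        e = os.path.normpath(ex)
        if d == e or d.startswith(e + os.sep):
            return True
    return False


def plan_decoys(system_dirs, excluded_dirs, target_types, keyword,
                per_dir=3, seed=None):
    """Return the decoy files to create, without touching the filesystem."""
    rng = random.Random(seed)
    plan = []
    for base in system_dirs:
        if is_excluded(base, excluded_dirs):
            continue
        for prefix in (FORWARD_PREFIX, REVERSE_PREFIX, DEFAULT_PREFIX):
            decoy_dir = os.path.join(base, prefix + keyword)
            # distinct sizes (KiB) so that ransomware which skips files below
            # or above some threshold still touches at least one decoy
            for i, kib in enumerate(rng.sample(range(1, 64), per_dir)):
                ext = rng.choice(target_types)  # one of the target file types
                name = f"{keyword}_{i}.{ext}"   # keyword-derived file name
                plan.append(DecoyFile(os.path.join(decoy_dir, name), kib * 1024))
    return plan


def deploy_decoys(plan):
    """Create the planned files on disk; returns how many were written."""
    for decoy in plan:
        os.makedirs(os.path.dirname(decoy.path), exist_ok=True)
        line = f"decoy file {os.path.basename(decoy.path)}\n".encode()
        with open(decoy.path, "wb") as fh:
            # constructed, text-like filler repeated up to the planned size
            fh.write((line * (decoy.size // len(line) + 1))[:decoy.size])
    return len(plan)


def deploy_in_tempdir(target_types, keyword, seed=1):
    """Deploy a plan into a throwaway directory and verify it; returns
    (number created, all sizes correct, sorted decoy directory names)."""
    with tempfile.TemporaryDirectory() as root:
        plan = plan_decoys([root], [], target_types, keyword, seed=seed)
        created = deploy_decoys(plan)
        sizes_ok = all(os.path.getsize(d.path) == d.size for d in plan)
        names = sorted(os.listdir(root))
    return created, sizes_ok, names
```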
In some possible implementations, the decoy access behavior detection module 104 is further configured to:
monitor the decoy file and, when the decoy file is mistakenly modified or deleted, restore the decoy file.
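The detection and restoration steps above (compare the decoy's attributes before and after an access, decide from the change, and put the decoy back), as an added Python example that is not the patent's code. The compared attributes (existence, size, SHA-256), the rename heuristic and the rule that anything other than an unchanged read is reported are assumptions; the sample decoy and the modifications applied to it are constructed inside the demo function.

```python
"""Decoy attribute monitoring and restoration (added example)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class DecoyAttrs:
    """Attributes of a decoy file compared before and after an access (assumed set)."""
    exists: bool
    size: int
    sha256: str


def snapshot(path):
    """Record the decoy's current attributes."""
    if not os.path.isfile(path):
        return DecoyAttrs(False, 0, "")
    with open(path, "rb") as fh:
        data = fh.read()
    return DecoyAttrs(True, len(data), hashlib.sha256(data).hexdigest())


def find_renamed(path):
    """Assumed heuristic: a decoy whose original name survives as a prefix of
    another name in the same directory (e.g. 'a.docx' -> 'a.docx.xyz') was renamed."""
    directory, base = os.path.split(path)
    for name in os.listdir(directory):
        if name != base and name.startswith(base):
            return os.path.join(directory, name)
    return None


def classify_access(before, after, renamed_to):
    """Verdict from the attribute change. A legitimate read changes nothing;
    every other outcome on a decoy is reported."""
    if before == after:
        return "read-only"
    if after.exists:
        return "content-modified"
    return "renamed" if renamed_to else "deleted"


class DecoyMonitor:
    def __init__(self):
        self._original = {}  # path -> (original bytes, baseline attributes)

    def register(self, path):
        with open(path, "rb") as fh:
            data = fh.read()
        self._original[path] = (data, snapshot(path))

    def baseline(self, path):
        return self._original[path][1]

    def check(self, path):
        """Compare with the baseline, restore the decoy if it changed, return the verdict."""
        data, before = self._original[path]
        renamed_to = None if os.path.isfile(path) else find_renamed(path)
        verdict = classify_access(before, snapshot(path), renamed_to)
        if verdict != "read-only":
            if renamed_to:
                os.remove(renamed_to)  # drop the renamed copy, then restore the original
            with open(path, "wb") as fh:
                fh.write(data)
        return verdict


def demo_in_tempdir():
    """Run the monitor over a constructed decoy; returns (verdicts, restored_ok)."""
    verdicts = []
    with tempfile.TemporaryDirectory() as root:
        decoy = os.path.join(root, "finance_0.docx")
        with open(decoy, "wb") as fh:
            fh.write(b"decoy content " * 64)  # constructed decoy body
        mon = DecoyMonitor()
        mon.register(decoy)

        with open(decoy, "rb") as fh:  # benign read: attributes unchanged
            fh.read()
        verdicts.append(mon.check(decoy))

        with open(decoy, "wb") as fh:  # content rewritten in place (constructed)
            fh.write(os.urandom(1024))
        verdicts.append(mon.check(decoy))

        os.rename(decoy, decoy + ".xyz")  # renamed with an extra extension
        verdicts.append(mon.check(decoy))

        os.remove(decoy)  # deleted
        verdicts.append(mon.check(decoy))
        restored_ok = snapshot(decoy) == mon.baseline(decoy)
    return verdicts, restored_ok
```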
The ransomware detection system 100 according to the embodiment of the present application may correspondingly perform the method described in the embodiment of the present application, and the above and other operations and/or functions of the respective modules/units of the ransomware detection system 100 are each intended to implement the corresponding flow of the respective methods in the embodiment shown in FIG. 2; for brevity, they are not described again here.
The embodiment of the present application further provides a computer cluster. The computer cluster includes at least one computer, which may for example be a server. The computer cluster is specifically used to implement the functions of the ransomware detection system 100 in the embodiment shown in FIG. 6.
FIG. 7 provides a schematic structural diagram of a computer cluster. As shown in FIG. 7, the computer cluster 70 includes multiple computers 700, and each computer 700 includes a bus 701, a processor 702, a communication interface 703 and a memory 704. The processor 702, the memory 704 and the communication interface 703 communicate with one another through the bus 701.
The bus 701 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, among others. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is drawn in FIG. 7, but this does not mean that there is only one bus or only one type of bus.
The processor 702 may be any one or more of a central processing unit (CPU), a graphics processing unit (GPU), a microprocessor (MP), a digital signal processor (DSP) or other processors.
The communication interface 703 is used for communicating with the outside. For example, the communication interface 703 is used to receive the detection parameters configured by the user through the configuration interface and to present alert information to the user.
The memory 704 may include volatile memory, such as random access memory (RAM). The memory 704 may also include non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid state drive (SSD).
The memory 704 stores computer-readable instructions, and the processor 702 executes the computer-readable instructions so that the computer cluster 70 performs the aforementioned ransomware detection method (or implements the functions of the aforementioned ransomware detection system 100).
Specifically, when the embodiment of the system shown in FIG. 6 is implemented and the functions of the modules or units of the ransomware detection system 100 described in FIG. 6 are implemented in software, the software or program code required to perform the functions of the modules or units in FIG. 6 may be stored in at least one memory 704 of the computer cluster 70. At least one processor 702 executes the program code stored in the memory 704 so that the computer cluster 70 performs the aforementioned ransomware detection method.
The embodiment of the present application further provides a computer-readable storage medium. The computer-readable storage medium may be any available medium that a computer can store, or a data storage device such as a data center containing one or more available media. The available medium may be a magnetic medium (for example a floppy disk, a hard disk or magnetic tape), an optical medium (for example a DVD) or a semiconductor medium (for example a solid state drive). The computer-readable storage medium includes instructions that instruct a computer or a computer cluster to perform the above ransomware detection method.
The embodiment of the present application further provides a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present application are produced in whole or in part. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer or data center to another website, computer or data center by wired (for example coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless (for example infrared, radio or microwave) means. The computer program product may be a software installation package; when any of the aforementioned ransomware detection methods needs to be used, the computer program product may be downloaded and executed on a computer or a computer cluster.
The descriptions of the flows or structures corresponding to the above drawings each have their own emphasis; for any part not described in detail in one flow or structure, refer to the relevant description of the other flows or structures.

Claims (35)

  1. A ransomware detection method, characterized in that the method comprises:
    generating a decoy file according to an application or a system directory;
    detecting an access behavior on the decoy file, and obtaining an attribute change of the decoy file before and after the access behavior;
    determining ransomware according to the attribute change.
  2. The method according to claim 1, characterized in that the method further comprises:
    presenting alert information to the user, the alert information including one or more of an identifier of the ransomware process, the path of the ransomware, the hash of the ransomware, the command line of the ransomware, the access path of the ransomware process and the access behavior of the ransomware process, the ransomware process being the process corresponding to the ransomware.
  3. The method according to claim 1 or 2, characterized in that the method further comprises:
    stopping the ransomware process and blocking the ransomware, the ransomware process being the process corresponding to the ransomware.
  4. The method according to any one of claims 1 to 3, characterized in that the method further comprises:
    updating the decoy file according to a change in the application or a change in the system directory.
  5. The method according to claim 4, characterized in that updating the decoy file according to the change in the application or the change in the system directory comprises:
    presenting an update interface to a user according to the change in the application or the change in the system directory;
    updating the decoy file according to an update operation triggered by the user through the update interface.
  6. The method according to any one of claims 1 to 5, characterized in that generating the decoy file according to the application comprises:
    generating the decoy file according to access information of the application.
  7. The method according to claim 6, characterized in that the access information of the application includes a file type accessed by the application;
    generating the decoy file according to the access information of the application comprises:
    generating the decoy file according to the file type accessed by the application, the file type of the decoy file being the same as the file type accessed by the application.
  8. The method according to claim 7, characterized in that the decoy file includes multiple files, and the multiple files have different file sizes.
  9. The method according to any one of claims 1 to 8, characterized in that the method further comprises:
    generating a decoy directory according to the access information of the application, the decoy directory being the directory in which the decoy file is located.
  10. The method according to claim 9, characterized in that the access information of the application includes a file directory accessed by the application;
    generating the decoy directory according to the access information of the application comprises:
    generating the decoy directory according to the file directory accessed by the application.
  11. The method according to any one of claims 1 to 5, characterized in that generating the decoy file according to the system directory comprises:
    generating multiple decoy files under the system directory according to a randomly selected file type, the multiple decoy files having different file sizes.
  12. The method according to claim 11, characterized in that the method further comprises:
    presenting a configuration interface to the user;
    receiving detection parameters configured by the user through the configuration interface, the detection parameters including a target file type;
    generating the multiple decoy files under the system directory according to the randomly selected file type comprises:
    generating the multiple decoy files under the system directory according to a file type randomly selected from the target file types.
  13. The method according to claim 12, characterized in that the detection parameters further include at least one of an exclusion directory and a target keyword, the exclusion directory being a directory in the system directory in which no decoy file needs to be deployed, and the target keyword being used to generate the name of the decoy file.
  14. The method according to any one of claims 11 to 13, characterized in that the method further comprises:
    generating a decoy directory according to the system directory, the decoy directory being the directory in which the decoy file is located.
  15. The method according to claim 9, 10 or 14, characterized in that the decoy directory includes at least one of a first decoy directory, a second decoy directory and a third decoy directory;
    the name of the first decoy directory includes a first prefix, so that the first decoy directory is accessed first during forward-order traversal;
    the name of the second decoy directory includes a second prefix, so that the second decoy directory is accessed first during reverse-order traversal;
    the name of the third decoy directory includes a third prefix, so that the third decoy directory is accessed first during the default traversal of the system disk.
  16. The method according to any one of claims 1 to 15, characterized in that the method further comprises:
    monitoring the decoy file and, when the decoy file is mistakenly modified or deleted, restoring the decoy file.
  17. A ransomware detection system, characterized in that the system comprises:
    a decoy file management module, configured to generate a decoy file according to an application or a system directory;
    a decoy access behavior detection module, configured to detect an access behavior on the decoy file and obtain an attribute change of the decoy file before and after the access behavior;
    the decoy access behavior detection module being further configured to determine ransomware according to the attribute change.
  18. The system according to claim 17, characterized in that the system further comprises:
    a security response module, configured to present alert information to the user, the alert information including one or more of an identifier of the ransomware process, the path of the ransomware, the hash of the ransomware, the command line of the ransomware, the access path of the ransomware process and the access behavior of the ransomware process, the ransomware process being the process corresponding to the ransomware.
  19. The system according to claim 17 or 18, characterized in that the system further comprises:
    a security response module, configured to stop the ransomware process and block the ransomware, the ransomware process being the process corresponding to the ransomware.
  20. The system according to any one of claims 17 to 19, characterized in that the decoy file management module is further configured to:
    update the decoy file according to a change in the application or a change in the system directory.
  21. The system according to claim 20, characterized in that the decoy file management module is specifically configured to:
    present an update interface to a user according to the change in the application or the change in the system directory;
    update the decoy file according to an update operation triggered by the user through the update interface.
  22. The system according to any one of claims 17 to 21, characterized in that the decoy file management module is specifically configured to:
    generate the decoy file according to access information of the application.
  23. The system according to claim 22, characterized in that the access information of the application includes a file type accessed by the application;
    the decoy file management module is specifically configured to:
    generate the decoy file according to the file type accessed by the application, the file type of the decoy file being the same as the file type accessed by the application.
  24. The system according to claim 23, characterized in that the decoy file includes multiple files, and the multiple files have different file sizes.
  25. The system according to any one of claims 17 to 24, characterized in that the decoy file management module is further configured to:
    generate a decoy directory according to the access information of the application, the decoy directory being the directory in which the decoy file is located.
  26. The system according to claim 25, characterized in that the access information of the application includes a file directory accessed by the application;
    the decoy file management module is specifically configured to:
    generate the decoy directory according to the file directory accessed by the application.
  27. The system according to any one of claims 17 to 21, characterized in that the decoy file management module is specifically configured to:
    generate multiple decoy files under the system directory according to a randomly selected file type, the multiple decoy files having different file sizes.
  28. The system according to claim 27, characterized in that the system further comprises:
    a decoy detection configuration module, configured to present a configuration interface to the user and receive detection parameters configured by the user through the configuration interface, the detection parameters including a target file type;
    the decoy file management module is specifically configured to:
    generate the multiple decoy files under the system directory according to a file type randomly selected from the target file types.
  29. The system according to claim 28, characterized in that the detection parameters further include at least one of an exclusion directory and a target keyword, the exclusion directory being a directory in the system directory in which no decoy file needs to be deployed, and the target keyword being used to generate the name of the decoy file.
  30. The system according to any one of claims 27 to 29, characterized in that the decoy file management module is further configured to:
    generate a decoy directory according to the system directory, the decoy directory being the directory in which the decoy file is located.
  31. The system according to claim 25, 26 or 30, characterized in that the decoy directory includes at least one of a first decoy directory, a second decoy directory and a third decoy directory;
    the name of the first decoy directory includes a first prefix, so that the first decoy directory is accessed first during forward-order traversal;
    the name of the second decoy directory includes a second prefix, so that the second decoy directory is accessed first during reverse-order traversal;
    the name of the third decoy directory includes a third prefix, so that the third decoy directory is accessed first during the default traversal of the system disk.
  32. The system according to any one of claims 17 to 31, characterized in that the decoy access behavior detection module is further configured to:
    monitor the decoy file and, when the decoy file is mistakenly modified or deleted, restore the decoy file.
  33. A computer cluster, characterized in that it comprises at least one computer, the computer comprising a processor and a memory, the memory storing computer-readable instructions, and the processor executing the computer-readable instructions so that the computer cluster performs the method according to any one of claims 1 to 16.
  34. A computer-readable storage medium, characterized in that it comprises computer-readable instructions which, when run on a computer cluster, cause the computer cluster to perform the method according to any one of claims 1 to 16.
  35. A computer program product, characterized in that it comprises computer-readable instructions which, when run on a computer cluster, cause the computer cluster to perform the method according to any one of claims 1 to 16.
PCT/CN2022/107828 2021-12-31 2022-07-26 Ransomware detection method and related system WO2023124041A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111679456.1A CN116415240A (en) 2021-12-31 2021-12-31 Lexovirus detection method and related system
CN202111679456.1 2021-12-31

Publications (1)

Publication Number Publication Date
WO2023124041A1 true WO2023124041A1 (en) 2023-07-06

Family

ID=86997357

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/107828 WO2023124041A1 (en) 2021-12-31 2022-07-26 Ransomware detection method and related system

Country Status (2)

Country Link
CN (1) CN116415240A (en)
WO (1) WO2023124041A1 (en)


Also Published As

Publication number Publication date
CN116415240A (en) 2023-07-11


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22913330

Country of ref document: EP

Kind code of ref document: A1