CN107506642A - Method and system for preventing files from being damaged by malicious operation behavior (Google Patents)

Info

Publication number: CN107506642A
Application number: CN201710681523.0A
Authority: CN (China)
Prior art keywords: file, operation behavior, malicious operation, malicious, filename
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 李成东, 常清雪
Current assignee: Sichuan Changhong Electric Co Ltd
Original assignee: Sichuan Changhong Electric Co Ltd
Application filed by Sichuan Changhong Electric Co Ltd
Priority to CN201710681523.0A
Publication of CN107506642A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/565 Static detection by checking file integrity
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2113 Multi-level security, e.g. mandatory access control
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • G06F2221/2149 Restricted operating environment

Abstract

The invention discloses a method and system for preventing files from being damaged by malicious operation behavior. If a process that deletes a file exists, a whitelisted process is let through, a blacklisted process is directly prevented from reading and writing the file, and a graylisted process is suspended while the file is backed up to a readable protection zone, then released once the backup is complete. If a process that modifies a file exists, a whitelisted process is let through, a blacklisted process is directly blocked, and a graylisted process is suspended while the file is backed up to the readable protection zone, then released once the backup is complete. If an encryption operation or a compression-with-encryption operation is present, it is judged whether the process's operating frequency on files within a preset time exceeds a set threshold; if so, the operation is judged to be suspected malicious file operation behavior. The technical scheme described here can effectively identify malicious file operation behavior while reducing how often important files are maliciously deleted or modified.

Description

Method and system for preventing files from being damaged by malicious operation behavior
Technical field
The present invention relates to the field of information security technology, and in particular to a method and system for preventing files from being damaged by malicious operation behavior.
Background technology
With the rapid spread and growth of the Internet, ransomware, encryption software and other illegal programs operate illegally on a computer system's text files, document files, picture files, installer-related files, movie files and so on, causing large numbers of computer files to be illegally deleted or illegally encrypted. When an illegal extortionist is encountered, the files may be encrypted with a high-bit-count asymmetric encryption algorithm, and they can only be recovered once the illegal party decrypts them after a large sum of money has been paid for data recovery. For an ordinary user these data may be quite unimportant, but for a large commercial company the related data and files are the core assets of the enterprise and are vital. For film companies, banking and financial enterprises, government bodies, military units, scientific research departments, large Internet companies and so on, once core files are encrypted or deleted, or the files of a core program are deleted so that it can no longer run normally, it is undoubtedly a nightmare.
At present the security guards and antivirus software of many mainstream vendors contain a file protection function, but many ordinary users do not enable it; and even when enabled, although it can ensure that files are not maliciously tampered with, it still interferes with normal software's operations on files. Even if a whitelist mechanism guarantees the operations of normal programs on files, it still cannot guarantee that every operation of every whitelisted program on files is normal, nor can it control the illegal operations of all illegal programs on files. Many Linux servers have no security guard or antivirus software installed, and the core applications of many business units are deployed on Linux servers; once a server is attacked and its data files are encrypted or deleted, the losses are heavy and the consequences unimaginable.
The content of the invention
The present invention overcomes the deficiencies of the prior art by providing a method and system for preventing files from being damaged by malicious operation behavior. It aims to judge whether a current file operation is malicious by analyzing a program's operation behavior on a file and the change in the file before and after the operation, and thereby to raise the detection rate of malicious programs and malicious code.
In view of the above problems of the prior art, according to one aspect of the disclosure, the present invention adopts the following technical scheme:
A method for preventing files from being damaged by malicious operation behavior, including:
Dividing operations on files into blacklist, whitelist and graylist permissions, and identifying whether the program of a process that modifies, deletes or compresses a file belongs to the blacklist, the whitelist or the graylist;
Directly executing the modification, deletion or compression of a file according to the instruction of a program holding whitelist permission, and directly refusing the modification, deletion or compression of a file by a process of a program holding blacklist permission;
For the modification, deletion or compression of a file performed by a program holding graylist permission, suspending the graylist program process and backing the file up to a readable file protection zone, then releasing the program process once the backup is complete.
For the present invention to be better achieved, further technical schemes are:
According to one embodiment of the invention, the method further includes:
Judging whether an operation is malicious according to the entropy of the backup file and of the modified file.
According to another embodiment of the invention, the entropy judgement includes:
Collecting the original path, filename or file suffix of the file that was modified, compressed or deleted, and judging whether the proportion of operated filenames and file suffixes exceeds a set threshold; and
Judging, according to the original paths, whether the original files are in the same folder or whether their file paths contain a common part; or
Also storing the collected source file paths, filenames, file suffixes and the common part of the file paths in a feature database in string form, for subsequent data analysis.
According to another embodiment of the invention, the method includes:
Judging, from the result of comparing the entropy of the backup file with that of the modified file, whether the current process has performed an encryption operation on the file;
If an encryption operation is present, judging whether the process's operating frequency on files within a preset time exceeds a set threshold, and if so, judging it to be suspected malicious file operation behavior and then recording the process in the blacklist.
According to another embodiment of the invention, the method includes:
Judging, from the result of comparing the entropy of the backup file with that of the modified file, whether the current process has performed a compression operation on the file and deleted the source file;
If a compression operation with source file deletion is present, judging whether the process's operating frequency on files within a preset time exceeds a set threshold, and if so, judging it to be suspected malicious file operation behavior and then recording the process in the blacklist.
According to another embodiment of the invention, the method includes:
Before suspected malicious file operation behavior is judged, if web page files or text files exist in the folder where the encrypted file or compressed file is located, further recording the filename, suffix and MD5 value of the web page file or text file into the feature database, and determining whether it contains a URL link address; if so, recording the URL address into the feature database as well.
According to another embodiment of the invention, the method includes:
After being judged as suspected malicious file operation behavior, recording the program process name, the fixed port it occupies, and the external domain name, IP, port and interface information the process accesses, for subsequent data analysis.
According to another embodiment of the invention, the method includes:
After suspected malicious file operation behavior is judged, deleting the encrypted file and returning the original from the file protection zone to its original path; if the file was directly deleted, returning it directly to the original path.
A system for preventing files from being damaged by malicious operation behavior, including:
File permission module: blacklist, whitelist and graylist. A blacklisted program holds no permission to operate directly on files, a whitelisted program holds permission to operate directly on files, and a graylisted program must go through the malicious file operation behavior judgement flow;
File backup module: if a process that deletes or modifies a file exists, suspend the process and back up the source file to the readable protection zone, then release the process to carry out the relevant operation once the backup is complete;
File analysis module: compare and analyze the entropy of the file before and after encryption and analyze the file encoding, to judge whether the current file has been encrypted; and analyze whether encryption was applied after the file was compressed and whether the compressed file was deleted;
Behaviour frequency module: for judging whether the operating frequency on files of file encryption behavior, file compression behavior and file deletion behavior within a preset time reaches a preset threshold.
The present invention may also be:
According to another embodiment of the invention, the system further includes:
File information collection module: collects the source file path, filename and file suffix of every file that was encrypted, compressed or deleted, judges whether the proportion of maliciously operated filenames and file suffixes exceeds the set threshold, and judges from the source file paths whether the source files are in the same folder or whether their file paths contain a common part. The collected source file paths, filenames, file suffixes and the common part of the file paths are stored as strings in the file information feature database for subsequent analysis;
Malicious information collection module: if web page files or text files exist in the folder where an encrypted or compressed file is located, further records the filename, suffix and MD5 value of the web page file or text file into the feature database, and judges whether it contains a URL link address; if so, records the URL address into the malicious information feature database as well;
Program data collection module: records the malicious program's process name, the port it occupies, and the external domain name, external IP, external port and external interface information the process accesses.
Compared with the prior art, one of the beneficial effects of the present invention is:
The method and system for preventing files from being damaged by malicious operation behavior of the present invention can effectively identify malicious file operation behavior while reducing how often important files are maliciously deleted or modified.
Brief description of the drawings
In order to explain more clearly the embodiments of this specification or the technical schemes of the prior art, the accompanying drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only references to some embodiments of this specification, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is an implementation block diagram of the detection system for malicious file operation behavior according to one embodiment of the invention.
Embodiment
The present invention is described in further detail below with reference to embodiments, but the implementation of the present invention is not limited to these.
A method for preventing files from being damaged by malicious operation behavior, including:
If a process that deletes a file exists, a whitelisted program may delete the file directly, a blacklisted program is directly prevented from deleting the file, and a graylisted program process is suspended while the file is backed up to the readable protection zone, then released once the backup is complete.
If a process that modifies a file exists, a whitelisted program is let through, a blacklisted program is directly prevented from modifying the file, and a graylisted program is suspended while the file is backed up to the readable protection zone, then released once the backup is complete. From the result of comparing the entropy of the backup file with that of the modified file, judge whether the current process has performed an encryption operation on the file; if an encryption operation is present, judge whether the process's operating frequency on files within the preset time exceeds the set threshold, and if so, judge it to be suspected malicious file operation behavior. From the result of comparing the entropy of the backup file with that of the modified file, judge whether the current process has performed a compression operation on the file and deleted the source file; if a compression operation with source file deletion is present, judge whether the process's operating frequency on files within the preset time exceeds the set threshold, and if so, judge it to be suspected malicious file operation behavior.
Before suspected malicious file operation behavior is judged, the method further includes:
Collecting the source file path, source filename and source file suffix of the files that were encrypted, compressed or deleted, and judging whether the proportion of maliciously operated filenames and file suffixes exceeds the set threshold, while judging from the source file paths whether the source files are in the same folder or whether their file paths contain a common part.
Storing the collected source file paths, filenames, file suffixes and the common part of the file paths in the feature database in string form, for subsequent data analysis.
Before suspected malicious file operation behavior is judged, the method further includes:
If web page files or text files exist in the folder where the encrypted file or compressed file is located, further recording the filename, suffix and MD5 value of the web page file or text file into the feature database, and determining whether it contains a URL link address; if so, recording the URL address into the feature database as well.
Further, after being judged as suspected malicious file operation behavior, the method further includes:
Recording the program process name, the fixed port it occupies, and the external domain name, IP, port and interface information the process accesses, for subsequent data analysis.
Further, after suspected malicious file operation behavior is judged, the method further includes:
Deleting the encrypted file and returning the source file from the file protection zone to its original path; if the file was directly deleted, returning it directly to the original path.
In the above method, the files include but are not limited to: text files, document files, picture files, and audio/video files.
The present invention can be realized with the following system, including:
File permission module: blacklist, whitelist and graylist. A blacklisted program holds no permission to operate directly on files, a whitelisted program holds permission to operate directly on files, and a graylisted program must go through the malicious file operation behavior judgement flow.
File backup module: if a process that deletes or modifies a file exists, suspend the process and back up the source file to the readable protection zone, then release the process to carry out the relevant operation once the backup is complete;
File analysis module: compare and analyze the entropy of the file before and after encryption and analyze the file encoding, to judge whether the current file has been encrypted; and analyze whether encryption was applied after the file was compressed and whether the compressed file was deleted;
Behaviour frequency module: for judging whether the operating frequency on files of file encryption behavior, file compression behavior and file deletion behavior within a preset time reaches a preset threshold.
The system modules above make a preliminary judgement of whether an operation is malicious file operation behavior; if so, further system modules are used, including:
File information collection module: collects the source file path, filename and file suffix of every file that was encrypted, compressed or deleted, judges whether the proportion of maliciously operated filenames and file suffixes exceeds the set threshold, and judges from the source file paths whether the source files are in the same folder or whether their file paths contain a common part. The collected source file paths, filenames, file suffixes and the common part of the file paths are stored as strings in the file information feature database for subsequent analysis;
Malicious information collection module: if web page files or text files exist in the folder where an encrypted or compressed file is located, further records the filename, suffix and MD5 value of the web page file or text file into the feature database, and judges whether it contains a URL link address; if so, records the URL address into the malicious information feature database as well;
Program data collection module: records the malicious program's process name, the port it occupies, and the external domain name, external IP, external port and external interface information the process accesses.
Finally, the system also includes:
File recovery and deletion module: deletes the encrypted or compressed file and restores the source file from the readable protection zone to its original path.
In the above system, the files include but are not limited to: text files, document files, picture files, and audio/video files.
In summary, the present invention provides a method and system for detecting malicious file operation behavior. The technical scheme monitors file operation behavior, file information, file paths, file operation frequency, file entropy comparison and file encoding, and thereby accurately judges whether an operation is malicious file operation behavior.
As shown in Fig. 1, a detection flow for malicious file operation behavior includes:
BWG1: This step belongs to the file permission module. Its purpose is to obtain the file operation permission of the program process, which is broadly divided into blacklist, whitelist and graylist.
BWG2: This step belongs to the file permission module. Its purpose is to determine the program process's file operation permission: if blacklisted, go directly to B3 and refuse the file operation outright; if whitelisted, go directly to W3 and release the program process to carry out the relevant operation on the file; if graylisted, go to G3.
G3: This step belongs to the file backup module. It mainly judges whether the listed process has a modify, delete or compress file operation; if a delete, modify or compress operation exists, go to G4, suspend the current process and write the source file to the file protection zone, then go to G5.
G5: This step belongs to the source file information collection module. It mainly collects the modified source file's path, filename, file suffix and the common part of the path, for subsequent analysis; the process is released once collection is complete.
Behaviour frequency module: after release, this system module mainly records the number of file deletions, modifications, compressions and encryptions by the currently associated program process, for subsequent comparison and judgement. A program process deletion operation goes directly to G9; program process file encryption and file compression go to G6.
G6: This step belongs to the file analysis module and mainly handles file encryption and file compression: the file entropy and encoding before and after encryption or compression are compared, and a large entropy difference together with inconsistent encoding after the operation indicates encryption. For large files, comparison of the file's attribute values before and after the operation can be chosen instead, to improve detection and analysis efficiency. Processes that neither encrypt nor compress-with-encryption go directly to G12 and the protection zone file is deleted; encrypted files go to G8; for compressed-and-encrypted file operation processes, go to G7 to judge whether the source file was deleted.
G7: Judge whether the compressed file operation process deleted the source file; if not, go to G12 and delete the protection zone file; otherwise go to G8.
G8: This step belongs to the malicious information collection module. It mainly searches the folder where the encrypted file is located to find whether newly added web page files or text files exist in the folder of the encrypted or compressed file; if so, record the related files' filenames, suffixes, file MD5 values and any URL address information present, for subsequent analysis.
G9: For the information collected on deletion operations, judge whether the common part of the source files exceeds the set threshold; if not, go to G12 and delete the protection zone file; if exceeded, judge it to be suspected malicious file deletion behavior and enter the program process into the blacklist. For a program process that encrypts files, judge whether the number of encrypted files exceeds the set threshold; if not, go to G12 and delete the protection zone file; otherwise go to G10 and judge the program process to be suspected malicious file encryption behavior. For an encrypted compressed file operation program process, judge whether its number of compressed-and-encrypted files exceeds the set threshold; if not, go to G12 and delete the protection zone file; otherwise go to G10 and judge it to be suspected malicious file compression-encryption behavior.
G10: This step belongs to the program data collection module. It mainly records the program process name, the port it occupies, and the external domain name, IP, port and interface information it accesses, for subsequent analysis. Then go to G11.
G11: Record the process in the blacklist, then go to G12.
G12: This step belongs to the file recovery and deletion module. It mainly deletes the protection zone file, or deletes the protection zone file after the file has been recovered from the readable protection zone.
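The BWG/G flow above, as an added Python example that is not part of the patent: the entropy comparison of the backed-up original against the rewritten file (G6), the per-process operation frequency window (G9) and the blacklist/whitelist/graylist decision with backup and recovery (BWG2, G3, G12). The entropy jump, window length and operation threshold are assumed values the patent does not give, and counting deletions in the same window is a simplification of the common-path-part check in G9.

```python
import math
from collections import Counter, defaultdict, deque

# Assumed thresholds: the patent names a "given threshold" and a "preset time"
# for the frequency judgement and leaves both values open.
ENTROPY_JUMP_BITS = 2.0   # rise in bits/byte between backup and rewritten file
WINDOW_SECONDS = 60.0     # the "preset time"
MAX_OPS_IN_WINDOW = 3     # suspicious operations a gray process may make in the window


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(backup: bytes, modified: bytes) -> bool:
    """File analysis module (G6): compare the backed-up original with the rewritten file."""
    return shannon_entropy(modified) - shannon_entropy(backup) >= ENTROPY_JUMP_BITS


class OperationFrequency:
    """Behaviour frequency module: per-process sliding window over suspicious operations."""

    def __init__(self, window: float = WINDOW_SECONDS, threshold: int = MAX_OPS_IN_WINDOW):
        self.window = window
        self.threshold = threshold
        self._events = defaultdict(deque)

    def record(self, pid: int, now: float) -> bool:
        """Record one operation; True when the count inside the window exceeds the threshold."""
        q = self._events[pid]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.threshold


class FileGuard:
    """Permission, backup, analysis and recovery steps of the BWG/G flow for one file event."""

    def __init__(self, whitelist, blacklist):
        self.whitelist = set(whitelist)
        self.blacklist = set(blacklist)      # extended at G11 when a process is judged malicious
        self.freq = OperationFrequency()
        self.protection_zone = {}            # (pid, path) -> backed-up original bytes

    def handle(self, pid: int, program: str, op: str, path: str,
               backup: bytes, modified: bytes, now: float,
               source_deleted: bool = False) -> str:
        """Return allow / deny / release / suspected_malicious for one operation."""
        if program in self.whitelist:       # W3: whitelist operates directly
            return "allow"
        if program in self.blacklist:       # B3: blacklist is refused outright
            return "deny"
        # G3/G4: gray process is suspended and the original is backed up before release.
        self.protection_zone[(pid, path)] = backup
        if op == "delete":
            # Simplification of G9: deletions are counted in the same window instead of
            # measuring how many deleted paths share a common part.
            suspicious = True
        elif op == "modify":
            suspicious = looks_encrypted(backup, modified)
        elif op == "compress":
            # G7: compression only counts when the output looks encrypted and the source is gone.
            suspicious = looks_encrypted(backup, modified) and source_deleted
        else:
            suspicious = False
        if not suspicious:
            del self.protection_zone[(pid, path)]   # G12: backup no longer needed
            return "release"
        if self.freq.record(pid, now):      # G9: frequency threshold exceeded
            self.blacklist.add(program)     # G10/G11: record, then blacklist
            return "suspected_malicious"
        return "release"

    def recover(self, pid: int, path: str) -> bytes:
        """G12 recovery: hand back the original kept in the protection zone."""
        return self.protection_zone.pop((pid, path))


if __name__ == "__main__":
    # Constructed sample data: a plaintext report and a uniform-byte stand-in for ciphertext.
    PLAINTEXT = b"quarterly report: revenue up 12 percent, costs flat.\n" * 8
    CIPHERTEXT = bytes(range(256)) * 2
    guard = FileGuard(whitelist={"backup-agent"}, blacklist={"known-bad"})
    for i in range(4):
        verdict = guard.handle(7, "unknown-tool", "modify", f"/srv/doc{i}",
                               PLAINTEXT, CIPHERTEXT, float(i))
        print(f"/srv/doc{i}: {verdict}")
    print("restored:", guard.recover(7, "/srv/doc3") == PLAINTEXT)
```

The fourth high-entropy rewrite inside the window is what tips the gray process into the blacklist; a plaintext edit or a compression that keeps its source never enters the frequency count.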
Each embodiment in this specification is described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another.
"One embodiment", "another embodiment", "an embodiment" and so on mentioned in this specification mean that a specific feature, structure or characteristic described in connection with that embodiment is included in at least one embodiment described generally in this application. The appearance of the same statement in several places in the specification does not necessarily refer to the same embodiment. Furthermore, when a specific feature, structure or characteristic is described in combination with any one embodiment, it is asserted that realizing that feature, structure or characteristic in combination with other embodiments also falls within the scope of the present invention.
Although the invention has been described herein with reference to several illustrative embodiments, it should be understood that those skilled in the art can design many other modifications and embodiments, and these modifications and embodiments will fall within the spirit and scope disclosed in this application. More specifically, various variations and modifications can be made to the building blocks and/or arrangements of the subject combination within the scope of the disclosure and the claims. In addition to variations and modifications of the building blocks and/or arrangements, other uses will also be apparent to those skilled in the art.

Claims (10)

  1. A method for preventing files from being damaged by malicious operation behavior, characterized by including:
    dividing operations on a file into blacklist, white list and gray list permissions, and determining whether the program of a process that modifies, deletes or compresses a file belongs to the blacklist, the white list or the gray list;
    directly carrying out the modification, deletion or compression of the file requested by a program that possesses white-list permission, and directly refusing the modification, deletion or compression of the file requested by a process of a blacklist-permission program;
    for the modification, deletion or compression of a file by a gray-list-permission program, suspending the gray-list program process and backing up the file to a readable file protection area, and releasing the program process after the backup is complete.
  2. The method for preventing files from being damaged by malicious operation behavior according to claim 1, characterized by further including:
    judging whether the operation is malicious according to the entropy of the backup file and the modified file.
  3. The method for preventing files from being damaged by malicious operation behavior according to claim 2, characterized in that the entropy judgment includes:
    collecting the original path, filename or file suffix name of the files that have been modified, compressed or deleted, and judging whether the ratio of the filenames and file suffix names operated on exceeds a set threshold; and
    judging, according to the original path, whether the originals are in the same folder or whether the file paths contain a common section; or
    also storing the collected source file paths, filenames, file suffix names and the common section of the file paths in a feature database in string form, for subsequent data analysis.
  4. The method for preventing files from being damaged by malicious operation behavior according to claim 1, characterized by including:
    judging, from the entropy comparison result of the backup file and the modified file, whether the current process has performed an encryption operation on the file;
    if an encryption operation exists, judging whether the operating frequency of the process on files within a preset time exceeds a set threshold; if so, determining the behavior to be suspected malicious file operation behavior and recording the program in the blacklist.
  5. The method for preventing files from being damaged by malicious operation behavior according to claim 1, characterized by including:
    judging, from the entropy comparison result of the backup file and the modified file, whether the current process has performed a compression operation on the file and deleted the source file;
    if a compression operation with deletion of the source file exists, judging whether the operating frequency of the process on files within a preset time exceeds a set threshold; if so, determining the behavior to be suspected malicious file operation behavior and recording the program in the blacklist.
  6. The method for detecting malicious file operation behavior according to claim 1, characterized by including:
    before suspected malicious file operation behavior is judged, if web page files or text files exist in the folder where the encrypted file or compressed document file is located, further recording the filename, suffix name and MD5 value of the web page file or text file into the feature database, and determining whether a URL link address is contained; if present, recording the URL address into the feature database as well.
  7. The method for detecting malicious file operation behavior according to claim 1, characterized by including:
    after suspected malicious file operation behavior is determined, recording the program process name, the fixed port occupied, and the external domain name, IP, port and interface information accessed by the process, for subsequent data analysis.
  8. The method for detecting malicious file operation behavior according to claim 1, characterized by including:
    after suspected malicious file operation behavior is judged, deleting the encrypted file and restoring the original from the file protection area to its original path; if the file was directly deleted, directly returning it to its original path.
  9. A system for preventing files from being damaged by malicious operation behavior, characterized by including:
    a file permission module: blacklist, white list and gray list, where the blacklist possesses no permission to operate files directly, the white list possesses permission to operate files directly, and the gray list must go through the malicious file operation behavior judgment flow;
    a file backup module: if a process that deletes or modifies a file exists, suspending the process and backing up the source file to a readable protection area, and releasing the process to carry out the associated operation after the backup is complete;
    a file analysis module: comparing and analyzing the entropy before and after file encryption and analyzing the file encoding, to judge whether the current file has undergone an encryption operation; analyzing whether encryption was employed after file compression and whether the compressed file was deleted;
    a behavior frequency module: for judging whether the operating frequency on files of file encryption operation behavior, file compression behavior and file deletion behavior within a preset time reaches a predetermined threshold.
  10. The system for preventing files from being damaged by malicious operation behavior according to claim 1, characterized by further including:
    a file information collection module: collecting the source file path, filename and file suffix name of all files that have been encrypted, compressed or deleted, judging whether the ratio of the filenames and file suffix names of the malicious operation exceeds the set threshold, and at the same time judging from the source file path whether the source files are in the same folder or whether the file paths contain a common section; storing the collected source file paths, filenames, file suffix names and the common section of the file paths in string form in the file information feature database, for subsequent analysis;
    a malicious information collection module: if web page files or text files exist in the folder where the encrypted file or compressed document file is located, further recording the filename, suffix name and MD5 value of the web page file or text file into the feature database, and determining whether a URL link address is contained; if present, recording the URL address into the malicious information feature database as well;
    a program data collection module: recording the malicious program process name, the port occupied, and the external domain name, external IP, external port and external interface information accessed by the process.
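The following is an added example, not code from the patent or its applicant, showing how the black/white/gray permission split of claim 1, the backup-then-entropy comparison of claims 2 and 4, the frequency threshold, and the restore of claim 8 fit together. The threshold values, the program names and the sample file contents are all assumptions constructed for the example.

```python
# Added example (not the patent's code): gray-list programs have the file
# backed up to a protection area before the write, the entropy of the backup
# is compared with the modified content, and a process that produces too many
# encryption-like writes within the preset window is recorded in the blacklist.
import math
from collections import Counter, defaultdict, deque

ENTROPY_JUMP = 2.0     # assumed: entropy increase (bits/byte) that reads as encryption
FREQ_THRESHOLD = 5     # assumed: more than 5 encryption-like writes per window
WINDOW_SECONDS = 10.0  # assumed preset time window


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(original: bytes, modified: bytes) -> bool:
    """Claim 4: the entropy jump between backup and modified file signals encryption."""
    return shannon_entropy(modified) - shannon_entropy(original) >= ENTROPY_JUMP


class FileGuard:
    def __init__(self, blacklist, whitelist):
        self.blacklist = set(blacklist)
        self.whitelist = set(whitelist)
        self.backups = {}                 # readable protection area: path -> original
        self.events = defaultdict(deque)  # program -> timestamps of suspicious writes

    def permission(self, program: str) -> str:
        if program in self.blacklist:
            return "black"
        return "white" if program in self.whitelist else "gray"

    def modify(self, program: str, path: str, current: bytes, new: bytes, now: float) -> str:
        """Returns 'allowed', 'refused' or 'suspected' for one write request."""
        perm = self.permission(program)
        if perm == "black":
            return "refused"          # blacklist: refused outright
        if perm == "white":
            return "allowed"          # white list: no backup, no analysis
        self.backups[path] = current  # gray list: suspend, back up, then release
        if not looks_encrypted(current, new):
            return "allowed"
        q = self.events[program]
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()               # keep only events inside the preset window
        if len(q) > FREQ_THRESHOLD:
            self.blacklist.add(program)
            return "suspected"
        return "allowed"

    def restore(self, path: str):
        """Claim 8: return the protected original so it can be put back at its path."""
        return self.backups.get(path)
```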

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710681523.0A CN107506642A (en) 2017-08-10 2017-08-10 The method and system for preventing file from being damaged by malicious operation behavior

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710681523.0A CN107506642A (en) 2017-08-10 2017-08-10 The method and system for preventing file from being damaged by malicious operation behavior

Publications (1)

Publication Number Publication Date
CN107506642A true CN107506642A (en) 2017-12-22

Family

ID=60689642

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710681523.0A Pending CN107506642A (en) 2017-08-10 2017-08-10 The method and system for preventing file from being damaged by malicious operation behavior

Country Status (1)

Country Link
CN (1) CN107506642A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105760759A (en) * 2015-12-08 2016-07-13 哈尔滨安天科技股份有限公司 Method and system for protecting documents based on process monitoring
CN106611123A (en) * 2016-12-02 2017-05-03 哈尔滨安天科技股份有限公司 Method and system for detecting 'Harm. Extortioner. a' virus

Cited By (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109472144A (en) * 2017-12-29 2019-03-15 北京安天网络安全技术有限公司 It is a kind of to defend the viral method, apparatus operated to file and storage medium
CN108038379B (en) * 2017-12-29 2020-06-23 北京长御科技有限公司 Method and system for preventing lasso software attack
CN109472144B (en) * 2017-12-29 2021-09-28 北京安天网络安全技术有限公司 Method, device and storage medium for operating file by defending virus
CN108063771A (en) * 2017-12-29 2018-05-22 北京长御科技有限公司 The monitoring method and device of ciphered compressed file
CN108038379A (en) * 2017-12-29 2018-05-15 北京长御科技有限公司 A kind of anti-method and system for extorting software attacks
CN108280238B (en) * 2018-03-02 2019-04-19 上海棉联电子商务有限公司 Computer shared file emergency backup method
CN108280238A (en) * 2018-03-02 2018-07-13 于刚 Computer shared file emergency backup method
CN109117303A (en) * 2018-03-02 2019-01-01 于刚 Computer shared file emergency backup platform
CN108563754A (en) * 2018-04-16 2018-09-21 Oppo广东移动通信有限公司 Document handling method, device, mobile terminal and computer readable storage medium
CN108549698B (en) * 2018-04-16 2021-07-09 Oppo广东移动通信有限公司 File processing method and device, mobile terminal and computer readable storage medium
CN108549698A (en) * 2018-04-16 2018-09-18 Oppo广东移动通信有限公司 Document handling method, device, mobile terminal and computer readable storage medium
CN110443033A (en) * 2018-05-04 2019-11-12 陕西思科锐迪网络安全技术有限责任公司 A kind of file backup method based on Minifilter frame
CN108985095B (en) * 2018-07-05 2022-04-01 深圳市网心科技有限公司 Non-public file access method, system, electronic equipment and storage medium
CN108985095A (en) * 2018-07-05 2018-12-11 深圳市网心科技有限公司 A kind of non-public file access method, system and electronic equipment and storage medium
CN108985051A (en) * 2018-08-02 2018-12-11 郑州云海信息技术有限公司 A kind of intrusion prevention method and system of Behavior-based control tracking
CN109325358A (en) * 2018-08-22 2019-02-12 深圳点猫科技有限公司 Method, electronic equipment based on linux system definition application permission
US11113391B2 (en) 2018-10-23 2021-09-07 Industrial Technology Research Institute Method and computer system for preventing malicious software from attacking files of the computer system and corresponding non-transitory computer readable storage medium
CN109784037B (en) * 2018-12-29 2021-04-23 360企业安全技术(珠海)有限公司 Security protection method and device for document file, storage medium and computer equipment
CN109784037A (en) * 2018-12-29 2019-05-21 360企业安全技术(珠海)有限公司 The safety protecting method and device of document files, storage medium, computer equipment
CN111639336A (en) * 2020-04-16 2020-09-08 中国科学院信息工程研究所 Lesog software real-time detection method and defense method based on virtual read-write of file system
CN111600893A (en) * 2020-05-19 2020-08-28 山石网科通信技术股份有限公司 Lexus software defense method, device, storage medium, processor and host
CN111967058A (en) * 2020-07-28 2020-11-20 浙江军盾信息科技有限公司 Tamper-proof method supporting user white list, electronic device and storage medium
CN111931171A (en) * 2020-08-10 2020-11-13 深信服科技股份有限公司 Shared file security protection method, device, equipment and storage medium
US20220269807A1 (en) * 2021-02-22 2022-08-25 EMC IP Holding Company LLC Detecting unauthorized encryptions in data storage systems
CN113609478A (en) * 2021-07-16 2021-11-05 浙江吉利控股集团有限公司 IOS platform application program tampering detection method and device
CN113672925A (en) * 2021-08-26 2021-11-19 安天科技集团股份有限公司 Method, device, storage medium and electronic equipment for preventing lasso software attack
CN113672925B (en) * 2021-08-26 2024-01-26 安天科技集团股份有限公司 Method and device for preventing lux software attack, storage medium and electronic equipment

Similar Documents

Publication Publication Date Title
CN107506642A (en) The method and system for preventing file from being damaged by malicious operation behavior
CN103226675B (en) A kind of traceability system and method analyzing intrusion behavior
CN102739774B (en) Method and system for obtaining evidence under cloud computing environment
JP2006504178A (en) Comprehensive infringement accident response system in IT infrastructure and its operation method
CN112241543A (en) Sensitive data combing method based on data middling stage
CN114584405B (en) Electric power terminal safety protection method and system
CN104881483B (en) Automatic detection evidence collecting method for the attack of Hadoop platform leaking data
KR101503701B1 (en) Method and Apparatus for Protecting Information Based on Big Data
CN106845222A (en) A kind of detection method and system of blackmailer's virus
CN107563192A (en) A kind of means of defence for extorting software, device, electronic equipment and storage medium
CN107154939A (en) A kind of method and system of data tracing
KR101256507B1 (en) An malicious insider detection system via user behavior analysis and method thereof
CN111931239A (en) Data leakage prevention system for database security protection
Raju et al. SNAPS: Towards building snapshot based provenance system for virtual machines in the cloud environment
CN105912946A (en) Document detection method and device
CN105550573B (en) The method and apparatus for intercepting bundled software
CN110363002A (en) A kind of intrusion detection method, device, equipment and readable storage medium storing program for executing
CN116389148B (en) Network security situation prediction system based on artificial intelligence
CN106682504A (en) Method and device for preventing file from being maliciously edited and electronic equipment
CN109067587B (en) Method and device for determining key information infrastructure
CN116226865A (en) Security detection method, device, server, medium and product of cloud native application
KR102294926B1 (en) Automated system for forming analyzed data by extracting original data
WO2020102925A1 (en) Method for monitoring tampering of static objects in mixed environment
seok Kang et al. Companies Entering the Metabus Industry-Major Big Data Protection with Remote-based Hard Disk Memory Analysis Audit (AUDIT) System
Ratti et al. The gaps of identity management in fulfilling personal data protection regulations’ requirements and research opportunities

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171222