CN107506642A - The method and system for preventing file from being damaged by malicious operation behavior - Google Patents
- Publication number: CN107506642A (application CN201710681523.0A)
- Authority: CN (China)
- Prior art keywords: file, operation behavior, malicious operation, malicious, filename
- Prior art date
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/565—Static detection by checking file integrity
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- G06F21/568—Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6209—Protecting access to data via a platform to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2113—Multi-level security, e.g. mandatory access control
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
- G06F2221/2149—Restricted operating environment
Abstract
The invention discloses a method and system for preventing files from being damaged by malicious operation behaviour. When a process deletes a file, a whitelisted process is let through, a blacklisted process is directly prevented from reading or writing the file, and a greylisted process is suspended while the file is backed up to a readable protection zone, then released once the backup is complete. When a process modifies a file, a whitelisted process is let through, a blacklisted process is directly blocked, and a greylisted process is suspended while the file is backed up to the readable protection zone, then released once the backup is complete. If an encryption or compression-with-encryption operation is detected, the method judges whether the process's operation frequency on files within a preset time exceeds a set threshold, and if so classifies it as suspected malicious file operation behaviour. The technical scheme can effectively identify malicious file operation behaviour while reducing how often important files are maliciously deleted or modified.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to a method and system for preventing files from being damaged by malicious operation behaviour.
Background art
With the rapid spread of the Internet, all kinds of ransomware, encryption software and other illegal programs operate illegally on the text files, document files, picture files, installer files, movie files and the like of computer systems, causing large numbers of files to be illegally deleted or encrypted. When a ransomware attack is encountered, the attacker uses an asymmetric encryption algorithm with a high bit length to encrypt the files, and the victim can only have the files decrypted and recovered by the attacker after paying a large sum for data recovery. For an ordinary user this data may be entirely unimportant, but for a large commercial company the related data and files are the core assets of the enterprise and are vital. For film companies, banks and financial enterprises, government enterprises, military services, research institutions, large Internet companies and the like, once core documents are encrypted or deleted, or the files of a core program are deleted so that it can no longer run normally, the result is undoubtedly a nightmare.
Many mainstream security guards and antivirus products now include a file-protection function, but many ordinary users do not enable it, and even when enabled it can only ensure that files are not maliciously tampered with while still interfering with normal software's operations on files. Even if a whitelist mechanism guarantees the file operations of normal programs, it still cannot guarantee that every whitelisted program operates on files normally, and it cannot control every illegal program's illegal operations on files either. Many Linux servers have no security guard or antivirus software installed, and the core applications of many business units are deployed on Linux servers; once a server is attacked and its data files are encrypted or deleted, the losses are heavy and the consequences hard to imagine.
Summary of the invention
The present invention overcomes the deficiencies of the prior art by providing a method and system for preventing files from being damaged by malicious operation behaviour. It judges whether a current file operation is malicious by analysing a program's operation behaviour on files and the change in the file before and after the operation, thereby raising the detection rate of rogue programs and malicious code.
In view of the above problems of the prior art, according to one aspect of the disclosure, the present invention adopts the following technical scheme:
A method for preventing files from being damaged by malicious operation behaviour, comprising:
dividing the authority to operate on files into a blacklist, a whitelist and a greylist, and identifying whether the program of a process that modifies, deletes or compresses a file belongs to the blacklist, the whitelist or the greylist;
directly performing the modification, deletion or compression of the file for a program that holds whitelist authority, and directly refusing the modification, deletion or compression for a process of a program with blacklist authority;
for a process of a greylist program that modifies, deletes or compresses a file, suspending the greylist program process and backing up the file to a readable file protection zone, then releasing the program process once the backup is complete.
To better realise the present invention, further technical schemes are:
According to one embodiment of the invention, the method further comprises:
judging whether the operation is malicious according to the entropy of the backup file and the modified file.
According to another embodiment of the invention, the entropy judgement comprises:
collecting the original path, filename or file suffix of each file that was modified, compressed or deleted, and judging whether the proportion of operated files sharing a filename or file suffix exceeds a set threshold; and
judging from the original paths whether the originals are in the same folder or whether their file paths contain a common part;
or
also storing the collected source file paths, filenames, file suffixes and the common part of the file paths in a feature database as strings, for subsequent data analysis.
According to another embodiment of the invention, the method comprises:
judging, from the result of comparing the entropy of the backup file with that of the modified file, whether the current process has performed an encryption operation on the file;
if an encryption operation is present, judging whether the process's operation frequency on files within a preset time exceeds a set threshold, and if so classifying it as suspected malicious file operation behaviour and recording the program in the blacklist.
According to another embodiment of the invention, the method comprises:
judging, from the result of comparing the entropy of the backup file with that of the modified file, whether the current process has compressed the file and deleted the source file;
if a compression operation with deletion of the source file is present, judging whether the process's operation frequency on files within a preset time exceeds a set threshold, and if so classifying it as suspected malicious file operation behaviour and recording the program in the blacklist.
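The entropy comparison in the two embodiments above is the core of the file analysis module. The following is an added example, not code from the patent, showing how a backup can be compared against its modified copy: Shannon entropy per byte, a magic-byte check for compression containers, and the encryption flag bit of the ZIP local file header, which is how this example separates "compressed" from "compressed with encryption". The thresholds (`ENTROPY_JUMP`, `HIGH_ENTROPY`), the container table, the toy XOR keystream and the sample files are assumptions constructed for the demo; the patent specifies none of them.

```python
"""Entropy / encoding comparison of a backed-up file against its modified copy."""
import gzip
import hashlib
import io
import math
import struct
import zipfile
from collections import Counter

# Magic numbers of common compression containers. Assumption: this is the
# "file encoding" check the patent's file analysis module performs alongside
# the entropy comparison; the patent does not list the formats.
CONTAINER_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
}

# Hypothetical thresholds in bits per byte; the patent leaves them unspecified.
ENTROPY_JUMP = 2.0   # minimum rise in entropy from backup to modified file
HIGH_ENTROPY = 7.0   # modified file must also be close to the 8.0 maximum


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def container_type(data: bytes):
    """Name of the compression container identified by its magic bytes, or None."""
    for magic, name in CONTAINER_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def zip_is_encrypted(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag in the first ZIP local file header
    (offset 6, little-endian) marks an encrypted entry (PKWARE APPNOTE)."""
    if not data.startswith(b"PK\x03\x04") or len(data) < 8:
        return False
    flags = struct.unpack_from("<H", data, 6)[0]
    return bool(flags & 0x0001)


def classify_change(backup: bytes, modified: bytes) -> str:
    """Classify a modification the way the file analysis module would.

    Compressed data has high entropy too, so the container check runs first;
    an entropy jump alone would misreport a plain gzip as encryption.
    """
    if backup == modified:
        return "unchanged"
    kind = container_type(modified)
    if kind is not None:
        if kind == "zip" and zip_is_encrypted(modified):
            return "compressed+encrypted"
        return "compressed"
    before, after = shannon_entropy(backup), shannon_entropy(modified)
    if after >= HIGH_ENTROPY and after - before >= ENTROPY_JUMP:
        return "encrypted"
    return "plain"


# --- constructed sample inputs (not real files) ------------------------------
PLAIN = ("The quarterly report is attached. Please review and reply by Friday.\n" * 60).encode()
EDITED = PLAIN + b"P.S. the deadline moved to Monday.\n"


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream) that only exists to
    produce ciphertext-like bytes for the demo; not for real use."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "little")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


ENCRYPTED = xor_keystream(PLAIN, b"demo-key")
GZIPPED = gzip.compress(PLAIN, mtime=0)


def make_encrypted_zip(payload: bytes) -> bytes:
    """Build a ZIP in memory and set the encryption flag bit of its local header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", payload)
    data = bytearray(buf.getvalue())
    data[6] |= 0x01   # flag the entry as encrypted; the demo leaves the payload itself as-is
    return bytes(data)


ZIP_ENCRYPTED = make_encrypted_zip(PLAIN)

if __name__ == "__main__":
    for label, after in [("edit", EDITED), ("encrypt", ENCRYPTED), ("gzip", GZIPPED), ("zip+enc", ZIP_ENCRYPTED)]:
        print(f"{label:8s} entropy {shannon_entropy(PLAIN):.2f} -> {shannon_entropy(after):.2f}: {classify_change(PLAIN, after)}")
```

The order of the checks is the practical point: a gzip of the same document scores almost as high as ciphertext on entropy alone, so the container check must come before the entropy test, and an archive whose entries carry the encryption flag is the "compression with encryption" case the patent routes to step G7. Real ransomware can also write ciphertext behind a forged container header, which is why the patent pairs this analysis with the frequency threshold rather than relying on it alone.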
According to another embodiment of the invention, the method comprises:
before suspected malicious file operation behaviour is judged, if a web-page file or text file exists in the folder containing the encrypted or compressed file, further recording the filename, suffix and MD5 value of that web-page or text file in the feature database, and judging whether it contains a URL link address; if so, recording the URL address in the feature database as well.
According to another embodiment of the invention, the method comprises:
after suspected malicious file operation behaviour has been determined, recording the program process name, the fixed port it occupies, and the external domain names, IP addresses, ports and interface information it accesses, for subsequent data analysis.
According to another embodiment of the invention, the method comprises:
after suspected malicious file operation behaviour has been judged, deleting the encrypted file and restoring the original from the file protection zone to its original path; if the file was directly deleted, restoring it directly to its original path.
A system for preventing files from being damaged by malicious operation behaviour, comprising:
a file permission module: blacklist, whitelist and greylist; a blacklisted program has no authority to operate on files directly, a whitelisted program has authority to operate on files directly, and a greylisted program must go through the malicious-file-operation judgement flow;
a file backup module: if a process that deletes or modifies a file exists, suspend the process and back up the source file to the readable protection zone, then release the process to carry out its operation once the backup is complete;
a file analysis module: compare the entropy of the file before and after encryption and analyse the file encoding to judge whether the current file has been encrypted; after compression, analyse whether encryption was used and whether the compressed source file was deleted;
a behaviour frequency module: for judging whether the frequency of file encryption, file compression and file deletion operations within a preset time reaches a predetermined threshold.
The present invention may further comprise:
According to another embodiment of the invention, the system further comprises:
a file information collection module: collect the source file path, filename and file suffix of every file that was encrypted, compressed or deleted; judge whether the proportion of maliciously operated files sharing a filename or suffix exceeds the set threshold, and judge from the source file paths whether the source files are in the same folder or whether their paths contain a common part; store the collected source file paths, filenames, suffixes and common path part in the file information feature database as strings, for subsequent analysis;
a malicious information collection module: if a web-page or text file exists in the folder containing the encrypted or compressed file, further record the filename, suffix and MD5 value of that web-page or text file in the feature database, judge whether it contains a URL link address, and if so record the URL address in the malicious information feature database as well;
a program data collection module: record the rogue program's process name, the port it occupies, and the external domain names, external IP addresses, external ports and external interface information it accesses.
Compared with the prior art, one of the beneficial effects of the present invention is:
the method and system of the present invention can effectively identify malicious file operation behaviour while reducing how often important files are maliciously deleted or modified.
Brief description of the drawings
To explain more clearly the embodiments of the present specification or the technical schemes of the prior art, the drawings required in the description of the embodiments or of the prior art are briefly introduced below. Obviously the drawings described below are only references to some embodiments of the specification; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a block diagram of a detection system for malicious file operation behaviour according to one embodiment of the invention.
Embodiments
The present invention is described in further detail below with reference to embodiments, but its implementation is not limited to these.
A method for preventing files from being damaged by malicious operation behaviour, comprising:
If a process deletes a file, a whitelisted program may delete the file directly, a blacklisted program is directly prevented from deleting it, and a greylisted program's process is suspended while the file is backed up to the readable protection zone, then released once the backup is complete.
If a process modifies a file, a whitelisted program is let through, a blacklisted program is directly prevented from modifying the file, and a greylisted program's process is suspended while the file is backed up to the readable protection zone, then released once the backup is complete. From the result of comparing the entropy of the backup file with that of the modified file, judge whether the current process has encrypted the file; if an encryption operation is present, judge whether the process's operation frequency on files within a preset time exceeds the set threshold, and if so classify it as suspected malicious file operation behaviour. From the same entropy comparison, judge whether the current process has compressed the file and deleted the source file; if a compression operation with deletion of the source file is present, judge whether the process's operation frequency on files within a preset time exceeds the set threshold, and if so classify it as suspected malicious file operation behaviour.
Before suspected malicious file operation behaviour is judged, the method further comprises:
collecting the source file path, source filename and source file suffix of each file that was encrypted, compressed or deleted, judging whether the proportion of maliciously operated files sharing a filename or suffix exceeds the set threshold, and judging from the source file paths whether the source files are in the same folder or whether their paths contain a common part;
storing the collected source file paths, filenames, suffixes and common path part in the feature database as strings, for subsequent data analysis.
Before suspected malicious file operation behaviour is judged, the method further comprises:
if a web-page or text file exists in the folder containing the encrypted or compressed file, further recording the filename, suffix and MD5 value of that web-page or text file in the feature database, and judging whether it contains a URL link address; if so, recording the URL address in the feature database as well.
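Added example for the two collection steps above (source file information, and the check for web-page or text files left beside the encrypted files), not code from the patent. It computes the suffix share, same-directory share and common path prefix of a batch of operated files, then scans the affected folder for web-page or text files that were not there before and records their name, suffix, MD5 and any URLs they contain. The thresholds, the suffix set, the URL pattern, the decision rule in `looks_like_mass_operation` and the directory built in `demo()` are constructed assumptions.

```python
"""File-information and ransom-note indicator collection over a batch of operated files."""
import hashlib
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Hypothetical thresholds; the patent only says "a set threshold".
SUFFIX_RATIO_THRESHOLD = 0.8
SAME_DIR_RATIO_THRESHOLD = 0.8

NOTE_SUFFIXES = {".html", ".htm", ".txt"}            # "web-page or text file"
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")       # assumption: http(s) links only


def md5_hex(data: bytes) -> str:
    """MD5 as the lookup key the patent stores; it is not collision resistant,
    so nothing should treat a matching MD5 as proof that two notes are identical."""
    return hashlib.md5(data).hexdigest()


def collect_file_info(paths):
    """Batch features of the operated source files: dominant suffix and its share,
    dominant directory and its share, and the common path prefix."""
    paths = [os.path.abspath(p) for p in paths]
    suffixes = Counter(Path(p).suffix.lower() for p in paths)
    dirs = Counter(os.path.dirname(p) for p in paths)
    top_suffix, n_suffix = suffixes.most_common(1)[0]
    top_dir, n_dir = dirs.most_common(1)[0]
    return {
        "count": len(paths),
        "top_suffix": top_suffix,
        "suffix_ratio": n_suffix / len(paths),
        "top_dir": top_dir,
        "same_dir_ratio": n_dir / len(paths),
        "common_prefix": os.path.commonpath(list(dirs)),
    }


def looks_like_mass_operation(info) -> bool:
    """Assumed form of the patent's 'common part exceeds the set threshold' test."""
    return (info["suffix_ratio"] >= SUFFIX_RATIO_THRESHOLD
            or info["same_dir_ratio"] >= SAME_DIR_RATIO_THRESHOLD)


def scan_for_notes(directory, names_before):
    """Web-page/text files that appeared in `directory` since the snapshot `names_before`,
    each with filename, suffix, MD5 and the URLs found inside it."""
    records = []
    with os.scandir(directory) as it:
        entries = sorted(it, key=lambda e: e.name)
    for entry in entries:
        suffix = Path(entry.name).suffix.lower()
        if not entry.is_file() or suffix not in NOTE_SUFFIXES or entry.name in names_before:
            continue
        data = Path(entry.path).read_bytes()
        urls = sorted({m.decode("utf-8", "replace") for m in URL_RE.findall(data)})
        records.append({"filename": entry.name, "suffix": suffix, "md5": md5_hex(data), "urls": urls})
    return records


# --- constructed scenario: a share after an encryption run ----------------------
NOTE_TEXT = b"Your files are encrypted. Visit http://pay.example.com/id/42 to buy the key.\n"


def demo():
    with tempfile.TemporaryDirectory() as root:
        share = Path(root, "srv", "share")
        (share / "finance").mkdir(parents=True)
        (share / "hr").mkdir()
        names_before = {"index.html"}                       # snapshot taken before the run
        (share / "finance" / "index.html").write_bytes(b"<html>old page</html>")
        touched = []
        for rel in ["finance/q1.xlsx", "finance/q2.xlsx", "finance/q3.xlsx",
                    "finance/budget.docx", "hr/payroll.xlsx"]:
            p = share / rel
            p.write_bytes(b"\x00" * 16)                     # stand-in for encrypted content
            touched.append(str(p))
        (share / "finance" / "DECRYPT_FILES.txt").write_bytes(NOTE_TEXT)
        (share / "finance" / "RESTORE.html").write_bytes(
            b'<a href="http://pay.example.com/id/42">pay</a>')
        info = collect_file_info(touched)
        notes = scan_for_notes(share / "finance", names_before)
        return info, looks_like_mass_operation(info), notes


if __name__ == "__main__":
    print(demo())
```

The snapshot of directory names taken before the process is released is what makes the note scan meaningful: without it, a pre-existing `index.html` or `readme.txt` in the folder would be recorded as an indicator every time.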
Further, after suspected malicious file operation behaviour has been determined, the method further comprises:
recording the program process name, the fixed port it occupies, and the external domain names, IP addresses, ports and interface information it accesses, for subsequent data analysis.
Further, after suspected malicious file operation behaviour has been judged, the method further comprises:
deleting the encrypted file and restoring the source file from the file protection zone to its original path; if the file was directly deleted, restoring it directly to its original path.
In the above method, the files include but are not limited to: text files, document files, picture files, and audio/video files.
The present invention can be realised with the following system, comprising:
a file permission module: blacklist, whitelist and greylist; a blacklisted program has no authority to operate on files directly, a whitelisted program has authority to operate on files directly, and a greylisted program must go through the malicious-file-operation judgement flow;
a file backup module: if a process that deletes or modifies a file exists, suspend the process and back up the source file to the readable protection zone, then release the process to carry out its operation once the backup is complete;
a file analysis module: compare the entropy of the file before and after encryption and analyse the file encoding to judge whether the current file has been encrypted; after compression, analyse whether encryption was used and whether the compressed source file was deleted;
a behaviour frequency module: for judging whether the frequency of file encryption, file compression and file deletion operations within a preset time reaches a predetermined threshold.
The system modules above make the preliminary judgement of whether an operation is malicious file operation behaviour; if so, the following further system modules are applied:
a file information collection module: collect the source file path, filename and file suffix of every file that was encrypted, compressed or deleted; judge whether the proportion of maliciously operated files sharing a filename or suffix exceeds the set threshold, and judge from the source file paths whether the source files are in the same folder or whether their paths contain a common part; store the collected source file paths, filenames, suffixes and common path part in the file information feature database as strings, for subsequent analysis;
a malicious information collection module: if a web-page or text file exists in the folder containing the encrypted or compressed file, further record the filename, suffix and MD5 value of that web-page or text file in the feature database, judge whether it contains a URL link address, and if so record the URL address in the malicious information feature database as well;
a program data collection module: record the rogue program's process name, the port it occupies, and the external domain names, external IP addresses, external ports and external interface information it accesses.
Finally, the system also comprises:
a file recovery and cleanup module: delete the encrypted or compressed file and restore the source file from the readable protection zone to its original path.
In the above system, the files include but are not limited to: text files, document files, picture files, and audio/video files.
In summary, the present invention provides a method and system for detecting malicious file operation behaviour. The technical scheme monitors file operation behaviour, file information, file paths, file operation frequency, file entropy and file encoding in order to judge accurately whether a malicious file operation is taking place.
As shown in Fig. 1, a detection flow for malicious file operation behaviour comprises:
BWG1: This step belongs to the file permission module. Its purpose is to obtain the file operation authority of the program process, which is divided into blacklist, whitelist and greylist.
BWG2: This step belongs to the file permission module. Its purpose is to determine the program process's operation authority over the file: if blacklisted, go directly to B3 and refuse the file operation; if whitelisted, go directly to W3 and let the program process through to operate on the file; if greylisted, go to G3.
G3: This step belongs to the file backup module. It mainly judges whether the greylisted process is performing a modify, delete or compress operation on a file. If so, go to G4: suspend the current process and write the source file to the file protection zone, then go to G5.
G5: This step belongs to the source file information collection module. It mainly collects the path, filename, suffix and common path part of the modified source file for subsequent analysis, and releases the process once collection is complete.
Behaviour frequency module: after the release, this module mainly records the number of file deletions, modifications and compression/encryption operations performed by the current program process, for later comparison. A program process performing deletions goes directly to G9; a program process performing file encryption or file compression goes to G6.
G6: This step belongs to the file analysis module. Mainly for file encryption and file compression, it compares the entropy and the encoding of the file before and after the encryption or compression, detecting encrypted or re-encoded files by a large entropy difference and an incoherent file encoding; for large files, comparison before and after on the basis of the file's attribute values can be chosen to improve detection efficiency. For a process whose files are neither encrypted nor compressed with encryption, go directly to G12 and delete the protection-zone file; for an encrypted file, go to G8; for a compression operation with encryption, go to G7 to judge whether the source file was deleted.
G7: Judge whether the compressing process deleted the source file. If not, go to G12 and delete the protection-zone file; otherwise go to G8.
G8: This step belongs to the malicious information collection module. It mainly searches the folder containing the encrypted file to find whether a newly added web-page or text file exists under the folder containing the encrypted or compressed file; if so, record the filename, suffix, MD5 value and any URL addresses of the related file for subsequent analysis.
G9: For the information collected on deletion operations, judge whether the common part of the source files exceeds the set threshold; if not, go to G12 and delete the protection-zone file; if so, classify it as suspected malicious file deletion and record the program process in the blacklist. For a program process performing file encryption, judge whether the number of encrypted files exceeds the set threshold; if not, go to G12 and delete the protection-zone file; otherwise go to G10 and classify the program process as suspected malicious file encryption. For a program process performing compression with encryption, judge whether the number of compressed-and-encrypted files exceeds the set threshold; if not, go to G12 and delete the protection-zone file; otherwise go to G10 and classify it as suspected malicious compression-with-encryption.
G10: This step belongs to the program data collection module. It mainly records the program process name, the port it occupies and the external domain names, IP addresses, ports and interface information it accesses, for subsequent analysis. Then go to G11.
G11: Record the program process in the blacklist, then go to G12.
G12: This step belongs to the file recovery and cleanup module. It mainly deletes the protection-zone file, or restores the file from the readable protection zone and then deletes the protection-zone file.
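The steps BWG1 to G12 above form one flow. The following is an added example that simulates it end to end; it is not the patent's own implementation. It covers the list lookup (BWG1/BWG2), the backup taken before the process is released (G4), the entropy test on the modified file (G6), a sliding-window count of watched operations (behaviour frequency module, G9), blacklisting (G11) and restoration from the protection zone (G12). The window, the threshold, the entropy limits, the program names and the file contents are constructed for the demo; the file system and the process suspension are simulated in memory.

```python
"""Simulation of the greylist flow: lookup, backup, entropy test, frequency count, blacklist, restore."""
import math
import random
from collections import Counter, defaultdict, deque

WHITE, BLACK, GRAY = "white", "black", "gray"

# Hypothetical parameters: the patent only speaks of a "preset time" and a "set threshold".
WINDOW_SECONDS = 10.0
MAX_WATCHED_OPS = 5      # more than this many watched operations in the window -> blacklist
HIGH_ENTROPY = 7.0       # bits per byte
ENTROPY_JUMP = 2.0


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class FileGuard:
    """Mediates modify/delete requests against an in-memory path -> bytes map.

    Suspending the real process and the on-disk protection zone are simulated:
    `protection_zone` stands in for the readable protection zone, and a request is
    applied to `fs` only after the backup is taken, which is what the suspend /
    back up / release sequence of steps G3-G5 guarantees.
    """

    def __init__(self, fs, whitelist, blacklist, clock):
        self.fs = fs
        self.whitelist, self.blacklist = set(whitelist), set(blacklist)
        self.clock = clock                         # callable returning seconds
        self.protection_zone = {}                  # path -> backup bytes
        self.touched = defaultdict(list)           # program -> paths with a live backup
        self.watched_ops = defaultdict(deque)      # program -> timestamps inside the window

    def list_of(self, program):                    # BWG1 / BWG2
        if program in self.blacklist:
            return BLACK
        if program in self.whitelist:
            return WHITE
        return GRAY

    def modify(self, program, path, new_data):
        verdict = self.list_of(program)
        if verdict == BLACK:
            return "denied"                        # B3
        if verdict == WHITE:
            self.fs[path] = new_data
            return "allowed"                       # W3
        backup = self.fs[path]                     # G4: copy to the protection zone first
        self.protection_zone[path] = backup
        self.fs[path] = new_data                   # process released, the write lands
        encrypted = (entropy(new_data) >= HIGH_ENTROPY
                     and entropy(new_data) - entropy(backup) >= ENTROPY_JUMP)   # G6
        if not encrypted:
            del self.protection_zone[path]         # G12: benign edit, drop the backup
            return "allowed"
        self.touched[program].append(path)
        return self._count(program)                # G9

    def delete(self, program, path):
        verdict = self.list_of(program)
        if verdict == BLACK:
            return "denied"
        if verdict == WHITE:
            del self.fs[path]
            return "allowed"
        self.protection_zone[path] = self.fs.pop(path)   # G4, then release
        self.touched[program].append(path)
        return self._count(program)                # deletions go straight to G9

    def _count(self, program):
        now = self.clock()
        stamps = self.watched_ops[program]
        stamps.append(now)
        while now - stamps[0] > WINDOW_SECONDS:
            stamps.popleft()
        if len(stamps) <= MAX_WATCHED_OPS:
            return "watched"                       # backup kept, nothing decided yet
        self.blacklist.add(program)                # G11
        self.restore(program)                      # G12
        return "blocked+restored"

    def restore(self, program):
        """Put every file the program altered back from the protection zone."""
        for path in self.touched.pop(program, []):
            if path in self.protection_zone:
                self.fs[path] = self.protection_zone.pop(path)


def demo():
    """Constructed scenario: a benign editor, a blacklisted wiper and a greylisted encryptor."""
    clock = [0.0]

    def tick():
        clock[0] += 0.5                            # half a second between watched operations
        return clock[0]

    def fake_ciphertext(n, rng=random.Random(7)):
        return bytes(rng.getrandbits(8) for _ in range(n))   # stand-in for ciphertext, not a cipher

    fs = {f"/srv/share/doc{i}.txt": (f"Minutes of meeting {i}. Action items follow.\n" * 40).encode()
          for i in range(8)}
    original = dict(fs)
    guard = FileGuard(fs, whitelist={"backupd"}, blacklist={"wiper"}, clock=tick)
    results = [guard.modify("editor", "/srv/share/doc0.txt", fs["/srv/share/doc0.txt"] + b"Addendum.\n"),
               guard.delete("wiper", "/srv/share/doc1.txt")]
    for i in range(7):
        path = f"/srv/share/doc{i}.txt"
        results.append(guard.modify("cryptor", path, fake_ciphertext(len(fs[path]))))
    return results, guard, original


if __name__ == "__main__":
    print(demo()[0])
```

Two things the simulation makes visible. First, the files encrypted before the threshold is crossed are still recoverable because their backups stay in the protection zone until the verdict is known; dropping a backup early (as the flow does for benign edits at G12) is the one place where a wrong entropy verdict costs data. Second, the restore must return each file to its state at the time of the greylisted write, not to some earlier snapshot, or a legitimate edit made in between (the editor's addendum above) is lost. On a Linux host the equivalent of "suspend, back up, release" is a fanotify permission event (FAN_OPEN_PERM on a write open), which blocks the caller until the listener answers; fanotify has no permission event for unlink, so the delete branch needs a different hook.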
Each embodiment in this specification is described progressively; each emphasises its differences from the other embodiments, and the identical or similar parts of the embodiments may be referred to one another.
"One embodiment", "another embodiment", "an embodiment" and the like mentioned in this specification mean that a particular feature, structure or characteristic described in connection with that embodiment is included in at least one embodiment of the application described generally. Such statements appearing in several places in the specification do not necessarily refer to the same embodiment. Furthermore, when a particular feature, structure or characteristic is described in connection with any one embodiment, it is asserted that realising that feature, structure or characteristic in connection with the other embodiments also falls within the scope of the present invention.
Although the invention has been described herein with reference to several illustrative embodiments, it should be understood that those skilled in the art can devise many other modifications and embodiments, and that these will fall within the spirit and scope of the disclosure of this application. More specifically, various variations and modifications may be made to the building blocks and/or layout of the subject combination arrangement within the scope of the disclosure and the claims. In addition to variations and modifications of the building blocks and/or layout, other uses will also be apparent to those skilled in the art.
Claims (10)
- 1. A method for preventing files from being damaged by malicious operation behaviour, characterised by comprising: dividing the authority to operate on files into a blacklist, a whitelist and a greylist, and identifying whether the program of a process that modifies, deletes or compresses a file belongs to the blacklist, the whitelist or the greylist; directly performing the modification, deletion or compression of the file for a program holding whitelist authority, and directly refusing the modification, deletion or compression for a process of a program with blacklist authority; for a process of a greylist program that modifies, deletes or compresses a file, suspending the greylist program process and backing up the file to a readable file protection zone, then releasing the program process once the backup is complete.
- 2. The method for preventing files from being damaged by malicious operation behaviour according to claim 1, characterised by further comprising: judging whether the operation is malicious according to the entropy of the backup file and the modified file.
- 3. The method for preventing files from being damaged by malicious operation behaviour according to claim 2, characterised in that the entropy judgement comprises: collecting the original path, filename or file suffix of each file that was modified, compressed or deleted, and judging whether the proportion of operated files sharing a filename or file suffix exceeds a set threshold; and judging from the original paths whether the originals are in the same folder or whether their file paths contain a common part; or also storing the collected source file paths, filenames, file suffixes and common path part in a feature database as strings, for subsequent data analysis.
- 4. The method for preventing files from being damaged by malicious operation behaviour according to claim 1, characterised by comprising: judging, from the result of comparing the entropy of the backup file with that of the modified file, whether the current process has performed an encryption operation on the file; if an encryption operation is present, judging whether the process's operation frequency on files within a preset time exceeds a set threshold, and if so classifying it as suspected malicious file operation behaviour and recording the program in the blacklist.
- 5. The method for preventing files from being damaged by malicious operation behaviour according to claim 1, characterised by comprising: judging, from the result of comparing the entropy of the backup file with that of the modified file, whether the current process has compressed the file and deleted the source file; if a compression operation with deletion of the source file is present, judging whether the process's operation frequency on files within a preset time exceeds a set threshold, and if so classifying it as suspected malicious file operation behaviour and recording the program in the blacklist.
- 6. The detection method for malicious file operation behaviour according to claim 1, characterised by comprising: before suspected malicious file operation behaviour is judged, if a web-page file or text file exists in the folder containing the encrypted or compressed file, further recording the filename, suffix and MD5 value of the web-page or text file in the feature database, and judging whether it contains a URL link address; if so, recording the URL address in the feature database as well.
- 7. The detection method for malicious file operation behaviour according to claim 1, characterised by comprising: after suspected malicious file operation behaviour has been determined, recording the program process name, the fixed port it occupies, and the external domain names, IP addresses, ports and interface information it accesses, for subsequent data analysis.
- 8. The detection method for malicious file operation behaviour according to claim 1, characterised by comprising: after suspected malicious file operation behaviour has been judged, deleting the encrypted file and restoring the original from the file protection zone to its original path; if the file was directly deleted, restoring it directly to its original path.
- 9. A system for preventing files from being damaged by malicious operation behaviour, characterised by comprising: a file permission module: blacklist, whitelist and greylist; a blacklisted program has no authority to operate on files directly, a whitelisted program has authority to operate on files directly, and a greylisted program must go through the malicious-file-operation judgement flow; a file backup module: if a process that deletes or modifies a file exists, suspend the process and back up the source file to the readable protection zone, then release the process to carry out its operation once the backup is complete; a file analysis module: compare the entropy of the file before and after encryption and analyse the file encoding to judge whether the current file has been encrypted; after compression, analyse whether encryption was used and whether the compressed source file was deleted; a behaviour frequency module: for judging whether the frequency of file encryption, file compression and file deletion operations within a preset time reaches a predetermined threshold.
- 10. the system according to claim 1 for preventing file from being damaged by malicious operation behavior, it is characterised in that also include:Fileinfo collection module:After collecting encrypted, compression, the source file path for the All Files deleted, filename, file Sew name, and whether judge the filename of malicious operation, the ratio of file suffixes name more than the threshold value set, while according to source file Path judges whether source file is whether identical file folder or file path include same section.By the source file road of collection Footpath, filename, file suffixes name and file same section file path are stored in fileinfo feature database in the form of character string, For subsequent analysis;Fallacious message collection module:If web page files or text be present in the file where being encrypted file or compressed document file This document, then filename, the suffix name of web page files or text are further recorded, MD5 values enter feature database, and determine whether Containing URL link address, if in the presence of record URL addresses enter fallacious message feature database in the lump;Routine data collection module:Record rogue program process title, the port taken, process access outside domain name, external IP, Outside port and external interface information.
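The entropy comparison of claims 2 and 4 and the per-process operating-frequency threshold of claims 4, 5 and 9 can be sketched in a few dozen lines. The Python below is an added example, not code from the patent or its applicant: the entropy thresholds, the frequency threshold and window, the process ids and the sample file contents are all constructed assumptions, and the "ciphertext" is a deterministic SHA-256 counter stream standing in for real encrypted output.

```python
import hashlib
import math
from collections import Counter, defaultdict, deque

# Assumed tuning values (not from the patent): ciphertext and compressed data
# sit close to 8 bits/byte, while text and most documents sit well below.
ENTROPY_ENCRYPTED_THRESHOLD = 7.0   # bits per byte the rewritten content must reach
ENTROPY_DELTA_THRESHOLD = 2.0       # rise over the backup copy that counts as "encrypted"
FREQ_THRESHOLD = 5                  # suspicious operations a process may make per window
WINDOW_SECONDS = 10.0               # the "preset time" of the claims


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(backup: bytes, modified: bytes) -> bool:
    """Claim 4's check: compare the entropy of the backup with the rewritten content."""
    before = shannon_entropy(backup)
    after = shannon_entropy(modified)
    return after >= ENTROPY_ENCRYPTED_THRESHOLD and (after - before) >= ENTROPY_DELTA_THRESHOLD


class BehaviorFrequencyMonitor:
    """Claim 9's behavior frequency module: count suspicious writes per process
    inside a sliding window and blacklist the process once the count exceeds the threshold."""

    def __init__(self, threshold: int = FREQ_THRESHOLD, window: float = WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)   # pid -> timestamps of suspicious operations
        self.blacklist = set()

    def record(self, pid: int, ts: float, backup: bytes, modified: bytes) -> str:
        """Classify one file write: 'benign', 'suspicious' or 'blacklisted'."""
        if pid in self.blacklist:
            return "blacklisted"
        if not looks_encrypted(backup, modified):
            return "benign"
        q = self.events[pid]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop events outside the window
            q.popleft()
        if len(q) > self.threshold:            # "exceeds the set threshold"
            self.blacklist.add(pid)
            return "blacklisted"
        return "suspicious"


# Constructed sample contents (not real files).
PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 90   # about 4 KB of text
EDITED = PLAINTEXT.replace(b"lazy", b"sleepy")                    # a normal edit keeps entropy low


def fake_ciphertext(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted file."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


CIPHERTEXT = fake_ciphertext(len(PLAINTEXT))


def demo():
    """Run six writes from an editor and six from an encrypting process, same window."""
    monitor = BehaviorFrequencyMonitor()
    verdicts = []
    for i in range(6):   # pid 100: repeated saves of an ordinary edit
        verdicts.append(monitor.record(pid=100, ts=float(i), backup=PLAINTEXT, modified=EDITED))
    for i in range(6):   # pid 200: every file is rewritten with high-entropy content
        verdicts.append(monitor.record(pid=200, ts=float(i), backup=PLAINTEXT, modified=CIPHERTEXT))
    return verdicts, sorted(monitor.blacklist)


if __name__ == "__main__":
    print(demo())
```

The two-part entropy test matters: requiring a rise over the backup, not just a high absolute value, keeps already-compressed or encrypted documents (archives, JPEGs, an encrypted container being rewritten) from tripping the check on every save. The frequency window is what separates one legitimate encryption of a file from a process sweeping through a directory.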
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710681523.0A CN107506642A (en) | 2017-08-10 | 2017-08-10 | The method and system for preventing file from being damaged by malicious operation behavior |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710681523.0A CN107506642A (en) | 2017-08-10 | 2017-08-10 | The method and system for preventing file from being damaged by malicious operation behavior |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107506642A true CN107506642A (en) | 2017-12-22 |
Family
ID=60689642
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710681523.0A Pending CN107506642A (en) | 2017-08-10 | 2017-08-10 | The method and system for preventing file from being damaged by malicious operation behavior |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107506642A (en) |
Cited By (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108038379A (en) * | 2017-12-29 | 2018-05-15 | 北京长御科技有限公司 | A kind of anti-method and system for extorting software attacks |
CN108063771A (en) * | 2017-12-29 | 2018-05-22 | 北京长御科技有限公司 | The monitoring method and device of ciphered compressed file |
CN108280238A (en) * | 2018-03-02 | 2018-07-13 | 于刚 | Computer shared file emergency backup method |
CN108549698A (en) * | 2018-04-16 | 2018-09-18 | Oppo广东移动通信有限公司 | Document handling method, device, mobile terminal and computer readable storage medium |
CN108563754A (en) * | 2018-04-16 | 2018-09-21 | Oppo广东移动通信有限公司 | Document handling method, device, mobile terminal and computer readable storage medium |
CN108985095A (en) * | 2018-07-05 | 2018-12-11 | 深圳市网心科技有限公司 | A kind of non-public file access method, system and electronic equipment and storage medium |
CN108985051A (en) * | 2018-08-02 | 2018-12-11 | 郑州云海信息技术有限公司 | A kind of intrusion prevention method and system of Behavior-based control tracking |
CN109117303A (en) * | 2018-03-02 | 2019-01-01 | 于刚 | Computer shared file emergency backup platform |
CN109325358A (en) * | 2018-08-22 | 2019-02-12 | 深圳点猫科技有限公司 | Method, electronic equipment based on linux system definition application permission |
CN109472144A (en) * | 2017-12-29 | 2019-03-15 | 北京安天网络安全技术有限公司 | It is a kind of to defend the viral method, apparatus operated to file and storage medium |
CN109784037A (en) * | 2018-12-29 | 2019-05-21 | 360企业安全技术(珠海)有限公司 | The safety protecting method and device of document files, storage medium, computer equipment |
CN110443033A (en) * | 2018-05-04 | 2019-11-12 | 陕西思科锐迪网络安全技术有限责任公司 | A kind of file backup method based on Minifilter frame |
CN111600893A (en) * | 2020-05-19 | 2020-08-28 | 山石网科通信技术股份有限公司 | Lexus software defense method, device, storage medium, processor and host |
CN111639336A (en) * | 2020-04-16 | 2020-09-08 | 中国科学院信息工程研究所 | Lesog software real-time detection method and defense method based on virtual read-write of file system |
CN111931171A (en) * | 2020-08-10 | 2020-11-13 | 深信服科技股份有限公司 | Shared file security protection method, device, equipment and storage medium |
CN111967058A (en) * | 2020-07-28 | 2020-11-20 | 浙江军盾信息科技有限公司 | Tamper-proof method supporting user white list, electronic device and storage medium |
US11113391B2 (en) | 2018-10-23 | 2021-09-07 | Industrial Technology Research Institute | Method and computer system for preventing malicious software from attacking files of the computer system and corresponding non-transitory computer readable storage medium |
CN113609478A (en) * | 2021-07-16 | 2021-11-05 | 浙江吉利控股集团有限公司 | IOS platform application program tampering detection method and device |
CN113672925A (en) * | 2021-08-26 | 2021-11-19 | 安天科技集团股份有限公司 | Method, device, storage medium and electronic equipment for preventing lasso software attack |
US20220269807A1 (en) * | 2021-02-22 | 2022-08-25 | EMC IP Holding Company LLC | Detecting unauthorized encryptions in data storage systems |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105760759A (en) * | 2015-12-08 | 2016-07-13 | 哈尔滨安天科技股份有限公司 | Method and system for protecting documents based on process monitoring |
CN106611123A (en) * | 2016-12-02 | 2017-05-03 | 哈尔滨安天科技股份有限公司 | Method and system for detecting 'Harm. Extortioner. a' virus |
2017
- 2017-08-10 CN CN201710681523.0A patent/CN107506642A/en active Pending
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105760759A (en) * | 2015-12-08 | 2016-07-13 | 哈尔滨安天科技股份有限公司 | Method and system for protecting documents based on process monitoring |
CN106611123A (en) * | 2016-12-02 | 2017-05-03 | 哈尔滨安天科技股份有限公司 | Method and system for detecting 'Harm. Extortioner. a' virus |
Cited By (27)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109472144A (en) * | 2017-12-29 | 2019-03-15 | 北京安天网络安全技术有限公司 | It is a kind of to defend the viral method, apparatus operated to file and storage medium |
CN108038379B (en) * | 2017-12-29 | 2020-06-23 | 北京长御科技有限公司 | Method and system for preventing lasso software attack |
CN109472144B (en) * | 2017-12-29 | 2021-09-28 | 北京安天网络安全技术有限公司 | Method, device and storage medium for operating file by defending virus |
CN108063771A (en) * | 2017-12-29 | 2018-05-22 | 北京长御科技有限公司 | The monitoring method and device of ciphered compressed file |
CN108038379A (en) * | 2017-12-29 | 2018-05-15 | 北京长御科技有限公司 | A kind of anti-method and system for extorting software attacks |
CN108280238B (en) * | 2018-03-02 | 2019-04-19 | 上海棉联电子商务有限公司 | Computer shared file emergency backup method |
CN108280238A (en) * | 2018-03-02 | 2018-07-13 | 于刚 | Computer shared file emergency backup method |
CN109117303A (en) * | 2018-03-02 | 2019-01-01 | 于刚 | Computer shared file emergency backup platform |
CN108563754A (en) * | 2018-04-16 | 2018-09-21 | Oppo广东移动通信有限公司 | Document handling method, device, mobile terminal and computer readable storage medium |
CN108549698B (en) * | 2018-04-16 | 2021-07-09 | Oppo广东移动通信有限公司 | File processing method and device, mobile terminal and computer readable storage medium |
CN108549698A (en) * | 2018-04-16 | 2018-09-18 | Oppo广东移动通信有限公司 | Document handling method, device, mobile terminal and computer readable storage medium |
CN110443033A (en) * | 2018-05-04 | 2019-11-12 | 陕西思科锐迪网络安全技术有限责任公司 | A kind of file backup method based on Minifilter frame |
CN108985095B (en) * | 2018-07-05 | 2022-04-01 | 深圳市网心科技有限公司 | Non-public file access method, system, electronic equipment and storage medium |
CN108985095A (en) * | 2018-07-05 | 2018-12-11 | 深圳市网心科技有限公司 | A kind of non-public file access method, system and electronic equipment and storage medium |
CN108985051A (en) * | 2018-08-02 | 2018-12-11 | 郑州云海信息技术有限公司 | A kind of intrusion prevention method and system of Behavior-based control tracking |
CN109325358A (en) * | 2018-08-22 | 2019-02-12 | 深圳点猫科技有限公司 | Method, electronic equipment based on linux system definition application permission |
US11113391B2 (en) | 2018-10-23 | 2021-09-07 | Industrial Technology Research Institute | Method and computer system for preventing malicious software from attacking files of the computer system and corresponding non-transitory computer readable storage medium |
CN109784037B (en) * | 2018-12-29 | 2021-04-23 | 360企业安全技术(珠海)有限公司 | Security protection method and device for document file, storage medium and computer equipment |
CN109784037A (en) * | 2018-12-29 | 2019-05-21 | 360企业安全技术(珠海)有限公司 | The safety protecting method and device of document files, storage medium, computer equipment |
CN111639336A (en) * | 2020-04-16 | 2020-09-08 | 中国科学院信息工程研究所 | Lesog software real-time detection method and defense method based on virtual read-write of file system |
CN111600893A (en) * | 2020-05-19 | 2020-08-28 | 山石网科通信技术股份有限公司 | Lexus software defense method, device, storage medium, processor and host |
CN111967058A (en) * | 2020-07-28 | 2020-11-20 | 浙江军盾信息科技有限公司 | Tamper-proof method supporting user white list, electronic device and storage medium |
CN111931171A (en) * | 2020-08-10 | 2020-11-13 | 深信服科技股份有限公司 | Shared file security protection method, device, equipment and storage medium |
US20220269807A1 (en) * | 2021-02-22 | 2022-08-25 | EMC IP Holding Company LLC | Detecting unauthorized encryptions in data storage systems |
CN113609478A (en) * | 2021-07-16 | 2021-11-05 | 浙江吉利控股集团有限公司 | IOS platform application program tampering detection method and device |
CN113672925A (en) * | 2021-08-26 | 2021-11-19 | 安天科技集团股份有限公司 | Method, device, storage medium and electronic equipment for preventing lasso software attack |
CN113672925B (en) * | 2021-08-26 | 2024-01-26 | 安天科技集团股份有限公司 | Method and device for preventing lux software attack, storage medium and electronic equipment |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107506642A (en) | The method and system for preventing file from being damaged by malicious operation behavior | |
CN103226675B (en) | A kind of traceability system and method analyzing intrusion behavior | |
CN102739774B (en) | Method and system for obtaining evidence under cloud computing environment | |
JP2006504178A (en) | Comprehensive infringement accident response system in IT infrastructure and its operation method | |
CN112241543A (en) | Sensitive data combing method based on data middling stage | |
CN114584405B (en) | Electric power terminal safety protection method and system | |
CN104881483B (en) | Automatic detection evidence collecting method for the attack of Hadoop platform leaking data | |
KR101503701B1 (en) | Method and Apparatus for Protecting Information Based on Big Data | |
CN106845222A (en) | A kind of detection method and system of blackmailer's virus | |
CN107563192A (en) | A kind of means of defence for extorting software, device, electronic equipment and storage medium | |
CN107154939A (en) | A kind of method and system of data tracing | |
KR101256507B1 (en) | An malicious insider detection system via user behavior analysis and method thereof | |
CN111931239A (en) | Data leakage prevention system for database security protection | |
Raju et al. | SNAPS: Towards building snapshot based provenance system for virtual machines in the cloud environment | |
CN105912946A (en) | Document detection method and device | |
CN105550573B (en) | The method and apparatus for intercepting bundled software | |
CN110363002A (en) | A kind of intrusion detection method, device, equipment and readable storage medium storing program for executing | |
CN116389148B (en) | Network security situation prediction system based on artificial intelligence | |
CN106682504A (en) | Method and device for preventing file from being maliciously edited and electronic equipment | |
CN109067587B (en) | Method and device for determining key information infrastructure | |
CN116226865A (en) | Security detection method, device, server, medium and product of cloud native application | |
KR102294926B1 (en) | Automated system for forming analyzed data by extracting original data | |
WO2020102925A1 (en) | Method for monitoring tampering of static objects in mixed environment | |
seok Kang et al. | Companies Entering the Metabus Industry-Major Big Data Protection with Remote-based Hard Disk Memory Analysis Audit (AUDIT) System | |
Ratti et al. | The gaps of identity management in fulfilling personal data protection regulations’ requirements and research opportunities |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20171222