CN109145602B - Ransomware attack protection method and device - Google Patents

Ransomware attack protection method and device

Info

Publication number: CN109145602B
Application number: CN201810736474.0A
Authority: CN (China)
Prior art keywords: user equipment, file, current user, equipment file, backup
Legal status (an assumption by Google Patents, not a legal conclusion): Active
Other languages: Chinese (zh)
Other versions: CN109145602A (en)
Inventors: 徐江明, 刘政平, 王光辉
Current assignee (the listed assignee may be inaccurate): Chengdu Asiainfo Network Security Industrial Technology Research Institute Co ltd
Original assignee: Chengdu Asiainfo Network Security Industrial Technology Research Institute Co ltd
Application filed by Chengdu Asiainfo Network Security Industrial Technology Research Institute Co ltd
Priority to CN201810736474.0A
Publication of CN109145602A
Application granted
Publication of CN109145602B

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52: Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F 21/55: Detecting local intrusion or implementing counter-measures
    • G06F 21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562: Static detection
    • G06F 11/00: Error detection; error correction; monitoring
    • G06F 11/07: Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F 11/14: Error detection or correction of the data by redundancy in operation
    • G06F 11/1402: Saving, restoring, recovering or retrying
    • G06F 11/1446: Point-in-time backing up or restoration of persistent data
    • G06F 11/1448: Management of the data involved in backup or backup restore

Abstract

The embodiments of the invention disclose a ransomware attack protection method and device, relating to the technical field of network security, which can reduce the damage a ransomware attack does to user device files by applying hash DPH processing, backup and recovery to those files. The method comprises the following steps: determining that an application program is accessing a current user device file, where the application is an untrusted application, the current user device file is an identified user device file, and the key information of an identified user device file has been processed by hash DPH, the key information comprising the file header and the modification time; when the format of the file header of the current user device file is not damaged and its modification time is inconsistent with the modification time stored for it in the DPH list, backing up the current user device file; and when the format of the file header of the current user device file is determined to be damaged, restoring the current user device file from the copy of it in the backup list. The embodiments of the invention are applied in a network system.

Description

Ransomware attack protection method and device
Technical Field
The embodiments of the invention relate to the technical field of network security, and in particular to a method and a device for protecting against ransomware attacks.
Background
Ransomware typically encrypts the various files on a user's system (documents, mail, databases, source code, pictures, compressed archives and so on) in some form so that they become unusable, or modifies system configuration files to interfere with the user's normal use of the system and so reduce its availability. It then issues a ransom notice to the user by a pop-up window, a dialog box or a generated text file, demanding that the user remit money to a specified account to obtain the password that decrypts the files or a way to restore normal operation of the system.
In the prior art, one typical defence against ransomware attacks on user system files is based on a sample library of ransomware binaries: antivirus vendors collect as many ransomware families and variants as possible and extract signatures from these samples. The disadvantage of this approach is that any new ransomware can easily bypass detection by the sample library. Another solution is based on the sensitive system APIs (application programming interfaces) commonly used by ransomware, such as the encryption/decryption APIs, and intercepts their use with hooks; once these APIs are called, the defence begins monitoring and inspecting the caller's subsequent behaviour. However, this solution is very prone to false positives, and if the ransomware does not call the system encryption API but brings its own encryption implementation, the method fails.
Disclosure of Invention
Embodiments of the present invention provide a method and an apparatus for protecting against ransomware attacks, which can reduce the damage a ransomware attack does to user device files by applying hash DPH processing, backup and recovery to those files.
A first aspect provides a ransomware attack protection method: determining that an application program is accessing a current user device file, where the application is an untrusted application, the current user device file is an identified user device file, and the key information of an identified user device file has been processed by hash DPH, the key information comprising the file header and the modification time; when the format of the file header of the current user device file is not damaged and its modification time is inconsistent with the modification time stored for it in the DPH list, backing up the current user device file; when the format of the file header of the current user device file is determined to be damaged, restoring the current user device file from the copy of it in the backup list; if the backup of the current user device file fails, raising an alarm or writing a log and allowing the application to access the current user device file; if the recovery of the current user device file fails, denying the application access to all other identified user device files in the user device except the current one; and if the current user device file is successfully backed up or successfully restored, allowing the application to access it.
In this protection method, it is first confirmed that an application program is accessing the current user device file, that the application is untrusted, and that the current user device file is an identified user device file whose key information (the file header and the modification time) has been processed by hash DPH. It is then judged whether the format of the file header of the current user device file is damaged. If it is not damaged and the modification time is inconsistent with the modification time stored for the file in the DPH list, the current user device file is backed up; otherwise it is restored from the copy in the backup list. Finally, depending on whether the backup succeeded or failed, an alarm is raised or a log written, and the application is allowed to access the file; and depending on whether the recovery succeeded or failed, the application is either allowed to access the current user device file or denied access to all other identified user device files in the user device. In this way hash DPH processing, backup and recovery of user device files reduce the loss caused by further attacks by the ransomware on those files.
Optionally, it is judged whether the backup and recovery function is enabled. If it is enabled, the format of the file header of the current user device file is not damaged and the modification time is inconsistent with the modification time stored in the DPH list, the current user device file is backed up; if it is enabled and the format of the file header is damaged, the current user device file is restored from the copy in the backup list.
Optionally, if the backup and recovery function is enabled, the format of the file header of the current user device file is not damaged and the modification time is consistent with the modification time stored in the DPH list, the application is allowed to access the current user device file.
Optionally, if the backup and recovery function is disabled and the format of the file header of the current user device file is not damaged, the application is allowed to access the current user device file; if the function is disabled and the format of the file header is damaged, the application is denied access to all other identified user device files in the user device except the current one.
Optionally, it is judged whether the current user device file is an identified user device file; if so, it is judged whether the format of its file header is damaged; otherwise, the application is allowed to access the current user device file.
Optionally, backing up the current user device file specifically comprises storing the latest changed version in the backup list according to the modification time of the current user device file and updating its key information in the DPH list; the key information further comprises the file size and the complete path of the file together with the file name.
Optionally, after confirming that the application is accessing the current user device file, the application is classified according to an application feature library as either a trusted application or an untrusted application; if it is a trusted application, it is allowed to access the current user device file.
Optionally, before judging whether the current user device file is an identified user device file, it is confirmed whether the DPH list function is enabled; if so, it is judged whether the current user device file is an identified user device file; otherwise, the application is denied access to the current user device file.
In a second aspect, a ransomware attack protection device is provided, comprising:
a confirming module, used to confirm that an application program is accessing a current user device file, where the application is an untrusted application, the current user device file is an identified user device file, and the key information of an identified user device file, comprising the file header and the modification time, has been processed by hash DPH;
a backup and recovery module, used to back up the current user device file when the judging module finds that the format of its file header is not damaged and its modification time is inconsistent with the modification time stored for it in the DPH list;
the backup and recovery module being further used to restore the current user device file from the copy in the backup list when the judging module determines that the format of its file header is damaged;
a processing module, used to raise an alarm or write a log when the backup and recovery module fails to back up the current user device file, and to allow the application to access the current user device file;
the processing module being further used to deny the application access to all other identified user device files in the user device except the current one when the backup and recovery module fails to restore the current user device file;
the processing module being further used to allow the application to access the current user device file when the backup and recovery module successfully backs it up or successfully restores it.
Optionally, the judging module is used to judge whether the backup and recovery function is enabled.
The backup and recovery module is used to back up the current user device file when the judging module confirms that the backup and recovery function is enabled, the format of the file header of the current user device file is not damaged and its modification time is inconsistent with the modification time stored in the DPH list.
The backup and recovery module is further used to restore the current user device file from the copy in the backup list when the judging module confirms that the backup and recovery function is enabled and the format of the file header is damaged.
Optionally, the processing module is used to allow the application to access the current user device file when the judging module confirms that the backup and recovery function is enabled, the format of the file header is not damaged and the modification time is consistent with the modification time stored in the DPH list.
Optionally, the processing module is used to allow the application to access the current user device file when the judging module determines that the backup and recovery function is disabled and the format of the file header is not damaged.
The processing module is further used to deny the application access to all other identified user device files in the user device except the current one when the judging module determines that the backup and recovery function is disabled and the format of the file header of the current user device file is damaged.
Optionally, the judging module is used to judge whether the current user device file is an identified user device file.
The judging module is further used to judge whether the format of the file header of the current user device file is damaged when it determines that the current user device file is an identified user device file.
The processing module is used to allow the application to access the current user device file when the judging module confirms that it is not an identified user device file.
Optionally, backing up the current user device file specifically comprises: the backup and recovery module stores the latest changed version in the backup list according to the modification time of the current user device file and updates its key information in the DPH list; the key information further comprises the file size and the complete path of the file together with the file name.
Optionally, the judging module is used to classify the application according to an application feature library, the result being either a trusted application or an untrusted application.
The processing module is used to allow the application to access the current user device file when the judging module's result is a trusted application.
Optionally, the judging module is used to judge whether the DPH list function is enabled.
The judging module is further used to judge whether the current user device file is an identified user device file when it confirms that the DPH list function is enabled.
The processing module is used to deny the application access to the current user device file when the judging module confirms that the DPH list function is disabled.
It can be understood that the ransomware attack protection device is used to execute the method of the first aspect; the beneficial effects it achieves are therefore those of the method of the first aspect and of the corresponding schemes in the following detailed description, and are not repeated here.
Drawings
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only a part of the embodiments of the present invention, not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a schematic flowchart of a ransomware attack protection method according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a ransomware attack protection method with online backup according to an embodiment of the present invention;
Fig. 3 is a schematic flowchart of a ransomware attack protection method with offline backup according to an embodiment of the present invention;
Fig. 4 is a flowchart of a backup and restore method using manual scanning according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a ransomware attack protection device according to an embodiment of the present invention.
Detailed Description
Among the various types of malware, ransomware is becoming increasingly popular because of its relatively low technical threshold, high revenue and low risk of being tracked or traced back. A victim can easily be infected with ransomware through traditional attack methods such as automated attack kits delivered by watering-hole attacks, spear phishing and spam, and attackers can also deliver ransomware through social engineering. Once the user has been deceived into running the ransomware executable on their computer, the malware searches for every regular document (docx, pptx, pdf, txt and so on), encrypts it with a cryptographic algorithm such as AES or RSA, and deletes the original. Because the key needed for decryption is sent back to the attacker's C&C server, the victim is forced to pay the ransom (usually in bitcoin, for anonymous payment) to obtain it, and cannot open the original documents containing important information until the ransom is paid, which causes loss to the user. As shown in Fig. 1, an embodiment of the present invention provides a ransomware attack protection method comprising:
101. Determining that an application program is accessing a current user device file, where the application is an untrusted application, the current user device file is an identified user device file, and the key information of an identified user device file, comprising the file header and the modification time, has been processed by hash DPH.
After confirming that the application is accessing the current user device file, the application is classified according to an application feature library as either a trusted application or an untrusted application; if it is a trusted application, it is allowed to access the current user device file.
In addition, after the application has been classified according to the application feature library, it is judged whether the current user device file is an identified user device file; if so, it is judged whether the format of its file header is damaged; otherwise, the application is allowed to access the current user device file.
In addition, before judging whether the current user device file is an identified user device file, it is confirmed whether the DPH list function is enabled; if so, it is judged whether the current user device file is an identified user device file; otherwise, the application is denied access to the current user device file.
102. When the format of the file header of the current user device file is not damaged and its modification time is inconsistent with the modification time stored for it in the DPH list, backing up the current user device file.
Backing up the current user device file specifically comprises storing the latest changed version in the backup list according to the modification time of the current user device file and updating its key information in the DPH list; the key information further comprises the file size and the complete path of the file together with the file name.
103. When the format of the file header of the current user device file is determined to be damaged, restoring the current user device file from the copy in the backup list.
Before steps 102 and 103 it is further necessary to judge whether the backup and recovery function is enabled; depending on that, the following five cases S1 to S5 apply.
S1. If the backup and recovery function is enabled, the format of the file header of the current user device file is not damaged and the modification time is inconsistent with the modification time stored in the DPH list, the current user device file is backed up.
S2. If the backup and recovery function is enabled and the format of the file header of the current user device file is damaged, the current user device file is restored from the copy in the backup list.
S3. If the backup and recovery function is enabled, the format of the file header of the current user device file is not damaged and the modification time is consistent with the modification time stored in the DPH list, the application is allowed to access the current user device file.
S4. If the backup and recovery function is disabled and the format of the file header of the current user device file is not damaged, the application is allowed to access the current user device file.
S5. If the backup and recovery function is disabled and the format of the file header of the current user device file is damaged, the application is denied access to all other identified user device files in the user device except the current one.
104. If the backup of the current user device file fails, an alarm is raised or a log written and the application is allowed to access the current user device file; if the recovery of the current user device file fails, the application is denied access to all other identified user device files in the user device except the current one; and if the current user device file is successfully backed up or successfully restored, the application is allowed to access it.
By way of example, and referring to Fig. 2, a ransomware attack protection method with online backup according to an embodiment of the present invention is described in detail; its specific steps are as follows:
201. Confirm that the application is accessing the current user device file. Go to step 202.
202. Judge whether the application is a trusted application. If so, go to step 209; otherwise, go to step 203.
The application is classified according to the trusted application characteristics recorded in the application feature library.
203. Judge whether the DPH list function is enabled. If so, go to step 204; otherwise, go to step 214.
204. Judge whether the current user device file accessed by the application is an identified user device file. If so, go to step 205; otherwise, go to step 209.
Specifically, whether the current user device file accessed by the application is an identified user device file is judged according to the DPH list.
205. Judge whether the backup and recovery function is enabled. If so, go to step 206; otherwise, go to step 211.
206. Check whether the file header and the modification time of the current user device file are completely consistent with those stored for it in the DPH list. If so, go to step 209; otherwise, go to step 207.
207. Judge whether the format of the file header of the current user device file is damaged. If so, go to step 208; otherwise, go to step 212.
208. Restore the current user device file from the copy in the backup list. If the recovery succeeds, go to step 209; if it fails, go to step 210.
209. Allow the application to access the current user device file.
210. Deny the application access to all other identified user device files in the user device except the current user device file.
211. Judge whether the format of the file header of the current user device file is damaged. If so, go to step 210; otherwise, go to step 209.
212. Back up the current user device file online. If the backup succeeds, go to step 209; otherwise, go to step 213.
Specifically, the online backup of the current user device file comprises storing the latest changed version in the backup list according to the modification time of the current user device file and updating its key information in the DPH list; the key information further comprises the file size and the complete path of the file together with the file name.
213. Raise an alarm or write a log for the current user device file whose backup failed. Go to step 209.
214. Deny the application access to the current user device file.
By way of example, and referring to Fig. 3, a ransomware attack protection method with offline backup according to an embodiment of the present invention is described in detail; its specific steps are as follows:
301. Confirm that the application is accessing the current user device file. Go to step 302.
302. Judge whether the application is a trusted application. If so, go to step 309; otherwise, go to step 303.
The application is classified according to the trusted application characteristics recorded in the application feature library.
303. Judge whether the DPH list function is enabled. If so, go to step 304; otherwise, go to step 315.
304. Judge whether the current user device file accessed by the application is an identified user device file. If so, go to step 305; otherwise, go to step 309.
Specifically, whether the current user device file accessed by the application is an identified user device file is judged according to the DPH list.
305. Judge whether the backup and recovery function is enabled. If so, go to step 306; otherwise, go to step 311.
306. Check whether the file header and the modification time of the current user device file are completely consistent with those stored for it in the DPH list. If so, go to step 309; otherwise, go to step 307.
307. Judge whether the format of the file header of the current user device file is damaged. If so, go to step 308; otherwise, go to step 312.
308. Restore the current user device file from the copy in the backup list. If the recovery succeeds, go to step 309; if it fails, go to step 310.
309. Allow the application to access the current user device file.
310. Deny the application access to all other identified user device files in the user device except the current user device file.
311. Judge whether the format of the file header of the current user device file is damaged. If so, go to step 310; otherwise, go to step 309.
312. Back up the current user device file offline. If the backup succeeds, go to step 314; otherwise, go to step 313.
Specifically, the offline backup of the current user device file comprises an asynchronous thread pool storing the latest changed version in the backup list, offline, according to the modification time of the current user device file, and updating its key information in the DPH list; the key information further comprises the file size and the complete path of the file together with the file name.
313. Raise an alarm or write a log for the current user device file whose backup failed. Go to step 314.
314. Finish, and wait for the next access.
315. Deny the application access to the current user device file.
For example, referring to fig. 4, the backup and recovery function is implemented in a manual scan mode. It should be noted that the manual scan mode performs an unscheduled manual scan of all identified user equipment files in the user equipment. The scan interval can be set according to the actual requirements of the user, for example one week, one month or three months. In detail, all identified user equipment files in the user equipment are first enumerated, and starting from the current user equipment file, the specific steps are as follows:
401. Determine the current user equipment file. Go to step 402.
402. Check whether the file header and the modification time of the current user equipment file are completely consistent with those recorded for the current user equipment file in the DPH list. If so, go to step 407; otherwise, go to step 403.
403. Determine whether the file header format of the current user equipment file is damaged. If so, go to step 404; otherwise, go to step 405.
404. Restore the current user equipment file from the copy of the current user equipment file backed up in the backup list. If the recovery succeeds, go to step 407; otherwise, go to step 406.
405. Back up the current user equipment file. If the backup succeeds, go to step 407; otherwise, go to step 406.
Specifically, backing up the current user equipment file comprises: an asynchronous thread pool stores the latest changed version into the backup list offline, according to the modification time of the current user equipment file, and updates the key information in the DPH list, where the key information further comprises the file size, the complete path of the file and the file name.
406. Raise an alarm or record a log. Go to step 407.
407. Proceed to the next file. Go to step 401.
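The access-time flow of fig. 3 (steps 301 to 315) and the manual scan of fig. 4 (steps 401 to 407) share the same building blocks: a DPH list keyed by file path, a backup list, a header-format check and backup/restore of a single file. The following Python sketch implements both flows over real files in a temporary directory. It is an added example, not code from the patent or its assignee, and it assumes several things the page does not specify: a magic-byte table per file type stands in for the "damaged file header format" test, a SHA-256 over the first 16 bytes plus the modification time stands in for the "Hash DPH" key information, a fixed set of process names stands in for the application feature library, and the backup is done synchronously rather than by the asynchronous thread pool the page describes. The trusted-application branch allows access, following claim 7 and the processing module 504 description.

```python
import hashlib
import os
import shutil
import tempfile

# Assumed magic bytes per type: the page does not say how a "damaged header format" is recognised.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".docx": b"PK\x03\x04"}
HEADER_LEN = 16                 # header bytes hashed into the DPH key information (assumption)
TRUSTED_APPS = {"winword.exe"}  # constructed stand-in for the application feature library
ALLOW, DENY, DENY_OTHERS = "allow", "deny", "deny-other-identified-files"

class Protector:
    def __init__(self, backup_dir, dph_enabled=True, backup_enabled=True):
        self.backup_dir, self.log = backup_dir, []   # log: alarm records of steps 313 / 406
        self.dph_enabled, self.backup_enabled = dph_enabled, backup_enabled  # switches, steps 303 / 305
        self.dph, self.backups = {}, {}              # DPH list and backup list, both keyed by path
        os.makedirs(backup_dir, exist_ok=True)

    def key_info(self, path):  # hashed header + modification time (size and name as well)
        with open(path, "rb") as f:
            st, header = os.stat(path), f.read(HEADER_LEN)
        return {"header": hashlib.sha256(header).hexdigest(), "mtime": st.st_mtime_ns,
                "size": st.st_size, "name": os.path.basename(path)}

    def header_damaged(self, path):
        magic = MAGIC.get(os.path.splitext(path)[1].lower(), b"")  # unknown type: cannot be judged
        with open(path, "rb") as f:
            return f.read(len(magic)) != magic

    def consistent_with_dph(self, path):   # steps 306 / 402
        cur, ref = self.key_info(path), self.dph[path]
        return cur["header"] == ref["header"] and cur["mtime"] == ref["mtime"]

    def backup(self, path):                # steps 312 / 405 (synchronous here, not a thread pool)
        try:
            dst = os.path.join(self.backup_dir, f"{os.path.basename(path)}.{os.stat(path).st_mtime_ns}.bak")
            shutil.copy2(path, dst)        # copy2 preserves the modification time
            self.backups[path], self.dph[path] = dst, self.key_info(path)  # refresh key information
            return True
        except OSError:
            self.log.append(("backup failed", path))
            return False

    def restore(self, path):               # steps 308 / 404
        try:
            shutil.copy2(self.backups[path], path)
            return True
        except (KeyError, OSError):
            self.log.append(("restore failed", path))
            return False

    def on_access(self, app, path):        # fig. 3 flow for one access; returns ALLOW / DENY / DENY_OTHERS
        if app in TRUSTED_APPS:                 # 302: trusted application is allowed (claim 7)
            return ALLOW
        if not self.dph_enabled:                # 303 -> 315
            return DENY
        if path not in self.dph:                # 304 -> 309: not an identified file
            return ALLOW
        damaged = self.header_damaged(path)
        if not self.backup_enabled:             # 305 -> 311 -> 310 / 309
            return DENY_OTHERS if damaged else ALLOW
        if self.consistent_with_dph(path):      # 306 -> 309
            return ALLOW
        if damaged:                             # 307 -> 308 -> 309 / 310
            return ALLOW if self.restore(path) else DENY_OTHERS
        self.backup(path)                       # 307 -> 312 (313 on failure) -> 314
        return ALLOW

    def manual_scan(self):                 # fig. 4 flow over all identified files; returns restored count
        restored = 0
        for path in list(self.dph):             # 401 ... 407
            if self.consistent_with_dph(path):  # 402 -> 407
                continue
            if self.header_damaged(path):       # 403 -> 404
                restored += self.restore(path)
            else:                               # 403 -> 405
                self.backup(path)
        return restored

def touch(path, mode, data, t):  # demo helper: write data and pin the modification time to t seconds
    with open(path, mode) as f:
        f.write(data)
    os.utime(path, (t, t))

def demo():  # constructed scenario: a legitimate edit, then a header overwritten as by encryption
    root = tempfile.mkdtemp()
    doc = os.path.join(root, "report.pdf")
    touch(doc, "wb", b"%PDF-1.7 constructed sample document\n", 1_600_000_000)
    p = Protector(os.path.join(root, "backup"))
    p.backup(doc)                                           # becomes an identified, backed-up file
    out = {"trusted": p.on_access("winword.exe", doc), "unchanged": p.on_access("editor.exe", doc)}
    touch(doc, "ab", b"second paragraph\n", 1_600_000_001)   # header intact, modification time changed
    out["edited"] = p.on_access("editor.exe", doc)          # backed up, then allowed
    touch(doc, "r+b", b"\x00\xff\x00\xff", 1_600_000_002)   # header clobbered
    out["damaged"] = p.on_access("editor.exe", doc)         # restored from the backup list
    with open(doc, "rb") as f:
        out["content"] = f.read()
    touch(doc, "r+b", b"\x00\xff\x00\xff", 1_600_000_003)   # clobber again for the manual scan
    out["scan_restored"] = p.manual_scan()                  # fig. 4 repairs it
    shutil.rmtree(root)
    return out
```

Calling `demo()` walks the file through both flows: the first untrusted access finds the file consistent with the DPH list and is allowed; the legitimate append changes the modification time but not the header, so step 312 takes a new backup; the overwritten header is caught at step 307 and the file is restored from the latest backup before access is allowed; the manual scan then repairs a second overwrite without any access having triggered it.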
In this ransomware attack protection method, it is first confirmed that an application program accesses a current user equipment file, where the application program is an untrusted application program, the current user equipment file is an identified user equipment file, the key information of the identified user equipment file has been processed by Hash DPH, and the key information comprises a file header and a modification time. It is then determined whether the file header format of the current user equipment file is damaged. If it is not damaged and the modification time is inconsistent with the modification time of the current user equipment file stored in the DPH list, the current user equipment file is backed up; otherwise, the current user equipment file is restored from the copy backed up in the backup list. Finally, whether to raise an alarm or record a log is decided according to the success or failure of the backup of the current user equipment file, after which the application program is allowed to access the current user equipment file; and according to the success or failure of the recovery of the current user equipment file, it is decided whether to allow the application program to access the current user equipment file or to deny it access to the other identified user equipment files in the user equipment other than the current user equipment file. The ransomware attack protection method has been described by way of example above and is not described again here. Thus, by performing Hash DPH processing, backup and recovery on user equipment files, the method and device can reduce the loss caused by further ransomware attacks on user equipment files.
As shown in fig. 5, an embodiment of the present invention provides a ransomware attack protection device 50, comprising:
a confirming module 501, configured to confirm that the application accesses a current user equipment file; the application comprises an untrusted application; the current user equipment file is an identification user equipment file; the key information for identifying the user equipment file is processed by Hash DPH; the key information includes a header and a modification time.
The backup and recovery module 502 is configured to back up the current user equipment file when the determining module 503 determines that the file header format of the current user equipment file is not damaged and the modification time is inconsistent with the modification time of the current user equipment file stored in the DPH list.
The backup and recovery module 502 is further configured to recover the current user equipment file according to the current user equipment file backed up in the backup list when the determining module 503 determines that the format of the file header of the current user equipment file is damaged.
The processing module 504 is configured to perform an alarm or log recording according to the failure of the backup of the current user equipment file by the backup and recovery module 502, and allow the application program to access the current user equipment file.
The processing module 504 is further configured to deny the application program from accessing other identified user equipment files in the user equipment other than the current user equipment file according to a failure of the backup and recovery module 502 in recovering the current user equipment file.
The processing module 504 is further configured to allow the application program to access the current user device file according to the fact that the backup and recovery module 502 successfully backs up the current user device file or successfully recovers the current user device file.
In an exemplary scenario, the determining module 503 is configured to determine whether the backup and restore functions are turned on.
The backup and recovery module 502 is configured to back up the current user equipment file when the determining module 503 determines that the backup and recovery function is turned on, the file header format of the current user equipment file is not damaged, and the modification time is inconsistent with the modification time of the current user equipment file stored in the DPH list.
The backup and recovery module 502 is configured to determine, according to the determining module 503, that the backup and recovery function is turned on, and when the format of the file header of the current user equipment file is damaged, recover the current user equipment file according to the current user equipment file backed up in the backup list.
In an exemplary scenario, the processing module 504 is configured to allow the application program to access the current user equipment file when the backup and restore function is turned on according to the determining module 503, and the format of the file header of the current user equipment file is not damaged, and the modification time is consistent with the modification time of the current user equipment file stored in the DPH list.
In an exemplary scenario, the processing module 504 is configured to allow the application program to access the current user equipment file when the determining module 503 confirms that the backup and recovery function is turned off and the file header format of the current user equipment file is not damaged.
The processing module 504 is further configured to, according to the determination module 503, determine that the backup and recovery function is closed, and when the format of the file header of the current user equipment file is damaged, deny the application program from accessing other identified user equipment files in the user equipment other than the current user equipment file.
In an exemplary scenario, the determining module 503 is configured to determine whether the current user equipment file is an identified user equipment file.
The determining module 503 is further configured to determine whether the format of the file header of the current user equipment file is damaged when the current user equipment file is the identified user equipment file.
The processing module 504 is configured to allow the application program to access the current user equipment file when the determining module 503 determines that the current user equipment file is not an identified user equipment file.
In an exemplary scheme, backing up the current user equipment file specifically comprises: the backup and recovery module 502 stores the latest changed version into the backup list according to the modification time of the current user equipment file, and updates the key information in the DPH list; the key information further comprises the file size and the complete path of the file plus the file name.
In an exemplary scheme, the determining module 503 is configured to determine the application according to the application feature library, where the determination result includes a trusted application or an untrusted application.
A processing module 504, configured to allow the application program to access the current user equipment file according to the determination result of the determining module 503 as a trusted application program.
In an exemplary scheme, the determining module 503 is configured to determine whether the DPH list function is turned on.
The determining module 503 is configured to determine whether the current user equipment file is an identified user equipment file when the DPH list function is determined to be turned on.
The processing module 504 is configured to deny the application program access to the current user equipment file when the determining module 503 determines that the DPH list function is turned off.
The content related to the method embodiment and the technical effect achieved by the method embodiment may directly refer to the description in the corresponding functional module in the system embodiment, and details are not repeated.
The steps of a method or algorithm described in connection with the disclosure herein may be embodied in hardware or in software instructions executed by a processor. For example, the backup and recovery module, the determining module, the confirming module and the processing module may be implemented by independent processors or integrated in the same processor. An embodiment of the present invention further provides a storage medium, where the storage medium may include a memory configured to store computer software instructions for a ransomware attack protection apparatus, the computer software instructions including program code designed to perform the ransomware attack protection method. Specifically, the software instructions may be composed of corresponding software modules, and the software modules may be stored in a random access memory (RAM), a flash memory, a read-only memory (ROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), a register, a hard disk, a removable hard disk, a compact disc read-only memory (CD-ROM), or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be integral to the processor.
The embodiment of the present invention further provides a computer program, where the computer program may be directly loaded into the memory and contains software code, and the computer program is loaded and executed by a computer so as to implement the above ransomware attack protection method.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described in this invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (16)

1. A ransomware attack protection method, characterized in that it comprises the following steps:
confirming that the application program accesses the current user equipment file; the application comprises an untrusted application; the current user equipment file is an identification user equipment file; the key information for identifying the user equipment file is processed by Hash DPH; the key information comprises a file header and modification time;
when the format of the file header of the current user equipment file is not damaged and the modification time is inconsistent with the modification time of the current user equipment file stored in a DPH list, backing up the current user equipment file;
when the file header format of the current user equipment file is determined to be damaged, restoring the current user equipment file according to the current user equipment file backed up in a backup list;
if the current user equipment file is failed to be backed up, alarming or logging is carried out, and the application program is allowed to access the current user equipment file; if the current user equipment file is failed to be recovered, the application program is refused to access other marked user equipment files except the current user equipment file in the user equipment; and if the current user equipment file is successfully backed up or the current user equipment file is successfully restored, allowing the application program to access the current user equipment file.
2. The ransomware attack protection method according to claim 1, further comprising: determining whether the backup and recovery function is turned on;
if the backup and recovery function is confirmed to be started, the format of the file header of the current user equipment file is not damaged, and the modification time is inconsistent with the modification time for storing the current user equipment file in the DPH list, backing up the current user equipment file;
and if the backup and recovery functions are confirmed to be started and the format of the file header of the current user equipment file is damaged, recovering the current user equipment file according to the current user equipment file backed up in the backup list.
3. The ransomware attack protection method according to claim 2, further comprising:
and if the backup and recovery function is confirmed to be started, the format of the file header of the current user equipment file is not damaged, and the modification time is consistent with the modification time of the current user equipment file stored in the DPH list, allowing the application program to access the current user equipment file.
4. The ransomware attack protection method according to claim 2, further comprising:
if the backup and recovery function is confirmed to be closed and the format of the file header of the current user equipment file is not damaged, allowing the application program to access the current user equipment file;
and if the backup and recovery functions are confirmed to be closed and the format of the file header of the current user equipment file is damaged, the application program is refused to access other marked user equipment files except the current user equipment file in the user equipment.
5. The ransomware attack protection method according to claim 1, further comprising:
judging whether the current user equipment file is the identification user equipment file;
if the file is the identified user equipment file, judging whether the format of the file header of the current user equipment file is damaged; otherwise, allowing the application program to access the current user equipment file.
6. The ransomware attack protection method according to claim 1, wherein said backing up said current user equipment file specifically comprises:
storing the latest changed version into the backup list according to the modification time of the current user equipment file, and modifying the key information of the DPH list; wherein the key information further comprises a file size and a complete path of the file plus a file name.
7. The ransomware attack protection method according to claim 1, wherein said confirming that the application program accesses the current user equipment file further comprises:
judging the application program according to the application program feature library, wherein the judgment result comprises a trusted application program or an untrusted application program;
and if the judgment result is a trusted application program, allowing the application program to access the current user equipment file.
8. The method of claim 5, wherein said determining whether the current user equipment file is the identified user equipment file further comprises:
confirming whether the DPH list function is started, if so, judging whether the current user equipment file is the identification user equipment file; and if not, refusing the application program to access the current user equipment file.
9. A ransomware attack protection device, comprising:
the confirming module is used for confirming that the application program accesses the current user equipment file; the application comprises an untrusted application; the current user equipment file is an identification user equipment file; the key information for identifying the user equipment file is processed by Hash DPH; the key information comprises a file header and modification time;
the backup and recovery module is used for backing up the current user equipment file when the format of the file header of the current user equipment file is not damaged and the modification time is inconsistent with the modification time of the current user equipment file stored in the DPH list according to the judgment module;
the backup and recovery module is further configured to recover the current user equipment file according to the current user equipment file backed up in the backup list when the judging module determines that the format of the file header of the current user equipment file is damaged;
the processing module is used for giving an alarm or recording a log according to the failure of the backup and recovery module to the current user equipment file and allowing the application program to access the current user equipment file;
the processing module is further configured to deny the application program from accessing other identified user equipment files in the user equipment except the current user equipment file according to the failure of the backup and recovery module in recovering the current user equipment file;
the processing module is further configured to allow the application program to access the current user equipment file according to the success of the backup of the current user equipment file or the success of the recovery of the current user equipment file by the backup and recovery module.
10. The apparatus of claim 9, further comprising: the judging module is used for judging whether the backup and recovery functions are started or not;
the backup and recovery module is configured to, when the judging module determines that the backup and recovery function is on, and the format of the file header of the current user equipment file is not damaged, and the modification time is not consistent with the modification time of the current user equipment file stored in the DPH list, back up the current user equipment file;
and the backup and recovery module is used for determining that the backup and recovery function is started according to the judgment module, and recovering the current user equipment file according to the current user equipment file backed up in the backup list when the format of the file header of the current user equipment file is damaged.
11. The apparatus of claim 10, further comprising:
and the processing module is configured to allow the application program to access the current user equipment file when the judging module determines that the backup and restore function is on, and the format of the header of the current user equipment file is not damaged, and the modification time is consistent with the modification time of the current user equipment file stored in the DPH list.
12. The apparatus of claim 10, further comprising:
the processing module is used for allowing the application program to access the current user equipment file when the judging module confirms that the backup and recovery function is closed and the format of the file header of the current user equipment file is not damaged;
the processing module is further configured to, when the judging module determines that the backup and restore functions are closed and the format of the file header of the current user equipment file is damaged, deny the application program from accessing other identified user equipment files in the user equipment other than the current user equipment file.
13. The apparatus of claim 9, further comprising:
the judging module is used for judging whether the current user equipment file is the identification user equipment file;
the judging module is further configured to judge whether the format of the file header of the current user equipment file is damaged when the current user equipment file is determined to be the identified user equipment file;
and the processing module is used for allowing the application program to access the current user equipment file when the judging module confirms that the current user equipment file is not the identification user equipment file.
14. The apparatus according to claim 9, wherein the backup and restore module is specifically configured to store a latest changed version in the backup list according to a modification time of the current user equipment file, and modify the key information of the DPH list; wherein the key information further comprises a file size and a complete path of the file plus a file name.
15. The apparatus of claim 9, comprising:
the judging module is used for judging the application program according to the application program feature library, and the judging result comprises a trusted application program or an untrusted application program;
and the processing module is used for allowing the application program to access the current user equipment file according to the fact that the judgment result of the judgment module is a trusted application program.
16. The apparatus of claim 13, comprising:
the judging module is used for judging whether the DPH list function is started or not;
the judging module is configured to judge whether the current user equipment file is the identified user equipment file when the DPH list function is determined to be turned on;
and the processing module is used for refusing the application program to access the current user equipment file when the judging module confirms that the DPH list function is closed.
CN201810736474.0A 2018-07-06 2018-07-06 Lesso software attack protection method and device Active CN109145602B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810736474.0A CN109145602B (en) 2018-07-06 2018-07-06 Lesso software attack protection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810736474.0A CN109145602B (en) 2018-07-06 2018-07-06 Lesso software attack protection method and device

Publications (2)

Publication Number Publication Date
CN109145602A CN109145602A (en) 2019-01-04
CN109145602B true CN109145602B (en) 2020-06-02

Family

ID=64799797

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810736474.0A Active CN109145602B (en) 2018-07-06 2018-07-06 Lesso software attack protection method and device

Country Status (1)

Country Link
CN (1) CN109145602B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115168908B (en) * 2022-09-05 2022-12-06 深圳市科力锐科技有限公司 File protection method, device, equipment and storage medium
CN117077180B (en) * 2023-10-11 2024-01-26 北京安天网络安全技术有限公司 Lesu encrypted data recovery feasibility assessment and processing device, method, electronic equipment and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5832493A (en) * 1997-04-24 1998-11-03 Trimble Navigation Limited Flash file management system
CN101414299A (en) * 2008-10-20 2009-04-22 腾讯科技(深圳)有限公司 Method and apparatus for repairing composite document
CN102982121A (en) * 2012-11-12 2013-03-20 北京奇虎科技有限公司 File scanning method and file scanning device and file detecting system
CN103123675A (en) * 2013-01-24 2013-05-29 北京奇虎科技有限公司 Method and device for scanning computer virus
CN103207970A (en) * 2013-04-28 2013-07-17 北京奇虎科技有限公司 Virus file scanning method and device
CN104468664A (en) * 2013-09-18 2015-03-25 中兴通讯股份有限公司 Method and device for uploading files to cloud storage system, and method and device for downloading files from cloud storage system
CN104573518A (en) * 2015-01-23 2015-04-29 百度在线网络技术(北京)有限公司 Method, device, server and system for scanning files
CN107341371A (en) * 2017-07-04 2017-11-10 北京工业大学 A kind of script control method suitable for web configurations

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9477555B1 (en) * 2015-11-16 2016-10-25 International Business Machines Corporation Optimized disaster-recovery-as-a-service system


Also Published As

Publication number Publication date
CN109145602A (en) 2019-01-04


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant