CN112861133A - Ransomware judgment and detection method based on randomness threshold - Google Patents


Info

Publication number
CN112861133A
Authority
CN
China
Prior art keywords
randomness
file
files
detection
software
Legal status
Pending
Application number
CN202110188775.6A
Other languages
Chinese (zh)
Inventor
韩玮
李继红
王冬梅
熊雪
胡艺萌
Current Assignee
Zhixun Password Shanghai Testing Technology Co ltd
Original Assignee
Zhixun Password Shanghai Testing Technology Co ltd
Priority date
2021-02-19
Filing date
2021-02-19
Publication date
2021-05-28

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software


Abstract

A method for judging and detecting ransomware based on a randomness threshold comprises the steps of monitoring file creation operations in a system to be detected, measuring the randomness of each newly created file, judging a newly created file to be a random-data-type file when the randomness measurement result exceeds a first numerical threshold, counting the number of random-data-type files, and judging that a ransomware attack is occurring in the system to be detected when the number of random-data-type files exceeds a second numerical threshold. The invention can monitor the generation of large numbers of random files in a short time while occupying few system resources, reduce the risk of files on storage being damaged by ransomware, and improve the security of the information system.

Description

Ransomware judgment and detection method based on randomness threshold
Technical Field
The invention relates to a technology in the field of information security, in particular to a ransomware judgment and detection method based on a randomness threshold.
Background
Ransomware is malicious code that encrypts files in an information system and then destroys the original files. After the user's files are encrypted, the attacker may extort the victim in various forms. Only after the victim pays a high ransom does the attacker send the decryption key to the victim so that the victim can restore the original files. Ransomware propagates in a similar way to a common computer virus: through the Internet, enterprise intranets and portable mobile storage media, and also through the Internet of Things, industrial control networks, mobile communication networks and the like. The conventional methods for detecting ransomware have the following defects: traditional signature-based detection by antivirus software has a high recognition rate for known ransomware, but has difficulty recognizing ransomware variants or new, unknown ransomware; a legitimate-software whitelist or ransomware blacklist restricts execution to legitimate programs or processes, but when the list is incomplete, ransomware can escape detection; honeypot bait techniques detect by observing whether a bait file is tampered with, but when the bait file type is not within the range of file types the ransomware encrypts, the ransomware cannot be detected; sandbox or virtual machine techniques virtualize file encryption and deletion operations and detect by monitoring abnormal file operations, but a sandbox or virtual machine deployed only to detect ransomware consumes a large amount of system resources, which is difficult to afford on industrial control systems, Internet of Things sensor nodes and mobile intelligent terminals with limited software and hardware resources; monitoring of file deletion operations detects by judging whether abnormal file deletion occurs, but when the ransomware does not delete the original file and instead overwrites part or all of the original content with other data, the ransomware cannot be detected.
Disclosure of Invention
Aiming at the defects in the prior art, the invention provides a ransomware judgment and detection method based on a randomness threshold, which can monitor the behavior of generating random files on a large scale in a short time while occupying few system resources, reduce the risk of files on storage being damaged by ransomware, and improve the security of the information system.
The invention is realized by the following technical scheme:
The invention relates to a method for judging and detecting ransomware based on a randomness threshold, which comprises the steps of monitoring file creation operations in a system to be detected, measuring the randomness of each newly created file, marking a newly created file as a random-data-type file when the result of the randomness measurement exceeds a first numerical threshold, counting the number of random-data-type files, and judging that a ransomware attack is occurring in the system to be detected when the number of random-data-type files exceeds a second numerical threshold.
The monitoring of file creation operations is implemented using, but not limited to, a file hook technique.
The randomness measurement is implemented using, but not limited to, the monobit frequency test, block frequency test, runs test, poker test and autocorrelation test; these five randomness tests are implemented according to the methods defined in the national standard GB/T 32915-2016 (Information security technology: randomness detection method for binary sequences).
The randomness measurement measures the randomness of all or part of the file contents, and preferably proceeds as follows: when the file size does not exceed 128000 bytes (this value can be adjusted according to the average file size on the storage medium), the randomness measurement is performed on the whole file content; when the file size exceeds 128000 bytes, a segment of 128000 bytes is taken from a random position in the file and the randomness measurement is performed on that segment.
The counting of random-data-type files is as follows: when the number of random-data-type files newly created within the monitoring period exceeds the second numerical threshold, it is judged that a ransomware attack is currently occurring.
The first numerical threshold is Int(number of randomness tests ÷ 2), where Int() denotes the integer part.
For example, with 5 tests, the first numerical threshold is Int(5 ÷ 2) = Int(2.5) = 2.
The second numerical threshold is related to the number of files that can be generated on the disk per unit time, and the preferred estimation method is: disk write speed × detection period ÷ average disk file size.
For example: the write speed of a 7200 rpm mechanical hard disk is generally 100 megabytes/second and that of an SSD is generally 200 megabytes/second. With a detection period of 1 minute and an average disk file size of 30 megabytes, the second numerical threshold for the mechanical hard disk is 100 × 60 ÷ 30 = 200, and for the SSD it is 200 × 60 ÷ 30 = 400.
The monitoring period is preferably measured in minutes, with one detection per minute.
Technical effects
The invention as a whole overcomes the inability of the prior art to detect and judge ransomware; compared with the prior art, the invention adopts a completely new detection idea: the ransomware detection method is based on an unavoidable behavioral characteristic of ransomware (user files are necessarily encrypted), and can detect both known and unknown ransomware solely from the characteristic that encrypted files have strong randomness, without knowing in advance the encryption algorithm or encryption mode used by the ransomware.
The method does not use software signatures and does not need a signature library to be updated; it does not use a software or process blacklist or whitelist, avoiding missed detections caused by incomplete lists; it does not use decoy files, avoiding the problem that an alarm is not triggered in time when the decoy file types are too few and fall outside the range of file types attacked by the ransomware; it does not use sandbox or virtual machine technology to detect ransomware, and so occupies fewer system resources than schemes that use those technologies; and it does not take file deletion as one of the detection bases, so even if the ransomware destroys the original file by overwriting part or all of its content, the ransomware cannot escape detection.
Drawings
FIG. 1 is a schematic flow chart of the present invention.
Detailed Description
As shown in FIG. 1, the present embodiment relates to a method for detecting ransomware, which includes the following steps:
Step S101: whether file creation occurs in the file system on the storage medium is monitored through a file hook technique.
Step S102: when a file creation occurs, the name and path of the file being created and the name of the program creating the file are recorded.
Step S103: after the file is created, a randomness measurement is performed on part or all of the file contents.
For example: when the file size does not exceed 128000 bytes, the randomness measurement is performed on the whole file content; when the file size exceeds 128000 bytes, a segment of 128000 bytes is taken from a random position in the file and the randomness measurement is performed on that segment.
The dimensions (tests) of the randomness measurement can be selected as required, and the first number threshold can also be set as required.
For example: the randomness measurement can use the 5 dimensions of the monobit frequency test, block frequency test, runs test, poker test and autocorrelation test, and the numerical index of the randomness significance level (the p-value) of the data under test is calculated in each dimension. When the calculated significance level index is greater than or equal to 0.01, the randomness in that dimension is considered qualified (the test is passed). The first number threshold is set to the largest integer less than or equal to half the number of dimensions, which is 2 when randomness is measured in 5 dimensions.
Step S104: when the number of qualified dimensions in the randomness measurement result exceeds the first number threshold, the file is judged to be a random-data-type file.
For example: when the randomness significance level indices of the data under test are calculated in the 5 dimensions of the monobit frequency test, block frequency test, runs test, poker test and autocorrelation test, the file under test is judged to be a random-data-type file if the randomness is qualified in at least 3 dimensions.
Step S105: when the number of random-data-type files newly created within the monitoring period exceeds the second number threshold, it is judged that a ransomware attack is currently occurring.
The duration of the monitoring period can be preset or dynamically adjusted. The second number threshold can also be set as required.
For example: the monitoring period is set to 1 minute and the second number threshold to 200. If 215 random-data-type files are observed to be newly created on the mechanical hard disk within the monitoring period, the second number threshold is exceeded and a ransomware attack is judged to be occurring.
Step S106: the program that created the random-data-type files is judged to be ransomware, and optionally an alarm notification or network disconnection is further performed.
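The second-threshold estimate (disk write speed × period ÷ average file size) and the per-period counting and program attribution of Steps S105 and S106, as an added example that is not the patent's code. The disk figures are the patent's worked example (100 MB/s, 1 minute, 30 MB, threshold 200); the program names, paths and event timings are constructed, and each event is assumed to arrive with the Step S104 verdict already attached.

```python
from collections import Counter

def second_threshold(write_speed_mb_s: float, period_s: int, avg_file_mb: float) -> int:
    """Patent estimate: disk write speed x detection period / average file size,
    i.e. roughly the most files the disk could write in one monitoring period."""
    return int(write_speed_mb_s * period_s / avg_file_mb)

class RandomFileMonitor:
    """Counts random-data-type files created per monitoring period (Step S105) and,
    when the second threshold is exceeded, names the program behind most of them (S106)."""

    def __init__(self, period_s: int, threshold: int):
        self.period_s, self.threshold = period_s, threshold
        self.period_id = None        # index of the period currently being counted
        self.creators = Counter()    # random-type files per creating program, this period
        self.alerted = None          # period that has already raised an alert
        self.alerts = []             # (period_id, program, its files, total files)

    def on_file_created(self, ts: float, path: str, program: str, is_random: bool):
        """Fed by the file-creation hook (S101/S102) together with the S104 verdict;
        returns the alert tuple the first time a period crosses the threshold."""
        period_id = int(ts // self.period_s)
        if period_id != self.period_id:         # a new period: restart the count
            self.period_id, self.creators = period_id, Counter()
        if not is_random:                       # ordinary files never count
            return None
        self.creators[program] += 1
        total = sum(self.creators.values())
        if total > self.threshold and self.alerted != period_id:
            self.alerted = period_id
            program, count = self.creators.most_common(1)[0]
            self.alerts.append((period_id, program, count, total))
            return self.alerts[-1]
        return None

def simulate(suspect_files: int, program: str = "suspect.exe") -> list:
    """Constructed one-minute event stream on the patent's mechanical disk (threshold
    200): a few archives (compressed data also looks random), ordinary documents, then
    `suspect_files` random-data-type files written by a constructed program name."""
    mon = RandomFileMonitor(period_s=60, threshold=second_threshold(100, 60, 30))
    for i in range(5):
        mon.on_file_created(i, f"/data/backup{i}.zip", "archiver.exe", True)
    for i in range(40):
        mon.on_file_created(5 + i * 0.1, f"/data/doc{i}.txt", "editor.exe", False)
    for i in range(suspect_files):
        mon.on_file_created(10 + i * 0.2, f"/data/doc{i}.txt.locked", program, True)
    return mon.alerts
```

In the patent's own experiment 30% of ordinary system files already passed the randomness measurement, so a single file's verdict is not an indicator; only the count per period is, and legitimately written compressed or encrypted files (archives, backups) contribute to that count.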
In this embodiment, on a computer running a 64-bit Windows 10 operating system, 547 files were randomly selected under the directory C:\Windows\SysWOW64. In mode 1), the randomness measurement was performed directly on the files: 165 files passed the measurement and 382 did not, a pass rate of 30%. In mode 2), the files were first encrypted with AES, the encryption algorithm most commonly used by ransomware, and then measured: 306 files passed the measurement and 241 did not, a pass rate of 56%, i.e. more than half.
According to this simulation experiment, in which the randomness measurement was performed on the unencrypted and the encrypted files respectively, the comparison shows that encryption raised the randomness pass rate of the file set by 26% (from 30% to 56%), so detecting ransomware through its encryption behavior by means of randomness measurement is effective.
The foregoing embodiments may be modified in many different ways by those skilled in the art without departing from the spirit and scope of the invention, which is defined by the appended claims and all changes that come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.

Claims (9)

1. A method for judging and detecting ransomware based on a randomness threshold, characterized in that file creation operations are monitored in a system to be detected, randomness measurement is performed on the newly created files, a newly created file is judged to be a random-data-type file when its randomness measurement result exceeds a first numerical threshold, the number of random-data-type files is counted, and a ransomware attack is judged to be occurring in the system to be detected when the number of random-data-type files exceeds a second numerical threshold.
2. The method as claimed in claim 1, wherein the monitoring of file creation operations is performed by a file hook technique.
3. The ransomware judgment and detection method based on a randomness threshold as claimed in claim 1, wherein the randomness measurement is implemented by the monobit frequency test, block frequency test, runs test, poker test and autocorrelation test.
4. The method as claimed in claim 1 or 3, wherein the randomness measurement measures the randomness of all or part of the file contents.
5. The method of claim 4, wherein the randomness measurement is performed on the whole file content when the file size does not exceed 128000 bytes; when the file size exceeds 128000 bytes, a segment of 128000 bytes is taken from a random position in the file and the randomness measurement is performed on that segment.
6. The method as claimed in claim 1, wherein counting the number of random-data-type files comprises: when the number of random-data-type files newly created within the monitoring period exceeds the second numerical threshold, judging that a ransomware attack is currently occurring.
7. The method of claim 1, wherein the first numerical threshold is Int(number of randomness tests ÷ 2), where Int() denotes the integer part.
8. The method as claimed in claim 1, wherein the second numerical threshold is related to the number of files that can be generated on the disk per unit time, and is estimated as: disk write speed × detection period ÷ average disk file size.
9. The method as claimed in claim 6, wherein the monitoring period is in minutes and one detection is performed per minute.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110188775.6A CN112861133A 2021-02-19 2021-02-19 Ransomware judgment and detection method based on randomness threshold


Publications (1)

Publication Number Publication Date
CN112861133A true CN112861133A (en) 2021-05-28

Family

ID=75988201


Country Status (1)

Country Link
CN (1) CN112861133A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108932428A * 2017-05-25 2018-12-04 腾讯科技(深圳)有限公司 Ransomware processing method, apparatus, device and readable storage medium
CN110502894A * 2018-05-18 2019-11-26 阿里巴巴集团控股有限公司 Method, device and system for recognizing operation behavior
US20200097650A1 * 2018-09-26 2020-03-26 EMC IP Holding Company LLC Enterprise Non-Encryption Enforcement And Detection of Ransomware
US20200097653A1 * 2018-09-26 2020-03-26 Mcafee, Llc Detecting ransomware
CN111919427A * 2018-03-30 2020-11-10 微软技术许可有限责任公司 Account-level identification of services affected by ransomware


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210528