CN112906001B - Linux lasso virus prevention method and system - Google Patents


Info

Publication number: CN112906001B
Authority: CN (China)
Prior art keywords: file, area, backup, files, module
Legal status: Active
Application number: CN202110275566.5A
Other languages: Chinese (zh)
Other versions: CN112906001A (en)
Inventors: 陆天和, 朱成晨, 朱天杰, 王绍源, 刘功申
Current assignee: Shanghai Jiaotong University
Original assignee: Shanghai Jiaotong University

Events:
Application filed by Shanghai Jiaotong University
Priority to CN202110275566.5A
Publication of CN112906001A
Application granted
Publication of CN112906001B
Legal status: Active

Classifications

    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems › G06F21/55 Detecting local intrusion or implementing counter-measures › G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements › G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements › G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F11/00 Error detection; Error correction; Monitoring › G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance › G06F11/14 Error detection or correction of the data by redundancy in operation › G06F11/1402 Saving, restoring, recovering or retrying › G06F11/1446 Point-in-time backing up or restoration of persistent data › G06F11/1448 Management of the data involved in backup or backup restore
    • G06F11/1446 Point-in-time backing up or restoration of persistent data › G06F11/1458 Management of the backup or restore process › G06F11/1469 Backup restoration techniques

Abstract

The invention provides a system and method for preventing Linux ransomware, comprising: a trapping module, which monitors the files of a honeypot area and, when it finds that a process performs an operation on a honeypot file, detects and compares the file characteristics of the current honeypot files, judges whether the current process is a threat, stops the related process when the threat is confirmed, and promptly reports alarm information to the front-end platform; a backup module, which backs up modified files in a selected area so that files can be recovered after a Linux ransomware attack; and a scanning module, which scans the selected area for files suspected of having been attacked by ransomware and reports the result to the user. The detection rate, false alarm rate and accuracy of the method were compared with those of the traditional honeypot-file detection method, showing that the method can accurately detect encrypting ransomware.

Description

Linux lasso virus prevention method and system
Technical Field
The invention relates to the technical field of virus prevention, in particular to a method and system for preventing Linux ransomware (rendered "lasso virus" in the machine translation of the title), and more particularly to a method for realizing Linux ransomware prevention software.
Background
Ransomware is a malicious class of computer virus that has emerged in recent years; it is mainly spread through e-mail, trojanized programs and drive-by downloads from compromised web pages. When a user's computer is infected, the ransomware encrypts important files on the system and holds their decryption hostage; the encryption it uses cannot be cracked, so the victim can only give up the files or pay a high ransom.
Ransomware mainly has the following characteristics:
Ransomware on Windows operating systems typically propagates through vulnerabilities exposed on port 445. Port 445 is a common TCP port with high access privileges; once ransomware obtains access to port 445 it can easily reach shared folders or shared printers in the local area network and thereby spread.
After ransomware invades a server or host, it encrypts the files on the hard disk. Ransomware generally encrypts files with the AES algorithm and then encrypts the key with RSA; there is still no effective way to decrypt this scheme, and brute-force decryption would often take millions of years.
Ransomware is a worm: it has all the characteristics of common worms, can replicate and propagate itself, can be updated into new variants over the network, and spreads quickly.
Ransomware encrypts files in one of three ways: first, copying the file to be encrypted, encrypting the copy and finally deleting the original; second, writing the encrypted content directly into the original file; third, writing the encrypted content to a temporary file and then overwriting the original with it. The file types most frequently attacked at present are PDF, ODT, DOCX, XLS, JPG and the like.
At present the main defense against ransomware is signature-based detection and protection: on the basis of analysing malicious samples, signatures are extracted and then compared to judge whether a file is a known ransomware.
This defense can only detect known ransomware; for new ransomware it is extremely difficult to obtain a signature before the outbreak, and the signature library grows with the number of ransomware samples until performance is seriously degraded.
Thus this detection-and-removal scheme only works for known ransomware; new or variant ransomware cannot be detected by matching signatures in the virus library. If an unknown ransomware is already running on the user's system, removing it afterwards cannot recover the files it has encrypted, so this defense has limited effectiveness. To avoid the loss caused by encryption of important files, the current practice is for the user to back up important files actively at regular or irregular intervals so that they can be recovered when encrypted, reducing the loss.
The existing approach closest to the idea of the invention is the ransomware protection function of the Windows 10 Security Center. According to its published principle, it restricts access to folders so that unfriendly applications cannot make unauthorized changes to files, folders and memory areas on the device, and its ransomware data recovery uses Microsoft's OneDrive to back up important data so that files can be recovered after a ransomware attack.
However, the ransomware protection of the Windows 10 Security Center is specific to the Windows operating system and, for copyright and other reasons, is closed source; it resembles the present invention only in its effect, not in its technical route.
The invention is aimed at the Linux system and is pioneering work in that respect.
Patent document CN107480527A (application No. 201710655812.3) discloses a ransomware prevention method and system: a bait file is created in the system and monitored in real time; if the bait file is searched and written by the same process, the program corresponding to that process is marked as suspected ransomware; programs so marked are prevented from writing to any file.
Patent document CN106096397A (application No. 201610362406.3) discloses a ransomware prevention method and system: at least one decoy file matching the file types the ransomware encrypts is constructed and inserted into the original file sequence of the disk to be protected; whether the decoy file changes is judged; and when it has changed, the preset operations on the protected disk are prohibited. The method exploits the fact that ransomware must traverse the disk to find file types suitable for encryption; by constructing decoy files of those types, placing them in the disk's file sequence and monitoring them, it gives early warning of ransomware and protects the other files on the disk. Its warning accuracy is high, it can detect both known and unknown ransomware because it targets an unavoidable general behaviour of ransomware, and the disk space taken by the decoy files is almost negligible.
The functions of the invention include trapping, backup and scanning. Ransomware is identified by computing information entropy; when ransomware is observed modifying a file, the file is backed up to a safe area built by mounting a disk, and the user then decides whether to recover it. This realizes real-time monitoring and prevention of ransomware and protects the user's data. The main functions of the invention are as follows:
1. A file-monitoring program that uses the information entropy of files to monitor changes in the trap area and kills processes judged to be malicious.
2. A disk safe area: a safe area that ransomware cannot access, built with disk mounting, for secure storage of backup files.
3. A backup program that, when a dangerous operation is performed on files in the target directory, temporarily mounts the mount point, backs up the files and writes them into the mounted area.
4. A scanning program that scans the file characteristics of the whole disk or of a critical area to find potential ransomware threats.
5. Auxiliary functions: a user-facing visual page so that ordinary users can use the ransomware protection.
Disclosure of Invention
In view of the defects of the prior art, the invention aims to provide a Linux ransomware prevention system and method.
The invention provides a Linux ransomware prevention system, comprising:
a trapping module: monitors the honeypot area files; when it finds that a process performs an operation on a honeypot file, it detects and compares the file characteristics of the current honeypot files, judges whether the current process is a threat, stops the related process when the threat is confirmed, and promptly reports alarm information to the front-end platform.
Preferably, the system further comprises a backup module: backs up modified files in the selected area so that files can be recovered after a Linux ransomware attack.
Preferably, the system further comprises a scanning module: scans the selected area for files suspected of having been attacked by ransomware and reports the result to the front-end platform.
Preferably, the trapping module comprises:
trap module M1: sets the honeypot file path and generates the honeypot area files;
trap module M2: when the trapping module is started for the first time, examines the current honeypot directory, calculates the mean information entropy and stores it;
trap module M3: starts the watchdog library and continuously monitors the honeypot files, judging whether any of the relevant operations occurs: a file in the directory is moved, a new file is created in the directory, a file in the directory is deleted and/or a file in the directory is modified; if so, it detects and compares the file characteristics of the current honeypot files;
trap module M4: judges from the detected and compared file characteristics whether the current process is a threat; when the threat is confirmed it promptly reports alarm information to the front-end platform and obtains the process tree of the dangerous program with the psutil library in order to kill it.
Preferably, the mean information entropy in trap module M2 is calculated as follows:
[The three equations (the mean information entropy; the composite entropy E'_j of the jth file; the information entropy of the header and of the remainder of the jth file) appear as images in the original and are not reproduced here.]
where: the mean information entropy (its symbol is rendered as an image in the original) is the average over the honeypot files; E'_j is the composite information entropy of the jth file, combining the information entropy of the file header with that of the rest of the file; m is the total number of files in the honeypot area; the scaling factor (also rendered as an image) weights the header against the rest of the file; E_j1 is the information entropy of the header of the jth file; E_j2 is the information entropy of the remainder of the jth file; p_ji is the probability of the ith symbol in the jth file; and n_j1, n_j2 are the numbers of distinct symbols present in the header and in the remainder of the jth file.
Preferably, the detection and comparison of the file characteristics of the current honeypot area in trap module M3 comprises:
calculating the mean information entropy of the current directory, comparing it with the mean information entropy calculated when the trapping module was first started, and deciding that the current process is a threat when the difference exceeds a preset value;
detecting the suffixes of the files in the directory, and confirming that the current process is a threat when an unidentified suffix is found;
detecting whether any single file in the directory has a duplicate, and confirming that the current process is a threat when a duplicate exists.
Preferably, the backup module comprises:
backup module M1: the monitor program detects with the pyinotify library that a file has been accessed and checks its suffix; if the suffix is swp or swx nothing is done, otherwise a copy of the file is written to the temporary area;
backup module M2: the monitor program detects with the pyinotify library that a file has been modified or deleted and checks its suffix; if the suffix is swp or swx nothing is done, otherwise the temporary area is checked, and if a copy exists there it is written to the backup area with the original directory structure preserved;
backup module M3: a file that is not seen to be modified or deleted within a preset time after being accessed is judged not to need backup, and the monitoring process automatically clears such timed-out files from the temporary area;
backup module M4: when files attacked by Linux ransomware need to be restored, all files in the backup area are read into the restore area according to the original structure, and the required files are selected for restoration.
Preferably, backup module M4 copies the file to be restored from the backup area to the restore path using the shutil library.
Preferably, the size of the backup area is determined from the distribution density of the trap files, so that during a Linux ransomware attack the backup area can hold every file the ransomware encrypts before it is caught by the trapping module.
The invention also provides a method for preventing Linux ransomware, comprising the following steps:
a trapping step: monitoring the honeypot area files with the trapping module; when a process is found to perform an operation on a honeypot file, detecting and comparing the file characteristics of the current honeypot files, judging whether the current process is a threat, stopping the related process when the threat is confirmed, and promptly reporting alarm information to the front-end platform;
a backup step: backing up modified files in the selected area so that files can be recovered after a Linux ransomware attack;
a scanning step: scanning the selected area for files suspected of having been attacked by ransomware and reporting the result to the front-end platform.
Compared with the prior art, the invention has the following beneficial effects:
1. Stable operation and discovery of unknown viruses: at present ransomware detection is of two kinds, static and dynamic. Static detection matches signatures in a captured application against a signature library to judge whether it is ransomware; the signatures must be analysed manually and added to the library, which is laborious, and newly appearing ransomware cannot be identified. The invention uses dynamic monitoring based on file characteristics, which avoids manual signature entry and can identify new ransomware, so the software works more stably;
2. Accurate identification with a low false alarm rate: traditional dynamic detection consists mainly of two methods, setting honeypot files and monitoring system operations; both are coarse and find it hard to distinguish user activity, normal program operation and malware operation. To solve the excessive false alarm rate caused by such coarse-grained detection, the invention uses dynamic monitoring based on file characteristics: the threat level of the current system is calculated quantitatively from data such as the information entropy of the honeypot files before and after a sample executes, to judge whether the system is under attack by encrypting ransomware. In tests, the detection rate, false alarm rate and accuracy of the method were compared with those of the traditional honeypot-file detection method, showing that the method can accurately detect encrypting ransomware;
3. Suitable for the Linux operating system: the method targets the Linux platform for two main reasons: first, there is little comprehensive ransomware prevention software for Linux; second, domestic (Chinese) operating systems are mainly based on the Linux kernel, so they can be better supported.
Drawings
Other features, objects and advantages of the invention will become more apparent on reading the detailed description of non-limiting embodiments with reference to the following drawings:
FIG. 1 is a sequence diagram of ransomware operating on a file;
FIG. 2 is the overall structure diagram of the Linux ransomware prevention system;
FIG. 3 shows the operation of the trapping module;
FIG. 4 is the file backup flow diagram;
FIG. 5 is the scanning module workflow.
Detailed Description
The present invention will be described in detail with reference to specific examples. The following examples will help those skilled in the art understand the invention further but are not intended to limit it in any way. Those skilled in the art will appreciate that various changes and modifications can be made without departing from the spirit of the invention; all of these fall within the scope of the invention.
Example 1
The invention provides a Linux ransomware prevention system, comprising:
a trapping module: monitors the honeypot area files; when it finds that a process, whether Linux ransomware or a non-malicious process, performs an operation on a honeypot file, it detects and compares the file characteristics of the current honeypot files, judges whether the current process is a threat, stops the related process when the threat is confirmed, and promptly reports alarm information to the front-end platform;
Specifically, the system further comprises a backup module: backs up modified files in the area selected by the user (the area the user wishes to protect) so that files can be recovered after a Linux ransomware attack; the size of the selected area may be determined by the number of files the user wishes to protect.
Specifically, the system further comprises a scanning module: scans the selected area for files suspected of having been attacked by ransomware and reports the result to the user.
The scanning module judges whether a file may have been encrypted by ransomware from the file suffixes that known ransomware generates. It can be started manually by the user at any time; once started, it scans the files in the area selected by the user and judges whether they may have been modified by ransomware.
In particular, the trapping module comprises:
trap module M1: sets the honeypot file path and generates the honeypot area files;
trap module M2: when the trapping module is started for the first time, examines the current honeypot directory, calculates the mean information entropy and stores it;
trap module M3: starts the watchdog library and continuously monitors the honeypot files, judging whether any of the relevant operations occurs: a file in the directory is moved, a new file is created in the directory, a file in the directory is deleted and/or a file in the directory is modified; if so, it detects and compares the file characteristics of the current honeypot files;
trap module M4: judges from the detected and compared file characteristics whether the current process is a threat; when the threat is confirmed it promptly reports alarm information to the front-end platform and obtains the process tree of the dangerous program with the psutil library in order to kill it.
Specifically, the mean information entropy in trap module M2 is calculated as follows:
[The three equations (the mean information entropy; the composite entropy E'_j of the jth file; the information entropy of the header and of the remainder of the jth file) appear as images in the original and are not reproduced here.]
where: the mean information entropy (its symbol is rendered as an image in the original) is the average over the honeypot files; E'_j is the composite information entropy of the jth file, combining the information entropy of the file header with that of the rest of the file; m is the total number of files in the honeypot area;
the scaling factor (also rendered as an image) weights the header against the rest of the file: the software uses the value 0.643, which can be adjusted from statistics on the program's running effect; the larger the value, the more weight the file header receives; its range is 0 to 1, but to strengthen the influence of the header it is set above 0.5; the header size used by the software is 45 bytes, which can be changed according to the actual header size of the files; E_j1 is the information entropy of the header of the jth file; E_j2 is the information entropy of the remainder of the jth file (everything except the header); p_ji is the probability of the ith symbol in the jth file, where every 8 bits is taken as one symbol, so there are 2^8 = 256 possible symbols; n_j1, n_j2 are the numbers of distinct symbols present in the header and in the remainder of the jth file (of the 256 possible symbols some may not occur; for those p_i = 0 and the logarithm is undefined, so only symbols that occur are counted).
Specifically, the detection and comparison of the file characteristics of the current honeypot area in trap module M3 comprises:
calculating the mean information entropy of the current directory, comparing it with the mean information entropy calculated when the trapping module was first started, and deciding that the current process is a threat when the difference exceeds a preset value;
detecting the suffixes of the files in the directory, and confirming that the current process is a threat when an unidentified suffix is found; the suffixes used when the honeypot area files are created are docx, txt, pdf, doc and odt, so any other suffix is treated as unidentified;
detecting whether any single file in the directory has a duplicate, and confirming that the current process is a threat when a duplicate exists.
Specifically, the backup module comprises:
backup module M1: the monitor program detects with the pyinotify library that a file in the protected area has been accessed and checks its suffix; if the suffix is swp or swx nothing is done, otherwise a copy of the file is written to the temporary area;
backup module M2: the monitor program detects with the pyinotify library that the file has been modified or deleted and checks its suffix; if the suffix is swp or swx nothing is done, otherwise the temporary area is checked, and if a copy exists there it is written to the backup area with the original directory structure preserved;
backup module M3: a file that is not seen to be modified or deleted within a preset time after being accessed is judged not to need backup, and the monitoring process automatically clears such timed-out files from the temporary area;
backup module M4: when files attacked by Linux ransomware need to be restored, all files in the backup area are read into the restore area according to the original structure, and the required files are selected for restoration.
Specifically, backup module M4 copies the file to be restored from the backup area to the restore path using the shutil library.
Specifically, the size of the backup area is determined from the distribution density of the trap files, so that during a Linux ransomware attack the backup area can hold every file the ransomware encrypts before it is caught by the trapping module.
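The backup flow of modules M1 to M4 in Python, as an added example that is not the patent's own implementation: the pyinotify event source is replaced by explicit on_access / on_modify_or_delete calls so the logic runs without inotify, copies are made with shutil as the page describes, and the timeout value, directory names and sample file contents are assumptions.

```python
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional

SKIPPED_SUFFIXES = {".swp", ".swx"}   # editor scratch files the page excludes from backup


class BackupMonitor:
    """Backup modules M1-M4; explicit calls stand in for the pyinotify events."""

    def __init__(self, protected, temp_area, backup_area, timeout_s: float = 5.0):
        self.protected = Path(protected).resolve()
        self.temp_area = Path(temp_area)
        self.backup_area = Path(backup_area)
        self.temp_area.mkdir(parents=True, exist_ok=True)
        self.backup_area.mkdir(parents=True, exist_ok=True)
        self.timeout_s = timeout_s               # the page's "preset time"; value assumed
        self._pending: Dict[Path, float] = {}    # relative path -> time of the access event

    def _rel(self, path) -> Path:
        return Path(path).resolve().relative_to(self.protected)

    def on_access(self, path) -> bool:
        """M1: a file was accessed -> copy it into the temporary area (unless swp/swx)."""
        p = Path(path)
        if p.suffix.lower() in SKIPPED_SUFFIXES or not p.is_file():
            return False
        rel = self._rel(p)
        dst = self.temp_area / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, dst)
        self._pending[rel] = time.monotonic()
        return True

    def on_modify_or_delete(self, path) -> bool:
        """M2: promote the temporary copy into the backup area, keeping the directory structure."""
        p = Path(path)
        if p.suffix.lower() in SKIPPED_SUFFIXES:
            return False
        rel = self._rel(p)
        src = self.temp_area / rel
        if not src.is_file():
            return False  # never accessed first, or already expired: nothing to promote
        dst = self.backup_area / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dst))
        self._pending.pop(rel, None)
        return True

    def expire(self, now: Optional[float] = None) -> List[Path]:
        """M3: drop temporary copies whose file was not modified or deleted in time."""
        now = time.monotonic() if now is None else now
        expired = [rel for rel, t in self._pending.items() if now - t > self.timeout_s]
        for rel in expired:
            (self.temp_area / rel).unlink(missing_ok=True)
            del self._pending[rel]
        return expired

    def backed_up(self) -> List[str]:
        return sorted(p.relative_to(self.backup_area).as_posix()
                      for p in self.backup_area.rglob("*") if p.is_file())

    def restore(self, rel: str, restore_area) -> Path:
        """M4: copy one file from the backup area to the restore area with shutil."""
        dst = Path(restore_area) / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(self.backup_area / rel, dst)
        return dst


def demo() -> dict:
    """One access -> overwrite-in-place -> restore cycle in a throwaway directory."""
    root = Path(tempfile.mkdtemp())
    protected = root / "protected"
    (protected / "docs").mkdir(parents=True)
    original = b"quarterly figures (constructed sample)"
    report = protected / "docs" / "report.docx"
    report.write_bytes(original)
    mon = BackupMonitor(protected, root / "temp", root / "backup", timeout_s=5.0)

    swp_copied = mon.on_access(protected / "docs" / ".report.docx.swp")  # skipped: swp
    copied = mon.on_access(report)               # copy lands in the temporary area
    report.write_bytes(b"\x93\x1f\xa7" * 12)     # the file is overwritten in place
    promoted = mon.on_modify_or_delete(report)   # temporary copy moves to the backup area
    restored = mon.restore("docs/report.docx", root / "restore")

    note = protected / "docs" / "note.txt"
    note.write_bytes(b"untouched")
    mon.on_access(note)
    expired = mon.expire(now=time.monotonic() + 60)   # simulate the timeout elapsing

    result = {"swp_copied": swp_copied, "copied": copied, "promoted": promoted,
              "backed_up": mon.backed_up(),
              "restored_matches": restored.read_bytes() == original,
              "expired": [r.as_posix() for r in expired],
              "temp_left": sorted(p.name for p in (root / "temp").rglob("*") if p.is_file())}
    shutil.rmtree(root)
    return result
```

Running demo() shows the swp file skipped, the pre-modification copy promoted to the backup area under its original docs/ path, a byte-exact restore, and the untouched note expiring out of the temporary area.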
The invention also provides a method for preventing Linux ransomware, comprising the following steps:
a trapping step: monitoring the honeypot area files with the trapping module; when a process, whether Linux ransomware or a non-malicious process, is found to perform an operation on a honeypot file, detecting and comparing the file characteristics of the current honeypot files, judging whether the current process is a threat, stopping the related process when the threat is confirmed, and promptly reporting alarm information to the front-end platform;
Specifically, the method further comprises a backup step: backing up modified files in the area selected by the user (the area the user wishes to protect) so that files can be recovered after a Linux ransomware attack; the size of the selected area may be determined by the number of files the user wishes to protect.
Specifically, the method further comprises a scanning step: scanning the selected area for files suspected of having been attacked by ransomware and reporting the result to the user.
The scanning step judges whether a file may have been encrypted by ransomware from the file suffixes that known ransomware generates. The scanning module can be started manually by the user at any time; once started, it scans the files in the area selected by the user and judges whether they may have been modified by ransomware.
Specifically, the trapping step comprises:
trapping step M1: setting the honeypot file path and generating the honeypot area files;
trapping step M2: when the trapping module is started for the first time, examining the current honeypot directory, calculating the mean information entropy and storing it;
trapping step M3: starting the watchdog library and continuously monitoring the honeypot files, judging whether any of the relevant operations occurs: a file in the directory is moved, a new file is created in the directory, a file in the directory is deleted and/or a file in the directory is modified; if so, detecting and comparing the file characteristics of the current honeypot files;
trapping step M4: judging from the detected and compared file characteristics whether the current process is a threat; when the threat is confirmed, promptly reporting alarm information to the front-end platform and obtaining the process tree of the dangerous program with the psutil library in order to kill it.
Specifically, the average information entropy of trapping step M2 is computed as:

$$\bar{E} = \frac{1}{m}\sum_{j=1}^{m} E'_j$$

$$E'_j = \alpha\,E_{j1} + (1-\alpha)\,E_{j2}$$

$$E_{j1} = -\sum_{i=1}^{n_{j1}} p_{ji}\log_2 p_{ji}, \qquad E_{j2} = -\sum_{i=1}^{n_{j2}} p_{ji}\log_2 p_{ji}$$

where $\bar{E}$ is the mean information entropy; $E'_j$ is the comprehensive information entropy of the j-th file, i.e. the weighted combination of the information entropy of the file header and of the rest of the file; m is the total number of files in the honeypot area; $\alpha$ is the scale factor: the software uses 0.643, which may be adjusted from statistics of the program's running effect; the larger it is, the more weight the file header carries; its range is 0 to 1, but to strengthen the influence of the header it is kept above 0.5; the header size used by the software is 45 bytes, which may be changed according to the header size of the actual files; $E_{j1}$ is the information entropy of the header of the j-th file; $E_{j2}$ is the information entropy of the remainder of the j-th file (everything except the header); $p_{ji}$ is the probability of the i-th symbol in the j-th file, where every 8 bits form one symbol, so there are $2^8 = 256$ possible symbols; $n_{j1}$ and $n_{j2}$ are the numbers of distinct symbols actually present in the header and in the remainder of the j-th file (of the 256 possible symbols some may be absent; an absent symbol has $p_i = 0$, for which the logarithm is undefined, so the sums run only over the symbols present).
Specifically, detecting and comparing the file characteristics of the current honeypot area in trapping step M3 includes:
calculating the average information entropy of the current directory, comparing it with the average information entropy calculated when the trapping module was first started, and confirming that the current process is a threat when the difference between the two exceeds a preset value;
checking the suffix names of the files in the directory, and confirming that the current process is a threat when an unidentified suffix is found; the suffixes used when the honeypot area files are set up are docx, txt, pdf, doc and odt, so any suffix other than these is regarded as unidentified;
and checking whether any single file in the directory has a duplicate, and confirming that the current process is a threat when a duplicate exists.
Specifically, the backup step includes:
backup step M1: the monitoring process detects, with the pyinotify library, that a file in the protected area has been accessed; it checks the suffix and does nothing when the suffix is swp or swx (editor swap files); otherwise it writes a copy of the file into the temporary area;
backup step M2: the monitoring process detects, with the pyinotify library, that the file has been modified or deleted; it checks the suffix and does nothing for swp or swx; otherwise it checks the temporary area and, if a copy is present there, writes that copy into the backup area as the backup, preserving the original directory structure;
backup step M3: a file that is not detected as modified or deleted within a preset time after being accessed is judged not to need backing up, and the monitoring process automatically clears such timed-out files from the temporary area;
backup step M4: when files attacked by Linux ransomware need to be restored, all files in the backup area are read into the restoration area with their original structure, and the files to be restored are selected as needed.
Specifically, backup step M4 includes: the restored file is copied from the backup area to the restore path with a function of the shutil library.
Specifically, as regards the backup area: its size is determined according to the distribution density of the trap files, so that when Linux ransomware attacks, the backup area can hold every file the ransomware encrypts before it is caught by the trapping module.
Example 2
Example 2 is a modification of example 1
This embodiment mainly addresses the lack of an effective ransomware protection means on current Linux operating systems, provides at the same time a method capable of defending against ransomware of unknown types, and removes the need for manual operation or networked online backup that current ransomware defences require.
A honeypot file is set up, and the change in its information entropy is used to judge whether known or unknown ransomware is present;
real-time backup is used to back up, as it happens, any file suspected of being encrypted by ransomware, storing the file content from before the modification or deletion for later recovery.
In testing, the software implementing the invention was able to defend against malware that encrypts files of any type, and to back up and restore the files to their pre-encryption state.
The front-end platform is implemented on Ubuntu 18.04 in python3. The external libraries used are: pyinotify, for monitoring file changes; shutil, for copying files and similar operations; configparser, for configuration handling; psutil, for obtaining process information; watchdog, for monitoring the state of the honeypot area; and PyQt5, for writing the graphical interface.
The system implemented by the invention comprises a front-end platform, a trapping module, a backup module and a scanning module, as shown in figures 1 and 2. The front-end platform is a GUI written in PyQt5; it contains a trap protection switch, a real-time backup switch, a threat scanning start button, the backup function settings (including the selection of the protected area), a data recovery start button and other settings, and is mainly responsible for interaction with the user. The trapping module is responsible for monitoring the trap area and promptly feeding alarm information back to the user. The backup module mainly performs backup protection of the files modified in the area selected by the user. The scanning module is responsible for scanning the selected area for files suspected to have been attacked by a ransomware program and feeding the result back to the user.
The detailed implementation is as follows:
1. The front-end platform is written with PyQt5 and runs in a Linux environment.
S1: The front-end platform provides switch buttons for four functions: trap protection, real-time backup, threat scanning and data recovery. The user enables the different function modules by clicking the corresponding control in the graphical interface.
S2: After receiving a user operation, the front-end platform calls the corresponding handler to start the corresponding module, receives the processing result from the background, and returns the operation result and any alarm information to the user.
2. Trapping protection module
S3: initializing honey pot file paths needed by the trapping protection module and honey pot files in the honey pot file paths.
S3.1: and setting a honey pot file path. One implementation method is that the user clicks the button of the module in the interactive interface and then jumps out of the input box for the user to input the honey pot file path, and if the user does not input the honey pot file path, the default path is used.
S3.2: after the honey pot file path is set, the honey pot area files are automatically and randomly generated.
Honeypot area files are files within a honeypot area (within a honeypot folder). The honeypot files are arranged with hosts, network services or information serving as baits to induce attackers to attack the hosts, so that attack behaviors can be captured and analyzed, namely, the files in the honeypot area are used for trapping Lessovirus and cannot be operated by a computer user under normal conditions, and the processes for operating the files are considered to be malicious processes of the Lessovirus, so that the malicious processes are terminated.
Honeypot files are generated under a set monitoring file path, and a process for operating the files in the honeypot files is ensured to be a malicious process according to the set honeypot file path which is ensured not to be operated theoretically.
One way to achieve this is to generate fixed files and random files.
The fixed file is written when the code of the program of the invention is written, namely, the name suffix and the content of the file are determined by an implementer. The random file is generated by selecting a generation suffix from a series of specific suffixes, selecting a generation file name from a numeric letter, and randomly selecting a generation file from a series of preset sentences as file contents according to a random number function. The random number is typically generated as a seed based on the current time.
For randomly generated files, when the generation program is called, a suffix (a suffix of a normal application program, such as docx) is randomly selected from the secure suffixes, and then file names with random lengths are generated and combined together. For the file content, in order to ensure certain orderliness and differentiation, a json file which stores a plurality of preset short sentences is used, and then the sentences in the json file are randomly combined to generate a random file. The number of the files is within the range of 5-10, so that the honeypot area is not too large, and the relative stability of the average information entropy is ensured.
S4: if the user turns on the trap function, the files of the honeypot area will be continuously monitored. Because the honeypot technology is adopted, the files in the area can not be opened, modified and the like under normal conditions. If the process operates the area, the file characteristics of the area are detected, and if the process is detected to be dangerous operation, the relevant process is terminated. And reports to the user through a front-end page, one way of implementation is popup.
S4.1: feature detection method in S4
The file characteristics comprise information entropy, file name and the like of the file. Analysis of a large number of damaged target files shows that the information entropy, the file name and the file type header identification of the encrypted files are changed to a large extent, so that the danger degree of the current system can be calculated through the 3 indexes, and whether the attack of the Lessovirus is encountered or not is judged.
S4.1.1: information entropy: the shannon proposes that the uncertainty of the information source is described by using the concept of information entropy, and after the information is encrypted, the chaos degree of the information entropy can be greatly changed, namely, the obvious difference of the information entropy is brought.
The average information entropy stored by the trapping module (S4.2 below) is computed as:

$$\bar{E} = \frac{1}{m}\sum_{j=1}^{m} E'_j$$

$$E'_j = \alpha\,E_{j1} + (1-\alpha)\,E_{j2}$$

$$E_{j1} = -\sum_{i=1}^{n_{j1}} p_{ji}\log_2 p_{ji}, \qquad E_{j2} = -\sum_{i=1}^{n_{j2}} p_{ji}\log_2 p_{ji}$$

where $\bar{E}$ is the mean information entropy; $E'_j$ is the comprehensive information entropy of the j-th file, i.e. the weighted combination of the information entropy of the file header and of the rest of the file; m is the total number of files in the honeypot area; $\alpha$ is the scale factor: the software uses 0.643, which may be adjusted from statistics of the program's running effect; the larger it is, the more weight the file header carries; its range is 0 to 1, but to strengthen the influence of the header it is kept above 0.5; the header size used by the software is 45 bytes, which may be changed according to the header size of the actual files; $E_{j1}$ is the information entropy of the header of the j-th file; $E_{j2}$ is the information entropy of the remainder of the j-th file (everything except the header); $p_{ji}$ is the probability of the i-th symbol in the j-th file, where every 8 bits form one symbol, so there are $2^8 = 256$ possible symbols; $n_{j1}$ and $n_{j2}$ are the numbers of distinct symbols actually present in the header and in the remainder of the j-th file (of the 256 possible symbols some may be absent; an absent symbol has $p_i = 0$, for which the logarithm is undefined, so the sums run only over the symbols present).
S4.1.2: file name: lexovirus generally has three operations when encrypting a file. One is to keep the original file name unchanged, the second is to add an extension name on the basis of the original file name, and the third is to adopt a random naming mode. If the normal files in the honey pot area are encrypted, multiple extensions or dangerous extensions can appear, so that the whole area is detected, and whether the file name of a file has multiple extensions or the extension of a known file encrypted by some Lecuso viruses is judged.
As shown in fig. 3, the trapping module works as follows:
S4.2: When the trapping module is started for the first time, the current honeypot directory is checked once, and the average information entropy is calculated and stored.
S4.3: The trapping module starts the watchdog library and continuously monitors the honeypot area, mainly for the following four behaviours:
(1) moved: whether a file under the directory is moved;
(2) created: whether a new file is created under the directory;
(3) deleted: whether a file under the directory is deleted;
(4) modified: whether a file under the directory is modified;
once any program performs one of these operations on the files in the honeypot directory, the watchdog handler treats it as a possible threat and triggers the detection of the honeypot area.
S4.3.1: The detection triggered in S4.3 is divided into three parts:
first, the average information entropy of the current directory is calculated and compared with the result of the previous detection; if the difference between the two is too large, the situation is judged dangerous. Experimentally, the safe entropy difference threshold was set to 0.15.
Second, the suffix names of the files in the directory are checked; if an unidentified suffix is found, an alarm is raised.
Third, it is checked whether any single file in the directory has a duplicate; if so, an alarm is raised.
S5: After detection, the result is sent to the trapping module, which raises the alarm and obtains the process tree of the dangerous program with the psutil library in order to terminate it.
3. File backup module
The module is used for continuously and actively backing up the key area selected by the user. When detecting the change of the file in the backup area, the program immediately and automatically copies the file before being modified to the backup area. The user can select the restored file according to the requirement, so that the file restoration after the attack of the lasso software is realized.
As shown in FIG. 4, a file backup flow chart
S6: and carrying out mounting initialization operation on the backup area of the file backup module. The backup area of the file backup module is realized based on Linux disk mounting, namely a part of area is divided on the disk, the area is separated from other areas under normal condition, and the backup area is immediately disconnected after short-time interaction during reading and writing so as to achieve the effect of preventing the Lesso virus infection.
The mounting method under VMware comprises the following steps: virtual machine- > setup- > add- > hard disk- > SCSI- > create a new virtual disk- > store as a single file- > complete.
After the system is restarted, the following instructions are sequentially input to perform partition operation:
fdisk/dev/sdb
m (help check)
n (creating a new partition)
1 (selection partition number)
w (write result)
Looking using instruction lsblk-f, sdb1 appears, i.e., the partition was successful.
And finally formatting: mkfs-text4/dev/sdb1
S7: backup module workflow
S7.1: writing temporary area
The monitoring process detects that the file is accessed by using a pyinotify library; checking the suffix, if swp/swx, not operating; otherwise, the file copy is written into the temporary area.
S7.2: final backup
The monitoring process detects that the file is modified/deleted by using a pyinotify library; checking for suffixes, swp/swx do not operate; otherwise, checking the temporary area, if the temporary area has a copy, writing the backup into the backup area.
S7.3: cleaning of temporary backup areas
Since the luxo software encrypts a single file on the order of seconds or even milliseconds, it is considered unnecessary to back up files that have not been detected as modified or deleted within ten seconds after access. The monitoring process will automatically clear the files that are timed out (i.e., delete). If not cleaned, the occupied space will be too large.
S7.4: when the backup area is written in, the original directory structure is reserved, when the recovery module is called, all files in the backup area are read into the recovery area according to the original structure, and a user selects corresponding files to recover according to needs. The restored file is copied from the backup area to the restored path using the method of the shutil library.
S7.5: the size of the backup area is mainly determined according to the density of the trapping files, and the backup area can contain all files encrypted by the Lesox software before the Lesox software is captured by the trapping module when the Lesox software is attacked. An alternative approach is to use disk size 1/10.
As shown in fig. 5, the scanning module workflow is as follows:
S8: Scanning detection module
The scanning detection module relies on the encryption characteristic of most existing ransomware, namely that the suffix of an encrypted file is changed to a specific value or has a suffix appended. It scans the path specified by the user, looks for files suspected to have been encrypted by a ransomware program, and feeds the result back to the user.
The module first traverses the folders and files under the specified folder and extracts a file list, then checks for dangerous and abnormal suffixes; if dangerous files are found, it notifies the user of their paths and related details, for example in a popup window.
Those skilled in the art will appreciate that, in addition to implementing the systems, apparatus, and various modules thereof provided by the present invention in purely computer readable program code, the same procedures can be implemented entirely by logically programming method steps such that the systems, apparatus, and various modules thereof are provided in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Therefore, the system, the device and the modules thereof provided by the present invention can be considered as a hardware component, and the modules included in the system, the device and the modules thereof for implementing various programs can also be considered as structures in the hardware component; modules for performing various functions may also be considered to be both software programs for performing the methods and structures within hardware components.
The foregoing description has described specific embodiments of the present invention. It is to be understood that the present invention is not limited to the specific embodiments described above, and that various changes or modifications may be made by one skilled in the art within the scope of the appended claims without departing from the spirit of the invention. The embodiments and features of the embodiments of the present application may be combined with each other arbitrarily without conflict.

Claims (6)

1. A Linux ransomware prevention system, comprising:
a trapping module: monitoring the honeypot area files with the trapping module; when a process is found to operate on a honeypot area file, detecting and comparing the file characteristics of the current honeypot area files, judging whether the current process is a threat, terminating the related process when the threat is confirmed, and promptly feeding alarm information back to the front-end platform;
a backup module: performing backup protection of the files modified in the selected area, so that the files can be recovered after a Linux ransomware attack;
the backup module includes:
backup module A1: the monitoring program detects, with the pyinotify library, that a file has been accessed; it checks the suffix and does nothing when the suffix is swp or swx; otherwise it writes a copy of the file into a temporary area;
backup module A2: the monitoring program detects, with the pyinotify library, that the file has been modified or deleted; it checks the suffix and does nothing for swp or swx; otherwise it checks the temporary area and, if a copy is present there, writes that copy into the backup area as the backup, preserving the original directory structure;
backup module A3: a file that is not detected as modified or deleted within a preset time after being accessed is judged not to need backing up, and the monitoring process automatically clears such timed-out files from the temporary area;
backup module A4: when files attacked by Linux ransomware need to be restored, all files in the backup area are read into the restoration area with their original structure, and the files to be restored are selected as needed;
the backup module A4 comprises: the restored file is copied from the backup area to the restore path with a function of the shutil library;
the backup area comprises: the size of the backup area is determined according to the distribution density of the trap files, so that when Linux ransomware attacks, the backup area can hold every file the ransomware encrypts before it is caught by the trapping module.
2. The Linux ransomware prevention system of claim 1, further comprising a scanning module: scanning the selected area for files suspected to have been attacked by a ransomware program, and feeding the scanning result back to the front-end platform.
3. The Linux ransomware prevention system of claim 1, wherein the trapping module comprises:
trap module M1: setting the honeypot file path and generating the honeypot area files;
trap module M2: when the trapping module is started for the first time, checking the current honeypot area directory once, calculating the average information entropy and storing it;
trap module M3: the trapping module starts the watchdog library and continuously monitors the honeypot area files, judging whether any of the following operations occurs: a file under the directory is moved, a new file is created under the directory, a file under the directory is deleted, and/or a file under the directory is modified; if so, detecting and comparing the file characteristics of the current honeypot area files;
trap module M4: judging, from the detected and compared file characteristics of the honeypot area files, whether the current process is a threat; when the threat is confirmed, promptly feeding alarm information back to the front-end platform, and obtaining the process tree of the current dangerous program with the psutil library in order to terminate it.
4. The Linux ransomware prevention system of claim 3, wherein the average information entropy in trap module M2 is computed as:

$$\bar{E} = \frac{1}{m}\sum_{j=1}^{m} E'_j$$

$$E'_j = \alpha\,E_{j1} + (1-\alpha)\,E_{j2}$$

$$E_{j1} = -\sum_{i=1}^{n_{j1}} p_{ji}\log_2 p_{ji}, \qquad E_{j2} = -\sum_{i=1}^{n_{j2}} p_{ji}\log_2 p_{ji}$$

where $\bar{E}$ is the mean information entropy; $E'_j$ is the comprehensive information entropy of the j-th file, i.e. the weighted combination of the information entropy of the file header and of the rest of the file; m is the total number of files in the honeypot area; $\alpha$ is the scale factor; $E_{j1}$ is the information entropy of the header of the j-th file; $E_{j2}$ is the information entropy of the remainder of the j-th file; $p_{ji}$ is the probability of the i-th symbol in the j-th file; $n_{j1}$ and $n_{j2}$ are the numbers of distinct symbols present in the header and in the remainder of the j-th file.
5. The Linux ransomware prevention system of claim 3, wherein detecting and comparing the file characteristics of the current honeypot area in trap module M3 comprises:
calculating the average information entropy of the current directory, comparing it with the average information entropy calculated when the trapping module was first started, and confirming that the current process is a threat when the difference between the two exceeds a preset value;
checking the suffix names of the files in the directory, and confirming that the current process is a threat when an unidentified suffix is found;
and checking whether any single file in the directory has a duplicate, and confirming that the current process is a threat when a duplicate exists.
6. A method for preventing Linux ransomware, comprising:
a trapping step: monitoring the honeypot area files with a trapping module; when a process is found to operate on a honeypot area file, detecting and comparing the file characteristics of the current honeypot area files, judging whether the current process is a threat, terminating the related process when the threat is confirmed, and promptly feeding alarm information back to the front-end platform;
a backup step: performing backup protection of the files modified in the selected area, so that the files can be recovered after a Linux ransomware attack;
a scanning step: scanning the selected area for files suspected to have been attacked by a ransomware program, and feeding the scanning result back to the front-end platform;
the backup step comprises:
backup step A1: the monitoring program detects, with the pyinotify library, that a file has been accessed; it checks the suffix and does nothing when the suffix is swp or swx; otherwise it writes a copy of the file into the temporary area;
backup step A2: the monitoring program detects, with the pyinotify library, that the file has been modified or deleted; it checks the suffix and does nothing for swp or swx; otherwise it checks the temporary area and, if a copy is present there, writes that copy into the backup area as the backup, preserving the original directory structure;
backup step A3: a file that is not detected as modified or deleted within a preset time after being accessed is judged not to need backing up, and the monitoring process automatically clears such timed-out files from the temporary area;
backup step A4: when files attacked by Linux ransomware need to be restored, all files in the backup area are read into the restoration area with their original structure, and the files to be restored are selected as needed;
the backup step A4 comprises: the restored files are copied from the backup area to the restore path with a function of the shutil library;
the backup area comprises: the size of the backup area is determined according to the distribution density of the trap files, so that when Linux ransomware attacks, the backup area can hold every file the ransomware encrypts before it is caught by the trapping module.
CN202110275566.5A 2021-03-15 2021-03-15 Linux lasso virus prevention method and system Active CN112906001B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110275566.5A CN112906001B (en) 2021-03-15 2021-03-15 Linux lasso virus prevention method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110275566.5A CN112906001B (en) 2021-03-15 2021-03-15 Linux lasso virus prevention method and system

Publications (2)

Publication Number Publication Date
CN112906001A CN112906001A (en) 2021-06-04
CN112906001B true CN112906001B (en) 2022-09-06

Family

ID=76105713

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110275566.5A Active CN112906001B (en) 2021-03-15 2021-03-15 Linux lasso virus prevention method and system

Country Status (1)

Country Link
CN (1) CN112906001B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113609483A (en) * 2021-07-16 2021-11-05 山东云海国创云计算装备产业创新中心有限公司 Server virus processing method, device, equipment and readable medium
CN113626811A (en) * 2021-07-19 2021-11-09 武汉大学 Ransomware early detection method and system based on decoy files
CN113672925B (en) * 2021-08-26 2024-01-26 安天科技集团股份有限公司 Method and device for preventing ransomware attacks, storage medium and electronic equipment
CN113779576A (en) * 2021-09-09 2021-12-10 安天科技集团股份有限公司 Identification method and device for executable file infected virus and electronic equipment
CN114553524B (en) * 2022-02-21 2023-10-10 北京百度网讯科技有限公司 Traffic data processing method and device, electronic equipment and gateway
CN114969772B (en) * 2022-03-03 2022-11-29 北京天融信网络安全技术有限公司 Recovery method and device of encrypted file, electronic equipment and storage medium
CN116663005B (en) * 2023-08-01 2023-10-13 长扬科技(北京)股份有限公司 Method, device, equipment and storage medium for defending against composite ransomware

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2009230407A (en) * 2008-03-21 2009-10-08 Toshiba Corp Data update method, memory system and memory device
CN105656886A (en) * 2015-12-29 2016-06-08 北京邮电大学 Method and device for detecting website attack behaviors based on machine learning
US9888032B2 (en) * 2016-05-03 2018-02-06 Check Point Software Technologies Ltd. Method and system for mitigating the effects of ransomware
CN106611123A (en) * 2016-12-02 2017-05-03 哈尔滨安天科技股份有限公司 Method and system for detecting 'Harm. Extortioner. a' virus
US11003775B2 (en) * 2017-09-11 2021-05-11 Carbon Black, Inc. Methods for behavioral detection and prevention of cyberattacks, and related apparatus and techniques
CN111970329A (en) * 2020-07-24 2020-11-20 苏州浪潮智能科技有限公司 Method, system, equipment and medium for deploying cluster service

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Encrypting-ransomware detection method based on file features; Xu Bing et al.; Data Communication; 20190428; abstract and sections 1-5 of the main text *
Research on a data disaster-recovery system against ransomware; Zhou Tao et al.; Communications Technology; 20210309; full text *

Also Published As

Publication number Publication date
CN112906001A (en) 2021-06-04

Similar Documents

Publication Publication Date Title
CN112906001B (en) Linux lasso virus prevention method and system
US11379582B2 (en) Methods and apparatus for malware threat research
US10169586B2 (en) Ransomware detection and damage mitigation
EP1751649B1 (en) Systems and method for computer security
US5440723A (en) Automatic immune system for computers and computer networks
JP5897132B2 (en) Dynamic malware removal using cloud technology
US8776236B2 (en) System and method for providing storage device-based advanced persistent threat (APT) protection
CN107851155A (en) For the system and method across multiple software entitys tracking malicious act
EP2642715A1 (en) Method and system for malicious code detection
US20080016564A1 (en) Information protection method and system
EP1915719B1 (en) Information protection method and system
CN109784055B (en) Method and system for rapidly detecting and preventing malicious software
Almutairi et al. Innovative signature based intrusion detection system: Parallel processing and minimized database
Villalba et al. Ransomware automatic data acquisition tool
CN102592078B (en) Method for identifying self-propagation of malicious software by extracting function call sequence characteristics
US20060015939A1 (en) Method and system to protect a file system from viral infections
Chakraborty A comparison study of computer virus and detection techniques
Sainju et al. An experimental analysis of Windows log events triggered by malware
KR101725670B1 (en) System and method for malware detection and prevention by checking a web server
Kaur Network Security: Anti-virus.
Wolf Ransomware detection
Dewanjee Intrusion Filtration System (IFS)-mapping network security in new way
CN113722705B (en) Malicious program clearing method and device
RU2802539C1 (en) Method for identifying information security threats (options)
Al-Sofyani et al. A Survey of Malware Forensics Analysis Techniques and Tools

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant