CN114077735A - Malicious software defense method, device and system - Google Patents


Info

Publication number
CN114077735A
Authority
CN
China
Prior art keywords
file
files
original
file name
name
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011104675.2A
Other languages
Chinese (zh)
Inventor
杨利东
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to PCT/CN2020/136435 (WO2022032950A1)
Publication of CN114077735A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G06F21/565 Static detection by checking file integrity


Abstract

The application discloses a method, a device and a system for defending malicious software, which are used for reducing the cost and difficulty of defending the malicious software and improving the effectiveness of defending the malicious software. The defense equipment adds M element files in a protected folder comprising N original files, so that when all files in the protected folder are sorted according to file names, one element file in the M element files is arranged in front of the N original files, M is more than or equal to 1, and N is more than or equal to 1; monitoring whether the M element files are accessed; if an element file of the M element files is accessed, the process accessing the element file is terminated, the process being deemed to be associated with malware.

Description

Malicious software defense method, device and system
Technical Field
The present application relates to the field of computer security technologies, and in particular, to a method, a device, and a system for defending against malicious software.
Background
Malware refers to any software that is harmful to the interests of a user. Malware may affect not only infected computers or devices, but other devices that communicate with the infected devices. Some malware may encrypt or modify files on the victim disk drive.
Such malware is often spread as a trojan, for example through social engineering such as an email disguised as ordinary mail that tricks the victim into clicking a download link; it may also spread as a worm between vulnerable computers by exploiting the operating system or application software.
In order to reduce the damage of the malicious software to the file, researchers propose to copy a plurality of protected files, and respectively store the protected files in different storage locations to realize backup. Thus, even if a file on one storage location is modified or encrypted by malware, a backed up file can be obtained from another storage location. However, this approach will greatly increase the storage cost and the management and maintenance difficulty of the file, which is very costly.
Disclosure of Invention
The embodiment of the application provides a method for defending malicious software, which is used for reducing the cost and difficulty in defending the malicious software and improving the effectiveness of defending the malicious software.
In a first aspect, a method for defending against malware is provided. The method is performed by a defense system for malware. The defense system adds M element files in a protected folder comprising N original files, so that when all files in the protected folder are sorted according to file names, one element file in the M element files is arranged in front of the N original files, M is more than or equal to 1, and N is more than or equal to 1. The defense system monitors whether the M element files are accessed. If an element file of the M element files is accessed, the defense system terminates the process of accessing the element file, which process is deemed to be associated with malware.
The embodiment of the application protects the original file in the protected folder through the element file. When a suspicious process accesses files in a protected folder, the element files are accessed firstly, and at the moment, the defense system can terminate the suspicious process in time, so that original files in the protected folder are protected from being encrypted or modified by the suspicious process. When the defense scheme is implemented, a large amount of copying and distributed storage of original files are not needed, a large amount of storage resources are avoided to be occupied, processing resources consumed for maintaining and managing a plurality of original file copies are saved, and accordingly defense cost is reduced.
Optionally, in a possible implementation manner of the first aspect, when the defense system generates the element file, the defense system determines a file name of the element file according to a file name of an original file in the protected folder. That is, the file name of each element file in the M element files is determined according to the file name of at least one original file in the N original files.
Since the default sorting manner of the file names in the file name list of one folder is to sort according to the file names, generating the file names of the element files according to the file names of the original files can ensure that one element file in the M element files is arranged in front of all the original files of the protected folder. Thus, the element files arranged in front of all original files in the protected folder can protect all original files in the protected folder, and perfect defense effect is achieved.
Optionally, in a possible implementation manner of the first aspect, the element file arranged before the N original files is generated according to a reference original file, where the reference original file is the one that comes first among the N original files under the defense system's default file name sorting manner. Before generating the element file, the reference original file is determined from the N original files, and the file name of the element file is then generated according to the file name of the reference original file and the default file name sorting manner, which improves the efficiency of generating the element file.
Optionally, in a possible implementation manner of the first aspect, the defense system determines target original files belonging to a target category among the N original files. The defense system then obtains a first original file from the target original files, where the file name of the first original file comes first among the file names of the target original files under the defense system's default file name sorting manner. The defense system generates a first element file that belongs to the target category and whose file name is arranged before the file name of the first original file under the default file name sorting manner.
The original files in the protected folder are classified into a number of different categories according to the first character of the file name. Although different operating systems may use different default sorting manners when sorting all files in the protected folder according to the file names, the sorting manners of the same type of file names have similarity, namely, the sorting manners are in the order of the size of the corresponding numerical value of the first character in the ASCII table. Therefore, the element file generating mode of generating the element file according to the category of the original file has better universality.
Optionally, when the operating system sorts all files in the protected folder according to file names, the default file name sorting manner is an order of small to large values of the first characters of the file names of the same type in an American Standard Code for Information Interchange (ASCII) table, or the default file name sorting manner is an order of large to small values of the first characters of the file names of the same type in an ASCII table.
Optionally, in a possible implementation manner of the first aspect, the defense system monitors a predetermined Application Programming Interface (API) in the defense system by hooking. When the hook observes that the predetermined API is called, the defense system obtains the parameters of the call; if the parameters include the file name of an element file among the M element files, it determines that the element file is accessed; if the parameters include no element file name, it determines that no element file among the M element files is accessed. Optionally, the monitored API is an API for obtaining a list of file names, such as FindFirstFile() and FindNextFile() in the Windows operating system.
By means of the hook mechanism, the defense system can reliably monitor that the element file is accessed by a running process, thereby facilitating subsequent termination of the suspicious process.
Optionally, in a possible implementation manner of the first aspect, when it is monitored that a process is accessing the element file, the defense system checks the validity of that process and then decides according to the result whether to terminate it, so that normal functions of the operating system and normal operations of a person are not blocked by mistake. Specifically, the defense system obtains access parameters of the process, where the access parameters comprise a process name, the name of the program that generated the process, the access time, or the file name of the accessed element file. The defense system compares the access parameters of the process with a set access parameter range, and terminates the process if its access parameters do not fall within the access parameter range. The set access parameter range is obtained from the historical access behaviour, towards the element files, of normal processes that ran because of the normal functions of the operating system and the normal operations of a person.
In a second aspect, an embodiment of the present application further provides a system for defending against malware. The defense system includes a memory for storing instructions and at least one processor. The at least one processor invokes instructions stored in the memory to cause the defense system to perform the method described in the first aspect above or any one of the possible implementations of the first aspect.
In a third aspect, an embodiment of the present application further provides a malicious software defense device, where the malicious software defense device has a function of implementing the method of the first aspect or any one of the possible implementation manners of the first aspect. The functions can be realized by hardware, and the functions can also be realized by executing corresponding software by hardware. The hardware or software includes one or more modules corresponding to the above-described functions.
In a fourth aspect, the present application further provides a computer-readable storage medium, where the computer-readable storage medium is used to store computer software instructions for the defense system, where the instructions include a program designed to execute the first aspect or any one of the possible implementation manners of the foregoing aspects.
In a fifth aspect, the present application further provides a computer program product containing instructions, which when executed on a computer, causes the computer to perform the method described in the first aspect or any one of the possible implementation manners of the first aspect.
In a sixth aspect, an embodiment of the present application provides a chip, which includes a memory and a processor, where the memory is used to store computer instructions, and the processor is used to call and execute the computer instructions from the memory, so as to perform the method in the first aspect and any possible implementation manner of the first aspect.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
Fig. 1 is a schematic view of an application scenario of a malicious software defense scheme according to an embodiment of the present disclosure;
fig. 2 is a schematic view of an application scenario of another malware protection scheme according to an embodiment of the present application;
fig. 3 is a flowchart illustrating a method for defending against malware according to an embodiment of the present disclosure;
FIG. 4 is a schematic diagram of an ASCII table in an embodiment of the present application;
fig. 5 is a flowchart illustrating a method for defending against malware according to an embodiment of the present disclosure;
FIG. 6 is a diagram of a protected folder containing a number of original files in one example provided by an embodiment of the present application;
FIG. 7 is a diagram of a plurality of element files generated for the protected folder shown in FIG. 6 in an example provided by an embodiment of the present application;
FIG. 8 is a schematic diagram of a protected folder after adding the element file shown in FIG. 7 in an example provided by an embodiment of the present application;
fig. 9 is a schematic structural diagram of a defense system according to an embodiment of the present disclosure;
fig. 10 is a schematic structural diagram of a defense apparatus according to an embodiment of the present application.
Detailed Description
The main implementation principle, the specific implementation mode and the corresponding beneficial effects of the technical scheme of the embodiment of the invention are explained in detail with reference to the drawings.
The embodiment of the application provides a malicious software defense scheme, which protects a file serving as a protected object through a well-constructed element file. The basic idea of the embodiment of the present application is to generate an element file for a protected folder (i.e., a folder in which the protected file is located), and add the element file to a target folder. Such that when all files in the protected folder are ordered according to file name, there is one element file that is ordered before all original files. In the embodiment of the present application, the original file refers to a file existing in the protected folder before the element file is added in the protected folder.
The files in the protected folder need to be accessed before a process encrypts the protected folder as a whole. Since the element file is ordered before all the original files, the element file is accessed earlier than the original files. Therefore, whether the element file is accessed is monitored, and the suspicious process accessing the element file is stopped in time when such access is observed, so that the original files in the protected folder are prevented from being encrypted by the suspicious process. The suspicious process is related to malware; for example, the process is generated by running the malware. One example of malware that corrupts a victim computer system by encrypting or modifying files on the victim disk drive is ransomware, also known as a ransom virus.
The defense scheme of the malicious software provided by the embodiment of the application is executed by a defense system. The scheme has wide application scenes. For example, a defense system is a system of many different types of computing devices or computing devices at arbitrary locations on a network. The present application is not limited to the operating system of each computing device. Fig. 1-2 are examples of two typical application scenarios, and are not limiting.
Fig. 1 is a schematic illustration of an application scenario. The defense system is a personal computer, a server, a notebook computer, a virtual machine, a wearable device, a smart phone, a smart screen television, a sweeping robot, a projector, a tablet computer, a switch, a wireless Access Point (AP) device, a smart car, or another device that is connected to the Internet through a wireless network and has computing and network connection capability. Optionally, the wireless network includes a mobile network, a Wireless Local Area Network (WLAN), a Wi-Fi hotspot network, or the like. The mobile network includes a Long Term Evolution (LTE) network, a new radio access technology (NR) network, and the like. The defense systems are, for example, the smartphones 101 and 103, the projector 104, the printer 105, and the smart car 102 in fig. 1.
Fig. 2 is a schematic diagram of another application scenario. The defense system is a personal computer, a server or an internet of things device (such as a cabinet type acquisition station and an intelligent camera) in a park network connected to the internet through an access switch or an access gateway. Or the defense system is a switch, router, firewall, or the like. The defence system may also be a system consisting of a plurality of devices. For example, the defense system is the host 201, the virtual machine 202, the video telephone terminal 203, the smart camera 204, the cabinet acquisition station 205, the switch 206, the firewall device 207, the gateway 208, or the like in fig. 2, or may be a system composed of some of the devices in fig. 2.
Fig. 3 is a flowchart of a method for defending against malware according to an embodiment of the present application. Fig. 3 illustrates the principle of the defense scheme for malware, primarily from the perspective of a defense system. Optionally, the defense system in fig. 3 is any one of the smart phones 101 and 103, the projector 104, the printer 105, and the smart car 102 in fig. 1, or the host 201, the virtual machine 202, the video phone terminal 203, the smart camera 204, the cabinet acquisition station 205, the switch 206, the firewall device 207, and the gateway 208 in fig. 2.
The process flow shown in fig. 3 includes steps 300-302.
Step 300, adding M element files in a protected folder including N original files, so that when all files in the protected folder are sorted according to file names, one element file in the M element files is arranged in front of the N original files, M is greater than or equal to 1, and N is greater than or equal to 1.
In the embodiments of the present application, a protected folder refers to a folder in which a protected file is located. Protected files refer to files that are valuable to the file owner and that should be prevented from being the subject of a malware attack. Before the protection operation is performed on the protected file, all existing files in the protected folder are original files. In this application, it is assumed that the protected folder includes N original files. Optionally, if all files in the protected folder are protected files, the protected files are identical to the original files; if some of the files in the protected folder are protected files, then the protected files are a subset of the original files. A network administrator or a user of the defense system may set a protected file or a protected folder by means of a command line, a Graphical User Interface (GUI), and the like. A disk drive is also an example of a protected folder, for example, the protected folder is the disk drive "C:\".
In the embodiment of the application, the element file is a file generated for the protected folder by the defense system for the purpose of preventing malicious software. After the element file is saved in the protected folder, the original file in the protected folder can be protected.
The defense system adds the element file to the protected folder; the element file can be generated directly in the protected folder, or generated first and then added to the protected folder. Optionally, when the defense system generates an element file, it may generate the content of the element file in any manner, as long as it is ensured that when all files in the protected folder are sorted according to file name, one or more of the M element files are arranged before the N original files. For example, the defense system sets the content of the element file to null, copies a predetermined content into the element file, or copies the content of any one of the original files in the protected folder into the element file. Optionally, the element file is similar to the original files in terms of file format, file attributes, file icon, content, encoding mode, and the like.
In many scenarios, a process in the operating system needs to obtain a list of filenames for a folder. For example, before a process accesses a file, a file name list of a folder where the file is located is acquired to show a view interface of the folder, so that a user can select the file to be accessed from the view interface; or before the whole folder is encrypted, a file name list of the folder is obtained to determine the file to be encrypted. The file name sorting mode is a sorting mode of the file names in a file name list when a process in a defense system calls an API provided by an operating system to obtain the file name list of a folder. There may be various ways of sorting file names, such as sorting according to file size, sorting according to file creation or last modification time, sorting according to file name, and so on. No matter which sorting mode is adopted, all original files can be protected through the element files as long as one element file is arranged in front of all the original files when the files in the protected folder are sorted. In most operating systems, the default way of ordering file names is usually based on file name.
For example, the defense system may generate the file name of the element file according to the file name of the original file in the protected folder, or may generate the file name of the element file without depending on the file name of the original file in the protected folder.
Step 301, monitoring whether the M element files are accessed.
If one of the M element files is accessed, go to step 302; if none of the M element files have been accessed, then execution continues at step 301.
Accessing a file in the embodiments of the present application includes, but is not limited to, the file name of the file being obtained, the file being read and written, and the like.
Optionally, the defense system monitors whether the element file is accessed by monitoring whether a predetermined API in the defense system is called. When the preset API is monitored to be called, obtaining parameters when the preset API is called, wherein the parameters comprise file names. And if the file name of the element file in the M element files is included in the parameter when the preset API is called, determining that the element file in the M element files is accessed.
Optionally, the predetermined API includes APIs for performing operations such as searching and reading on a file. Taking the Windows operating system as an example, these APIs include APIs for obtaining a list of file names, such as FindFirstFile() and FindNextFile(). The APIs for operating on files may differ between operating systems.
Alternatively, the specific monitoring modes that can be used in different operating systems may also vary. For example, the Windows, Linux, Android, and iOS operating systems typically support hook programming (hooking), which can be used to monitor whether a predetermined API is called.
Hooking refers to a technique for modifying or extending the behavior of an operating system, application, or other software component by intercepting function calls, message passing, event passing between software modules. The code for handling intercepted function calls, events, messages is called a hook. In the present embodiment, the intercepted predetermined API includes the above API for performing operations such as searching and reading on a file. When the preset API is intercepted and called in a hooking mode, the following processing is executed on the intercepted function call by using a hook: obtaining parameters when the preset API is called, wherein the parameters comprise file names; and judging whether the file name of the element file in the M element files is included in the parameters when the preset API is called. If the parameters when the preset API is called comprise the file names of the element files in the M element files, determining that the element files in the M element files are accessed; if the file name of the element file of the M element files is not included in the parameters when the predetermined API is called, it is determined that the element file of the M element files is not accessed.
Step 302, if an element file of the M element files is accessed, terminating the process of accessing the element file. The process is associated with malware, e.g., the process is generated by malware execution.
The way in which a defense system terminates a process depends on the operating system, and different operating systems have different mechanisms for terminating processes. Taking the Windows operating system as an example, the defense system closes a specified process by calling a specific API; for example, the defense system calls TerminateProcess() to instruct the task manager to terminate a process.
In the embodiment of the application, the defense system firstly generates the element file and adds the generated element file to the protected folder, so that when all files in the protected folder are sorted according to the file name, one element file is arranged in front of all original files in the protected folder. Thus, when a suspicious process accesses a file in a protected folder, the element file is accessed first, thereby protecting the original file in the protected folder. The defense system monitors whether the element file is accessed to discover the suspicious process and terminates the suspicious process in time, thereby protecting the original file in the protected folder from being encrypted or modified by the suspicious process. When the defense scheme is implemented, a large amount of copies and distributed storage of original files are not needed, so that a large amount of storage resources are avoided being occupied, and processing resources consumed for maintaining and managing a plurality of original file copies are saved, thereby reducing defense cost.
During the actual operation of the defense system, the element file may be accessed by the normal operation of the system process or personnel. For example: the Windows operating system accesses the element files in the protected folder when initializing the view interface of the protected folder.
Optionally, in order to ensure that the operating system can normally provide functions without affecting user experience, the defense system presets an access parameter range for the process of accessing the element file. The access parameter range essentially functions as a white list. The access parameter ranges are obtained through a pre-learning phase. The learning phase is performed in a relatively secure environment. For example, when the defense system has just run antivirus software and confirms that no potential safety hazard exists in the defense system according to the antivirus software killing result, the defense system is considered to be a relatively safe environment. Optionally, the defense system sets a default duration for the learning phase or allows the administrator to set a duration for the learning phase via the command line interface, for example, the default duration for the learning phase is one week. In the learning phase, the defense system does not execute the process shown in step 302 in fig. 3, i.e., temporarily turns off the defense function, when it is monitored that the element files in the protected folder are accessed. In the working phase, the defense system executes the flow shown in fig. 3, i.e. the defense function is turned on.
In the learning stage, when monitoring that the element file is accessed, the defense system records the related behavior information of the process accessing the element file, such as the program name of the generation process, the access time, which element files are accessed and the like. This recorded information helps to set the access parameter ranges described above. Access parameter ranges are determined based on the recorded information, for example, by manual analysis, or by methods of machine learning. Through the information recorded in the learning stage, the defense system obtains the access parameter range, and the normal function of the operating system and the normal operation of personnel can not be blocked by the defense system in error in the subsequent working stage. For example, when it is monitored that a process accesses one of the M element files, the defense system acquires an access parameter of the process, compares the access parameter of the process with a set access parameter range, and terminates the process if the access parameter of the process does not belong to the access parameter range. The access parameter includes a process name, a program name that generates the process, an access time, or a file name of an element file to be accessed.
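The hook-side decision described in steps 301 and 302 together with the learning-phase whitelist above, as an added example (this is not the patent's own code and not Huawei's implementation). The Windows API hook itself is not shown; what it would capture is modelled by the constructed `InterceptedCall` record, and the access parameter range is learned as (program, element file, hour-of-day) triples. Termination is platform-specific (the text names TerminateProcess() on Windows), so `Defender.on_call` only returns the decision. All file names, program names and times are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class InterceptedCall:
    """What the hook captures when a monitored file API is called (constructed
    model; the field names are this example's, not the operating system's)."""
    api: str              # e.g. "FindNextFile"
    file_names: tuple     # file names appearing in the call's parameters
    process_name: str
    program: str          # program that created the process
    when: datetime        # access time


def make_call(api: str, path: str, program: str, hour: int, minute: int = 0) -> InterceptedCall:
    """Convenience constructor for sample calls (process name = program name)."""
    return InterceptedCall(api, (path,), program, program, datetime(2024, 1, 8, hour, minute))


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def accessed_element(call: InterceptedCall, element_files) -> Optional[str]:
    """Step 301 inside the hook: an element file counts as accessed when its
    name is among the call's parameters; returns that name, else None."""
    for path in call.file_names:
        if basename(path) in element_files:
            return basename(path)
    return None


class AccessRange:
    """Access parameter range (the whitelist): which program touched which
    element file in which hour of the day, as recorded in the learning phase."""

    def __init__(self):
        self.seen = set()

    def learn(self, call: InterceptedCall, element: str) -> None:
        self.seen.add((call.program, element, call.when.hour))

    def contains(self, call: InterceptedCall, element: str) -> bool:
        return (call.program, element, call.when.hour) in self.seen


class Defender:
    """Learning phase: record accesses and never terminate. Working phase:
    terminate any process whose access parameters fall outside the learned range."""

    def __init__(self, element_files, learning: bool = True):
        self.element_files = set(element_files)
        self.access_range = AccessRange()
        self.learning = learning

    def on_call(self, call: InterceptedCall) -> str:
        element = accessed_element(call, self.element_files)
        if element is None:
            return "pass"          # no element file involved in this call
        if self.learning:
            self.access_range.learn(call, element)
            return "recorded"      # step 302 is switched off while learning
        if self.access_range.contains(call, element):
            return "allowed"       # matches normal OS/user behaviour seen earlier
        return "terminate"         # the real system would end the process here


ELEMENT_FILES = {"0report.txt"}   # constructed: produced by the generation step


def run_scenario():
    """Constructed sequence: one learning-phase access, then three working-phase calls."""
    defender = Defender(ELEMENT_FILES, learning=True)
    decisions = [defender.on_call(
        make_call("FindNextFile", r"C:\docs\0report.txt", "explorer.exe", 9, 5))]
    defender.learning = False       # switch to the working phase
    working = [
        make_call("FindNextFile", r"C:\docs\0report.txt", "explorer.exe", 9, 40),
        make_call("CreateFileW", r"C:\docs\1report.txt", "winword.exe", 9, 41),
        make_call("FindFirstFileW", r"C:\docs\0report.txt", "unknown.exe", 3, 12),
    ]
    decisions += [defender.on_call(c) for c in working]
    return decisions


if __name__ == "__main__":
    print(run_scenario())   # ['recorded', 'allowed', 'pass', 'terminate']
```

The whitelist key deliberately includes the hour, so an access by the same program at an unusual time is treated as outside the range, which is the behaviour the text describes; in practice the granularity of the range (program only, program plus time window, per element file) is what the manual or machine-learning analysis of the learning-phase records has to decide.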
Next, the present application explains in detail the process of generating an element file. Before introducing that process, a brief description is given of the sorting mode used to sort the files in the protected folder by file name.
File names in the operating system are represented in ASCII. The ASCII table defines how displayable characters are represented in memory in a computer operating system. Fig. 4 is a schematic diagram of an ASCII table. Referring to Fig. 4, the ASCII table specifies which (binary, decimal or hexadecimal) value each displayable character is represented by. Standard ASCII uses 7-bit binary combinations to represent 128 possible characters; 8-bit extensions represent 256. For simplicity, decimal values are used to indicate the corresponding characters of the ASCII table in the subsequent description of the embodiments of the present application.
The file name of a file is composed of characters from the ASCII table. Specifically, a file name includes letters, symbols, numbers, or a combination of at least two of these. The letters are the 26 letters of the English alphabet. The numbers are 0 to 9. The symbols include the space character, "!", "#", "&", "-", and so on.
The numerical ranges corresponding to the symbols in the ASCII table are 32-47 (32 is the space), 58-64, 91-96 and 123-126. The numerical range corresponding to the ten Arabic numerals 0 to 9 is 48-57.
The numerical range corresponding to 26 capital English letters in the ASCII table is 65-90, and the numerical range corresponding to 26 small English letters is 97-122.
When all files in the protected folder are sorted by file name, the default file name sorting mode is usually determined by the value of the first character of the file name in the ASCII table.
Files managed by a computer file system can be classified into several categories according to the category of the first character of the file name, including but not limited to: files whose first character is a symbol, files whose first character is a number, files whose first character is a letter, files whose first character is a Chinese character, files whose first character is a Japanese character, and so on.
Optionally, the default file name sorting mode is ascending order of the ASCII values of the first characters of file names of the same category, or descending order of those values.
When file names of several different categories exist in the protected folder at the same time, the relative order of two files of different categories may or may not follow the ascending order of the ASCII values of their first characters. This depends on the operating system on which the defense system runs. Although the default file name sorting mode described here applies to most operating systems, other default sorting modes are possible given the differences between operating systems in practice; they are not enumerated here.
Optionally, under the default file name sorting mode, when the first characters of two file names are the same, their second characters are compared. If the second characters differ, the two file names are ordered by the ASCII values of their second characters; otherwise the comparison continues character by character until the first differing character is found, and the file names are ordered by the ASCII values of that character. The suffix (extension) is considered part of the file name: the whole file name, taken as a single character string, is the basis of the sort.
For example, the protected folder includes two original files named "a network introduction.doc" and "a network introduction.ppt". When the file name list of the protected folder is obtained, every character up to and including the "." is the same in both names, so the sort is decided by the first character of the suffix: "d" in "a network introduction.doc", which corresponds to 100 in the ASCII table, and "p" in "a network introduction.ppt", which corresponds to 112. Thus, if the default file name sorting mode is ascending order of the ASCII values, "a network introduction.doc" is ranked before "a network introduction.ppt".
The default filename ordering is described below in several examples.
Assume that the protected folder contains 2 original files, both belonging to the category of files whose first character is a letter, named "a network introduction.ppt" and "b system description.ppt". The first character a of "a network introduction.ppt" corresponds to 97 in the ASCII table, and the first character b of "b system description.ppt" corresponds to 98. Thus, when the file name list of the protected folder is obtained under the default file name sorting mode, "a network introduction.ppt" is ranked first and "b system description.ppt" second, i.e. "a network introduction.ppt" is ranked before "b system description.ppt".
For another example, assume that the protected folder contains 3 original files, all belonging to the category of files whose first character is a number, named "2_24test1_97pe9x.pdf", "2_24test1_pbc4ip.pdf" and "4.1.67.134 (2018-9-1016_57_59).txt". The first character 2 of "2_24test1_97pe9x.pdf" and "2_24test1_pbc4ip.pdf" corresponds to 50 in the ASCII table, and the first character 4 of "4.1.67.134 (2018-9-1016_57_59).txt" corresponds to 52. The first 10 characters of "2_24test1_97pe9x.pdf" and "2_24test1_pbc4ip.pdf" are the same and the 11th character differs: 9, which corresponds to 57 in the ASCII table, versus p, which corresponds to 112. Thus, when the file name list of the protected folder is obtained under the default file name sorting mode, "2_24test1_97pe9x.pdf" is ranked first, "2_24test1_pbc4ip.pdf" second and "4.1.67.134 (2018-9-1016_57_59).txt" third.
For another example, assume that the protected folder contains 3 original files, all belonging to the category of files whose first character is a Chinese character, named "safety report.docx", "engineering capability automation.ppt" and "software introduction.docx". Since the number of Chinese characters is far larger than 256, they cannot be represented directly by values in the ASCII table. In mainland China, such names are sorted by the first letter of the pinyin of the first Chinese character, in ascending order of its ASCII value: for "safety report.docx" that letter is a, for "engineering capability automation.ppt" it is g, and for "software introduction.docx" it is r. Since a corresponds to 97, g to 103 and r to 114 in the ASCII table, "safety report.docx" is ranked first, "engineering capability automation.ppt" second and "software introduction.docx" third. In Hong Kong, sorting is by the stroke count of the first Chinese character. Other sorting modes for Chinese characters and for other languages such as Japanese are not listed here.
Of the file categories above, the three categories of files whose first character is a symbol, a number or a letter are the most widely encountered, and the embodiments of the present application therefore describe them in detail.
It will be appreciated that the suffix sits at the end of the file name and, in most cases, the order of several file names is already decided by their first two characters, so the suffix has little influence on the sort. Therefore, when generating an element file, the defense system places no particular restriction on how the suffix of the element file's name is generated: for example, it randomly selects a suffix from a set of suffixes, or reuses the suffix of any original file of the same category in the protected folder, or reuses the suffix of the original file at a specified position in the file name sub-list of that category, and so on; the possibilities cannot be enumerated one by one.
Optionally, so that the element file is ranked first when all files in the protected folder are sorted by file name after it has been added, the defense system adopts one or more of the following naming modes when generating the file name of the element file.
Mode one
The defense system does not refer to the file names of the original files in the protected folder, but generates the element files directly from the ASCII table. For example, the symbol "!" corresponds to 33 in the ASCII table and is the first displayable character in the table, while the symbol "~" corresponds to 126 and is the last displayable character in the table. The defense system generates an element file named "!.docx" and an element file named "~.docx". Optionally, the contents of the two element files are empty or identical to the contents of any one of the original files.
The defense system adds these two element files to the protected folder. Then, whether the default file name sorting mode is ascending or descending order of the ASCII values of the first characters of names of the same category, the file ranked first in the updated file name list of the protected folder is one of the two element files.
However, under some default file name sorting modes of the operating system, the relative order of file names of two different categories may not follow the ascending order of the ASCII values of their first characters. For example, the element file named "~.docx" is not placed last among all file names but before all file names whose first character is a number. In other words, if the default file name sorting mode is descending order of the ASCII values of the first characters, then after "~.docx" is added to the protected folder it is placed behind the names of all original files whose first character is a number, and those original files are not protected.
As the above analysis shows, element files generated in the manner of mode one may not achieve the best defensive effect.
Optionally, the defense system generates two element files for each file category: based on ascending order of the ASCII values of the first characters of names of that category, the file name of the first element file is the earliest possible and the file name of the second element file is the latest possible. For example, for files whose first character is a number, two element files named "0.docx" and "9.docx" are generated; two element files are generated in the same way for each other possible category. This method is simple to implement and defends well. However, when the original files in the protected folder belong to only a few categories, some of the element files are useless in practice and waste a small amount of storage space. For example, if the protected folder only contains files whose first character is a symbol, the element files generated for the number and letter categories are unnecessary.
Mode two
The defense system generates the file names of the element files from the file names of the original files in the protected folder. In other words, in step 300 of Fig. 3, the file name of each of the M element files is determined from the file name of at least one of the N original files.
Optionally, in step 300 of Fig. 3, the element file that is ranked before the N original files is generated from a reference original file. The reference original file is the file ranked first among the N original files under the default file name sorting mode of the defense system. As long as one generated element file is guaranteed to rank before the reference original file under the default sorting mode, it is guaranteed to rank before all N original files.
For example, assume the protected folder contains 4 original files named "a network introduction.ppt", "b system description.ppt", "2_24test1_97pe9x.pdf" and "safety report.docx". Before generating an element file, the defense system sorts the 4 original files under the default file name sorting mode to obtain a file name list in which "a network introduction.ppt" is first, "b system description.ppt" second, "2_24test1_97pe9x.pdf" third and "safety report.docx" fourth.
The first file name in the list is "a network introduction.ppt", so the reference original file is the original file with that name. The defense system then generates an element file from the file name of the reference original file, namely "a.xlsx", with empty content. After the empty element file "a.xlsx" is added to the protected folder, it protects the two original files of the same category in the protected folder.
In practice, the protected folder may contain file names of several different categories at once, for example several files whose first character is a symbol together with several whose first character is a number. Analysis of the default sorting modes of different operating systems shows that they may differ when sorting all files in the protected folder by file name, but that for file names of the same category they behave alike, namely ordering by the ASCII values of the first characters. Therefore at least one element file is generated for each category of file present, so that the file name of one element file is ranked first in the file name sub-list of each category. This ensures that the first file name in the file name list of the protected folder is that of an element file once the generated element files have been added.
For example, the protected folder contains the three categories of files above at the same time. The defense system builds three sub-lists from the original files in the protected folder according to their category. Based on the default file name sorting mode, the defense system generates a first element file for the first sub-list, which corresponds to files whose first character is a symbol, such that its file name precedes the file names of all original files in the first sub-list. It generates a second element file for the second sub-list, which corresponds to files whose first character is a number, such that its file name precedes the file names of all original files in the second sub-list. It generates a third element file for the third sub-list, which corresponds to files whose first character is a letter, such that its file name precedes the file names of all original files in the third sub-list. With these three newly generated element files, the first file name in the file name list of the protected folder is guaranteed to be that of an element file after the three element files are added.
Optionally, for better protection, the defense system additionally generates one more element file for each sub-list, whose file name follows the file names of all original files in that sub-list. For example, a fourth element file is generated for the first sub-list (files whose first character is a symbol) such that its file name follows the file names of all original files in the first sub-list.
Thus, whether the default file name sorting mode is ascending or descending order of the ASCII values of the first characters of names of the same category, once the two element files generated for a category have been added to the protected folder, the file ranked first in that category's file name sub-list is always an element file.
As the description above shows, the file name list of the protected folder is in effect composed of the sub-lists corresponding to the different file categories. From the categories of the original files in the protected folder, the defense system selects the category that is ranked first under the default file name sorting mode, and obtains the first sub-list, which contains the file names of the original files of that selected category.
The defense system generates an element file for the first sub-list whose file name, under the default file name sorting mode, precedes all original file names contained in the first sub-list. That is, after the generated element file is added to the protected folder, its file name is ranked first in the updated first sub-list. This ensures that the first file name in the file name list of the protected folder is that of the element file.
For example, a protected folder contains two categories of files: files whose first character is a number and files whose first character is a letter. In the ASCII table the numbers occupy 48-57 while the letters occupy 65-90 and 97-122, so only one element file (element file 1) needs to be generated, for the files whose first character is a number, such that under the default file name sorting mode its file name precedes those of all original files in the sub-list of number-initial files. This ensures that the first file name in the file name list of the protected folder is that of element file 1 after it is added. Optionally, for better protection, the defense system additionally generates an element file (element file 2) for the files whose first character is a letter, such that its file name follows those of all original files whose first character is a letter. After element file 1 and element file 2 are added to the protected folder, the file ranked first in the file name list is always an element file, whether the default file name sorting mode is ascending or descending order of the ASCII values of the first characters of names of the same category.
In short, mode two generates the element files from the file names of the original files in the protected folder, whereas mode one generates them without reference to those file names. Both modes have advantages: mode two defends better, but is more complex to implement than mode one.
The defense system may generate one or more element files based on the file name of the original file in the protected folder.
The process of generating element files in mode two is described below with more detailed examples. In mode two, the defense system generates one or more element files for each category of file name present; several categories are taken as examples.
Fig. 5 shows the process by which the defense system generates element files when the original files in the protected folder belong to one or more file categories. In this case, the defense system generates element files as shown in Fig. 5.
Step 500: the defense system selects, from the N original files contained in the protected folder, the original files belonging to the target category.
For simplicity, the "original files belonging to the target category among the N original files" are referred to as the target original files.
Step 510: the defense system obtains a first original file from the target original files, the first original file being the one whose file name is ranked first among the target original files under the default file name sorting mode.
Step 520: the defense system generates a first element file, which belongs to the target category and whose file name is ranked before the file name of the first original file under the default file name sorting mode.
Optionally, to accommodate the alternative default file name sorting modes and protect the original files in the protected folder more completely, the flow shown in Fig. 5 further includes step 530 and step 540.
Step 530: the defense system obtains a second original file from the target original files, the second original file being the one whose file name is ranked last among the target original files under the default file name sorting mode.
Step 540: the defense system generates a second element file, which belongs to the target category and whose file name is ranked after the file name of the second original file under the default file name sorting mode.
Steps 530 to 540 make the defense system more universal: even under the alternative default sorting mode, descending order of the ASCII values of the first characters of file names of the same category, the generated second element file is still the first file accessed when the protected folder is encrypted as a whole, so the defense system is triggered to terminate the process accessing the second element file and the original files in the protected folder are protected.
In the flow shown in Fig. 5, the target category includes files whose first character is a symbol, or files whose first character is a number, or files whose first character is a letter. Alternatively, the target category also includes files whose first character is a Chinese character, files whose first character is a Japanese character, and so on.
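The following Python is an added worked example, not code from the patent, of the flow of steps 500 to 540 together with the default sorting mode described earlier (whole file name, suffix included, ordered by the ASCII value of the first differing character). It assumes a case-sensitive code-point ordering, restricts generated names to printable ASCII minus the characters Windows rejects in file names, never uses a space, and reuses the suffix of the reference original file (one of the suffix options the text allows). The sample folder reuses the Fig. 6 names as translated above plus one made-up non-ASCII name standing in for the Chinese-named files, which the ASCII rule does not cover. Because the generator compares against the whole reference name rather than its first character alone, it produces "a !.ppt" rather than "a.xlsx" for "a network introduction.ppt": the second character of that translated name is a space (32), which sorts before "." (46), so "a.xlsx" would not precede it under code-point ordering.

```python
"""Element-file names for a protected folder (Fig. 5, steps 500-540).

Added example, not code from the patent. Assumes the default sorting mode is
plain code-point (ASCII) order over the whole file name, suffix included and
case-sensitive; generated names avoid the characters Windows rejects in file
names (assumption) and never contain a space.
"""
from __future__ import annotations

_FORBIDDEN = set('<>:"/\\|?*')            # illegal in Windows file names
ALLOWED = [c for c in map(chr, range(33, 127)) if c not in _FORBIDDEN]
_SYMBOL_CODES = (set(range(32, 48)) | set(range(58, 65))
                 | set(range(91, 97)) | set(range(123, 127)))


def category(name: str) -> str:
    """Category of a file name by the ASCII class of its first character."""
    code = ord(name[0])
    if code in _SYMBOL_CODES:
        return "symbol"
    if 48 <= code <= 57:
        return "digit"
    if 65 <= code <= 90 or 97 <= code <= 122:
        return "letter"
    return "other"      # Chinese, Japanese, ...: collation is platform specific


def _candidates(ref: str, pos: int) -> list[str]:
    """Characters allowed to replace ref[pos]. Position 0 must keep the
    category (and, for letters, the case, so the result does not depend on
    case-insensitive collation); later positions may use any legal character."""
    if pos > 0:
        return ALLOWED
    return [c for c in ALLOWED if category(c) == category(ref)
            and (category(c) != "letter" or c.islower() == ref[0].islower())]


def _suffix(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:] if dot > 0 else ""


def decoy_before(ref: str) -> str:
    """Step 520: keep ref's prefix up to the first position that can be
    lowered, put the smallest legal character there (largest margin), then
    reuse ref's suffix, one of the suffix choices the text permits."""
    for pos, ch in enumerate(ref):
        lower = [c for c in _candidates(ref, pos) if c < ch]
        if lower:
            return ref[:pos] + lower[0] + _suffix(ref)
    raise ValueError(f"no legal file name sorts before {ref!r}")


def decoy_after(ref: str) -> str:
    """Step 540: raise the first raisable position to the largest legal
    character; if every position is maximal, append one, since a longer name
    with the same prefix sorts later."""
    for pos, ch in enumerate(ref):
        higher = [c for c in _candidates(ref, pos) if c > ch]
        if higher:
            return ref[:pos] + higher[-1] + _suffix(ref)
    return ref + ALLOWED[-1]


def plan_element_files(originals: list[str]) -> dict[str, tuple[str, str] | None]:
    """Steps 500-540 per category: {category: (first element file, second
    element file)}; categories the ASCII rule does not cover map to None."""
    by_cat: dict[str, list[str]] = {}
    for name in originals:                       # step 500
        by_cat.setdefault(category(name), []).append(name)
    plan = {}
    for cat, names in by_cat.items():
        if cat == "other":
            plan[cat] = None
            continue
        names.sort()                             # steps 510 and 530
        plan[cat] = (decoy_before(names[0]), decoy_after(names[-1]))
    return plan


def verify(originals: list[str], plan: dict[str, tuple[str, str] | None]) -> bool:
    """After adding the element files, every covered category's sorted
    sub-list must begin and end with an element file."""
    decoys = {d for pair in plan.values() if pair for d in pair}
    for cat, pair in plan.items():
        if pair is None:
            continue
        sub = sorted(n for n in set(originals) | decoys if category(n) == cat)
        if sub[0] not in decoys or sub[-1] not in decoys:
            return False
    return True


# Constructed sample modelled on the Fig. 6 folder: the translated names from
# the text plus one made-up non-ASCII name standing in for the Chinese-named files.
SAMPLE_FOLDER = [
    "(Business report) v1.docx", "2_24test1_97pe9x.pdf", "2_24test1_pbc4ip.pdf",
    "4.1.67.134 (2018-9-1016_57_59).txt", "a network introduction.ppt",
    "b system description.ppt", "报告.docx",
]

if __name__ == "__main__":
    plan = plan_element_files(SAMPLE_FOLDER)
    for cat, pair in plan.items():
        print(f"{cat:7} {pair}")
    print("element files bracket every covered sub-list:", verify(SAMPLE_FOLDER, plan))
```

Running it prints the two element files for each of the symbol, number and letter categories and None for the uncovered category; `verify` re-sorts each category with the element files added and confirms they occupy both ends of the sub-list, which is the property steps 520 and 540 rely on. In a deployment the names have to be regenerated whenever originals are added, since a new original that sorts before the first element file of its category would be reached by an encryption process before any element file.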
The following is described with reference to a specific example.
The original files in the protected folder are shown in Fig. 6; there are 9 in total, named "(Business report) v1.docx", "2_24test1_97pe9x.pdf", "2_24test1_pbc4ip.pdf", "4.1.67.134 (2018-9-1016_57_59).txt", "a network introduction.ppt", "b system description.ppt", "safety report.docx", "engineering capability automation.ppt" and "software introduction.docx".
Of these, the only original file in the category of files whose first character is a symbol is "(Business report) v1.docx"; the original files in the category of files whose first character is a number are the three files "2_24test1_97pe9x.pdf", "2_24test1_pbc4ip.pdf" and "4.1.67.134 (2018-9-1016_57_59).txt"; the original files in the category of files whose first character is a letter are the two files "a network introduction.ppt" and "b system description.ppt"; and the original files in the category of files whose first character is a Chinese character are the three files "safety report.docx", "engineering capability automation.ppt" and "software introduction.docx".
The process of generating the element files is described in detail below for the three cases in which the target category is files whose first character is a symbol, a number, or a letter.
(I) Case where the target category is files whose first character of the file name is a symbol
The defense system obtains the file named "(Business report) v1.docx" from the protected folder shown in Fig. 6; it is the only original file in the protected folder in the category of files whose first character is a symbol.
Assume the default file name sorting mode is ascending order of the ASCII values of the first characters of names of the same category. Since the first character "(" of "(Business report) v1.docx" corresponds to 40 in the ASCII table, the first element file is guaranteed to be ranked before the first original file under the default sorting mode as long as the first character of its file name corresponds to one of 32-39 in the ASCII table, i.e. one of the displayable symbols below "(".
Similarly, as long as the first character of the second element file corresponds to one of 41-47, 58-64, 91-96 or 123-126 in the ASCII table, the second element file is guaranteed to be ranked after the first original file. In this embodiment the generated second element file is assumed to be an empty file named "~.txt".
(II) Case where the target category is files whose first character of the file name is a number
The defense system obtains the three files named "2_24test1_97pe9x.pdf", "2_24test1_pbc4ip.pdf" and "4.1.67.134 (2018-9-1016_57_59).txt" from the protected folder shown in Fig. 6. These three files are the original files in the protected folder in the category of files whose first character is a number.
Assume the default file name sorting mode is ascending order of the ASCII values of the first characters of names of the same category. Since the first character "2" of "2_24test1_97pe9x.pdf" and "2_24test1_pbc4ip.pdf" corresponds to 50 in the ASCII table and the first character "4" of "4.1.67.134 (2018-9-1016_57_59).txt" corresponds to 52, the file names "2_24test1_97pe9x.pdf" and "2_24test1_pbc4ip.pdf" precede "4.1.67.134 (2018-9-1016_57_59).txt".
The first 10 characters of "2_24test1_97pe9x.pdf" and "2_24test1_pbc4ip.pdf" are the same and the 11th character differs: 9, which corresponds to 57 in the ASCII table, versus p, which corresponds to 112. Hence "2_24test1_97pe9x.pdf" is ranked before "2_24test1_pbc4ip.pdf".
Under the default file name sorting mode, "2_24test1_97pe9x.pdf" is therefore ranked first of the three, "2_24test1_pbc4ip.pdf" second and "4.1.67.134 (2018-9-1016_57_59).txt" third.
Then, as long as the first character of the first element file's name corresponds to 48 or 49 in the ASCII table, the first element file is guaranteed to be ranked before the original file "2_24test1_97pe9x.pdf" under the default sorting mode. In this embodiment the generated first element file is assumed to be an empty file named "0.pptx". In fact, "0.pptx" is only one example of a first element file; any file that is ranked before the original file "2_24test1_97pe9x.pdf" under the default sorting mode can serve as the first element file, for example a file named "2_24test1_0.pdf" or "2_1.pdf".
Similarly, as long as the first character of the second element file's name corresponds to one of 53-57 in the ASCII table, the second element file is guaranteed to be ranked after the file named "4.1.67.134 (2018-9-1016_57_59).txt". In this embodiment the generated second element file is assumed to be an empty file named "9.bmp". In fact, "9.bmp" is only one example of a second element file; any file that is ranked after the original file "4.1.67.134 (2018-9-1016_57_59).txt" under the default sorting mode can serve as the second element file, for example a file named "4.2.txt" or "5.txt".
(III) case where the object class is a file whose first character of the file name is a letter
The defense system obtains two files with file names "network introduction a. ppt" and "system description b. ppt", respectively, in the protected folder shown in FIG. 6. These two files are original files of the protected folder belonging to the file category of the file whose first character of the file name is a letter.
The default file name ordering mode is assumed to be the order of the corresponding numerical values of the first characters of the same type of file names in the ASCII table from small to large. Since the first character "a" of the filename "a network introduction. ppt" corresponds to 97 in the ASCII table and the first character "b" of the filename "b System description. ppt" corresponds to 98 in the ASCII table, the filename "a network introduction. ppt" is arranged before the filename "b System description. ppt".
Then the first file name of the first element file needs to be mapped 97 in the ASCII table and the first element file is ordered before the original file "a network introduction. ppt" in the default file name ordering. It is assumed in the present embodiment that the generated first element file is an empty file named "a.xlsx". In fact, the empty file named "a.xlsx" is only an example of the first element file, and any file that is arranged before the original file "a.ppt" in the default file name sorting manner can be used as the first element file. Such as a file with a file name of "a b.xlsx" or "a b.pdf", etc.
Similarly, as long as the first character of the file name of the second element file corresponds to any one of 99 to 122 in the ASCII table, the second element file can be guaranteed to be arranged behind the file with the file name of "b-system description. It is assumed in the present embodiment that the generated second element file is an empty file named "z. Actually, the empty file with the file name "z.rar" is only an example of the second element file, and any file arranged after the original file "b system description" in the default file name sorting manner can be used as the second element file. Such as a file with a file name of "x.ppt" or "y.ppt", etc.
(IV) case where the object class is a file whose first character of the file name is a letter
The protected folder shown in fig. 6 also includes original files belonging to the file category of the file whose first character is a chinese character, i.e., three files whose file names are "security report, docx", "engineering capability automation, ppt", and "software introduction, docx", respectively.
The default sorting mode is assumed to be the order of the corresponding numerical values of the pinyin initials of the first Chinese character in the file name in the ASCII table from small to large. If the corresponding numerical values of the pinyin initials of the two file names in the ASCII table are the same, the corresponding numerical values of the pinyin initials of the second Chinese characters of the two file names in the ASCII table are in the descending order, and so on.
The first character of the file name "safety report. docx" the pinyin initial "a" of the first character "a" corresponds to 97 in the ASCII table, the first character of the file name "engineering capability automation. ppt" the pinyin initial "g" of the first character "i" corresponds to 103 in the ASCII table, and the first character of the file name "software introduction. docx" the pinyin initial "r" of the first character "soft" corresponds to 114 in the ASCII table. Thus, the first of the three file names purchased, file name "Security report. docx" line, file name "engineering capability Automation. ppt" line, second, file name "software introduction. docx" line, third.
The first pinyin letter of the first chinese character of the file name of the first element file is mapped 97 in the ASCII table and the first element file is ordered before the original file security report docx in accordance with the default file name ordering scheme. It is assumed in this embodiment that the first element file generated is an empty file named "a. In fact, the empty file named "a.txt" is only an example of the first element file, and any file that is arranged before the original file "security report. docx" in the default file name sorting manner can be used as the first element file. Such as a file with a file name of "ann. xlsx" or "ann north. pdf", etc.
Similarly, as long as the first pinyin letter of the first Chinese character of the file name of the second element file corresponds to any one of 115-122 in the ASCII table, the second element file can be guaranteed to be arranged behind the file with the file name of' b-system description. In this embodiment, it is assumed that the generated second element file is an empty file named "do. In fact, the empty file with the file name "do. txt" is only an example of the second element file, and any file that belongs to the file category of the file with the file name first character being a Chinese character and is arranged behind the original file "software introduction. Such as a document with a file name of "drawing. ppt" or "future. ppt", etc.
The eight element files generated according to the above four cases are shown in fig. 7. After several element files shown in fig. 7 are added to the protected folder, the files contained in the protected folder are as shown in fig. 8, that is, the protected folder contains both the original files and the newly generated several element files.
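The four cases above are instances of one procedure: group the original names by the kind of their first character, take the first and last name of each group under the default ordering, and create one name that sorts strictly before the first and one that sorts strictly after the last. The Python below is an added example that implements that procedure generally; it is not the patent's code, and the function names, the choice of code-point order with case folding as the "default ordering" and the sample file list are assumptions. It does not implement the pinyin ordering of case (IV): non-ASCII names are handled in plain code-point order. One caveat the patent leaves implicit: what matters is the order in which the hooked enumeration API returns entries to the malware, not what a file manager displays. NTFS returns directory entries in case-insensitive name order, but FAT volumes and most Linux file systems do not enumerate alphabetically at all, so the decoy position has to be checked against the real listing order; `decoys_bracket` does that check for the assumed ordering.

```python
"""Decoy ("element") file naming for the ordering-based ransomware defense.

Added example, not the patent's own code. Original file names are grouped by
the kind of their first character, the first and last name of each group is
found under the assumed default ordering, and one decoy name is built that
sorts before the first and one that sorts after the last. Helper names and
the sample file list are assumptions.
"""
from __future__ import annotations

import os
import string
from typing import Dict, List, Tuple


def sort_key(name: str) -> str:
    # Assumed default ordering: code-point order after case folding. NTFS and
    # Explorer compare names case-insensitively; the patent's examples are all
    # lower case, where this equals plain ASCII order.
    return name.lower()


# Contiguous first-character ranges. The patent's "symbol" category is not
# contiguous in ASCII ('!'..'/' sit before the digits, '@' and '_' between the
# digits and the letters), and non-ASCII first characters ("other") have no
# range either, so both fall back to the same-first-character construction.
RANGES: Dict[str, Tuple[str, str]] = {"digit": ("0", "9"), "letter": ("a", "z")}
LOW, HIGH = "!", "~"  # lowest and highest printable non-space ASCII characters


def category(name: str) -> str:
    c = sort_key(name)[0]
    if c in string.digits:
        return "digit"
    if c in string.ascii_lowercase:
        return "letter"
    if c.isascii() and c.isprintable() and c != " ":
        return "symbol"
    return "other"


def name_before(first: str) -> str:
    """A name that sorts strictly before `first` and keeps its first character."""
    f, ext = sort_key(first), os.path.splitext(first)[1].lower()
    cat = category(f)
    if cat in RANGES and f[0] > RANGES[cat][0]:
        return RANGES[cat][0] + ext          # e.g. "0.pdf" before "2_24test1_97pe9x.pdf"
    for i in range(1, len(f)):
        if f[i] > LOW:                       # LOW at position i beats f[i]; the tail is irrelevant
            return f[:i] + LOW + ext
    if len(f) > 1:
        return f[0]                          # a proper prefix always sorts first
    raise ValueError(f"no name with the same first character sorts before {first!r}")


def name_after(last: str) -> str:
    """A name that sorts strictly after `last` and keeps its first character."""
    f, ext = sort_key(last), os.path.splitext(last)[1].lower()
    cat = category(f)
    if cat in RANGES and f[0] < RANGES[cat][1]:
        return RANGES[cat][1] + ext          # e.g. "9.txt" after "4.1.67.134 (...).txt"
    for i in range(1, len(f)):
        if f[i] < HIGH:
            return f[:i] + HIGH + ext
    return f + HIGH                          # `last` is a proper prefix of this name


def plan_decoys(originals: List[str]) -> Dict[str, Tuple[str, str]]:
    """Per category: (decoy that sorts first, decoy that sorts last)."""
    groups: Dict[str, List[str]] = {}
    for n in originals:
        groups.setdefault(category(n), []).append(n)
    plan: Dict[str, Tuple[str, str]] = {}
    for cat, names in groups.items():
        names.sort(key=sort_key)
        plan[cat] = (name_before(names[0]), name_after(names[-1]))
    return plan


def decoys_bracket(originals: List[str], decoys: List[str]) -> bool:
    """The patent's condition under the assumed ordering: a decoy comes first
    overall, and inside every category a decoy comes first and last."""
    listing = sorted(originals + decoys, key=sort_key)
    if listing[0] not in decoys:
        return False
    for cat in {category(n) for n in originals}:
        members = [n for n in listing if category(n) == cat]
        if members[0] not in decoys or members[-1] not in decoys:
            return False
    return True


def plant_decoys(folder: str) -> List[str]:
    """Create the decoys as empty files next to the originals; returns their names."""
    originals = [n for n in os.listdir(folder) if os.path.isfile(os.path.join(folder, n))]
    decoys = [d for pair in plan_decoys(originals).values() for d in pair]
    for d in decoys:
        open(os.path.join(folder, d), "x").close()   # "x": never overwrite an original
    return decoys


# Constructed sample, modelled on the patent's FIG. 6 names (shown there in translation).
SAMPLE = [
    "2_24test1_97pe9x.pdf", "2_24test1_pbc4ip.pdf", "4.1.67.134 (2018-9-1016_57_59).txt",
    "a network introduction.ppt", "b system description.ppt",
    "#budget.xlsx", "_draft.docx",
]

if __name__ == "__main__":
    plan = plan_decoys(SAMPLE)
    for cat, (lo, hi) in sorted(plan.items()):
        print(f"{cat:7} first={lo!r:14} last={hi!r}")
    print("bracketed:", decoys_bracket(SAMPLE, [d for p in plan.values() for d in p]))
```

Running it on the sample shows the point of the per-category split: "_draft.docx" (ASCII 95) lands between the digit and letter groups, so a single "first and last overall" pair would leave it unprotected, whereas the symbol pair "#!.xlsx" and "_~.docx" brackets it.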
Fig. 9 is a schematic structural diagram of a defense system provided in an embodiment of the present application, so as to implement the defense method described in the foregoing embodiment. The defense system is used to protect protected folders from being encrypted by malware. Optionally, the defense system shown in fig. 9 is the defense system in the application scenario shown in fig. 1 and fig. 2, or the defense system in the flow shown in fig. 3 and fig. 5. The defence system shown in fig. 9 comprises a memory 92 and at least one processor 91.
Optionally, the at least one processor 91 is one or more CPUs, or a single-core CPU, or a multi-core CPU.
The memory 92 includes, but is not limited to, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), a flash memory, an optical memory, or the like. The memory 92 holds the code of the operating system.
Alternatively, the processor 91 implements the method in the above-described embodiment by reading program instructions stored in the memory 92; alternatively, the processor 91 may implement the method in the above embodiments by internally stored instructions. In the case where the processor 91 implements the method in the above-described embodiment by reading the instructions stored in the memory 92, program instructions implementing the method described in the above-described embodiment of the present application are stored in the memory 92.
The at least one processor 91, upon reading the program instructions stored in the memory 92, causes the defense system to:
adding M element files in a protected folder comprising N original files, so that when all files in the protected folder are sorted according to file names, one element file in the M element files is arranged in front of the N original files, M is more than or equal to 1, and N is more than or equal to 1;
monitoring whether the M element files are accessed;
if an element file of the M element files is accessed, terminating the process of accessing the element file, the process being deemed to be associated with malware.
Optionally, when the processor 91 generates the element file, the file name of the element file is determined according to the file name of at least one original file in the N original files.
Alternatively, the processor 91 monitors the accessed state of the element file through a hook mechanism after reading the program instructions stored in the memory 92. Specifically, monitoring a predetermined API in the defense system in a hook mode; if the preset API is called through monitoring in a hook mode, obtaining parameters when the preset API is called; and if the parameter comprises the file name of the element file in the at least one element file, determining that the element file in the M element files is accessed.
Optionally, the defense system shown in fig. 9 further includes a network interface 93. The network interface 93 may be a wired interface, such as a Fiber Distributed Data Interface (FDDI) interface or a Gigabit Ethernet (GE) interface; the network interface 93 may also be a wireless interface. The network interface 93 is used for data communication with other network devices in the network to which the defense system has access.
For more details of the processor 91 to implement the above functions, reference is made to the previous descriptions of the various method embodiments, which are not repeated here.
Optionally, the defense system further includes a bus 94, and the processor 91 and the memory 92 are generally connected to each other through the bus 94, but may be connected to each other in other manners.
Optionally, the defense system further includes an input/output interface 95, which is configured to connect to an input device and receive input from the user through it. Input devices include, but are not limited to, a keyboard, a touch screen, a microphone, and the like. The input/output interface 95 is also used to connect to an output device and to output information about a process terminated by the processor 91, such as its process identifier (PID) and the name of the program running it. Output devices include, but are not limited to, a display, a printer, and the like.
The defense system provided by the embodiment of the application is used for executing the defense method provided by each method embodiment. The defense system first generates element files and adds the generated element files to the protected folder, so that when all files in the protected folder are sorted according to file names, there is one element file arranged before all original files in the protected folder. The defense system monitors whether the element file is accessed to find the suspicious process and terminates the suspicious process in time, thereby protecting the original file in the protected folder from being encrypted by the suspicious process. When the defense system defends malicious software, a large amount of original files do not need to be copied and distributed for storage, a large amount of storage resources are avoided to be occupied, processing resources consumed for maintaining and managing a plurality of original file copies are saved, and accordingly defense cost is reduced.
Fig. 10 is a schematic structural diagram of a defense apparatus according to an embodiment of the present application. The defense apparatus is used to protect the protected folder from being encrypted or modified by malware. The defense apparatus 100 shown in fig. 10 includes an adding module 101, a monitoring module 102, and a terminating module 103.
An adding module 101, configured to add M element files in a protected folder that includes N original files, so that when all files in the protected folder are sorted according to file names, one element file in the M element files is arranged before the N original files, where M is greater than or equal to 1, and N is greater than or equal to 1.
A monitoring module 102, configured to monitor whether the M element files are accessed.
A termination module 103 for terminating a process accessing the element file if an element file of the M element files is accessed, the process being considered to be associated with malware.
Optionally, when the adding module 101 generates an element file, the file name of the element file is determined according to the file name of at least one original file in the N original files.
Optionally, the monitoring module 102 monitors the accessed status of the element file through a hook mechanism. Specifically, monitoring a predetermined API in the defense system in a hook mode; if the preset API is called through monitoring in a hook mode, obtaining parameters when the preset API is called; and if the parameter comprises the file name of the element file in the at least one element file, determining that the element file in the M element files is accessed.
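What the monitoring and terminating modules do once the hook fires can be shown as a small policy engine. The Python below is an added example, not the patent's code: it models the parameters a hook on the predetermined API would capture (the API name "FindFirstFileW" and all paths, process names and timestamps are constructed), checks whether the call's file-name argument names a decoy or is a listing pattern that covers one, applies the access-parameter range of claim 11 (whitelisted process names and program paths, and a time window), and calls a termination callback for anything outside that range. Installing the hook itself, whether by detouring the API in every process or by a file-system filter driver, is platform-specific and not shown. The range check is what keeps indexing services, backup agents and anti-virus scanners, all of which enumerate the folder and therefore touch the decoys, from being killed; the PID and program path recorded for each termination are the output described for the input/output interface above.

```python
"""Decoy-access monitoring with an access-parameter range, as the hook
callback would see it. Added example, not the patent's own code; the API
name, paths, process names and timestamps are constructed."""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Callable, Dict, List, Optional, Set, Tuple


def _norm(path: str) -> str:
    """Case-fold and use one separator so Windows paths compare reliably."""
    return path.replace("\\", "/").lower()


@dataclass(frozen=True)
class ApiCall:
    """Parameters captured when the hooked API is called."""
    api: str            # hooked function, e.g. "FindFirstFileW" (assumed name)
    pid: int
    process_name: str   # calling process
    program_path: str   # program that started the process
    when: datetime
    path: str           # file-name argument; listing APIs pass a wildcard pattern


@dataclass
class AccessRange:
    """Claim 11's 'set access parameter range': a decoy access inside it is
    tolerated, anything outside it is treated as malware."""
    process_names: Set[str] = field(default_factory=set)
    program_paths: Set[str] = field(default_factory=set)
    window: Optional[Tuple[time, time]] = None   # e.g. the nightly backup window

    def contains(self, call: ApiCall) -> bool:
        if call.process_name.lower() in {n.lower() for n in self.process_names}:
            return True
        if _norm(call.program_path) in {_norm(p) for p in self.program_paths}:
            return True
        return self.window is not None and self.window[0] <= call.when.time() <= self.window[1]


class DecoyMonitor:
    def __init__(self, folder: str, decoys: List[str], allowed: AccessRange,
                 terminate: Callable[[int], None]) -> None:
        self.decoys = {_norm(folder.rstrip("\\/") + "/" + d) for d in decoys}
        self.allowed = allowed
        self.terminate = terminate            # TerminateProcess / os.kill in a real deployment
        self.killed: Dict[int, str] = {}      # pid -> program path, reported to the operator

    def names_decoy(self, path: str) -> bool:
        p = _norm(path)
        if p in self.decoys:
            return True
        # The patent hooks "an API for obtaining a list of filenames"; such an
        # API receives a pattern like "<folder>\*", which covers the decoys.
        return any(ch in p for ch in "*?") and any(fnmatch.fnmatchcase(d, p) for d in self.decoys)

    def on_api_call(self, call: ApiCall) -> str:
        """Hook callback; returns "ignored", "allowed" or "terminated"."""
        if not self.names_decoy(call.path):
            return "ignored"
        if self.allowed.contains(call):
            return "allowed"
        if call.pid not in self.killed:       # terminate once, even if calls keep arriving
            self.terminate(call.pid)
            self.killed[call.pid] = call.program_path
        return "terminated"


def demo() -> Tuple[List[str], Dict[int, str]]:
    """Run constructed calls through the monitor; returns (verdicts, killed)."""
    monitor = DecoyMonitor(
        r"C:\protected", ["0.pdf", "9.txt", "a !.ppt", "z.ppt"],
        AccessRange(process_names={"explorer.exe"}, window=(time(1, 0), time(3, 0))),
        terminate=lambda pid: None,
    )
    t = datetime(2020, 10, 15, 14, 30)
    mal = r"C:\Users\u\AppData\Local\Temp\update.exe"
    calls = [
        ApiCall("FindFirstFileW", 1204, "explorer.exe", r"C:\Windows\explorer.exe", t, r"C:\protected\*"),
        ApiCall("CreateFileW", 2210, "winword.exe", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                t, r"C:\protected\a network introduction.ppt"),
        ApiCall("FindFirstFileW", 3377, "update.exe", mal, t, r"C:\protected\*"),
        ApiCall("CreateFileW", 3377, "update.exe", mal, t, r"C:\protected\0.pdf"),
        ApiCall("FindFirstFileW", 4102, "backup.exe", r"C:\Backup\backup.exe",
                datetime(2020, 10, 16, 2, 0), r"C:\protected\*"),
    ]
    return [monitor.on_api_call(c) for c in calls], dict(monitor.killed)


if __name__ == "__main__":
    verdicts, killed = demo()
    for v in verdicts:
        print(v)
    for pid, prog in killed.items():
        print(f"terminated pid {pid}: {prog}")
```

The listing by "explorer.exe" and the backup run inside the 01:00 to 03:00 window touch the decoys but stay inside the range, the document opened by "winword.exe" is not a decoy at all, and only the unknown program enumerating the folder from a temporary directory is terminated, once, even though it keeps calling the hooked API.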
The apparatus embodiment depicted in fig. 10 is merely illustrative; for example, the division into modules is only a logical division, and in an actual implementation there may be other divisions: multiple modules or components may be combined or integrated into another system, or some features may be omitted or not implemented. The functional modules in the embodiments of the present application may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module. The above modules in fig. 10 may be implemented in the form of hardware or in the form of software functional units. For example, when implemented in software, the adding module 101, the monitoring module 102, and the terminating module 103 are software functional modules generated by the at least one processor 91 of fig. 9 after reading the program code stored in the memory 92. The above modules in fig. 10 may also be implemented by different hardware in the defense system; for example, the adding module 101 and the monitoring module 102 are implemented by a part of the processing resources (e.g., one core of a multi-core processor) in the at least one processor 91 of fig. 9, and the terminating module 103 is implemented by the remaining processing resources (e.g., the other cores of the multi-core processor) in the at least one processor 91 of fig. 9, or by a programmable device such as a Field-Programmable Gate Array (FPGA) or a coprocessor. Obviously, the above functional modules may also be implemented by a combination of software and hardware; for example, the adding module 101 and the monitoring module 102 are implemented by a hardware programmable device, and the terminating module 103 is a software functional module generated by the CPU after reading program code stored in the memory.
For more details on how the adding module 101, the monitoring module 102, the terminating module 103 and the units within these modules in fig. 10 implement the above functions, refer to the description of the previous method embodiments, which is not repeated here.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
In the above embodiments, the method of defending against malware may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product, for example, a piece of malware defense software. When any one of the smart phones 101 and 103, the projector 104, the printer 105, and the smart car 102 in fig. 1, or any one of the host 201, the virtual machine 202, the video phone terminal 203, the smart camera 204, the cabinet type collection station 205, the switch 206, the firewall device 207, and the gateway 208 in fig. 2 is installed with the malware defense software, the system becomes a defense system.
The computer program product includes one or more computer instructions. The procedures or functions described in connection with the embodiments of the invention may be embodied in whole or in part by loading and executing the computer program instructions on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wire (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing; for example, the computer readable storage medium is a RAM, a ROM, an EPROM, or a portable compact disc read-only memory (CD-ROM).
It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the scope of the invention. Thus, to the extent that such modifications and variations of the present application fall within the scope of the claims, it is intended that the present invention encompass such modifications and variations as well.

Claims (26)

1. A method of defending against malware, performed by a defense system, the method comprising:
adding M element files in a protected folder comprising N original files, so that when all files in the protected folder are sorted according to file names, one element file in the M element files is arranged in front of the N original files, M is more than or equal to 1, and N is more than or equal to 1;
monitoring whether the M element files are accessed;
if an element file of the M element files is accessed, the process accessing the element file is terminated, the process being deemed to be associated with malware.
2. The defense method in accordance with claim 1, wherein the file name of each of the M element files is determined in accordance with the file name of at least one of the N original files.
3. The defense method of claim 2, wherein the element file that is ranked before the N original files is generated from a reference original file that is ranked first among the N original files based on a default file name ordering of the defense system.
4. The method of claim 2, further comprising:
determining a target original file belonging to a target category in the N original files;
acquiring a first original file from the target original file, wherein the file name of the first original file is arranged in the first file name of the target original file based on a default file name sorting mode of the defense system;
and generating a first element file, wherein the first element file belongs to the target category, and the file name of the first element file is arranged before the file name of the first original file based on the default file name sorting mode.
5. The method of claim 4, further comprising:
acquiring a second original file from the target original file, wherein the file name of the second original file is sorted to be the last in the file names of the target original files based on the default file name sorting mode;
and generating a second element file, wherein the second element file belongs to the target category, and the file name of the second element file is arranged behind the file name of the second original file based on the default file name sorting mode.
6. The method according to claim 4 or 5, characterized in that the target category comprises files whose first character of the file name is a symbol, or files whose first character of the file name is a number, or files whose first character of the file name is a letter.
7. The method according to any one of claims 4 to 6, wherein the default file name ordering manner is an ascending order of the corresponding numerical values of the first characters of the file names of the same category in the ASCII table.
8. The method according to any one of claims 4 to 6, wherein the default file name ordering manner is a descending order of the corresponding numerical values of the first characters of the file names of the same category in the ASCII table.
9. The method according to any one of claims 1 to 8, further comprising:
monitoring a preset Application Programming Interface (API) in the defense system in a hook mode;
the monitoring whether the M element files are accessed comprises:
if the preset API is called through monitoring in a hook mode, obtaining parameters when the preset API is called;
and if the parameter comprises the file name of the element file in the at least one element file, determining that the element file is accessed.
10. The method of claim 9, wherein the predetermined API comprises:
an API for obtaining a list of filenames.
11. The method of any one of claims 1-10, wherein the terminating the process comprises:
acquiring access parameters of the process, wherein the access parameters comprise a process name, a program name for generating the process, access time or a file name of an accessed element file;
and comparing the access parameter of the process with a set access parameter range, and if the access parameter of the process does not belong to the access parameter range, terminating the process.
12. A malware defense system comprising a memory and at least one processor,
the memory is for storing program instructions that,
the at least one processor, upon reading program instructions stored in the memory, causes the defense system to:
adding M element files in a protected folder comprising N original files, so that when all files in the protected folder are sorted according to file names, one element file in the M element files is arranged in front of the N original files, M is more than or equal to 1, and N is more than or equal to 1;
monitoring whether the M element files are accessed;
if an element file of the M element files is accessed, the process accessing the element file is terminated, the process being deemed to be associated with malware.
13. The defense system of claim 12, wherein the file name of each of the M element files is determined from the file name of at least one of the N original files.
14. The defense system of claim 13, wherein the element file that is ranked before the N original files is generated from a reference original file that is ranked first among the N original files based on a default file name ordering of the defense system.
15. The defence system of claim 13 wherein the program instructions, when read by the at least one processor, further cause the defence system to:
determining a target original file belonging to a target category in the N original files;
acquiring a first original file from the target original file, wherein the file name of the first original file is arranged in the first file name of the target original file based on a default file name sorting mode of the defense system;
and generating a first element file, wherein the first element file belongs to the target category, and the file name of the first element file is arranged before the file name of the first original file based on the default file name sorting mode.
16. The defence system of claim 15 wherein the program instructions, when read by the at least one processor, further cause the defence system to:
acquiring a second original file from the target original file, wherein the file name of the second original file is sorted to be the last in the file names of the target original files based on the default file name sorting mode;
and generating a second element file, wherein the second element file belongs to the target category, and the file name of the second element file is arranged behind the file name of the second original file based on the default file name sorting mode.
17. The defence system of claim 15 or 16 wherein the target categories include files with the first character of the file name being a symbol, or files with the first character of the file name being a number, or files with the first character of the file name being a letter.
18. The defense system according to any one of claims 15 to 17, wherein the default file name ordering is an ascending order of the corresponding numerical values of the first characters of the file names of the same category in the ASCII table.
19. The defense system according to any one of claims 15 to 17, wherein the default file name ordering is a descending order of the corresponding numerical values of the first characters of the file names of the same category in the ASCII table.
20. The defence system of any one of claims 12 to 19 wherein the program instructions, when read by the at least one processor, further cause the defence system to:
monitoring a predetermined API in the defense system in a hook mode;
if the preset API is called through monitoring in a hook mode, obtaining parameters when the preset API is called;
and if the parameter comprises the file name of the element file in the at least one element file, determining that the element file in the M element files is accessed.
21. The defense system of claim 20, wherein the predetermined API comprises:
an API for obtaining a list of filenames.
22. The defence system of any one of claims 12 to 21 wherein the program instructions, when read by the at least one processor, further cause the defence system to:
acquiring an access parameter of the process;
and comparing the access parameter of the process with a set access parameter range, and if the access parameter of the process does not belong to the access parameter range, terminating the process.
23. A malware protection device, comprising:
an adding module, configured to add M element files in a protected folder including N original files, so that when all files in the protected folder are sorted according to file names, one element file in the M element files is arranged before the N original files, M is greater than or equal to 1, and N is greater than or equal to 1;
the monitoring module is used for monitoring whether the M element files are accessed;
a termination module to terminate a process accessing the element file if an element file of the M element files is accessed, the process being deemed to be associated with malware.
24. The defence apparatus of claim 23 wherein the file name of each of the M element files is determined from the file name of at least one of the N original files.
25. The defence device of claim 23 wherein,
the monitoring module is used for monitoring a preset Application Programming Interface (API) in the defense device in a hook mode;
if the preset API is called through monitoring in a hook mode, obtaining parameters when the preset API is called;
and if the parameter comprises the file name of the element file in the at least one element file, determining that the element file is accessed.
26. A computer program product comprising one or more computer program instructions which, when loaded and executed by a computer, cause the computer to perform the method of malware defense of any one of claims 1 to 11.
CN202011104675.2A 2020-08-10 2020-10-15 Malicious software defense method, device and system Pending CN114077735A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/136435 WO2022032950A1 (en) 2020-08-10 2020-12-15 Defense method, defense apparatus and defense system for malicious software

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2020107928083 2020-08-10
CN202010792808 2020-08-10

Publications (1)

Publication Number Publication Date
CN114077735A true CN114077735A (en) 2022-02-22

Family

ID=80282798

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011104675.2A Pending CN114077735A (en) 2020-08-10 2020-10-15 Malicious software defense method, device and system

Country Status (1)

Country Link
CN (1) CN114077735A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102314561A (en) * 2010-07-01 2012-01-11 电子科技大学 Automatic analysis method and system of malicious codes based on API (application program interface) HOOK
CN106096397A (en) * 2016-05-26 2016-11-09 倪茂志 A kind of prevention method extorting software and system
CN107169359A (en) * 2017-06-06 2017-09-15 北京奇虎科技有限公司 Utilize the document means of defence and device, electronic equipment for triggering file realization
US20170308711A1 (en) * 2016-04-21 2017-10-26 Cyber Secdo Ltd. System and methods thereof for preventing ransomware from encrypting data elements stored in a memory of a computer-based system
CN107330322A (en) * 2017-06-06 2017-11-07 北京奇虎科技有限公司 File safety protection method, device and equipment
CN111475806A (en) * 2020-03-08 2020-07-31 苏州浪潮智能科技有限公司 Method for detecting and defending Lesso software based on access authority


Similar Documents

Publication Publication Date Title
US10320818B2 (en) Systems and methods for detecting malicious computing events
US10614233B2 (en) Managing access to documents with a file monitor
US8806641B1 (en) Systems and methods for detecting malware variants
US10075457B2 (en) Sandboxing protection for endpoints
US10430586B1 (en) Methods of identifying heap spray attacks using memory anomaly detection
US10079835B1 (en) Systems and methods for data loss prevention of unidentifiable and unsupported object types
WO2015096695A1 (en) Installation control method, system and device for application program
EP3756121B1 (en) Anti-ransomware systems and methods using a sinkhole at an electronic device
US9621590B1 (en) Systems and methods for applying data-loss-prevention policies
US10735468B1 (en) Systems and methods for evaluating security services
US9332025B1 (en) Systems and methods for detecting suspicious files
US9984228B2 (en) Password re-usage identification based on input method editor analysis
CN110612731A (en) System and method for enforcing data loss prevention policies
US9483643B1 (en) Systems and methods for creating behavioral signatures used to detect malware
CN114969840A (en) Data leakage prevention method and device
US9646157B1 (en) Systems and methods for identifying repackaged files
US10819748B2 (en) Systems and methods for enforcing data loss prevention policies on endpoint devices
EP3574428B1 (en) Safe data access through any data channel
US10043013B1 (en) Systems and methods for detecting gadgets on computing devices
US9146704B1 (en) Document fingerprinting for mobile phones
US10114944B1 (en) Systems and methods for classifying permissions on mobile devices
CN105791221B (en) Rule issuing method and device
CN114077735A (en) Malicious software defense method, device and system
WO2022032950A1 (en) Defense method, defense apparatus and defense system for malicious software
CN109756539A (en) A kind of screenshotss control method and relevant device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220222