CN115587360A - Ransomware identification method and device, electronic equipment and storage medium - Google Patents

Info

Publication number: CN115587360A
Application number: CN202211219761.7A
Authority: CN (China)
Prior art keywords: file, accessed, owner, characteristic information, legal
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 马洪祥
Current Assignee: Zhuhai Baoqu Technology Co Ltd
Original Assignee: Zhuhai Baoqu Technology Co Ltd
Application filed by Zhuhai Baoqu Technology Co Ltd
Priority to CN202211219761.7A
Publication of CN115587360A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/561 Virus type analysis
    • G06F21/562 Static detection
    • G06F21/565 Static detection by checking file integrity


Abstract

The embodiments of the invention disclose a ransomware identification method and apparatus, an electronic device and a storage medium. The method comprises: monitoring accesses by processes to files that have a registered owner; if an access is detected, judging whether the accessing process is the owner of the accessed file; if not, backing up the accessed file and identifying ransomware from the process's access behaviour toward the accessed file. The technical scheme of the embodiments is suited to identifying ransomware that extorts payment by encrypting files on a terminal, and improves the security of the terminal.

Description

Ransomware identification method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of computer security, and in particular to a ransomware identification method and apparatus, an electronic device, and a storage medium.
Background
A computer virus is a man-made program that is destructive, infectious and latent and that damages computer information or systems; it is widely regarded as the foremost threat to data security. Once a virus has entered a system it affects the system and its applications to varying degrees, lowering the computer's efficiency, consuming system resources, and potentially causing data loss or system crashes.
Ransomware is a newer class of computer virus, spread mainly through e-mail, trojanized programs and web-page trojans. It is malicious and extremely damaging: once a machine is infected, the user suffers incalculable loss. Ransomware encrypts the user's files with one or more encryption algorithms and then displays a prompt demanding that the infected user pay in cryptocurrency. The user generally cannot decrypt the files and can only obtain the private key needed for decryption by paying in cryptocurrency; otherwise the files can no longer be read or used normally.
Disclosure of Invention
In view of this, embodiments of the present invention provide a ransomware identification method and apparatus, an electronic device and a storage medium, so as to improve the security of a terminal.
In a first aspect, an embodiment of the present invention provides a ransomware identification method, the method comprising:
monitoring accesses by processes to files that have a registered owner;
if an access is detected, judging whether the accessing process is the owner of the accessed file;
if not, backing up the accessed file, and identifying ransomware from the process's access behaviour toward the accessed file.
Further, judging whether the process is the owner of the accessed file comprises:
looking up the accessing process as owner of the accessed file in a file ownership database, the file ownership database recording the correspondence between a plurality of file identifiers and file owner identifiers;
if the lookup succeeds, judging that the process is the owner of the accessed file.
Further, identifying ransomware from the process's access behaviour toward the accessed file comprises:
if the feature information of the accessed file is damaged, or the number of times the process has accessed files with a registered owner reaches a preset illegal-access threshold, determining that ransomware is present.
Further, determining that the feature information of the accessed file is damaged comprises:
looking up the legitimate feature information of the accessed file in a file feature database, the file feature database recording the correspondence between a plurality of file identifiers and legitimate file feature information;
matching the legitimate feature information found with the current feature information of the accessed file to determine whether the feature information of the accessed file is damaged.
Further, the method further comprises:
scanning local files and determining the owner of each local file by querying a cloud;
establishing a terminal file attribute database, which comprises the file feature database and the file ownership database and records the correspondence between a plurality of local file identifiers, file owner identifiers and legitimate file feature information.
Further, scanning local files and determining the owner of each local file by querying the cloud comprises:
scanning local files of a designated format type, and obtaining the legitimate feature information of files of that format type;
querying the cloud for the file owner corresponding to the legitimate feature information of that format type, and taking it as the owner of the local file.
Furthermore, the legitimate feature information of the designated format type is taken as the legitimate feature information of the scanned file.
Further, the method further comprises:
after detecting that a new file of a designated format type has been created locally, taking the creator as the owner of the new file and updating the terminal file attribute database;
reporting the legitimate feature information of the new file and the owner identifier of the new file to the cloud.
Further, the method further comprises:
when the owner of a local file cannot be determined by querying the cloud, obtaining the number of accesses to the local file by a target process that accesses it;
determining the owner of the local file from the result.
Further, the feature information comprises the file format and signature information; the signature information comprises a file offset, a signature length and the signature.
In a second aspect, an embodiment of the present invention provides a ransomware identification apparatus, the apparatus comprising:
an access monitoring unit, configured to monitor accesses by processes to files that have a registered owner;
an ownership judging unit, configured to judge, when the access monitoring unit detects an access, whether the accessing process is the owner of the accessed file;
a virus identification unit, configured to back up the accessed file if the process is not the owner of the accessed file, and to identify ransomware from the process's access behaviour toward the accessed file.
Further, the ownership judging unit judging whether the process is the owner of the accessed file comprises:
looking up the accessing process as owner of the accessed file in a file ownership database, the file ownership database recording the correspondence between a plurality of file identifiers and file owner identifiers;
if the lookup succeeds, judging that the process is the owner of the accessed file.
Further, the virus identification unit identifying ransomware from the process's access behaviour toward the accessed file comprises:
if the feature information of the accessed file is damaged, or the number of times the process has accessed files with a registered owner reaches a preset illegal-access threshold, determining that ransomware is present.
Further, the virus identification unit determining that the feature information of the accessed file is damaged comprises:
looking up the legitimate feature information of the accessed file in a file feature database, the file feature database recording the correspondence between a plurality of file identifiers and legitimate file feature information;
matching the legitimate feature information found with the current feature information of the accessed file to determine whether the feature information of the accessed file is damaged.
Further, the apparatus further comprises:
a cloud query unit, configured to scan local files and determine the owner of each local file by querying a cloud;
a terminal database maintenance unit, configured to establish a terminal file attribute database, which comprises the file feature database and the file ownership database and records the correspondence between a plurality of local file identifiers, file owner identifiers and legitimate file feature information.
Further, the cloud query unit scanning local files and determining the owner of each local file by querying the cloud comprises:
scanning local files of a designated format type, and obtaining the legitimate feature information of files of that format type;
querying the cloud for the file owner corresponding to the legitimate feature information of that format type, and taking it as the owner of the local file.
Furthermore, the cloud query unit is further configured to take the legitimate feature information of the designated format type as the legitimate feature information of the scanned file.
Further, the terminal database maintenance unit is further configured to:
after detecting that a new file of a designated format type has been created locally, take the creator as the owner of the new file and update the terminal file attribute database;
report the legitimate feature information of the new file and the owner identifier of the new file to the cloud.
Further, the ownership judging unit is further configured to:
when the owner of a local file cannot be determined by querying the cloud, obtain the number of accesses to the local file by a target process that has accessed it;
determine the owner of the local file from the result.
Further, the feature information comprises the file format and signature information; the signature information comprises a file offset, a signature length and the signature.
In a third aspect, an embodiment of the present invention provides an electronic device comprising a housing, a processor, a memory, a circuit board and a power supply circuit. The circuit board is arranged in the space enclosed by the housing, and the processor and the memory are mounted on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor reads the executable program code from the memory and runs the corresponding program so as to perform the ransomware identification method of the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium storing one or more programs that are executable by one or more processors to implement the ransomware identification method of the first aspect.
According to the technical scheme of the embodiments, accesses by every process on the terminal to files with a registered owner are monitored in real time; when the accessing process is not the owner of the accessed file, the file is backed up promptly and the presence of ransomware is further determined from the process's access behaviour. Encryption of files by ransomware can thus be discovered in time and the encrypted files recovered, which substantially improves the security of the terminal.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the prior art descriptions will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of a ransomware identification method according to a first embodiment of the present invention;
fig. 2 is a flowchart of a ransomware identification method according to a second embodiment of the present invention;
fig. 3 is a flowchart of a ransomware identification method according to a third embodiment of the present invention;
fig. 4 is a schematic structural diagram of a ransomware identification apparatus according to a fourth embodiment of the present invention;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example one
This embodiment provides a ransomware identification method which can be executed by a corresponding ransomware identification apparatus and is applied to a terminal. Referring to Fig. 1, the method comprises the following steps 101-103.
Step 101: monitor accesses by processes to files that have a registered owner.
For example, the processes running on the terminal may be monitored in real time and analysed for accesses to files that have a registered owner. A terminal stores a large number of files of many kinds; some of them have a definite owner, and only the owner holds legitimate modification rights (writing, deleting, renaming and so on) over them. In general the application corresponding to the process that created a file (the file creator) is the owner of the file; other applications whose processes hold legitimate modification rights may also be owners. In practice the owner of a file may be determined in advance by manual labelling or by an algorithm and stored locally on the terminal or in the cloud, and whether a file accessed by a process has a registered owner is then judged from that stored information.
Typically a file with a registered owner is a file of a designated format type, where the designated format types include at least one of: WPS, Word, Excel, PPT, Office, JPG, PNG and BMP. Correspondingly, whenever a process on the terminal is observed to access a file of a designated format type, that process is accessing a file with a registered owner.
Step 102: if an access is detected, judge whether the process is the owner of the accessed file. If not, go to step 103; if so, end the flow.
In this step a file ownership database may be created in advance, locally on the terminal or in the cloud, to describe the ownership of a plurality of files by recording the correspondence between file identifiers and file owner identifiers. A file identifier is a string that uniquely identifies a file on the terminal, typically the file's full path. The owner identifier corresponding to a file identifier may be the application identifier of the process that holds legitimate modification rights, used directly, or a hashed form of it (for example the MD5 value of the application identifier). The terminal looks up the accessing process as owner of the accessed file in the file ownership database: if the lookup succeeds, the accessing process is judged to be the owner of the accessed file; otherwise it is judged not to be.
Step 103: back up the accessed file, and identify ransomware from the process's access behaviour toward the accessed file.
In this step, if the access causes the feature information of the accessed file to be damaged, or if the number of times the process has accessed files with a registered owner reaches a preset illegal-access threshold, ransomware is determined to be present: for example, the process that accessed the file has been infected by ransomware, or the process itself was created by ransomware. The number of times the process has accessed files with a registered owner means the number of such accesses it has made previously; the files counted may be only the file accessed this time, or may also include files of other owners that the process has accessed. Illustratively, determining that the feature information of the accessed file is damaged comprises:
looking up the legitimate feature information of the accessed file in a file feature database;
matching the legitimate feature information found with the current feature information of the accessed file to determine whether the feature information of the accessed file is damaged.
The file feature database records the correspondence between a plurality of file identifiers and legitimate file feature information. Legitimate feature information is information that describes the file and has not been modified by anyone other than the owner; normally it does not change when the owner modifies the file content, and it is generated by a method specified in advance by a technician or by an existing file-feature algorithm. For example, when the files with a registered owner are files of designated format types, the file feature information may be the signature of the format type, and every file of the same designated format type shares the same legitimate feature information: for instance, the legitimate feature information of every PNG image file is {0x89, 0x50, 0x4e, 0x47}.
If the process is judged not to be the owner of the accessed file, the actual feature information of the accessed file may be sampled periodically while the process is accessing it; as soon as the current feature information fails to match the legitimate feature information found, the feature information is determined to be damaged and ransomware to be present. Alternatively, the current feature information may be obtained after the process has finished accessing the file, and the feature information determined to be damaged, and ransomware present, if the match fails then. Conversely, if the two pieces of feature information match throughout the access and after it has finished, the feature information of the accessed file is not damaged.
In this embodiment the file ownership database and the file feature database may be two independent databases: the former records the correspondence between file identifiers and file owners and is used to determine a file's owner; the latter records the correspondence between file identifiers and legitimate file feature information and is used to determine a file's legitimate feature information. Preferably the two are merged into a single database, the terminal file attribute database, which records the correspondence between file identifiers, file owners and legitimate file feature information.
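The flow of steps 101-103 (ownership lookup, backup, signature comparison and the illegal-access threshold) as an added Python example written for this page; it is not the patentee's implementation. The process names, the threshold value, the backup location and the sample PNG are constructed for the demonstration; only the PNG signature comes from the text, while the JPG and BMP magic numbers are standard values assumed here. A deployed agent would receive the open and close events from a file-system filter driver; here they are called directly.

```python
# Added example for steps 101-103, not the patentee's code. Process names, the threshold,
# the backup location and the sample file are constructed; the PNG signature is from the text.
import hashlib
import os
import shutil
import tempfile

# Legitimate feature information per designated format type: format -> (offset, length, signature).
LEGAL_FEATURES = {
    "png": (0, 4, bytes([0x89, 0x50, 0x4E, 0x47])),  # from the text
    "jpg": (0, 3, bytes([0xFF, 0xD8, 0xFF])),        # assumed: JPEG SOI marker
    "bmp": (0, 2, b"BM"),                            # assumed: BMP header
}


def owner_id(app_id: str) -> str:
    """Owner identifier: the MD5 of the application identifier, one option the text allows."""
    return hashlib.md5(app_id.encode()).hexdigest()


def current_feature(path: str, offset: int, length: int) -> bytes:
    """Current feature information: the bytes actually present at the recorded offset."""
    with open(path, "rb") as f:
        f.seek(offset)
        return f.read(length)


class RansomwareMonitor:
    def __init__(self, backup_dir: str, illegal_threshold: int = 3):
        self.backup_dir, self.illegal_threshold = backup_dir, illegal_threshold
        self.attributes = {}      # full path -> (owner id, format, offset, length, signature)
        self.foreign_access = {}  # app id -> number of accesses to files it does not own
        self.alerts = []          # (app id, path, reason)

    def register(self, path: str, creator_app: str, fmt: str) -> None:
        self.attributes[path] = (owner_id(creator_app), fmt) + LEGAL_FEATURES[fmt]

    def is_owner(self, path: str, app_id: str) -> bool:
        """Step 102: the (file, process) pair is looked up in the ownership records."""
        return self.attributes[path][0] == owner_id(app_id)

    def _backup_path(self, path: str) -> str:
        return os.path.join(self.backup_dir, hashlib.sha256(path.encode()).hexdigest())

    def on_open(self, path: str, app_id: str) -> str:
        """Steps 101-102 plus the backup of step 103: a non-owner's access is counted and the file
        copied aside before it can be altered; a copy that already fails the check is never taken."""
        if path not in self.attributes:
            return "unmonitored"
        if self.is_owner(path, app_id):
            return "owner"
        self.foreign_access[app_id] = self.foreign_access.get(app_id, 0) + 1
        _, _, offset, length, sig = self.attributes[path]
        if current_feature(path, offset, length) != sig:
            return "already_damaged"
        shutil.copy2(path, self._backup_path(path))
        return "backed_up"

    def on_close(self, path: str, app_id: str) -> str:
        """Step 103: after a non-owner access, compare current with legitimate feature
        information, then apply the illegal-access threshold."""
        if path not in self.attributes or self.is_owner(path, app_id):
            return "ignored"
        _, _, offset, length, sig = self.attributes[path]
        if current_feature(path, offset, length) != sig:
            self.alerts.append((app_id, path, "signature damaged"))
            return "ransomware"
        if self.foreign_access.get(app_id, 0) >= self.illegal_threshold:
            self.alerts.append((app_id, path, "illegal-access threshold"))
            return "ransomware"
        return "clean"

    def restore(self, path: str) -> None:
        shutil.copy2(self._backup_path(path), path)


def run_demo() -> dict:
    """Constructed scenario: an image editor owns a PNG; a backup tool reads it; an encryptor overwrites it."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "backup"))
    mon = RansomwareMonitor(os.path.join(root, "backup"), illegal_threshold=3)
    png = os.path.join(root, "photo.png")
    original = LEGAL_FEATURES["png"][2] + b"\r\n\x1a\n" + b"constructed image body"
    with open(png, "wb") as f:
        f.write(original)
    mon.register(png, "image_editor.exe", "png")
    results = {"owner_open": mon.on_open(png, "image_editor.exe"),
               "owner_close": mon.on_close(png, "image_editor.exe")}
    verdicts = []
    for _ in range(3):
        mon.on_open(png, "backup_tool.exe")
        verdicts.append(mon.on_close(png, "backup_tool.exe"))
    results["reader_verdicts"] = verdicts
    mon.on_open(png, "encryptor.exe")
    with open(png, "wb") as f:
        f.write(b"\x00" * 8 + b"ciphertext")  # header destroyed, as in-place encryption would
    results["encryptor_close"] = mon.on_close(png, "encryptor.exe")
    mon.restore(png)
    results["restored"] = current_feature(png, 0, len(original)) == original
    results["alerts"] = [reason for _, _, reason in mon.alerts]
    shutil.rmtree(root)
    return results
```

run_demo() returns the verdicts of the scenario: the owner's own write is ignored, the third read by the non-owner backup tool trips the illegal-access threshold, and the encryptor is caught when the bytes at offset 0 no longer match the PNG signature, after which the copy taken at open time restores the file. Because only the bytes at the recorded offset are compared, an encryptor that leaves the header intact would pass the signature check; the access-count threshold is the second line of defence, and a read-only tool that touches many owned files will trip it unless it is registered as an owner.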
Example two
This embodiment builds on the first and adds steps for establishing and maintaining the correspondence between files, file owners and legitimate file feature information, so that the owner of an accessed file can be judged, and ransomware identified, from that correspondence. Referring to Fig. 2, the ransomware identification method comprises the following steps 201-207.
Step 201: scan local files and determine the owner of each local file by querying the cloud.
Step 202: establish a terminal file attribute database recording the correspondence between a plurality of local file identifiers, file owner identifiers and legitimate file feature information.
In this embodiment the cloud stores in advance the correspondence (the first correspondence) between the file identifiers (or legitimate file feature information) on the managed terminals and owner identifiers; this correspondence is normally verified as correct.
Correspondingly, a correspondence (the second correspondence) between a plurality of file identifiers (or legitimate file feature information) and owner identifiers is also created on the terminal. The second correspondence may be the part of the cloud's correspondence, obtained by the terminal from the cloud, that concerns files on this terminal only. In a specific implementation the terminal scans its local files, determines each file's identifier and legitimate feature information, queries the cloud for the corresponding owner identifier, and writes the following correspondence into the local terminal file attribute database: local file identifier, file owner identifier and legitimate file feature information.
Preferably a file with a registered owner is a file of a designated format type and its legitimate feature information is the signature of that format type. Files of the same designated format type are files of the same kind: their legitimate feature information is the same and their owner is the same; only their file identifiers differ. The cloud therefore need not record a correspondence for every individual file; for each kind of file it records, as the first correspondence, the correspondence between that kind's legitimate feature information and its owner. Correspondingly, step 201 may comprise: scanning local files of a designated format type and obtaining the legitimate feature information of that format type; and querying the cloud for the file owner corresponding to that legitimate feature information, taking it as the owner of the local file. Furthermore, the legitimate feature information of the designated format type may be taken as the legitimate feature information of the scanned file.
In this embodiment, on the basis of the above scheme, the ransomware identification method further comprises: after detecting that a new file of a designated format type has been created locally, taking the creator as the owner of the new file, updating the terminal file attribute database by writing into it the correspondence between the new file's identifier, the new file owner's identifier and the new file's legitimate feature information, and reporting the legitimate feature information of the new file and the owner identifier of the new file to the cloud.
In addition, as a preferred embodiment, if the owner of a local file cannot be determined by querying the cloud in step 201, the number of accesses to that file by a process that accesses it (the target process) is obtained, and the owner of the local file is determined from the result. Illustratively, if the number of accesses reaches a preset legal threshold, the identifier of the application corresponding to the target process is taken as the owner identifier of the local file. In particular, for files of the same designated format type, if it is defined that such files share the same legitimate feature information and the same owner, then in this special case the preferred embodiment may comprise: obtaining the number of times the target process accessed the following target files before the current access: the local file and other local files of the same designated format type; and if that number reaches the preset legal threshold, taking the identifier of the application corresponding to the target process as the owner identifier of the local file.
Step 203: monitor accesses by processes to files that have a registered owner.
Step 204: if an access is detected, look up the terminal file attribute database and judge whether the process is the owner of the accessed file. If not, execute steps 205-206; if so, end this flow and return to step 203.
Step 205: back up the accessed file.
Step 206: look up the terminal file attribute database and judge whether the feature information of the accessed file is damaged. If so, go to step 207; if not, end this flow and return to step 203.
In a specific implementation, the legitimate feature information of the accessed file is looked up in the terminal file attribute database and matched against the current feature information of the accessed file to determine whether the feature information is damaged. If the legitimate feature information found matches the current feature information of the accessed file, the feature information is determined not to be damaged; otherwise, when the match fails, the feature information of the accessed file is determined to be damaged.
Further, to speed up the matching of file feature information, the feature information preferably comprises the file format and signature information, where the signature information comprises the file offset, the signature length and the signature. When two pieces of file feature information are matched, the parameters may be compared one at a time in a fixed order, and as soon as one parameter of the file feature information differs the match is considered to have failed. The order may also be adjusted to suit the actual situation so as to keep matching efficient.
Step 207: determine that ransomware is present.
In addition, as a more preferable implementation, when step 206 finds that the feature information of the accessed file is not damaged, the step "end this flow" may be replaced by the following: judge whether the number of times the process has accessed the accessed file reaches a preset illegal-access threshold; if so, go to step 207; if not, end this flow and return to step 203.
Example three
This embodiment provides a preferred embodiment on the basis of the embodiments above. Referring to Fig. 3, the ransomware identification method comprises the following steps 300-308.
Step 300: the terminal obtains the legitimate feature information of a file of a designated format type together with the MD5 value of the identifier of the application that created the file (the file owner identifier), and uploads this information to the cloud as file ownership information.
In this step there may be several files of designated format types on the terminal; for each of them the legitimate feature information of the file and the MD5 value of the identifier of the application that created it are obtained and uploaded to the cloud as file ownership information. The legitimate file feature information comprises the file format, the file offset, the signature length and the signature.
Preferably, a flag indicating whether the file ownership information has been manually confirmed is uploaded to the cloud at the same time. The cloud assigns higher trust to manually confirmed file ownership information than to information that has not been confirmed. After unconfirmed file ownership information has been uploaded, it may be confirmed manually by an administrator at the cloud or automatically by an analysis program. Thus one record of file ownership information in the cloud corresponds to one designated format type and comprises the following parameters: {file owner identifier, file format, file offset, signature length, signature, manually confirmed or not}.
Step 301: the cloud creates a file ownership database, recording and confirming the file ownership information uploaded by a plurality of terminals.
Step 302: the terminal creates and maintains a terminal file attribute database, recording the correspondence between the full path of each local file, the file owner identifier and the legitimate file feature information.
In a specific implementation, the terminal scans each local file of a designated format type to obtain the legitimate feature information of that format type; queries the cloud for the file owner identifier corresponding to that legitimate feature information; and writes the correspondence between the full path of each file of the designated format type, its file owner identifier and its legitimate feature information into the terminal file attribute database.
Further, after detecting that a file with a new set format type is created locally, the terminal takes the creator as a new file owner, updates the terminal file attribute library, and writes the following information in the library: and the corresponding relation among the full path of the file with the newly set format type, the new file owner identification and the legal characteristic information of the new file. Meanwhile, the terminal also needs to report the legal characteristic information of the new file and the identifier of the right of the new file to the cloud. Subsequently, if the terminal detects that other files with the new set format type are created locally, the file owner identification corresponding to the legal characteristic information of the files with the new set format type can be inquired from the cloud; and establishing a corresponding relation among the other file full paths, the inquired file owner identification and the file legal characteristic information, and writing the corresponding relation into a terminal file attribute library.
Furthermore, if the owner of the local file cannot be determined by querying the cloud, the access times of the target process accessing the following target file to the target file are acquired: the local file and other files with the same set format type; and if the access times reach a preset legal threshold, taking the identifier of the application program corresponding to the target process as the owner identifier of the local file.
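The cloud file ownership database and the terminal file attribution library of steps 300 to 302, together with the access-count fallback for files whose owner the cloud does not know, can be sketched as follows. This is an added Python example and not the patent's own code; the JPEG and PDF signature entries, the legal threshold value, and all paths, file bytes and application images are assumptions made for illustration.

```python
"""Added example, not the patent's code: cloud file ownership database (step 301),
terminal file attribution library (step 302) and the access-count fallback used
when the cloud has no owner for a file. PNG is the patent's example; the JPEG and
PDF entries, the threshold and every path, file and application image are assumed."""
import hashlib
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Set format types -> (file offset, feature code length, feature code).
SIGNATURES = {
    "PNG": (0, 4, b"\x89PNG"),          # 0x89 0x50 0x4E 0x47, from the patent
    "JPEG": (0, 3, b"\xff\xd8\xff"),    # assumed addition
    "PDF": (0, 4, b"%PDF"),             # assumed addition
}


def owner_id(app_image: bytes) -> str:
    """File owner identifier: the MD5 value of the application program."""
    return hashlib.md5(app_image).hexdigest()


def feature_info(fmt: str, data: bytes) -> Optional[tuple]:
    """Legal feature information (format, offset, length, code) of a file of a
    set format type, or None if the bytes do not carry that format's code."""
    offset, length, code = SIGNATURES[fmt]
    if data[offset:offset + length] != code:
        return None
    return (fmt, offset, length, code)


class Cloud:
    """Step 301: file ownership database. One record is
    (owner id, format, offset, length, code, manually confirmed)."""

    def __init__(self) -> None:
        self.records: list = []

    def upload(self, owner: str, feat: tuple, confirmed: bool = False) -> None:
        self.records.append((owner, *feat, confirmed))

    def query_owner(self, feat: tuple) -> Optional[str]:
        """Owner for a feature tuple; manually confirmed records are trusted
        over unconfirmed ones; None when nothing matches."""
        hits = [r for r in self.records if r[1:5] == feat]
        if not hits:
            return None
        hits.sort(key=lambda r: r[5], reverse=True)  # confirmed first
        return hits[0][0]


@dataclass
class TerminalEntry:
    owner: Optional[str]   # file owner identifier, None while unknown
    feature: tuple         # legal feature information


class Terminal:
    """Step 302: terminal file attribution library keyed by full path."""

    def __init__(self, cloud: Cloud, legal_threshold: int = 3) -> None:
        self.cloud = cloud
        self.library: dict = {}                 # full path -> TerminalEntry
        self.legal_threshold = legal_threshold  # preset legal threshold (assumed)
        self.accesses: dict = defaultdict(Counter)  # format -> Counter(process)

    def scan(self, files: dict) -> None:
        """Scan local files {path: (format, bytes)} and fill the library,
        asking the cloud for the owner of each file's feature information."""
        for path, (fmt, data) in files.items():
            feat = feature_info(fmt, data)
            if feat is not None:
                self.library[path] = TerminalEntry(self.cloud.query_owner(feat), feat)

    def on_create(self, path: str, fmt: str, data: bytes, creator_image: bytes) -> Optional[str]:
        """A newly created file: its creator becomes the owner and the
        ownership information is reported to the cloud as unconfirmed."""
        feat = feature_info(fmt, data)
        if feat is None:
            return None
        oid = owner_id(creator_image)
        self.library[path] = TerminalEntry(oid, feat)
        self.cloud.upload(oid, feat, confirmed=False)
        return oid

    def on_access_unowned(self, path: str, process_image: bytes) -> Optional[str]:
        """Fallback when the cloud knows no owner: count the process's accesses
        to files of this format type; once they reach the legal threshold the
        process's application becomes the owner of those files."""
        entry = self.library[path]
        if entry.owner is not None:
            return entry.owner
        fmt, cand = entry.feature[0], owner_id(process_image)
        self.accesses[fmt][cand] += 1
        if self.accesses[fmt][cand] < self.legal_threshold:
            return None
        for e in self.library.values():
            if e.feature[0] == fmt and e.owner is None:
                e.owner = cand
        return cand
```

The cloud lookup is keyed on the whole feature tuple rather than on the format name alone, so two formats that happen to share a name but differ in offset or code cannot be confused; the confirmed-first ordering is what gives manually confirmed records their higher credibility.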
Step 303, the terminal monitors process access to files that have an owner.
Step 304, the terminal looks up the terminal file attribution library and judges whether the process is the owner of the accessed file. If not, steps 305 and 306 are executed; if so, the flow ends.
Step 305, the terminal backs up the accessed file.
Step 306, the terminal looks up the terminal file attribution library and judges whether the feature information of the accessed file has been damaged. If so, step 308 is executed; if not, step 307.
Step 307, the terminal judges whether the number of times the process has accessed the accessed file reaches the preset illegal threshold. If so, step 308 is executed; if not, the flow ends.
Step 308, the terminal determines that ransomware is present.
The technical solution provided by this embodiment is described in detail with a specific example.
First step: the terminal inspects a PNG type file with a hexadecimal tool and finds that the file begins with 0x89 0x50 0x4E 0x47; it then uses an MD5 tool to obtain the MD5 value of the application program that legitimately has permission to modify PNG type files, and uploads the following file ownership information to the cloud:
{file owner, file format, {file offset, feature code length, feature code}, manually confirmed or not} = {MD5, PNG, {0, 4, {0x89, 0x50, 0x4E, 0x47}}, 0}, where for the manually-confirmed flag 0 indicates no and 1 indicates yes.
Second step: the terminal scans the local PNG type files, queries the cloud for the owner of PNG type files, and writes into the terminal file attribution library {full path of the PNG type file, MD5, PNG, {0, 4, {0x89, 0x50, 0x4E, 0x47}}, 1}, and likewise for the other PNG type files.
If there is currently no PNG type file on the terminal, then when an application program subsequently creates a first PNG type file a, the terminal writes {full path of PNG type file a, MD5, PNG, {0, 4, {0x89, 0x50, 0x4E, 0x47}}, 0} into the terminal file attribution library and uploads the file ownership information {MD5, PNG, {0, 4, {0x89, 0x50, 0x4E, 0x47}}, 0} to the cloud.
Third step: when a process that is not the owner of PNG type files modifies a PNG type file, the file is backed up immediately. If, after the process has modified the file, the file header is no longer 0x89 0x50 0x4E 0x47, the file has been damaged; the user is asked how to proceed, and if the user takes no action, the damaging behaviour is blocked from continuing and the damaged file is recovered from the backup.
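The decision flow of steps 303 to 308 above, including the parameter-by-parameter feature match described for step 206 and the backup and recovery of the third step, as an added Python example that is not part of the patent. The library contents, the process identities, the file bytes and the illegal threshold of three accesses are constructed for illustration; an owner identifier is the MD5 of the owning application, as in the patent.

```python
"""Added example, not the patent's code: the access-monitoring decision flow of
steps 303 to 308 and the ordered feature match of step 206, run over a constructed
terminal file attribution library. Library contents, process identities, file
bytes and the illegal threshold value are assumed."""
import hashlib
from collections import Counter
from typing import Optional, Tuple

ILLEGAL_THRESHOLD = 3  # preset illegal threshold (value assumed)

# Legal feature information of PNG files from the patent's example:
# (format, file offset, feature code length, feature code 0x89 0x50 0x4E 0x47).
PNG_FEATURE = ("PNG", 0, 4, b"\x89\x50\x4e\x47")

# Owner identifier = MD5 of the owning application program (constructed image).
EDITOR_ID = hashlib.md5(b"constructed-photo-editor").hexdigest()

# Constructed terminal library: full path -> (owner id, legal feature information).
LIBRARY = {
    "C:/Users/u/Pictures/a.png": (EDITOR_ID, PNG_FEATURE),
    "C:/Users/u/Pictures/b.png": (EDITOR_ID, PNG_FEATURE),
}


def feature_matches(legal: tuple, data: bytes) -> Tuple[bool, Optional[str]]:
    """Step 206: derive the current feature information from the file bytes and
    compare it with the legal one parameter by parameter in a fixed order;
    the first differing parameter fails the match and is named."""
    fmt, offset, length, _ = legal
    current = (fmt, offset, length, data[offset:offset + length])
    for name, want, got in zip(("format", "offset", "length", "code"), legal, current):
        if want != got:
            return False, name
    return True, None


class Monitor:
    def __init__(self, library: dict, illegal_threshold: int = ILLEGAL_THRESHOLD) -> None:
        self.library = library
        self.backups: dict = {}     # step 305: path -> content before the access
        self.accesses = Counter()   # step 307: non-owner accesses per process
        self.threshold = illegal_threshold

    def on_access(self, process_id: str, path: str, before: bytes, after: bytes) -> str:
        """One monitored write to an owned file. `before` is the content when the
        access starts, `after` the content the process leaves behind."""
        owner, legal = self.library[path]
        if process_id == owner:                 # step 304: the owner, flow ends
            return "owner"
        self.backups.setdefault(path, before)   # step 305: keep the earliest copy
        ok, damaged = feature_matches(legal, after)
        if not ok:                              # step 306 -> step 308
            return f"ransomware: feature {damaged} damaged"
        self.accesses[process_id] += 1          # step 307 (counted per process, as in claim 3)
        if self.accesses[process_id] >= self.threshold:
            return "ransomware: illegal threshold reached"
        return "benign"

    def restore(self, path: str) -> Optional[bytes]:
        """Recover a damaged file from the backup taken at step 305."""
        return self.backups.get(path)
```

Because the backup is taken before the feature check, a file whose header has already been overwritten by an encrypting process is still recoverable from the copy made at step 305; the access counter only matters for non-owner processes that leave the header intact.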
Example four
This embodiment provides a ransomware identification device, which can be implemented in software and integrated on a terminal. The terminal can be an electronic device such as a desktop computer, a notebook computer or a smart phone. Referring to fig. 4, the device includes:
an access monitoring unit 401, configured to monitor process access to files that have an owner;
an ownership determining unit 402, configured to judge whether the process is the owner of the accessed file if the access monitoring unit 401 detects that an access occurs;
and a virus identification unit 403, configured to back up the accessed file if the process is not the owner of the accessed file, and to identify ransomware according to the access behaviour of the process towards the accessed file.
In a specific implementation, the ownership determining unit 402 being configured to judge whether the process is the owner of the accessed file may include:
looking up the owner of the accessed file in a file owner library, which records the correspondence between a plurality of file identifiers and file owner identifiers;
if the lookup succeeds, judging that the process is the owner of the accessed file.
Further, the virus identification unit 403 being configured to identify ransomware according to the access behaviour of the process towards the accessed file may include:
determining that ransomware is present if the feature information of the accessed file is damaged or the number of times the process has accessed the accessed file reaches a preset illegal threshold.
The virus identification unit 403 being configured to determine whether the feature information of the accessed file is damaged may include:
looking up the legal feature information of the accessed file in a file feature library, which records the correspondence between a plurality of file identifiers and file legal feature information;
matching the legal feature information found with the current feature information of the accessed file to determine whether the feature information of the accessed file is damaged.
On the basis of the above scheme, the ransomware identification device provided in this embodiment further includes:
a cloud query unit 404, configured to scan local files and determine the owner of a local file by querying the cloud;
a terminal library maintenance unit 405, configured to establish the terminal file attribution library, which comprises a file feature library and a file owner library and records the correspondence between a plurality of local file identifiers, file owner identifiers and file legal feature information.
In a specific implementation, the cloud query unit 404 being configured to scan local files and determine the owner of a local file by querying the cloud may include:
scanning local files of a set format type and obtaining the legal feature information of the files of the set format type;
querying the cloud for the file owner corresponding to the legal feature information of files of the set format type, and taking it as the owner of the local file.
Further, the cloud query unit 404 is further configured to take the obtained legal feature information of the file of the set format type as the legal feature information of the scanned file.
In addition, the terminal library maintenance unit may be further configured to:
after detecting that a new file has been created locally, take the creator as the new file owner and update the terminal file attribution library;
and report the legal feature information of the new file and the new file owner identifier to the cloud.
The ownership determining unit 402 is further configured to:
when the owner of a local file cannot be determined by querying the cloud,
obtain the number of times a target process that has accessed the local file has accessed it;
and determine the owner of the local file according to the acquired number of accesses.
Typically, the feature information includes the file format and feature code information; the feature code information comprises the file offset, the feature code length and the feature code.
The ransomware identification device provided in this embodiment belongs to the same inventive concept as the method embodiments; for technical details not described in the device embodiment, refer to the related description in the method embodiments, which is not repeated here.
Fig. 5 is a schematic structural diagram of an embodiment of an electronic device of the present invention, which may implement the flows of the embodiments shown in fig. 1, fig. 2 and fig. 3. As shown in fig. 5, the electronic device may include a housing 51, a processor 52, a memory 53, a circuit board 54 and a power supply circuit 55, where the circuit board 54 is arranged inside the space enclosed by the housing 51, and the processor 52 and the memory 53 are arranged on the circuit board 54; the power supply circuit 55 supplies power to each circuit or device of the electronic device; the memory 53 stores executable program code; and the processor 52 runs a program corresponding to the executable program code by reading the executable program code stored in the memory 53, so as to perform the ransomware identification method according to any of the foregoing embodiments.
For the specific execution process of the above steps by the processor 52 and the steps further executed by the processor 52 by running the executable program code, reference may be made to the description of the embodiments shown in fig. 1, fig. 2, and fig. 3 of the present invention, which is not described herein again.
The electronic device exists in a variety of forms, including but not limited to:
(1) Mobile communication devices: such devices are characterised by mobile communication capabilities and are primarily aimed at providing voice and data communication. Such terminals include smart phones (e.g. iPhones), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: these belong to the category of personal computers, have computing and processing functions and generally have mobile internet access. Such terminals include PDA, MID and UMPC devices, e.g. iPads.
(3) Portable entertainment devices: such devices can display and play multimedia content. This type includes audio and video players (e.g. iPods), handheld game consoles, e-book readers, smart toys and portable car navigation devices.
(4) Servers: devices that provide computing services, comprising a processor, hard disk, memory, system bus and so on. A server is similar in architecture to a general-purpose computer but, because it must provide highly reliable services, has higher requirements for processing capacity, stability, reliability, security, scalability and manageability.
(5) Other electronic devices having data processing capabilities.
Furthermore, an embodiment of the present invention provides a computer-readable storage medium storing one or more programs, which are executable by one or more processors to implement the ransomware identification method described in the foregoing embodiments.
According to the technical scheme provided by the embodiments of the present invention, when the application program corresponding to a terminal process that accesses an owned file is not the file's owner, the file can be backed up in time to prevent it from being encrypted by suspected ransomware, and whether ransomware is present is then determined from the process's current access behaviour, so that ransomware can be discovered and reported promptly and the risk it brings is reduced.
It is noted that, herein, relational terms such as first and second are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between those entities or actions. Also, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article or apparatus that comprises the element.
The term "and/or" in the embodiments of the present invention describes an association relationship of associated objects, and indicates that three relationships may exist, for example, a and/or B may indicate: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments.
In particular, for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and reference may be made to the partial description of the method embodiment for relevant points.
For convenience of description, the above devices are described by dividing their functions into various units/modules. Of course, the functions of the various units/modules may be implemented in the same software and/or hardware when the invention is implemented.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (11)

1. A ransomware identification method, comprising:
monitoring process access to files that have an owner;
if an access is detected, judging whether the process is the owner of the accessed file;
if not, backing up the accessed file, and identifying ransomware according to the access behaviour of the process towards the accessed file.
2. The method of claim 1, wherein judging whether the process is the owner of the accessed file comprises:
looking up the owner of the accessed file in a file owner library, which records the correspondence between a plurality of file identifiers and file owner identifiers;
if the lookup succeeds, judging that the process is the owner of the accessed file.
3. The method of claim 1 or 2, wherein identifying ransomware according to the access behaviour of the process towards the accessed file comprises:
determining that ransomware is present if the feature information of the accessed file is damaged or the number of times the process accesses owned files reaches a preset illegal threshold.
4. The method of claim 3, wherein determining that the feature information of the accessed file is damaged comprises:
looking up the legal feature information of the accessed file in a file feature library, which records the correspondence between a plurality of file identifiers and file legal feature information;
matching the legal feature information found with the current feature information of the accessed file to determine whether the feature information of the accessed file is damaged.
5. The method of claim 4, further comprising:
scanning local files and determining the owner of a local file by querying a cloud;
establishing a terminal file attribution library, which comprises a file feature library and a file owner library and records the correspondence between a plurality of local file identifiers, file owner identifiers and file legal feature information.
6. The method of claim 5, wherein scanning local files and determining the owner of a local file by querying the cloud comprises:
scanning local files of a set format type and obtaining the legal feature information of the files of the set format type;
querying the cloud for the file owner corresponding to the legal feature information of files of the set format type, and taking it as the owner of the local file.
7. The method of claim 6, wherein the obtained legal feature information of the file of the set format type is taken as the legal feature information of the scanned file.
8. The method of claim 7, further comprising:
after detecting that a file of a new set format type has been created locally, taking the creator as the new file owner and updating the terminal file attribution library;
reporting the legal feature information of the new file and the new file owner identifier to the cloud.
9. The method of claim 5, further comprising:
if the owner of a local file cannot be determined by querying the cloud, obtaining the number of times a target process that has accessed the local file has accessed it;
determining the owner of the local file according to the acquired number of accesses.
10. The method of claim 4, wherein the feature information includes file format and feature code information; the feature code information comprises the file offset, the feature code length and the feature code.
11. A ransomware identification device, comprising:
an access monitoring unit, configured to monitor process access to files that have an owner;
an ownership determining unit, configured to judge whether the process is the owner of the accessed file if the access monitoring unit detects that an access occurs;
and a virus identification unit, configured to back up the accessed file if the process is not the owner of the accessed file, and to identify ransomware according to the access behaviour of the process towards the accessed file.
CN202211219761.7A 2022-09-30 2022-09-30 Ransomware identification method and device, electronic equipment and storage medium Pending CN115587360A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211219761.7A CN115587360A (en) 2022-09-30 2022-09-30 Ransomware identification method and device, electronic equipment and storage medium


Publications (1)

Publication Number Publication Date
CN115587360A true CN115587360A (en) 2023-01-10

Family

ID=84773039


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination