KR101828600B1 - Context-aware ransomware detection - Google Patents

Abstract

According to the present invention, a system protection method includes the steps of: storing logs of proactive actions of a process executed on a system; sensing the process attempting to adjust the target files; determining whether the target file adjustment of the process corresponds to a suspected action at least partially based on the logs of the proactive actions; backing up the target files when the target file adjustment is determined to correspond to a suspected action; determining whether the process corresponds to a malicious code; stopping the execution of the process when the process is determined to correspond to a malicious code; recovering the target files backed up due to the process; and recovering the proactive actions of the process based on the logs of the proactive actions.

Description

Context-aware Ransomware Detection {CONTEXT-AWARE RANSOMWARE DETECTION}

This specification is for context awareness based Ransomware detection.

Among malicious programs, there is a direct aim of damaging the user or organization of the electronic device by deleting or changing the file or information. However, in recent malicious programs, the file of the system is encrypted, and after the attacker receives the payment from the victim There is a form to decode.

Detection of specific malicious programs based on information on known malicious programs is very vulnerable to attacks by unknown malicious programs. In order to minimize the damage, various methods such as bait file, sandbox, signature base, etc. are suggested.

In this specification, it is determined whether a program installed in a computing device is a malicious code, and if it is determined that the program is malicious code, the method can be restored without hindering it.

A method of protecting a system in one embodiment is disclosed. The system protection method includes the steps of: storing a log of a preliminary action of a process executed on the system; Detecting that the process is attempting to change a target file; Determining whether the subject file change of the process corresponds to a suspicious behavior based at least in part on a log of the dictionary action; Backing up the target file if it is determined that the change of the target file corresponds to a suspicious behavior; Determining whether the process corresponds to a malicious code; Stopping the execution of the process when it is determined that the process corresponds to a malicious code; Restoring the target file backed up due to the process; And restoring the proactive behavior of the process based on the log of the proactive act.

The above or other embodiments may include any one of the following features.

Whether or not the suspicious behavior corresponds to at least one of a file creation operation including a file extension change, a setting of a program to be linked and executed, an encryption display file name change, a self-duplication file creation of the process, May be determined based on whether or not one is included. Whether or not the process corresponds to a malicious code may be determined based on the file header content, the file header structure, the body content, the body size, the entropy of the body text, the file name, And abnormal changes including file update time. Whether or not the process corresponds to a malicious code can be judged based on whether the abnormal change caused by the process occurs for a specific number or more of files.

Whether or not the process corresponds to a malicious code can be judged based on whether the process performs an operation of encrypting the target file. Also, the process may be ransomware that encrypts the target file using a public key encryption algorithm. In addition, the step of storing the log of the preliminary action of the process may include recording at least a part of the name change, creation, modification and deletion of the file through the file I / O call of the process How to Protect Your System.

Meanwhile, a control unit for executing a mini-filter engine for executing the method is provided. An electronic device including a log of a dictionary action, a target file, and a storage unit for storing a backup file is disclosed.

On the other hand, a program stored in a medium for implementing the above method is disclosed.

On the other hand, a server storing a program for executing any one of the above methods by a computer is disclosed.

According to the embodiments disclosed in the present specification, it is possible to perform blocking and recovery operations for the RANCOMM software in which the pattern or feature information is not known in the computing device.

According to the embodiments disclosed herein, it is possible to detect Ransomware which is difficult to detect by a conventional Ransomware detection method such as signature based, bait file based, sandbox based based.

Figure 1 illustrates the operating environment of an electronic device to which the techniques disclosed herein may be applied.
Figure 2 illustrates the architecture of an electronic device in which the techniques disclosed herein may be employed.
3 is a flow chart of a method for malicious code detection module according to an embodiment disclosed herein to protect a system from a malicious process.
Figure 4 is an electronic device in which the techniques disclosed herein may be employed.

The techniques disclosed herein can be applied to system protection devices. However, the technology disclosed in this specification is not limited thereto, and can be applied to all electronic devices and methods to which the technical idea of the above-described technology can be applied.

It is noted that the technical terms used herein are used only to describe specific embodiments and are not intended to limit the scope of the technology disclosed herein. Also, the technical terms used herein should be interpreted as being generally understood by those skilled in the art to which the presently disclosed subject matter belongs, unless the context clearly dictates otherwise in this specification, Should not be construed in a broader sense, or interpreted in an oversimplified sense. It is also to be understood that the technical terms used herein are erroneous technical terms that do not accurately represent the spirit of the technology disclosed herein, it is to be understood that the technical terms used herein may be understood by those of ordinary skill in the art to which this disclosure belongs And it should be understood. Also, the general terms used in the present specification should be interpreted in accordance with the predefined or prior context, and should not be construed as being excessively reduced in meaning.

As used herein, terms including ordinals, such as first, second, etc., may be used to describe various elements, but the elements should not be limited by the terms. The terms are used only for the purpose of distinguishing one component from another. For example, without departing from the scope of the present invention, the first component may be referred to as a second component, and similarly, the second component may also be referred to as a first component.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings, wherein like reference numerals denote like or similar elements, and redundant description thereof will be omitted.

Further, in the description of the technology disclosed in this specification, a detailed description of related arts will be omitted if it is determined that the gist of the technology disclosed in this specification may be obscured. It is to be noted that the attached drawings are only for the purpose of easily understanding the concept of the technology disclosed in the present specification, and should not be construed as limiting the spirit of the technology by the attached drawings.

1

Figure 1 illustrates the operating environment of an electronic device to which the techniques disclosed herein may be applied.

In an environment where various devices are interconnected through a network, the electronic device 110 can receive and install a malicious program from the distribution server 120 due to a user's carelessness or the like. The distribution server 120 is a device for transmitting a malicious program to an unspecified number of devices. For example, the distribution server 120 may be a server-type device connected to the Internet for providing a file, such as a web server, a file server, a cloud service, But may be any type of device that provides a file containing malicious code without being limited to the specific form of the device. A person who intends to distribute a malicious program is required to allow a user of the electronic device 110 to transmit a program containing malicious code to the electronic device 110 without being aware of the user of the electronic device 110 May be placed on the distribution server 120 in disguise as a normal program or data.

There are a variety of channels through which the electronic device 110 can receive an external program from the distribution server 120 or the like. Generally, a process of downloading and installing an external program from a web site without knowing whether a user of the electronic device 110 is malicious or not, a process of downloading an external program to an electronic device 110, The external program is received and installed through a process of inadvertently executing the attachment file by a user of the electronic device 110 or a process of executing an external program transmitted to the electronic device 110 through the auxiliary storage device or the inter- .

The malicious program installed in the electronic device 110 may include a malicious code that causes harm to the system. Malicious code can refer to a file stored in storage or a program that compromises information. For example, the malicious code may be stored in a local storage mounted in the electronic device 110 or in an external storage accessible by the electronic device 110, Information can be compromised.

Among such malicious programs, there is a kind of malicious programs written with direct targets of damaging users or organizations of electronic devices by deleting or changing files or information, and this kind of malicious programs is an attacker, that is, The author or distributor receives indirect compensation through the victim's injury rather than wanting to receive monetary compensation directly from the victim.

However, there is a kind of malicious programs that are recently reported frequently so that the original user can not access the system or the target file, and the malicious program creator or distributor directly restores the original state after receiving the monetary compensation . This is a malicious program called so-called ransomware. It is installed in the victim device and then executed in the background to encrypt the target files so that the user of the victim device can not use the target file, And notifies the user of the payment to be made. An attacker who has been paid a monetary or other charge may provide keys and / or tools to decrypt the encrypted subject file on the victim device.

The Ransomware may be a malicious program based on an asymmetric encryption algorithm. If the Ransomware uses an asymmetric encryption algorithm, the malicious program installed in the victim device may be accessed by one of the asymmetric key pairs generated by the attacker, for example, a public key, Lt; RTI ID = 0.0 > accessible. In this case, the target file encrypted by the malicious program can be accessed only by the restoration tool having another key, for example, a private key, among the asymmetric key pairs generated by the attacker. The system protection techniques disclosed herein can be used to detect malicious programs that are a kind of trapdoor or backdoor program installed on a computer device and to recover the damage caused thereby. As described above, the system protection technology disclosed herein can be used to cope with a malicious program in the form of a cryptographic trapdoor designed to be accessible only to a specific authorized user by using an encryption function.

The electronic device 110 may contact the recovery server 130 to pay an attacker for an encrypted object file or to receive a key or a tool for decrypting the encrypted object file. The malicious program may include access information to the recovery server 130 to receive a key or tool for restoring an encrypted file according to an attacker's instructions.

Ransomware can contain information that can be distinguished in malicious code. The distinguishable information includes, for example, connection information such as an external URL for later connection by Ransomware or system information such as a file name, a registry value, and a path. Therefore, a conventional method for detecting a malicious program includes a signature based detection method for detecting the presence or absence of a malicious code based on a unique hash of a malicious code portion including distinguishable information, A behavior based detection method for detecting a specific behavior patterned by a malicious code, a sandbox detection method for detecting a malicious code based on an action after execution of a malicious code in a virtual environment, Based malware detection.

Such existing malicious code detection technology detects malicious code based on the distinguishable information of each malicious code, and the prevention program has to establish a database for distinguishable information according to each malicious code This can be detected. Therefore, the malicious code detection method based on the distinguishable information may cause a problem that the newly appeared malicious program can not be detected due to the lack of information thereon. That is, in order to cope with a new malicious program that bypasses signature information change, action based rule, metadata, sandbox, etc., the prevention program can not detect the database because it can not establish the database therefor.

The system protection techniques disclosed herein can protect files or information accessible from a malicious program in a system or system. The system protection technology disclosed herein can protect a system from malicious programs designed to block access to a target file using a cryptographic function and to unblock it using only restoration information or tools provided by an attacker have. The system protection technology disclosed herein is based on the feature that the asymmetric cryptographic algorithm uses a key pair made up of different asymmetric keys so that only a remote attacker can control the malware installed in the victim device The system can be protected from malicious programs designed.

Ransomware, which operates as a cryptographic trap door, is designed to encrypt a target file for later decryption or to notify an attacker to pay a decryption fee for design purposes. Thus, unlike conventional protection programs that block the inflow and installation path of the RAN available, or detect malicious actions themselves to prevent damage, the electronic devices that follow the exemplary protection techniques of the present disclosure can be used as a common pre- Context awareness based detection can be performed on the behaviors.

That is, for example, an electronic device conforming to the exemplary protection technology of the present disclosure can track change of file name for detection of an encryption after extrapolation after extrapolation, a self-duplication file creation and a decryption payment guidance file deletion, Tracking the creation of files for detection, Tracking the existence of backups of original files for recovery before detection, Detecting unauthorized file corruption, Recognizing normal file modification behavior, Creating / changing / overwriting / deleting, Of the suspicious process.

The system protection techniques disclosed herein can perform a preliminary determination as to whether a particular process is malicious based on a predicted prior action of a malicious program in the form of a cryptographic trap door.

The electronic device according to the exemplary protection techniques of the present disclosure may then perform a rollback of the proactive actions based on a log of the proactive behavior of the particular process when the particular process is determined to be malicious .

In addition, an electronic device in accordance with the exemplary protection techniques herein may log a proactive action for a plurality of processes. In this case, if more than one process is determined to be malicious code, a rollback of the proactivity of each process can be performed.

On the other hand, an exemplary protection device can detect whether there is a proactive action for a shared folder that another device is allowed to access, and record the proactive action for the folder, as opposed to performing a proactive action by monitoring the target process . When a pre-action to be predicted as a malicious program from another device occurs, a log of the pre-action may be recorded based on the address information of the other device. If it is determined that the file is changed or damaged from the other device, it may be blocked based on the address information of the other device.

2

Figure 2 illustrates the architecture of an electronic device in which the techniques disclosed herein may be employed. The Raman software (210) installed in the electronic device (200) is a kind of program executed in the user mode of the system. The techniques disclosed herein can determine whether or not the program is a malicious program based on advance actions of Ransomware 210, attacks on a target file, and other features.

A file operation of a program installed in the electronic device 200, such as the RAN firmware 210 or the general program 220, is performed as follows. First, a program whose malicious program is not yet known can execute a file operation on a file in the file system through the file I / O 230. When a program 220 or a random software 210 operating in a user mode performs a file operation through a file I / O 230, a corresponding event via the I / O manager 240 in a kernel mode, And the file system driver 260 performs a file operation corresponding to the event through the storage driver stack 270 for controlling the storage 280 device. The storage 280 may be a storage device attached to the electronic device 200 and in other embodiments may be a networked storage device accessible via the file system driver 260.

The system protection technology disclosed herein is for a program that operates in the user mode and the RAN firmware 210 and the general program 220 can change the target file stored through the same file input / output operation, ), And to suggest a restoration plan for the process.

The system protection techniques disclosed herein may utilize the filter manager 250 to detect and control file input / output operations of the RANCOMMER 210 or the program 220 running on the electronic device 200. The filter manager 250 can detect an event for a file operation in the electronic device. For example, if the filter manager 250 detects a name when an event such as a write, a delete, or a rename occurs with respect to a target file, Let it know whether it is code or not.

In one embodiment, the method of protecting a system according to the techniques disclosed herein may be implemented in the form of a file action filter 290 registered with the filter manager 250. The file operation filter 290 records a preliminary action of a process of performing a file input / output operation based on a file operation event transmitted to the file system driver 260, and judges that a suspicious action is to be performed on the object file A process of backing up the target file and blocking the process when it is determined that the process corresponds to a malicious code based on an action of the process and restoring the target file. In one embodiment, the file action filter 290 may be implemented in the form of a context awareness ransomware behavior detection engine based on context awareness to protect the subject file.

2, the file operation filter 290 registered in the filter manager 250 includes a file operation tracking module 291, a process manager 293, a file backup module 295, and a malicious code detection module 297 ).

The file action filter 290 may store a log of a proactive action of the process based on a system-executed process, that is, a file action event of the program 220 or the Rangumware 210. [

The advance action indicated by the RAN firmware 210 may be an action predicted for the attacker's Rangem software design, in addition to direct file operations on the target file. For example, the process manager 293 may include a file including a file extension change, a setting of a program to be executed in connection with the Raman software 210, an encryption display file name change, a self-duplication file creation of the process, A log of a preliminary action such as a creation activity can be stored.

The log of the dictionary action may be stored in the storage 280, and the general process may be set inaccessible. In one embodiment, the act of storing a log of the proactive behavior of the process may be implemented in the form of a process manager 293.

In addition, the work filter 290 may detect that the process is attempting to change a target file stored in the storage 280. For example, the job filter 290 may detect that the process performs a file input / output operation corresponding to the file operation event. The operation for monitoring the file input / output operation may be implemented in the form of a file operation tracking module 291.

When the task filter 290 detects an attempt to change the target file, the task filter 290 permits the change when the change attempt is a normal change by a general process, In this case, the file change is blocked. However, the system protection technology disclosed in the present specification is based on a log of a proactive action of each process, taking into consideration that a process is not sufficient to judge whether or not the process is malicious by merely attempting to change a file, It is first determined whether or not the change attempt is a suspicious behavior and an operation of backing up a file in which the process tries to change is performed if it is determined to be a suspicious behavior first (even if the process finally judges that the process corresponds to a malicious code) .

That is, when the job filter 290 detects a file input / output job of the process, it can determine whether the file input / output job of the process corresponds to a suspicious behavior. The fact that the file I / O operation of the process corresponds to a suspicious behavior means that the process is likely to correspond to Rangemeware or malicious code.

The action filter 290 can determine whether the file input / output operation of the process corresponds to a suspicious action based at least in part on the pre-action log of the process. Specifically, when the action filter 290 includes an action that can be viewed as an action of the Ransomware in the pre-action log of the process, it can be determined that the detected file input / output action of the process corresponds to a suspicious action . To this end, the probability is calculated based on a plurality of pre-action logs for the process, and if it exceeds the predetermined probability, it can be determined that the action corresponds to a suspicious behavior.

The operation filter 290 can back up the target file to the storage 280 when it determines that the file input / output operation for the target file of the process corresponds to a suspicious behavior. Thereafter, when the process is judged to be Ransomware and blocked or deleted, the job filter 290 can restore the file backed up in the storage 280 in order to restore the target file damaged by the process. The action of the task filter 290 to back up or restore the target file may be implemented in the form of a file backup module 295.

The area in which the target file is backed up on the storage 280 may be an area divided so as not to have access rights to another process or the RANCHEMAware.

The work filter 290 can perform restoration of the file even when the file is recorded in the pre-action log of the process while restoring the target file. That is, before the process determined as a malicious code destroys the target file, a file generated in the process of performing a suspicious action such as a self-duplication file of the Raman software program in the storage 280 and a file generated to notify the user Can be deleted.

In addition, the operation filter 290 can determine whether the process corresponds to a malicious code based on a modulation state of a target file. The operation filter 290 can determine whether the modulation of the target file is a normal modulation by a general process or a modulation for file damage of the Raman software corresponding to the malicious code. The operation of determining whether the process corresponds to a malicious code may be implemented in the form of malicious code detection module 297. [

The malicious code detection module 297 requests malicious code by encrypting the target file, and determines whether the malicious code is a malicious code based on the characteristic indicated by the malicious code in the form of Ransomware designed to decrypt the target file after receiving the request It can be judged. For example, the malicious code detection module 297 determines whether the file header content has been changed due to file modification of the process, whether the structure of the file header has been changed to that of a different kind of file, whether there has been a change in the entropy of the text, A part or all of the file change situation such as whether the content size has changed, the file update time has changed, the file name has been changed, and the like can be used as a judgment criterion. In addition, the malicious code detection module 297 may apply a generally known Ransomware detection method such as signature-based detection and sandbox detection.

3

3 is a flow chart of a method for a malicious code detection module according to an embodiment disclosed herein to protect a system from a malicious process.

The detection module stores (310) a log of proactive actions of a process executed on the system. The log of the proactive action of the process can refer to whether or not the process performed the preliminary action that can be regarded as the behavior of the Randomware in the process of judging whether or not the process is malicious code. Thus, even if a doubtful action If there is a backup target file, the backup target file can be performed in advance. In addition, the log of the pre-action of the process may record what the process performed by the process other than the target file corruption in the subsequent process after the process is determined to be malicious code so that the process can be restored later.

Wherein storing the log of the proactive behavior of the process includes recording at least some of the name change, creation, modification, and deletion of the file through a file I / O call of the process .

The detection module senses (320) that the process is changing a target file. (330) whether the subject file change of the process corresponds to a suspicious behavior based at least in part on a log of the pre-act. Whether or not the suspicious behavior corresponds to at least one of a file creation operation including a file extension change, a setting of a program to be linked and executed, an encryption display file name change, a self-duplication file creation of the process, May be determined based on whether or not one is included. If it is determined that the change of the target file corresponds to a suspicious behavior, the detection module backs up the target file (340).

Thereafter, the detection module determines whether the process corresponds to a malicious code (350). Whether or not the process corresponds to a malicious code is determined based on the file header content, the file header structure, the content of the body, the size of the main text, the entropy of the main text, the file name, And abnormal changes including time. ≪ RTI ID = 0.0 > [0031] < / RTI > The detection module may determine whether the process corresponds to a malicious code in consideration of whether the abnormal change caused by the process has occurred with respect to at least one or more files. In particular, it can be determined whether the process corresponds to malicious code based on whether the target file is encrypted with a public key encryption algorithm or not.

The detection module counts the number of corrupted files and may record the proactive behavior of the process until the maximum allowed number is reached. In one embodiment, the detection module may determine that the process corresponds to a malicious code when the number of files damaged by the process becomes a specific value. The specific value may be determined based on the size of the storage space for the dictionary action recording.

If the detection module determines that the malicious code has been accessed based on the damage of the file by the remote device, the detection module may access the remote device to prevent the file damage operation from being performed based on the address of the remote device Can be blocked.

If it is determined that the process corresponds to a malicious code, the detection module stops performing the process (360). The detection module restores the target file backed up due to the process (370). The detection module restores the pre-act of the process based on the log of the pre-act (380).

4

Figure 4 is an electronic device in which the techniques disclosed herein may be employed.

The implementation of the electronic device 400 may provide an environment in which malicious code, such as a computer or an electronic device, may be installed and executed. The electronic device 400 may include a storage unit 410 for storing a log of a pre-action, a target file, and a backup file. In addition, the electronic device 400 may include a control unit connected to the storage unit to execute a mini-filter engine for protecting the target file.

Wherein the minifilter engine is included in a file input / output processing operation, the minifilter engine storing a preliminary action log of a running process in the storage; Detecting that the process is attempting to change a target file; Determining whether the subject file change of the process corresponds to a suspicious behavior based at least in part on a log of the dictionary action; Backing up the target file to the storage unit when it is determined that the change of the target file corresponds to a suspicious behavior; Determining whether the process corresponds to a malicious code; Stopping the execution of the process when it is determined that the process corresponds to a malicious code; Restoring the target file backed up due to the process from the storage unit; And restoring the proactive behavior of the process based on the log of the proactive act.

The electronic device 400 may be, for example, a server of a service provider, a device associated with a client (e.g., a client device), an on-chip system, and / or any other suitable computing device or computing system. As shown, exemplary electronic device 400 may include a storage unit 410, a control unit 420, and one or more I / O interfaces communicatively coupled to one another. Although not shown, the electronic device 400 may further include a system bus or other data and command transmission system that interconnects the various components. The system bus may include any one or combination of different bus architectures, such as a memory bus or memory controller, a peripheral bus, a universal serial bus, and / or a processor or local bus using any of a variety of bus architectures. Various other examples such as control or data lines are also contemplated. The control unit 420 indicates a function of performing one or more operations using hardware. Accordingly, the control unit 420 may include hardware elements that can be configured as a processor, a functional block, and the like. This may include an implementation in hardware as an application specific integrated circuit or other logic device formed using one or more semiconductors.

In the foregoing, preferred embodiments of the present invention have been described with reference to the accompanying drawings. Here, terms and words used in the present specification and claims should not be construed as limited to ordinary or dictionary terms, and should be construed in a sense and concept consistent with the technical idea of the present invention.

The scope of the present invention is not limited to the embodiments disclosed in this specification, and the present invention can be modified, changed, or improved in various forms within the scope of the present invention and the claims.

Claims (12)

CLAIMS What is claimed is: 1. A method for preventing a file stored in a device from being corrupted by a process running on the device and other remote devices,
Detecting a preliminary action generated by a remote process executed in the remote device with respect to a shared storage space in the device, and storing a log of the detected preliminary action by the address of the remote device;
The remote process executing on the remote device detecting an attempt to change a target file in the shared storage space in the device;
Determining whether an attempt to change the target file of the remote process corresponds to an abnormal change action based on the log of the dictionary action;
Backing up the target file in advance if it is determined that the change attempt of the target file corresponds to the unauthorized change behavior;
Determining whether the remote process performs an unauthorized change action on the target file more than a predetermined number of times;
Blocking access to the shared storage within the device from an address of the remote device identified based on the log of the dictionary action if it is determined that the remote process performs the unauthorized modification behavior more than the predetermined number of times step;
Restoring the target file backed up due to the remote process; And
And restoring a dictionary action corresponding to an address of the remote device in the log of the dictionary action,
The shared storage space within the device
The device being shared by the device so as to be accessible by the remote device,
The dictionary action
Generating a self-replicating file in the storage space, and generating a file including a payment guidance for decryption cost, instead of performing a direct file operation on the target file.
How to prevent file corruption. The method according to claim 1,
Wherein the step of determining whether the change attempt of the target file corresponds to an unauthorized change behavior
Whether or not the header content of the target file is replaced, whether the entropy of the main text of the target file changes, whether the header structure of the target file is changed to a different structure from the previous one, Quot ;. < / RTI > 3. The method of claim 2,
When the process executed in the remote device is judged to be ransomware for presenting a price for decrypting the object file, access of the Ransomware to the device is blocked based on the address of the remote device And the file is deleted. The method of claim 3,
Wherein the preliminary action is a preliminary action expected from a design purpose for the RANCOMM running on the remote device. A computer program stored on a medium for carrying out the method of any one of claims 1 to 4 using a computer. A server for storing a program for causing a computer to execute the method according to any one of claims 1 to 4. delete delete delete delete delete delete

Images