RU2015141551A - Method for detecting, on a server, the operation of a malicious program launched from a client - Google Patents
- Publication number
- RU2015141551A
- Authority
- RU
- Russia
- Prior art keywords
- file
- server
- computer
- user
- analyzer
Classifications
- G—PHYSICS; G06—COMPUTING; CALCULATING OR COUNTING; G06F—ELECTRIC DIGITAL DATA PROCESSING
  - G06F9/00—Arrangements for program control, e.g. control units
    - G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
      - G06F9/46—Multiprogramming arrangements
        - G06F9/54—Interprogram communication
  - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
      - G06F21/55—Detecting local intrusion or implementing counter-measures
        - G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
          - G06F21/562—Static detection
            - G06F21/563—Static detection by source code analysis
          - G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
          - G06F21/568—Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
  - G06F2209/00—Indexing scheme relating to G06F9/00
    - G06F2209/54—Indexing scheme relating to G06F9/54
      - G06F2209/541—Client-server
      - G06F2209/542—Intercept
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    - H04L9/002—Countermeasures against attacks on cryptographic mechanisms
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
      - H04L63/0227—Filtering policies
    - H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
      - H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
      - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
      - H04L63/1441—Countermeasures against malicious traffic
        - H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
  - H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    - H04L2209/34—Encoding or coding, e.g. Huffman coding or error correction
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Virology (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Storage Device Security (AREA)
- Debugging And Monitoring (AREA)
Claims (12)
1. A method for determining, on a server, the operation of a malicious program launched from a user's computer, comprising:
a) intercepting, on the server, by means of an interceptor, a file operation coming from the user's computer;
b) passing data on the intercepted file operation to an analyzer, the data including at least one of: the type of the file operation, data buffers with the original content of the file and with the modified content of the file, and data about the user's computer;
c) computing, by means of the analyzer, the information entropy of the data buffer with the original content of the file;
d) computing, by means of the analyzer, the information entropy of the data buffer with the modified content of the file;
e) computing, by means of the analyzer, the difference between the entropy values obtained in steps c) and d);
f) when the difference computed in step e) exceeds a threshold value, classifying the file operation coming from the user's computer on the server as the operation of a malicious program.
2. The method of claim 1, wherein the malicious program is an encrypting program (cryptor ransomware).
3. The method of claim 1, further comprising, after step a), creating a backup copy of the file on which the file operation is performed.
4. The method of claim 3, further comprising, after step f), restoring the backup copy of the file on the server once the file operation coming from the user's computer has been classified as the operation of a malicious program.
5. The method of claim 1, wherein the interceptor and the analyzer operate asynchronously.
6. The method of claim 1, wherein an anti-virus application is installed on the user's computer, and information about the operation of the malicious program is passed to that application.
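The claimed steps a) to f), together with the backup and restore of claims 3 and 4 and the client notification of claim 6, as an added worked example in Python. This is illustration code written for this page, not the patent holder's implementation. The threshold of 2.0 bits per byte, the in-memory `Server` standing in for the file server, the SHA-256 counter-mode `toy_encrypt` standing in for a ransomware cipher, the client identifier `ws-17` and the sample document are all assumptions; the patent specifies none of them.

```python
import hashlib
import math
import zlib
from collections import Counter
from dataclasses import dataclass

THRESHOLD_BITS = 2.0   # assumed tuning value; the claims only say "a threshold value"


def shannon_entropy(buf: bytes) -> float:
    """Information entropy in bits per byte (steps c and d): 0.0 for an empty
    buffer, 8.0 when all 256 byte values are equally frequent."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


@dataclass
class FileOp:
    """Data the interceptor hands to the analyzer (step b)."""
    op_type: str
    path: str
    original: bytes
    modified: bytes
    client: str       # identifies the user computer that issued the operation


@dataclass
class Verdict:
    malicious: bool
    entropy_before: float
    entropy_after: float
    delta: float


class Analyzer:
    """Steps c to f: entropy of both buffers, their difference, threshold test."""
    def __init__(self, threshold: float = THRESHOLD_BITS):
        self.threshold = threshold

    def analyze(self, op: FileOp) -> Verdict:
        if not op.original:
            # File creation: no original buffer, so the difference is undefined.
            # Not judged here; a real deployment needs another signal for this case.
            return Verdict(False, 0.0, shannon_entropy(op.modified), 0.0)
        before, after = shannon_entropy(op.original), shannon_entropy(op.modified)
        return Verdict(after - before > self.threshold, before, after, after - before)


class Server:
    """In-memory stand-in for the file server with the interceptor in its write
    path (step a): backup before each write (claim 3), restore when the analyzer
    flags the write (claim 4), alert queued for the client's anti-virus (claim 6).
    Synchronous for clarity; claim 5 allows the analyzer to run asynchronously."""
    def __init__(self, analyzer: Analyzer):
        self.analyzer = analyzer
        self.files: dict[str, bytes] = {}
        self.backups: dict[str, bytes] = {}
        self.alerts: list[tuple[str, str, Verdict]] = []

    def write(self, client: str, path: str, new_content: bytes) -> Verdict:
        original = self.files.get(path, b"")
        self.backups[path] = original                       # claim 3
        self.files[path] = new_content                      # the write itself
        verdict = self.analyzer.analyze(FileOp("write", path, original, new_content, client))
        if verdict.malicious:
            self.files[path] = self.backups[path]           # claim 4
            self.alerts.append((client, path, verdict))     # claim 6
        return verdict


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for a ransomware cipher: XOR with a SHA-256 counter-mode keystream,
    so the output is uniformly distributed like real ciphertext. Illustration only."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed sample content; nothing here comes from the patent.
DOCUMENT = (b"Quarterly report: revenue grew 4% while operating costs were flat. "
            b"The board approved the hiring plan for the next two quarters.\n") * 16
KEY = b"constructed-sample-key"


def run_scenarios(threshold: float = THRESHOLD_BITS):
    """Writes from one client against the server; returns the server and the verdicts."""
    srv = Server(Analyzer(threshold))
    srv.write("ws-17", "/share/report.txt", DOCUMENT)        # creation, not judged
    verdicts = {}
    # Benign edit: appending text barely moves the byte distribution.
    verdicts["edit"] = srv.write("ws-17", "/share/report.txt",
                                 DOCUMENT + b"Addendum: headcount unchanged.\n")
    # Ransomware: the file is overwritten with ciphertext of itself.
    verdicts["encrypt"] = srv.write("ws-17", "/share/report.txt",
                                    toy_encrypt(srv.files["/share/report.txt"], KEY))
    # Caveat: an already high-entropy (compressed) original changes little when encrypted.
    packed = zlib.compress(DOCUMENT, 9)
    srv.write("ws-17", "/share/report.zlib", packed)
    verdicts["encrypt_compressed"] = srv.write("ws-17", "/share/report.zlib",
                                               toy_encrypt(packed, KEY))
    return srv, verdicts


if __name__ == "__main__":
    for name, v in run_scenarios()[1].items():
        print(f"{name}: {v}")
```

Two things the example makes visible that the claims leave open. A file creation has no original buffer, so the entropy difference of step e) is undefined; the analyzer above declines to judge it, which means ransomware that writes ciphertext to a new file and then deletes the original never enters the comparison at all. The compressed-file scenario shows the difference staying near zero when the original is already close to 8 bits per byte (archives, media, already-encrypted files), so those are missed at any threshold; conversely, a legitimate write that replaces a text file with an archive produces a large difference and would be flagged and rolled back. A deployment therefore needs the threshold tuned per file type and additional signals (write rate per client, extension changes, the client data of step b) alongside the entropy delta.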
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
RU2015141551A RU2617631C2 (ru) | 2015-09-30 | 2015-09-30 | Method for detecting, on a server, the operation of a malicious program launched from a client |
US14/951,970 US10375086B2 (en) | 2015-09-30 | 2015-11-25 | System and method for detection of malicious data encryption programs |
EP15202318.0A EP3151147B1 (en) | 2015-09-30 | 2015-12-23 | System and method for detection of malicious data encryption programs |
CN201610232432.4A CN106557696B (zh) | 2015-09-30 | 2016-04-14 | System and method for detecting malicious data encryption programs |
JP2016093108A JP6298849B2 (ja) | 2015-09-30 | 2016-05-06 | System and method for detecting malicious data encryption programs |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
RU2015141551A RU2617631C2 (ru) | 2015-09-30 | 2015-09-30 | Method for detecting, on a server, the operation of a malicious program launched from a client |
Publications (2)
Publication Number | Publication Date |
---|---|
RU2015141551A (ru) | 2017-04-05 |
RU2617631C2 RU2617631C2 (ru) | 2017-04-25 |
Family
ID=58409447
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
RU2015141551A RU2617631C2 (ru) | Method for detecting, on a server, the operation of a malicious program launched from a client | 2015-09-30 | 2015-09-30 |
Country Status (4)
Country | Link |
---|---|
US (1) | US10375086B2 (ru) |
JP (1) | JP6298849B2 (ru) |
CN (1) | CN106557696B (ru) |
RU (1) | RU2617631C2 (ru) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111935162A (zh) * | 2020-08-14 | 2020-11-13 | Shandong Yunhai Guochuang Cloud Computing Equipment Industry Innovation Center Co., Ltd. | Cloud file access method, apparatus and related components |
Families Citing this family (28)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3206359B1 (en) * | 2016-02-15 | 2019-03-06 | Wipro Limited | Methods and systems for performing lawful interception (li) in communication networks involving content adulteration with colluding agents |
WO2017168016A1 (es) * | 2016-04-01 | 2017-10-05 | Telefonica Digital España, S.L.U. | Method and system for protecting a computer file against possible encryption performed by malicious code |
US10831893B2 (en) * | 2016-07-14 | 2020-11-10 | Mcafee, Llc | Mitigation of ransomware |
US10715533B2 (en) * | 2016-07-26 | 2020-07-14 | Microsoft Technology Licensing, Llc. | Remediation for ransomware attacks on cloud drive folders |
US10210330B1 (en) * | 2016-09-13 | 2019-02-19 | Symantec Corporation | Systems and methods for detecting malicious processes that encrypt files |
US10366234B2 (en) * | 2016-09-16 | 2019-07-30 | Rapid7, Inc. | Identifying web shell applications through file analysis |
US10289844B2 (en) * | 2017-01-19 | 2019-05-14 | International Business Machines Corporation | Protecting backup files from malware |
US10628585B2 (en) | 2017-01-23 | 2020-04-21 | Microsoft Technology Licensing, Llc | Ransomware resilient databases |
US10447671B1 (en) * | 2017-03-29 | 2019-10-15 | Symantec Corporation | Systems and methods for recovering encrypted information |
JP2020522808A (ja) * | 2017-05-30 | 2020-07-30 | Cyemptive Technologies Inc. | Real-time detection of and protection from malware and steganography in kernel mode |
US10909239B2 (en) * | 2017-06-29 | 2021-02-02 | Webroot, Inc. | Advanced file modification heuristics |
CN107277037A (zh) * | 2017-07-14 | 2017-10-20 | Beijing Anshuyun Information Technology Co., Ltd. | Plug-in based method and apparatus for detecting arbitrary file operations |
US10637879B2 (en) | 2017-10-06 | 2020-04-28 | Carbonite, Inc. | Systems and methods for detection and mitigation of malicious encryption |
JP6442649B1 (ja) * | 2017-10-11 | 2018-12-19 | Orega Co., Ltd. | File access monitoring method, program, and system |
WO2019073720A1 (ja) * | 2017-10-11 | 2019-04-18 | Orega Co., Ltd. | File access monitoring method, program, and system |
US10733290B2 (en) * | 2017-10-26 | 2020-08-04 | Western Digital Technologies, Inc. | Device-based anti-malware |
US11308207B2 (en) * | 2018-03-30 | 2022-04-19 | Microsoft Technology Licensing, Llc | User verification of malware impacted files |
CN110502894B (zh) * | 2018-05-18 | 2023-03-21 | Alibaba Group Holding Ltd. | Method, device and system for identifying operation behaviour |
RU2728506C2 (ru) * | 2018-06-29 | 2020-07-29 | AO Kaspersky Lab | Method for blocking network connections |
RU2708356C1 (ru) * | 2018-06-29 | 2019-12-05 | AO Kaspersky Lab | System and method for two-stage classification of files |
RU2739865C2 (ru) * | 2018-12-28 | 2020-12-29 | AO Kaspersky Lab | System and method for detecting a malicious file |
US11288111B2 (en) * | 2019-04-18 | 2022-03-29 | Oracle International Corporation | Entropy-based classification of human and digital entities |
CN110324339B (zh) * | 2019-07-02 | 2021-10-08 | Guangtong Tianxia Network Technology Co., Ltd. | Information-entropy-based DDoS attack detection method, apparatus and electronic device |
US11269735B2 (en) * | 2020-02-28 | 2022-03-08 | EMC IP Holding Company LLC | Methods and systems for performing data backups |
US11544390B2 (en) * | 2020-05-05 | 2023-01-03 | Forcepoint Llc | Method, system, and apparatus for probabilistic identification of encrypted files |
CN112699086A (zh) * | 2020-12-30 | 2021-04-23 | Beijing Wondersoft Technology Co., Ltd. | File operation monitoring method and apparatus based on the Windows system |
CN112347499B (zh) * | 2021-01-08 | 2021-04-30 | Beijing TongTech Software Co., Ltd. | Method for program self-protection |
GB2604903A (en) * | 2021-03-18 | 2022-09-21 | The Court Of Edinburgh Napier Univ Constituted By The Napier College Of Commerce And Technology No 2 | Detection of Ransomware |
Family Cites Families (34)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6119151A (en) * | 1994-03-07 | 2000-09-12 | International Business Machines Corp. | System and method for efficient cache management in a distributed file system |
JP2003162439A (ja) * | 2001-11-22 | 2003-06-06 | Hitachi Ltd | Storage system and control method therefor |
US7150042B2 (en) | 2001-12-06 | 2006-12-12 | Mcafee, Inc. | Techniques for performing malware scanning of files stored within a file storage device of a computer network |
JP4389622B2 (ja) * | 2004-03-24 | 2009-12-24 | NEC Corporation | Data monitoring method, information processing apparatus, program and recording medium, and information processing system |
US20060019050A1 (en) * | 2004-07-23 | 2006-01-26 | Gilmer Phyllis A | Perforated adhesive label and method of making same |
JP4519565B2 (ja) * | 2004-08-05 | 2010-08-04 | Nifco Inc. | Small article holder |
US7424902B2 (en) * | 2004-11-24 | 2008-09-16 | The Boeing Company | In-process vision detection of flaw and FOD characteristics |
US7818608B2 (en) * | 2005-02-18 | 2010-10-19 | Microsoft Corporation | System and method for using a file system to automatically backup a file as a generational file |
JP2006338461A (ja) * | 2005-06-03 | 2006-12-14 | Hitachi Ltd | System and method for controlling the storage of electronic files |
JP4675737B2 (ja) * | 2005-09-29 | 2011-04-27 | Hitachi Solutions, Ltd. | Audit log output and management method and system |
US8627490B2 (en) * | 2005-12-29 | 2014-01-07 | Nextlabs, Inc. | Enforcing document control in an information management system |
US8336107B2 (en) * | 2007-04-27 | 2012-12-18 | Angel Secure Networks, Inc. | System and methods for defending against root |
FR2918759B1 (fr) * | 2007-07-13 | 2009-09-18 | Eurocopter France | Method for testing an electronic system |
CN101187872A (zh) | 2007-10-31 | 2008-05-28 | Bai Jie | Behaviour-based program type determination method and apparatus, and program control method and apparatus |
US7836174B2 (en) * | 2008-01-30 | 2010-11-16 | Commvault Systems, Inc. | Systems and methods for grid-based data scanning |
US9152789B2 (en) * | 2008-05-28 | 2015-10-06 | Zscaler, Inc. | Systems and methods for dynamic cloud-based malware behavior analysis |
WO2010107659A1 (en) * | 2009-03-16 | 2010-09-23 | Guidance Software, Inc. | System and method for entropy-based near-match analysis |
EP2246798A1 (en) * | 2009-04-30 | 2010-11-03 | TomTec Imaging Systems GmbH | Method and system for managing and displaying medical data |
CN102014145A (zh) * | 2009-09-04 | 2011-04-13 | Hon Hai Precision Industry (Shenzhen) Co., Ltd. | File transfer security management and control system and method |
US20110069089A1 (en) * | 2009-09-23 | 2011-03-24 | Microsoft Corporation | Power management for organic light-emitting diode (oled) displays |
CN101984550B (zh) | 2010-11-24 | 2012-07-18 | Nanjing University of Aeronautics and Astronautics | Flexure-hinge-based clamping and positioning device for a linear ultrasonic motor |
CN101984450B (zh) * | 2010-12-15 | 2012-10-24 | Beijing Antiy Electronic Equipment Co., Ltd. | Malicious code detection method and system |
US9584877B2 (en) | 2011-06-16 | 2017-02-28 | Microsoft Technology Licensing, Llc | Light-weight validation of native images |
US8918878B2 (en) * | 2011-09-13 | 2014-12-23 | F-Secure Corporation | Restoration of file damage caused by malware |
CN102708313B (zh) | 2012-03-08 | 2015-04-22 | Zhuhai Juntian Electronic Technology Co., Ltd. | Virus detection system and method for large files |
US20140053267A1 (en) * | 2012-08-20 | 2014-02-20 | Trusteer Ltd. | Method for identifying malicious executables |
RU2530210C2 (ru) | 2012-12-25 | 2014-10-10 | ZAO Kaspersky Lab | System and method for detecting malicious programs that interfere with the user's normal interaction with the operating system interface |
CN104036187B (zh) | 2013-03-04 | 2017-04-12 | Alibaba Group Holding Ltd. | Computer virus type determination method and system therefor |
GB2517483B (en) * | 2013-08-22 | 2015-07-22 | F Secure Corp | Detecting file encrypting malware |
US9482349B2 (en) * | 2014-01-09 | 2016-11-01 | International Business Machines Corporation | Air valve for electronics enclosures |
US9514309B1 (en) * | 2014-04-30 | 2016-12-06 | Symantec Corporation | Systems and methods for protecting files from malicious encryption attempts |
US9848005B2 (en) * | 2014-07-29 | 2017-12-19 | Aruba Networks, Inc. | Client reputation driven role-based access control |
US20160180087A1 (en) * | 2014-12-23 | 2016-06-23 | Jonathan L. Edwards | Systems and methods for malware detection and remediation |
US9465940B1 (en) * | 2015-03-30 | 2016-10-11 | Cylance Inc. | Wavelet decomposition of software entropy to identify malware |
2015
- 2015-09-30 RU RU2015141551A (RU2617631C2) active
- 2015-11-25 US US14/951,970 (US10375086B2) active
2016
- 2016-04-14 CN CN201610232432.4A (CN106557696B) active
- 2016-05-06 JP JP2016093108A (JP6298849B2) active
Also Published As
Publication number | Publication date |
---|---|
US20170093886A1 (en) | 2017-03-30 |
US10375086B2 (en) | 2019-08-06 |
CN106557696B (zh) | 2020-10-27 |
CN106557696A (zh) | 2017-04-05 |
JP2017068822A (ja) | 2017-04-06 |
RU2617631C2 (ru) | 2017-04-25 |
JP6298849B2 (ja) | 2018-03-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
RU2015141551A (ru) | Method for detecting, on a server, the operation of a malicious program launched from a client | |
US11062029B2 (en) | File sanitization technologies | |
Gülmezoğlu et al. | A faster and more realistic Flush+Reload attack on AES | |
US10382468B2 (en) | Malware identification via secondary file analysis | |
WO2015047432A1 (en) | Digital protection that travels with data | |
WO2017012241A1 (zh) | File detection method, apparatus, device and non-volatile computer storage medium | |
Kara et al. | Static and dynamic analysis of third generation cerber ransomware | |
Huang et al. | Malware behavioral analysis system: TWMAN | |
US20230262076A1 (en) | Malicious domain generation algorithm (dga) detection in memory of a data processing unit using machine learning detection models | |
US10601867B2 (en) | Attack content analysis program, attack content analysis method, and attack content analysis apparatus | |
CN106529342B (zh) | Security-chip-based dynamic integrity measurement method for a virtual machine monitor | |
Bazzi et al. | IDS for detecting malicious non-executable files using dynamic analysis | |
EP3151147B1 (en) | System and method for detection of malicious data encryption programs | |
KR101983997B1 (ko) | Malicious code detection system and detection method | |
US9607152B1 (en) | Detect encrypted program based on CPU statistics | |
Kührer et al. | Cloudsylla: Detecting suspicious system calls in the cloud | |
US9723015B2 (en) | Detecting malware-related activity on a computer | |
US10069833B2 (en) | Computer network cross-boundary protection | |
Podolanko | Effective crypto ransomware detection using hardware performance counters | |
US20230259614A1 (en) | Malicious activity detection in memory of a data processing unit using machine learning detection models | |
US20230259625A1 (en) | Ransomware detection in memory of a data processing unit using machine learning detection models | |
US20230319108A1 (en) | Malicious uniform resource locator (url) detection in memory of a data processing unit using machine learning detection models | |
JP6498413B2 (ja) | Information processing system, information processing apparatus, control server, generation server, operation control method and operation control program | |
Lee et al. | DetecClu: live malicious detection engine for cloud | |
JP2015127906A (ja) | Anomaly detection device, anomaly detection method, and anomaly detection program | |