WO2019073720A1 - File access monitoring method, program, and system - Google Patents
- Publication number: WO2019073720A1 (PCT/JP2018/032766)
- Authority: WO (WIPO (PCT))
- Prior art keywords: file access, ransomware, file, record, attack
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
Definitions
- the present invention relates to monitoring file access in an information system, and more particularly to a method, program and system for monitoring unauthorized access by ransomware.
- ransomware: malicious software
- Typical ransomware continuously and unlawfully encrypts, and thereby renders unusable, many files on the infected computer and on the file servers accessible from it, so that a decryption key is needed to recover them.
- Patent Document 1 and Patent Document 2 disclose a technique for handling unauthorized access in which a policy file holding, for each file, the program names, user names, etc. permitted to access it is compared with the parameters of a file access request to decide whether the access is allowed. However, file access by ransomware appears at the system level to be normal file access by an authorized user rather than unauthorized access, so it is difficult to counter ransomware with this technique or with the access control functions normally provided by an operating system.
- ransomware is often sent into the organization as an attachment to a fraudulent e-mail.
- virus detection software should ideally identify and remove e-mail attachments containing ransomware, but in practice it often cannot prevent ransomware that attacks before a patch for a vulnerability in system software is available (a so-called zero-day attack), or ransomware that is cleverly disguised.
- virus detection software is often installed on the file server side, but when a PC on the network is infected with ransomware and encrypts files on the file server, the files on the file server are not themselves infected with malware; they are simply encrypted, so the file server's virus detection software cannot prevent the encryption.
- firewalls also have limits as a countermeasure. A firewall can detect and block outbound traffic from malware that sends information outside the organization, but ransomware usually does not send information outside, so it is usually difficult for a firewall to detect it.
- Patent Document 1 Japanese Patent Application Laid-Open No. 2007-148946
- the present invention is a ransomware detection method implemented by a computer, comprising: a first step of reading file access log records from a file access log storage means at a predetermined time; a second step of, when the file access log storage means includes records of denied file access, selecting only the records of permitted file access from the read records; a third step of comparing the records of permitted file access with previously stored conditions; and a fourth step of calling a ransomware handling process when the comparison determines that there is a ransomware attack. Providing this ransomware detection method solves the above problem.
- the third step comprises the steps of: counting, among the records of permitted file access, the number of records that include a file access type stored in advance as a monitoring target; and determining that there is a ransomware attack when the counted number is equal to or greater than a previously stored threshold.
- the third step may additionally take into account any one or more of: the number of denied file access operations within a predetermined period, the malware detection result, or the number of file accesses that differ from a previously stored access pattern.
- in the ransomware detection method described in paragraph 0010, paragraph 0011 or paragraph 0012, the fourth step includes the step of sending a command ordering the file access control means to block file access.
- the third instruction group includes an instruction group for counting, among the records of permitted file access, the number of records that include a file access type stored in advance as a monitoring target, and an instruction group for determining that there is a ransomware attack when the counted number is equal to or greater than a previously stored threshold; providing the ransomware detection program according to paragraph 0014 with these instruction groups solves the above problem.
- the third instruction group may additionally take into account any one or more of: the number of denied file access operations within a predetermined period, the malware detection result, or the number of file accesses that differ from a previously stored access pattern.
- in the program according to paragraph 0014, paragraph 0015 or paragraph 0016, the fourth instruction group includes an instruction group for sending a command ordering the file access control means to block file access.
- the present invention comprises a file access log monitoring means and an unauthorized file access pattern storage means, used together with an information system comprising a file access control means and a file access log storage means.
- in the ransomware detection system, the file access log monitoring means reads file access log records from the file access log storage means at a predetermined time; when the file access log storage means includes records of denied file access, it selects only the records of permitted file access from the read records; and it compares the records of permitted file access with the conditions stored in advance in the unauthorized file access pattern storage means.
- the previously stored conditions are a monitored file access type and a threshold on the number of cases within a predetermined period, and the file access log monitoring means determines that there is a ransomware attack when the number of records including the monitored file access type among the records of permitted file access exceeds the threshold.
- the file access log monitoring means additionally takes into account any one or more of: the number of denied file access operations within a predetermined period, the malware detection result, or the number of file accesses that differ from the predetermined access pattern stored in the unauthorized file access pattern storage means.
- the file access log monitoring means further transmits a command instructing the file access control means to block file access when it is determined that there is a ransomware attack.
- the problem is solved by providing the ransomware detection system according to paragraph 0018, paragraph 0019 or paragraph 0020.
- a file access monitoring method, program, and system are provided that are effective measures against ransomware.
- FIG. 1 is an overall view of a system including an embodiment of the ransomware monitoring system according to the present invention. FIG. 2 is a functional outline of some of the components of that embodiment. FIG. 3 is an example of the contents of the file access log and of the unauthorized access pattern file, which are components of the embodiment. It is a general
- FIG. 1 shows an overall view of a system including an embodiment of a ransomware monitoring system according to the present invention.
- the Internet (101) is a network outside the organization, and is connected to an in-house network (102) via a firewall (103).
- the user terminals (104) are a group of computers used to access data inside and outside the organization and to perform business processing, and are typically personal computers, tablet terminals, smartphones, or the like.
- the file server (105) is a means for storing data required for business, and may be realized by a server computer, a storage device, and an associated computer program.
- the file access log (106) is a means for obtaining and storing the access history of files on the file server (105), and may be realized by a server computer, a storage device and an associated computer program.
- the file access log (106) may physically be a function of the file server (105) or an independent server device.
- the file access log (106) may be used not only as a ransomware measure but also as a log function for general audit and performance management.
- the file access monitoring server (107) is a means for monitoring file access to the file server (105) by periodically reading the contents of the file access log (106), and may be realized by an associated computer program.
- the unauthorized access pattern file (108) is a means for storing the file access patterns that serve as the criteria by which the file access monitoring server (107) judges unauthorized access such as that by ransomware, and may be realized by a storage device accessible from the file access monitoring server (107).
- the unauthorized access log (109) is a means for storing the history of unauthorized file access by ransomware, or of file access likely to be such, and may be realized by a storage device accessible from the file access monitoring server (107).
- the administrator terminal (110) is a terminal device used, for example, to display a warning message when ransomware is detected or suspected, and by the system administrator to change the contents of the unauthorized access pattern file (108); it is typically a personal computer, a tablet terminal, a smartphone or the like.
- the administrator terminal (110) need not be a dedicated device; the system may be configured so that the system administrator logs in from a user terminal (104) with a predetermined ID and opens the administrator screen, and that terminal then functions as the administrator terminal (110).
- the file server (105), file access log (106), file access monitoring server (107), unauthorized access pattern file (108) and unauthorized access log (109) may be realized by physical devices such as servers or computers located within the organization, or by a group of devices hosted outside the organization and made accessible from the user terminals (103) and the administrator terminal (110). They may also be realized by virtual servers or the like provided on a cloud service. Similarly, the user terminals (104) and the administrator terminal (110) need not physically exist within the organization, and may be devices physically located outside the organization that access the file server (105) etc. via a VPN (virtual private network) or the like.
- VPN: virtual private network
- ransomware is sent as an e-mail attachment from the Internet (101) through the firewall (103) and the in-house network (102) to one or more user terminals (104), which it infects.
- (A user terminal (104) may also be infected directly via USB memory or the like.)
- one user terminal (104) may serve as the springboard for infecting other user terminals (104) in the organization.
- when ransomware infects a user terminal (104), it typically encrypts files on the file server (105) exhaustively, making them unusable for business. After encrypting a large number of files, it often displays a message on the infected user terminal (104) demanding a ransom payment in a cryptocurrency such as Bitcoin in exchange for the file decryption key.
- ransomware is not necessarily limited to malware that demands a "ransom"; it also covers malware whose file access (for example, encryption) looks normal in terms of the access control provided by the system.
- ransomware here denotes malware in general that interferes with the execution of normal business (for example, it also includes sabotage rather than ransom as the purpose).
- the ransomware monitoring method according to the present invention does not replace conventional file access control; it is intended to act as a "backstop" that minimizes the damage from ransomware etc. that conventional file access control could not prevent.
- FIG. 2 shows a functional outline of some of the components of the embodiment of the ransomware monitoring system according to the present invention.
- the file server (105) may include a network connection function (201), a file I/O function (202), an access control function (203), and an access log write function (204).
- the network connection function (201) is typically a function for connecting to the in-house network (102).
- the file I / O function (202) is a function to read and write files according to an access request from the user terminal (104).
- the access control function (203) determines whether file access is permitted based on the ID etc. of the user who made the file access request; it desirably also has a function to block file access in response to an external command.
- the access log write function (204) is a function to write a file access record to the file access log (106).
- the file access monitoring server (107) may include a network connection function (205), an access log reading function (206), an unauthorized access pattern file maintenance function (207), a ransomware determination function (208), and an alert transmission function (209).
- the network connection function (205) is typically a function for connecting to the in-house network (102).
- the access log reading function (206) is a function for reading the file access log (106) at predetermined intervals or constantly.
- the unauthorized access pattern file maintenance function (207) is a function for the system administrator to change the contents of the unauthorized access pattern file (108) as needed.
- the ransomware determination function (208) is a means for determining whether the system is under attack by ransomware based on the contents of the file access log (106) that has been read (the specific determination method is described later).
- the alert transmission function (209) is a function that performs the necessary response when there is a high possibility of a ransomware attack.
- each function listed here is an example; the actual division of functions may be decided as a system design matter.
- some functions may be operated by the user terminal (104), or may be realized by a cloud or the like operating outside the organization.
- FIG. 3 shows an example of the contents of the file access log (106) in the embodiment of the ransomware monitoring system according to the present invention.
- the timestamp is the date and time when the access request to the file was executed, and both the start time and the completion time of the access request may be stored.
- the access type is a requested type of file access such as READ (read), WRITE (write), CREATE (file creation), RENAME (file name change), DELETE (file deletion), and the like.
- the parameters are additional information for each file access request, such as the ID of the user who made the request, the IP address and ID of the request source PC, the start position and length of the data, and the name of the file to be created or changed.
- the return code is a value returned from the file server in response to the file access request, and represents information such as whether or not the file access has been successfully processed.
- the file access log (106) may be implemented as a flat file, as a data store with a DBMS (database management system)-like structure, or as a temporary area in memory.
- FIG. 3 shows an example of the contents of the unauthorized access pattern file (108) in the embodiment of the ransomware monitoring system according to the present invention.
- the unauthorized access pattern file (108) preferably stores the types of file access to be monitored in the ransomware determination process (hereinafter referred to as the monitored access types or simply the access types).
- Typical monitored access types are WRITE (writing to the entire file) and RENAME (renaming), but it is desirable that these not be hard-coded in the program but stored in the unauthorized access pattern file (108) so that the system administrator can change them. In this way, even if a new ransomware attack pattern appears in the future, it can be dealt with effectively.
- a threshold: for example, 10 times per second
- the unauthorized access pattern file (108) may also store, for each user, a profile (time, target directory, etc.) of that user's standard file access. In the decision logic for a ransomware attack, a file access that deviates from this profile may serve as evidence supporting the presence of an attack. As an alternative configuration, a profile of file accesses that should not normally occur may be stored instead.
- FIG. 4 shows a flowchart of an embodiment of a ransomware monitoring program according to the present invention.
- the ransomware monitoring program, corresponding to the ransomware determination function (208) of the file access monitoring server (107), reads records from the file access log (106) at regular intervals or constantly (S401). It then selects only the records for which file access was permitted (S402); in an implementation where denied file accesses are not written to the file access log (106) but saved in a separate log, step S402 may be omitted. Next, the contents of the unauthorized access pattern file (108) are compared with the selected records to determine whether there is matching information (S403). If there is, that is, if the presence of ransomware is suspected, the necessary measures are taken (S404).
- the ransomware determination process of S403 is described in detail below.
- if the number of accesses of the monitored access types performed from one user terminal (104) within a fixed time exceeds a predetermined threshold stored in advance in the unauthorized access pattern file (108) (for example, 10 times per second), it may be determined that ransomware is present, and the ransomware handling process described below may be performed.
- a predetermined threshold: for example, 10 times per second
- monitored file operations from a plurality of terminals may also be summed as input to the ransomware presence determination, because ransomware may infect multiple user terminals (104) and perform encryption simultaneously and frequently.
- the threshold for each user terminal (104) and the total threshold for a plurality of user terminals (104) may be stored separately.
- if the number of denied file accesses recorded in the file access log (106) (or in other logs) within a certain period exceeds a preset threshold (for example, 10 operations per second), it may be used as an input for determining the presence of ransomware. For example, ransomware that has obtained only ordinary user rights may repeatedly try to encrypt system files and fail.
- although denial of file access by the file access control function is not the subject matter of the present invention, the fact that an access was denied can be used as effective information for determining a ransomware attack. In the determination, it is preferable to give more weight to denied accesses of the monitored access types (for example, writing or renaming) than to other file operations (for example, reading).
- if virus detection software or a firewall installed in the organization detects malware, that may also be used as effective information for determining a ransomware attack, because multiple types of ransomware may be launched against an organization at the same time, some of which are detected while others start operating undetected. In addition, because some users may not have set up appropriate virus detection software, ransomware may intrude into the in-house system.
- Profiles such as the user ID, the ID of the access-source terminal, the IP address of the access-source terminal, and the date and time of access may be stored in advance in the unauthorized access pattern file (108); if the contents of the access log deviate significantly from that profile, this may be used as an input for determining the presence of ransomware. For example, a user with a system administrator's user ID may plausibly rename a large number of files at once for file server maintenance, but if a user with a general user ID performs such an operation, the presence of ransomware may be suspected.
- the above conditions, namely (1) the number of file accesses of the monitored access types within a predetermined time, (2) the number of file access operations denied within a predetermined time, (3) detection of malware by other software components, and (4) the number of file accesses that differ from the stored standard profile, as well as other conditions, may be combined and used as the basis for the ransomware attack determination. Even in that case, it is preferable to treat (1) as the most important criterion. For example, each condition may be weighted and scored, and a ransomware attack determined if the score exceeds a threshold.
- predetermined logic may also be employed, such as determining that a ransomware attack has occurred if the number of file accesses of the monitored access types within a predetermined period exceeds a first threshold (for example, 10 per second) and the number of file access operation denials within a predetermined time exceeds a second threshold (for example, 5 per second).
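As an added example (not code from the patent or its applicant), the following Python sketch puts the record fields of FIG. 3 and the S401 to S404 flow, including the weighted scoring just described, into one runnable unit: it parses a constructed log format, drops denied records (S402), counts monitored access types per terminal and summed over all terminals within a sliding window, counts denied monitored operations, weights the conditions, and returns the handling actions to issue. The log line format, the field and function names, the summed threshold, the weights and the score threshold are assumptions; only the monitored types WRITE/RENAME and the 10-per-second and 5-per-second example thresholds come from the text. The profile-deviation condition (4) is not implemented.

```python
"""Added example, not the patent's own code: a minimal implementation of the
S401-S404 flow over file access log records (FIG. 3 / FIG. 4).  The log line
format, field names and every threshold except the two example values from the
text are constructed stand-ins."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Stand-in for the unauthorized access pattern file (108).  Kept in data, not
# hard-coded, so an administrator can change monitored types and thresholds.
PATTERN = {
    "monitored_types": {"WRITE", "RENAME"},
    "window": timedelta(seconds=1),
    "per_terminal_threshold": 10,   # condition (1): first threshold, 10 per second
    "total_threshold": 20,          # summed over all terminals (assumed value)
    "denied_threshold": 5,          # condition (2): second threshold, 5 per second
    "weights": {"monitored": 1.0, "denied": 0.5, "malware": 0.5},  # assumed
    "score_threshold": 1.0,         # (1) alone suffices; (2) + (3) together also do
}

@dataclass
class Record:
    ts: datetime        # timestamp
    access_type: str    # READ / WRITE / CREATE / RENAME / DELETE
    user: str           # parameters: requesting user ID
    terminal: str       # parameters: request-source PC ID
    filename: str       # parameters: file name
    rc: int             # return code: 0 = permitted, non-zero = denied

def parse_log(lines):
    """S401: parse constructed 'timestamp|type|user|terminal|file|rc' lines."""
    records = []
    for line in lines:
        ts, typ, user, term, fn, rc = line.strip().split("|")
        records.append(Record(datetime.fromisoformat(ts), typ, user, term, fn, int(rc)))
    return records

def select_permitted(records):
    """S402: keep only records whose return code says the access succeeded."""
    return [r for r in records if r.rc == 0]

def max_in_window(times, window):
    """Largest number of events falling inside any sliding window of length `window`."""
    times = sorted(times)
    best, j = 0, 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best

def evaluate(records, pattern=PATTERN, malware_detected=False):
    """S403: compare the log against the pattern file and score conditions (1)-(3)."""
    permitted = select_permitted(records)
    monitored = [r for r in permitted if r.access_type in pattern["monitored_types"]]
    # denied operations of the monitored types weigh more than denied reads
    denied = [r for r in records
              if r.rc != 0 and r.access_type in pattern["monitored_types"]]
    per_terminal = defaultdict(list)
    for r in monitored:
        per_terminal[r.terminal].append(r.ts)
    suspects = sorted(t for t, ts in per_terminal.items()
                      if max_in_window(ts, pattern["window"]) >= pattern["per_terminal_threshold"])
    total_hit = max_in_window([r.ts for r in monitored], pattern["window"]) >= pattern["total_threshold"]
    denied_hit = max_in_window([r.ts for r in denied], pattern["window"]) >= pattern["denied_threshold"]
    w = pattern["weights"]
    score = (w["monitored"] * (bool(suspects) or total_hit)
             + w["denied"] * denied_hit
             + w["malware"] * malware_detected)
    return {"attack": score >= pattern["score_threshold"], "score": score,
            "suspect_terminals": suspects, "total_hit": total_hit, "denied_hit": denied_hit}

def respond(verdict):
    """S404: handling actions to issue; the block command goes to the access control
    function (203), the rest to the administrator and the unauthorized access log (109)."""
    if not verdict["attack"]:
        return []
    actions = [("block_file_access", t) for t in verdict["suspect_terminals"]]
    actions += [("notify_admin", f"score={verdict['score']}"),
                ("record_unauthorized_access_log", verdict["suspect_terminals"])]
    return actions

def sample_log():
    """Constructed log: pc-01 writes 12 files within 0.9 s (plus 2 denied writes);
    pc-02 reads three files at a normal pace."""
    lines = [f"2018-09-04T09:00:00.{i * 80000:06d}|WRITE|alice|pc-01|doc{i}.xlsx|0"
             for i in range(12)]
    lines += [f"2018-09-04T09:00:01.{i * 100000:06d}|WRITE|alice|pc-01|sys{i}.dll|5"
              for i in range(2)]
    lines += [f"2018-09-04T09:0{i}:00.000000|READ|bob|pc-02|report.docx|0" for i in range(3)]
    return lines

def benign_log():
    """Constructed log: a few writes from pc-01 spaced 10 s apart."""
    return [f"2018-09-04T09:00:{i * 10:02d}.000000|WRITE|alice|pc-01|doc{i}.xlsx|0"
            for i in range(3)]

if __name__ == "__main__":
    verdict = evaluate(parse_log(sample_log()))
    print(verdict, respond(verdict))
```

The same `max_in_window` with a 30-minute window and a per-terminal threshold of 10,000 reproduces the FIG. 5-b setting. Note that the comparison here uses "equal to or greater than", as in claim 2, whereas the description says "exceeds"; whichever is chosen should match the values written in the pattern file.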
- the above inputs may also be combined and used as the input of a neural network, so that a ransomware attack can be determined by machine learning.
- (1) Blocking file access from the access-source user terminal (104). This can be realized by sending a command to the access control function (203) of the file server (105). It may also be realized by running agent software on the user terminals (104) and sending a command to the agent software running on the user terminal (104) suspected of ransomware infection; in that case the agent software that receives the command may block file access by disconnecting the user terminal (104) from the in-house network (103).
- (2) Displaying a message on the screen of the access-source user terminal (104). This may be realized by running agent software on the user terminals (104) and sending a command to the agent software running on the user terminal (104) suspected of ransomware infection.
- FIG. 5 shows an example of a management screen of the embodiment of the ransomware monitoring program according to the present invention.
- the management screen is preferably displayed on the administrator terminal (110).
- FIG. 5-a is an example of a screen of the monitoring dashboard when being under attack by ransomware.
- the detection date and time of the attacks currently occurring on the monitored file server, the attack duration (continuous count), the user ID of the attack source (account ID), and the IP address and ID of the connection-source PC (connection source) are displayed. It is desirable that various countermeasures, such as blocking file access from that PC, can be executed from this screen, and that the history of past attacks stored in the unauthorized access log (109) can also be referenced from it.
- FIG. 5-b is an example of a pop-up screen for setting attack detection.
- the notification destinations when a ransomware attack is detected (recording as an event (for example, to the unauthorized access log (109)), notification to the administrator, an arbitrary e-mail address), the execution interval of the ransomware detection process (the process shown in FIG. 4), and the threshold for the monitored file access can be set here. In this example, 10,000 or more write operations from one user within 30 minutes is set to be determined as a ransomware attack. Other information may be added.
- FIG. 6 shows a configuration example when the ransomware monitoring system according to the present invention is executed on a stand-alone PC.
- the configuration shown in FIG. 1 is an example in the case where a plurality of PCs and a plurality of servers are used in an enterprise, but the present invention can also be implemented on a system constituted by one PC. Specifically, this is a case where the business process is completed on one PC even if it is used by an individual or in a company.
- the personal computer (601) is a computer device that performs business processing, and may be a tablet terminal or a smartphone.
- the business program (602) is, for example, a word processor or the like, and is a program that performs various processes meeting the purpose of the user.
- the job file (603) is a file for storing data used by the user.
- the monitoring program (604) performs the functions corresponding to the file access log (106), the file access monitoring server (107), the unauthorized access pattern file (108), and the unauthorized access log (109) of FIG. 1.
- the monitoring program (604) may be implemented as a function of conventional virus detection software. The monitoring program (604) executing the ransomware detection process corresponding to FIG. 4 is equivalent to the embodiment of FIG. 1.
- the present invention has a technically significant advantage in that it can minimize ransomware damage that could not be prevented by conventional file access control.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Virology (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Storage Device Security (AREA)
Description
The above problem is solved by providing a ransomware detection method including a first step of reading file access log records from a file access log storage means at a predetermined time; a second step of, when the file access log storage means includes records of denied file access, selecting only the records of permitted file access from the read records; a third step of comparing the records of permitted file access with previously stored conditions; and a fourth step of calling a ransomware handling process when the comparison determines that there is a ransomware attack.
The file access log monitoring means reads file access log records from the file access log storage means at a predetermined time; when the file access log storage means includes records of denied file access, it selects only the records of permitted file access from the read records; it compares the records of permitted file access with the conditions stored in advance in the unauthorized file access pattern storage means; and it calls a ransomware handling process when the comparison determines that there is a ransomware attack. Providing such a ransomware detection system solves the above problem.
The above problem is solved by providing the ransomware detection system according to paragraph 0018 or paragraph 0019, in which the ransomware attack determination additionally takes into account a combination of one or more of: the number of denied file access operations within a predetermined period, the malware detection result, or the number of file accesses that differ from the predetermined access pattern stored in the unauthorized file access pattern storage means.
(1) Blocking file access from the access-source user terminal (104). This can be realized by sending a command to the access control function (203) of the file server (105). It may also be realized by running agent software on the user terminals (104) and sending a command to the agent software running on the user terminal (104) suspected of ransomware infection. In this case, the agent software that receives the command may block file access by disconnecting the user terminal (104) from the in-house network (103).
(2) Displaying a message on the screen of the access-source user terminal (104). This may be realized by running agent software on the user terminals (104) and sending a command to the agent software running on the user terminal (104) suspected of ransomware infection.
(3) Displaying a message on the system administrator's terminal screen. Normally the system administrator runs management software for monitoring the state of the system, and such management software exposes an interface for displaying messages on its console, so the message can be displayed through that interface.
(4) Sending an e-mail to the system administrator.
(5) Detaching backup files that are currently online.
(6) Saving the ransomware attack information to the unauthorized access log (109).
The present invention has a technically significant advantage in that it can minimize ransomware damage that could not be prevented by conventional file access control.
Claims (12)
- 1. A ransomware detection method executed by a computer, comprising: a first step of reading file access log records from a file access log storage means at a predetermined time; a second step of, when the file access log storage means includes records of denied file access, selecting only the records of permitted file access from the read records; a third step of comparing the records of permitted file access with previously stored conditions; and a fourth step of calling a ransomware handling process when the comparison determines that there is a ransomware attack.
- 2. The ransomware detection method according to claim 1, wherein the third step comprises: a step of counting, among the records of permitted file access, the number of records that include a file access type stored in advance as a monitoring target; and a step of determining that there is a ransomware attack when the counted number is equal to or greater than a previously stored threshold.
- 3. The ransomware detection method according to claim 1 or claim 2, wherein the third step further comprises a step of making the ransomware attack determination taking into account a combination of one or more of: the number of denied file access operations within a predetermined period, the malware detection result, or the number of file accesses that differ from a previously stored access pattern.
- 4. The ransomware detection method according to claim 1, claim 2 or claim 3, wherein the fourth step comprises a step of sending a command ordering the file access control means to block file access.
- 5. A ransomware detection program comprising: a first instruction group for reading file access log records from a file access log storage means at a predetermined time; a second instruction group for, when the file access log storage means includes records of denied file access, selecting only the records of permitted file access from the read records; a third instruction group for comparing the records of permitted file access with previously stored conditions; and a fourth instruction group for calling a ransomware handling process when the comparison determines that there is a ransomware attack.
- 6. The ransomware detection program according to claim 5, wherein the third instruction group comprises: an instruction group for counting, among the records of permitted file access, the number of records that include a file access type stored in advance as a monitoring target; and an instruction group for determining that there is a ransomware attack when the counted number is equal to or greater than a previously stored threshold.
- 7. The ransomware detection program according to claim 5 or claim 6, wherein the third instruction group comprises an instruction group for making the ransomware attack determination taking into account a combination of one or more of: the number of denied file access operations within a predetermined period, the malware detection result, or the number of file accesses that differ from a previously stored access pattern.
- 8. The ransomware detection program according to claim 5, claim 6 or claim 7, wherein the fourth instruction group comprises an instruction group for sending a command ordering the file access control means to block file access.
- 9. A ransomware detection system comprising a file access log monitoring means and an unauthorized file access pattern storage means, used together with an information system comprising a file access control means and a file access log storage means, wherein the file access log monitoring means: reads file access log records from the file access log storage means at a predetermined time; when the file access log storage means includes records of denied file access, selects only the records of permitted file access from the read records; compares the records of permitted file access with the conditions stored in advance in the unauthorized file access pattern storage means; and calls a ransomware handling process when the comparison determines that there is a ransomware attack.
- 10. The ransomware detection system according to claim 9, wherein the previously stored conditions are a monitored file access type and a threshold on the number of cases within a predetermined period, and the file access log monitoring means determines that there is a ransomware attack when the number of records including the monitored file access type among the records of permitted file access exceeds the threshold.
- 11. The ransomware detection system according to claim 9 or claim 10, wherein the file access log monitoring means makes the ransomware attack determination taking into account a combination of one or more of: the number of denied file access operations within a predetermined period, the malware detection result, or the number of file accesses that differ from the predetermined access pattern stored in the unauthorized file access pattern storage means.
- 12. The ransomware detection system according to claim 9, claim 10 or claim 11, wherein the file access log monitoring means further sends a command ordering the file access control means to block file access when it is determined that there is a ransomware attack.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2018556001A JP6442649B1 (ja) | 2017-10-11 | 2018-09-04 | ファイル・アクセス監視方法、プログラム、および、システム |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2017198080 | 2017-10-11 | ||
JP2017-198080 | 2017-10-11 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019073720A1 (ja) | 2019-04-18 |
Family ID: 66101552
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2018/032766 WO2019073720A1 (ja) | File access monitoring method, program, and system | 2017-10-11 | 2018-09-04 |
Country Status (2)
Country | Link |
---|---|
JP (1) | JP7123488B2 (ja) |
WO (1) | WO2019073720A1 (ja) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2007026081A (ja) * | 2005-07-15 | 2007-02-01 | Canon Inc | Program |
US20110082838A1 (en) * | 2009-10-07 | 2011-04-07 | F-Secure Oyj | Computer security method and apparatus |
US20160378988A1 (en) * | 2015-06-26 | 2016-12-29 | Quick Heal Technologies Private Limited | Anti-ransomware |
JP2017068822A (ja) * | 2015-09-30 | 2017-04-06 | AO Kaspersky Lab | System and method for detecting malicious data encryption programs |
JP2018128910A (ja) * | 2017-02-09 | 2018-08-16 | Sky株式会社 | Access monitoring system |
Application events (2018)
- 2018-09-04: WO PCT/JP2018/032766, published as WO2019073720A1 (ja), active, application filing
- 2018-11-26: JP JP2018220425A, granted as JP7123488B2 (ja), active
Non-Patent Citations (1)
Title |
---|
Scaife, Nolen: "CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data", ICDCS 2016, 27 June 2016, pages 303-312, XP032939899, DOI: 10.1109/ICDCS.2016.46 * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111444503A (zh) * | 2020-03-25 | 2020-07-24 | 深信服科技股份有限公司 | Method, apparatus, system and medium for detecting ransomware |
CN111444503B (zh) * | 2020-03-25 | 2023-11-07 | 深信服科技股份有限公司 | Method, apparatus, system and medium for detecting ransomware |
CN111626860A (zh) * | 2020-07-24 | 2020-09-04 | 成都寻道数财科技有限公司 | System and method for judging high-frequency trading by combining historical and real-time financial data |
CN113572778A (zh) * | 2021-07-27 | 2021-10-29 | 北京卫达信息技术有限公司 | Method for detecting illegal network intrusion |
Also Published As
Publication number | Publication date |
---|---|
JP2019075131A (ja) | 2019-05-16 |
JP7123488B2 (ja) | 2022-08-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109766699B (zh) | | Operation behaviour interception method and apparatus, storage medium, and electronic apparatus |
US9213836B2 (en) | | System and method for comprehensive general electric protection for computers against malicious programs that may steal information and/or cause damages |
US20030159070A1 (en) | | System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages |
EP2345977B1 (en) | | Client computer for protecting confidential file, server computer therefor, method therefor, and computer program |
US20040034794A1 (en) | | System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages |
EP1305688A2 (en) | | System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages |
CN113660224A (zh) | | Situation-awareness defence method, apparatus and system based on network vulnerability scanning |
JP7123488B2 (ja) | | File access monitoring method, program, and system |
JP6442649B1 (ja) | | File access monitoring method, program, and system |
KR101614809B1 (ko) | | Endpoint application execution control system and control method thereof |
Belmabrouk | | Cyber Criminals and Data Privacy Measures |
GB2404262A (en) | | Protection for computers against malicious programs using a security system which performs automatic segregation of programs |
Ahmad et al. | | Security issues on banking systems |
CN113239349B (zh) | | Network security testing method for a power monitoring system |
Powers et al. | | Whitelist malware defense for embedded control system devices |
Egerton et al. | | Applying zero trust security principles to defence mechanisms against data exfiltration attacks |
Iordache | | Database-Web Interface Vulnerabilities |
GUVÇİ et al. | | An Improved Protection Approach for Protecting from Ransomware Attacks |
Ruha | | Cybersecurity of computer networks |
CA2471505A1 (en) | | System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages |
Pill | | 10 Database Attacks |
Waziri et al. | | Data loss prevention and challenges faced in their deployments |
GB2411748A (en) | | Anti-virus system for detecting abnormal data outputs |
Victor et al. | | Data loss prevention and challenges faced in their deployments |
Droppa et al. | | Cyber security state in real environment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| ENP | Entry into the national phase | Ref document number: 2018556001; Country of ref document: JP; Kind code of ref document: A |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 18865861; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 23/07/2020) |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 18865861; Country of ref document: EP; Kind code of ref document: A1 |