WO2023151238A1 - Ransomware detection method and related system - Google Patents


Info

Publication number
WO2023151238A1
Authority
WO
WIPO (PCT)
Prior art keywords
file
ransomware
bait
behavior
decoy
Application number
PCT/CN2022/107830
Other languages
French (fr)
Chinese (zh)
Inventor
刘剑波
Original Assignee
华为云计算技术有限公司

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
              • G06F21/55 Detecting local intrusion or implementing counter-measures
                • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
                  • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
                  • G06F21/567 Computer malware detection or handling, e.g. anti-virus arrangements using dedicated hardware
                  • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
          • G06F18/00 Pattern recognition
            • G06F18/20 Analysing
              • G06F18/22 Matching criteria, e.g. proximity measures

Definitions

  • the present application relates to the technical field of network security, and in particular to a ransomware virus detection method, system, computer cluster, computer-readable storage medium, and computer program product.
  • Ransomware generally traverses all directories of the client host through deep traversal, and encrypts key business/data files (such as database files, office documents, compressed files, videos, pictures, and source codes). Some ransomware will encrypt specified types of files exceeding a fixed size in a specific directory, making the encrypted files unable to be read normally and affecting the normal operation of the business. At the same time, the ransomware virus generates a ransom note file in the directory where the encrypted file is located. The customer can only obtain the decryption password/tool or the method to restore the normal operation of the system after paying the ransom based on the ransom note file.
  • the present application provides a ransomware detection method. The method detects the access behavior to the bait directory and/or bait file, matches the access behavior with the behavior pattern of ransomware encrypting files, and detects the ransomware based on the matching result, which improves the accuracy and speed of detecting ransomware.
  • the present application also provides a ransomware detection system, a computer cluster, a computer-readable storage medium, and a computer program product corresponding to the above method.
  • the present application provides a method for detecting ransomware.
  • the method can be executed by a ransomware detection system.
  • the ransomware detection system may also be referred to as a detection system for short.
  • the detection system may be a software system, and the software system may be deployed in a computer cluster, and the computer cluster executes the ransomware detection method by running the program code of the software system.
  • the detection system may also be a hardware system for detecting ransomware.
  • the embodiment of this application uses the ransomware detection system as an example for illustration.
  • the detection system detects the access behavior to the decoy file and/or decoy directory, matches the access behavior with the behavior pattern (for example, a behavior pattern preset by the service provider) to obtain a matching result, and then determines the ransomware according to the matching result of the access behavior and the behavior pattern.
  • the detection system provides a general behavior pattern abstracted from the file-encrypting behavior of the ransomware process (the process generated when the ransomware virus is executed), and matches the access behavior of a process to the lure file and/or lure directory against that behavior pattern to identify whether the process is a ransomware process, thereby detecting ransomware viruses.
  • the detection method in the embodiment of the present application has higher accuracy, and avoids too many false positives affecting the normal operation of the business.
  • the method detects ransomware through simple behavior pattern matching, which improves the detection speed.
  • the detection system may also present warning information to the user.
  • the warning information includes the process identifier of the ransomware process, the path of the ransomware virus, the hash value of the ransomware virus, the command line of the ransomware virus, the access path of the ransomware process, and the access type of the ransomware process.
  • the ransomware process is the process corresponding to the ransomware virus.
  • the detection system may present the alarm information to the user through the alarm interface.
  • the detection system may also issue an alarm through a voice broadcast.
  • the detection system will give an alarm when it detects a ransomware virus, which can remind users to take precautions to ensure data security.
  • the detection system may perform a security response when detecting a ransomware virus.
  • the detection system may stop the ransomware process. The ransomware process is the process corresponding to the ransomware virus; specifically, it may be the process generated when the ransomware virus is executed.
  • the detection system can block ransomware.
  • the detection system can isolate the ransomware, for example, in a sandbox, so as to block the ransomware.
  • the detection system can prevent data from being encrypted by ransomware by stopping the ransomware process or blocking the ransomware virus, thereby ensuring data security and normal business operation.
  • the behavior mode includes at least the following behaviors: writing to a newly created non-bait file in the bait directory; or renaming the bait file.
  • when ransomware encrypts files, it usually writes to newly created non-bait files in the bait directory, or renames the bait files. Therefore, matching access behaviors to bait directories and/or bait files against this behavior pattern can effectively improve the accuracy and speed of detecting ransomware.
  • the ransomware can read the source file, encrypt the source file, write a new file with an additional extension, and then delete the source file to implement extortion based on the above new file.
  • the behavior mode may include a first behavior mode, and the first behavior mode includes: reading the decoy file, writing a newly created non-decoy file under the decoy directory, and deleting the decoy file.
  • the ransomware can read the source file, encrypt it and write the ciphertext back to the source file, and then rename it to a new file with an additional extension, so as to implement ransom based on the above-mentioned new file.
  • the behavior pattern may include a second behavior pattern, which includes: reading the bait file, writing the bait file, and renaming the bait file (equivalent to writing a newly created non-bait file under the bait directory).
  • the ransomware virus can also rename the source file to a new file with an additional extension, read the file content, and encrypt and write back the new file to implement blackmail based on the new file.
  • the behavior pattern may include a third behavior pattern, which includes: renaming the decoy file (equivalent to writing a newly created non-decoy file under the decoy directory), reading the newly created non-decoy file under the decoy directory, and writing that non-decoy file in the decoy directory.
  • the detection system can further improve the accuracy of ransomware detection by matching the access behavior to the decoy directory and/or decoy file with the behaviors in the above-mentioned first behavior pattern, second behavior pattern and/or third behavior pattern.
  • the detection system may obtain the process identifier of the target process, the file path accessed by the target process, and the access type from the file access message.
  • the detection system can obtain information such as the process identifier of the target process, the file path accessed by the target process, and the access type by parsing the file access message.
  • the detection system obtains information such as the process identifier, the file path accessed by the process, and the access type from the file access message, matches the file path with the decoy directory, and, when the file path matches the decoy directory, further matches the accessed file with the decoy files, so as to detect the access behavior to the decoy directory and/or decoy files.
  • This detection method has high accuracy and can meet the precision requirements for detecting ransomware.
  • the detection system may also acquire the attributes of the decoy file and the attributes of the written file.
  • the written file includes the modified decoy file or the non-decoy file.
  • the detection system may determine whether the target process encrypts the decoy file according to the attribute of the decoy file and the attribute of the written file.
  • when it does, the detection system can determine that the target process is a ransomware process and that the file which generates the target process during execution is a ransomware virus.
  • on the basis of behavior matching, the detection system also combines the attributes of the decoy file and the changes in the attributes of the written file to filter out access behavior that does not encrypt files, further improving the accuracy of ransomware detection and avoiding ransomware false positives that affect the normal operation of the business.
  • the attribute of the decoy file includes one or more of a size, an entropy value, or a hash value of the decoy file. Encrypting the lure file by ransomware can cause the size of the lure file to change, the entropy value to change, and the hash value to change. Therefore, the detection system can identify suspicious encryption behaviors by detecting one or more of the size, entropy value, or hash value of the decoy file, thereby improving the accuracy of detecting ransomware.
  • the detection system may also obtain the parent process identifier of the target process.
  • the detection system may also detect the access behavior of the decoy file and/or the decoy directory by the associated process of the target process according to the parent process identifier.
  • the parent process ID of the associated process is the same as the parent process ID of the target process. That is, the target process and the associated process have the same parent process, and the target process and the associated process are child processes under the same parent process.
  • the detection system can further detect the access behavior of the associated process to the decoy directory and/or decoy file, thereby detecting the behavior of encrypting bait files through multiple processes.
  • this covers the scenario where ransomware encrypts bait files through multiple processes, and improves the detection rate of ransomware.
  • the detection system may determine, according to the matching result of the access behavior of the target process with the behavior pattern and the matching result of the access behavior of the associated process with the behavior pattern, the number of processes under the parent process whose access behavior matches the behavior pattern.
  • the detection system may determine the file that generates the parent process during execution as a ransomware virus.
  • the detection system statistically analyzes the number of suspicious child processes (including the target process and associated processes) under the parent process that have abnormal access to the bait, and based on this number identifies whether the parent process is the parent process of a ransomware that encrypts files through multiple child processes, thereby increasing the confidence in detecting ransomware.
  • the detection system may also identify the ransom note file according to the access behavior to the non-bait files in the bait directory. For example, the detection system can analyze whether a non-bait file in the bait directory written by the process has only write operations and no read operations, so as to identify whether the non-bait file is a ransom note file. Furthermore, the detection system can also identify whether the non-bait file is a ransom note file according to whether the name of the non-bait file includes keywords from a dictionary of common ransom note file names, such as readme, decrypt, restore, and recover, so as to improve the accuracy of ransom note file recognition. Correspondingly, the detection system can determine the ransomware virus according to the matching result and the recognition result of the ransom note file.
  • on the basis of behavior matching, the method also detects ransomware by combining the identification of the ransom note file, which improves the accuracy of ransomware detection and avoids ransomware false positives from affecting the normal operation of the business.
  • the detection system may determine a first score according to the matching result, determine a second score according to the recognition result of the ransom note file, and then identify the ransomware based on the first score and the second score.
  • the detection system may preset different base scores for different matching results, and the base scores may be set according to experience values. After obtaining the matching result, the detection system may determine the base score corresponding to the matching result and take it as the first score. Further, considering that the target process may access multiple decoy files, the detection system may also count the number of times the target process's access behavior to the decoy directory and/or decoy files matches the behavior pattern. Correspondingly, the detection system may also determine the first score according to the base score, the behavior pattern matching weighted score and the number of matches. Similarly, the detection system may set a ransom note file matching weighted score.
  • the detection system may obtain the second score according to the ransom note file matching weighted score.
  • the detection system may determine a total score based on the first score and the second score described above. In some embodiments, the total score may be the sum of the first score and the second score.
  • the detection system can then determine the ransomware based on the total score. For example, when the total score is greater than the preset score, the detection system may determine that the process file of the target process is a ransomware virus, and determine that the target process is a ransomware process.
  • the detection system scores the ransomware through multiple dimensions such as behavior matching and ransomware description files, and comprehensively detects the ransomware with scores from different dimensions, which has a high degree of confidence.
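The behavior-pattern matching (first to third patterns), the write-only/keyword ransom note check and the score-based decision described above, as an added example that is not the application's own code: parsed file-access messages are abstracted into per-process tokens, matched against the three patterns, combined with the ransom note check, and scored. The decoy paths, the event format, the base scores, weights and preset threshold, and the rule that both the write-only and the keyword condition must hold for a ransom note are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Set

DECOY_DIR = "/data/.decoy"                                            # assumed decoy directory
DECOY_FILES = {"/data/.decoy/report.docx", "/data/.decoy/db.sqlite"}  # assumed decoy files
NOTE_KEYWORDS = ("readme", "decrypt", "restore", "recover")           # dictionary named in the application

# Constructed scoring parameters; the application only says they are set from experience values.
BASE_SCORE = {1: 50, 2: 50, 3: 50}   # base score for a match on behavior pattern 1/2/3
MATCH_WEIGHT = 15                    # behavior-pattern matching weighted score, per match
NOTE_WEIGHT = 30                     # ransom note matching weighted score
ALERT_THRESHOLD = 80                 # total score above this => ransomware process

PATTERNS = {  # the three behavior patterns as ordered sequences of abstract access tokens
    1: ("read_decoy", "write_new", "delete_decoy"),
    2: ("read_decoy", "write_decoy", "rename_decoy"),
    3: ("rename_decoy", "read_new", "write_new"),
}

@dataclass
class FileAccess:
    pid: int
    path: str
    access: str   # "read" | "write" | "delete" | "rename"

@dataclass
class ProcessState:
    tokens: List[str] = field(default_factory=list)   # decoy-directory accesses, in order
    reads: Set[str] = field(default_factory=set)      # non-decoy files read in the decoy dir
    writes: Set[str] = field(default_factory=set)     # non-decoy files written in the decoy dir

def to_token(ev: FileAccess) -> Optional[str]:
    """Abstract one access message into a behavior token; None if outside the decoy directory."""
    if not ev.path.startswith(DECOY_DIR + "/"):
        return None
    decoy = ev.path in DECOY_FILES
    if ev.access == "read":
        return "read_decoy" if decoy else "read_new"
    if ev.access == "write":
        return "write_decoy" if decoy else "write_new"
    if ev.access in ("delete", "rename") and decoy:
        return ev.access + "_decoy"   # rename == writing a newly created non-decoy file
    return None

def count_matches(pattern: Sequence[str], tokens: Sequence[str]) -> int:
    """Count non-overlapping occurrences of `pattern` as an ordered subsequence of `tokens`."""
    matches, pos = 0, 0
    for tok in tokens:
        if tok == pattern[pos]:
            pos += 1
            if pos == len(pattern):
                matches, pos = matches + 1, 0
    return matches

def score_process(st: ProcessState) -> dict:
    """First score from pattern matches and match counts, second score from ransom note detection."""
    matched = {p: n for p, seq in PATTERNS.items() if (n := count_matches(seq, st.tokens))}
    first = sum(BASE_SCORE[p] + MATCH_WEIGHT * n for p, n in matched.items())
    # Ransom note: write-only non-decoy file whose name hits the keyword dictionary.
    notes = sorted(f for f in st.writes if f not in st.reads
                   and any(k in f.rsplit("/", 1)[-1].lower() for k in NOTE_KEYWORDS))
    second = NOTE_WEIGHT if notes else 0
    return {"patterns": matched, "notes": notes, "first": first, "second": second,
            "total": first + second, "ransomware": first + second > ALERT_THRESHOLD}

def analyse(events: List[FileAccess]) -> Dict[int, dict]:
    """Group access messages by PID and score every process that touched the decoy directory."""
    states: Dict[int, ProcessState] = defaultdict(ProcessState)
    for ev in events:
        tok = to_token(ev)
        if tok is None:
            continue
        st = states[ev.pid]
        st.tokens.append(tok)
        if tok == "read_new":
            st.reads.add(ev.path)
        elif tok == "write_new":
            st.writes.add(ev.path)
    return {pid: score_process(st) for pid, st in states.items()}

# Constructed sample access messages (not captured from any real system).
SAMPLE_EVENTS = [
    # pid 4242: pattern 1 on both decoys, then a write-only ransom note
    FileAccess(4242, "/data/.decoy/report.docx", "read"),
    FileAccess(4242, "/data/.decoy/report.docx.locked", "write"),
    FileAccess(4242, "/data/.decoy/report.docx", "delete"),
    FileAccess(4242, "/data/.decoy/db.sqlite", "read"),
    FileAccess(4242, "/data/.decoy/db.sqlite.locked", "write"),
    FileAccess(4242, "/data/.decoy/db.sqlite", "delete"),
    FileAccess(4242, "/data/.decoy/README_DECRYPT.txt", "write"),
    # pid 777: backup agent reads a decoy and writes outside the decoy directory
    FileAccess(777, "/data/.decoy/report.docx", "read"),
    FileAccess(777, "/backup/report.docx", "write"),
    # pid 900: pattern 2 on a single decoy, no ransom note
    FileAccess(900, "/data/.decoy/report.docx", "read"),
    FileAccess(900, "/data/.decoy/report.docx", "write"),
    FileAccess(900, "/data/.decoy/report.docx", "rename"),
]
```

With these constructed weights, a process that matches one pattern on a single decoy file and drops no ransom note stays below the preset score, while the two-decoy process with a note exceeds it; the attribute check (size, entropy, hash) and the whitelist filter described elsewhere on the page are not modelled here.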
  • the detection system may also match the attributes of the target process with the attributes of the processes in the whitelist. For example, match the process file hash of the target process with the process file hash of the process in the whitelist. When the attribute of the target process does not match the attribute of the process in the white list, the detection system matches the access behavior with the behavior pattern to obtain a matching result. In this way, abnormal access behaviors of processes in the whitelist can be filtered, and false positives of ransomware viruses caused by user misoperations can be avoided.
  • the ransomware detection system may also be referred to simply as a detection system.
  • the detection system includes the following functional modules:
  • An access monitoring module used to detect access behaviors to bait files and/or bait directories
  • a behavior detection module configured to match the access behavior with a behavior pattern to obtain a matching result
  • the ransomware detection module is configured to determine the ransomware according to the matching result.
  • the system also includes:
  • An alarm module configured to present alarm information to the user, the alarm information including the process identifier of the ransomware process, the path of the ransomware virus, the hash value of the ransomware virus, the command line of the ransomware virus, the ransomware process
  • the ransomware process is a process corresponding to the ransomware virus.
  • the system also includes:
  • the security response module is configured to stop the ransomware process, and the ransomware process is a process corresponding to the ransomware virus; or block the ransomware virus.
  • the behavior pattern includes at least the following behaviors:
  • the behavior mode includes one or more of the first behavior mode, the second behavior mode and the third behavior mode;
  • the first behavior mode includes: reading the bait file, writing the newly created non-bait file under the bait directory, and deleting the bait file;
  • the second behavior mode includes: reading the bait file, writing the bait file, and renaming the bait file;
  • the third behavior mode includes: renaming the bait file, reading the newly created non-bait file in the bait directory, and writing the non-bait file in the bait directory.
  • the access monitoring module is specifically configured to:
  • the access monitoring module is also used for:
  • the access type is writing
  • the attribute of the decoy file and the attribute of the written file are obtained, and the written file includes the modified decoy file or the non-decoy file;
  • the ransomware detection module is specifically used for:
  • when the matching result indicates that the access behavior matches the behavior pattern, and the target process encrypts the decoy file, it is determined that the target process is a ransomware process and that the file which generates the target process during execution is a ransomware virus.
  • the attribute of the decoy file includes one or more of a size, an entropy value, or a hash value of the decoy file.
  • the access monitoring module is also used for:
  • the access behavior of the associated process of the target process to the decoy file and/or the decoy directory is detected, and the parent process ID of the associated process is the same as the parent process ID of the target process.
  • the ransomware detection module is specifically configured to:
  • the file that generates the parent process during execution is determined to be a ransomware virus.
  • the system also includes:
  • a ransom note detection module configured to identify the ransom note file according to the access behavior to the non-bait files in the bait directory
  • the ransomware detection module is specifically used for:
  • the ransomware is determined.
  • the ransomware detection module is specifically configured to:
  • the system also includes:
  • a whitelist filtering module configured to match the attributes of the target process with the attributes of the processes in the whitelist
  • the behavior detection module is specifically used for:
  • the access behavior is matched with the behavior pattern to obtain a matching result.
  • the present application provides a computer cluster.
  • the computer cluster includes at least one computer including at least one processor and at least one memory.
  • the at least one processor and the at least one memory communicate with each other.
  • the at least one processor is configured to execute the instructions stored in the at least one memory, so that the computer or computer cluster executes the ransomware detection method in the first aspect or any implementation manner of the first aspect.
  • the present application provides a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and the instructions instruct a computer or a computer cluster to execute the ransomware detection method described in the first aspect or any implementation of the first aspect above.
  • the present application provides a computer program product containing instructions which, when run on a computer or a computer cluster, cause the computer or computer cluster to perform the ransomware detection method of the above-mentioned first aspect or any one of the implementations of the first aspect.
  • Fig. 1 is a schematic diagram of the architecture of a ransomware detection system provided in the embodiment of the present application
  • Fig. 2 is the flowchart of a kind of blackmail virus detection method that the embodiment of the present application provides;
  • FIG. 3 is a schematic interface diagram of an alarm interface provided by an embodiment of the present application.
  • Fig. 4 is the flowchart of a kind of blackmail virus detection method that the embodiment of the present application provides;
  • FIG. 5 is a schematic structural diagram of a ransomware detection system provided in an embodiment of the present application.
  • FIG. 6 is a schematic structural diagram of a computer cluster provided by an embodiment of the present application.
  • first and second in the embodiments of the present application are used for description purposes only, and cannot be interpreted as indicating or implying relative importance or implicitly indicating the quantity of indicated technical features. Thus, a feature defined as “first” and “second” may explicitly or implicitly include one or more of these features.
  • Ransomware, also referred to in this application as a ransomware virus, is a special type of malware that is usually classified as a denial-of-access attack.
  • the biggest difference between ransomware and other viruses lies in the attack method and the infection method.
  • a typical ransomware systematically encrypts files stored in computing devices, such as key business/data files, which can be one or more of database files, office documents, compressed files, videos, pictures and source code, and then asks the victim to pay a ransom to get back the decryption password/tool, which the victim has no way of obtaining by himself, in order to decrypt the files.
  • Ransomware usually spreads in the form of Trojan horse viruses. Specifically, ransomware disguises itself as seemingly harmless files. For example, ransomware can trick victims into clicking links to download through social engineering methods such as pretending to be ordinary emails, or, like many other worms, exploit software vulnerabilities to spread among networked computing devices.
  • in order to reduce the damage caused by ransomware, the industry provides some ransomware detection schemes to detect ransomware in advance and then block it.
  • the mainstream detection schemes include ransomware detection methods based on decoy files. Specifically, a fixed-type and fixed-size decoy file is deployed in the specified decoy directory, and known or unknown ransomware is identified by monitoring changes in the decoy file, such as changes in the size, entropy value, or type of the decoy file.
  • the accuracy of the above method for detecting ransomware is not high, which may lead to misidentifying the business process as the ransomware process corresponding to the ransomware virus, affecting the normal operation of the business.
  • the embodiment of the present application provides a ransomware detection method.
  • the ransomware detection method of the embodiment of the present application is applicable to the scenario of quickly detecting known/unknown ransomware on a terminal (for example, a host)/server.
  • a terminal for example, a host
  • the ransomware detection method in the embodiment of the present application can quickly detect ransomware while occupying only lightweight resources, so as to meet the requirements of timely detection and lightweight resource consumption.
  • tenants, such as individuals, enterprises or other group organizations, can lease or purchase one or more cloud servers in the cloud computing cluster 10 to deploy tenant applications, for example application 1 to application N, where N is a positive integer.
  • FIG. 1 illustrates the case of deploying multiple applications.
  • a tenant may also deploy one application.
  • a ransomware detection system 100 is also deployed in the cloud computing cluster 10 , which is referred to as the detection system 100 hereinafter for convenience of description.
  • the cloud computing cluster 10 establishes a communication connection with the terminal 20 .
  • the terminal 20 is installed with a client, which may be, for example, a general client such as a browser, or a detection client specially used for ransomware detection.
  • the detection system 100 in the cloud computing cluster 10 can detect the access behavior to the decoy file and/or decoy directory, then match the access behavior with the behavior pattern to obtain the matching result, and then determine the ransomware according to the matching result of the access behavior and the behavior pattern.
  • the detection system 100 may generate warning information according to the detected ransomware virus, and send the warning information to the terminal 20, so that the terminal 20 presents the warning information to the user.
  • the warning information includes one or more of: the process identifier of the ransomware process, the path of the ransomware virus, the hash value (hash) of the ransomware virus, the command line of the ransomware virus, the access path of the ransomware process, and the access behavior of the ransomware process.
  • the ransomware process is a process corresponding to the ransomware virus.
  • the detection system 100 can also stop the ransomware process.
  • the detection system 100 can also block the ransomware when detecting the ransomware, that is, isolate the executable file of the ransomware. In this way, it is possible to prevent the ransomware process from encrypting the business/data files of the application, thereby causing the user's interests to be infringed.
  • the embodiment shown in FIG. 1 is an example of deploying the detection system 100 in a cloud computing cluster and detecting whether the application deployed in the cloud computing cluster includes a ransomware virus.
  • the detection system 100 can also be deployed in a local computing device, such as a desktop computer or a notebook computer, to detect ransomware for applications deployed in the terminal 20.
  • the method includes:
  • the detection system 100 obtains the process identifier of the target process, the file path accessed by the target process, and the access type from the file access message.
  • execute S204 when the file path accessed by the target process matches the decoy directory.
  • execute S228 when the file path accessed by the target process does not match the decoy directory.
  • the file access message may be an application programming interface (application programming interface, API) call message for reading or writing a file.
  • the message includes the process identification (process ID, PID) of the target process, the file path accessed by the target process, and the access type.
  • the detection system 100 can obtain information such as the PID of the target process, the file path accessed by the target process, and the access type by parsing the file access message.
  • the target process refers to a process performing a file access operation.
  • a process is an instance of a running program.
  • Programs are usually stored in the form of files, for example, in the form of binary files.
  • the code of the program and the data required for operation are loaded into the memory, and the operating system gives the memory unit loaded with the above code and data an identifier, that is, a PID.
  • the access type refers to the type of operation on the file. In this embodiment, the access type may include reading and/or writing.
  • the file path accessed by the target process may indicate the directory of the file accessed by the target process. Based on this, the detection system 100 may match the directory of the file accessed by the target process with the decoy directory, so as to determine whether the target process accesses the decoy directory.
  • the directory of the file accessed by the target process matches the decoy directory (also called a deception directory, used to lure the ransomware process into accessing it)
  • the detection system 100 can execute S204.
  • the directory of the file accessed by the target process does not match the decoy directory, it indicates that the target process does not currently access the decoy directory, and the detection system 100 may execute S228 to end the current process without performing subsequent processes.
  • the detection system 100 records the access behavior of the target process to the decoy directory, and matches the files accessed by the target process with the decoy files. When the file accessed by the target process matches the decoy file, execute S206. When the file accessed by the target process does not match the decoy file, execute S208.
  • the detection system 100 can record the access behavior of the target process to the decoy directory in the access list. Further, the detection system 100 matches the files accessed by the target process (files read or written) against the decoy file (also called a deception file, used to lure the ransomware process into accessing and encrypting it), so as to determine whether the target process accesses the decoy file or a non-decoy file in the decoy directory.
  • the detection system 100 may obtain the attributes of the files accessed by the target process according to the PID of the target process.
  • the attribute may include one or more of the name, size, hash value, entropy value, and type of the file.
  • the detection system 100 can match the attributes of the file accessed by the target process with the attributes of the decoy file, for example, match the name, hash value or entropy value of the file accessed by the target process with the name, hash value or entropy value of the decoy file, so as to determine whether the file accessed by the target process is a decoy file or a non-bait file.
  • the detection system 100 may determine that the target process accesses the decoy file, and execute S206.
  • the detection system 100 may determine that the target process accesses a non-bait file under the decoy directory, and execute S208.
  • S206 The detection system 100 records the access behavior of the target process to the decoy file.
  • the detection system 100 may record the PID of the target process, the attributes of the decoy file (such as one or more of name, hash value, and entropy value) and the access type, thereby recording the access behavior of the target process to the decoy file. This provides a basis for subsequent statistics over different decoy files.
  • the detection system 100 records the access behavior of the target process to the non-bait files in the bait directory.
  • the detection system 100 can record the PID of the target process, the attributes of the non-decoy file (such as one or more of name, hash value, and entropy value) and the access type, thereby recording the access behavior of the target process to non-bait files in the bait directory. This provides a basis for subsequent statistics over different non-bait files.
  • the above S202 to S208 are an implementation manner for the detection system 100 to detect the access behavior to the decoy file and/or decoy directory.
  • the detection system 100 may receive an event of accessing a decoy file and/or a decoy directory reported by a target process, so as to detect an access behavior to a decoy file and/or a decoy directory.
  • the detection system 100 acquires the attributes of the target process, and compares the attributes of the target process with the attributes of the processes in the whitelist. When the attribute of the target process is inconsistent with the attribute of the process in the white list, execute S210; when the attribute of the target process is consistent with the attribute of the process in the white list, execute S228.
  • the attribute of the process may include one or more of process name, process file path, process file hash, and process command line.
  • the process name may be determined according to the name of the file (also called a process file) that generates the process during execution.
  • a process named browser may be generated.
  • the process file path refers to the path where the process file is located.
  • the process file hash refers to the hash value obtained by hashing the process file.
  • the process file can be executed on a graphical interface or through a command line tool.
  • the command line tool is used to execute the process file to generate a process
  • the attribute of the process may also include a process command line, that is, a command line for executing the process file.
  • the detection system 100 can acquire the attributes of the target process according to the PID of the target process. Taking the process file hash as an example, the detection system 100 can determine the process file hash of the target process and the process file hashes of the processes in the whitelist, and compare the former with the latter so as to achieve process filtering. Here, the detection system 100 can call the interface of the process whitelist manager with the process file hash of the target process and compare it with the process file hashes of the whitelisted processes, so as to match the target process against the processes in the preset or manually imported whitelist.
  • when the attribute of the target process is consistent with the attribute of a process in the whitelist, the detection system 100 can filter out the target process, stop the ransomware detection, execute S228, and end the current processing flow.
  • the attribute of the target process is inconsistent with the attribute of the process in the white list, it indicates that the target process does not belong to a trusted process, and the detection system 100 can execute S210 to continue to detect ransomware.
  • by performing whitelist filtering, the detection system 100 prevents users of client hosts or servers who accidentally access decoy directories or decoy files from causing false positives and the blocking of business processes. It should be noted that the detection system 100 may also skip the above S209; for example, the detection system 100 may directly perform S210 to match the access behavior with the preset behavior pattern after detecting the access behavior to the decoy file and/or decoy directory.
  • S210 The detection system 100 matches the access behavior with the behavior pattern, and obtains a matching result.
  • S212 is executed.
  • the detection system 100 can provide a general behavior pattern abstracted from the file-encryption behavior of ransomware. In this way, the detection system 100 can detect, through behavior matching, whether the access behavior of the target process matches the above-mentioned behavior pattern, and thereby check whether the target process is a ransomware process (the process corresponding to the ransomware virus, usually the process generated when the ransomware virus is executed).
  • the preset behavior pattern includes at least the following behaviors: writing a newly created non-bait file under the bait directory, or renaming the bait file.
  • the preset behavior patterns include one or more of the first behavior pattern, the second behavior pattern and the third behavior pattern.
  • the first behavior pattern, the second behavior pattern and the third behavior pattern include the following behaviors respectively:
  • the detection system 100 can match an access behavior in the access list with the first step in the first behavior pattern, the second behavior pattern, or the third behavior pattern (specifically, reading the decoy file or renaming the decoy file).
  • when the access behavior matches the first step, the next access behavior in the access list is matched with the second step in the first behavior pattern, the second behavior pattern or the third behavior pattern.
  • when the next access behavior matches the second step, another access behavior in the access list is matched with the third step in the first behavior pattern, the second behavior pattern or the third behavior pattern.
  • when that access behavior matches the third step, it indicates that the access behavior of the target process matches the first behavior pattern, the second behavior pattern or the third behavior pattern.
  • when any step fails to match, the detection system 100 may stop the matching, and determine the matching result as: the access behavior does not match the behavior pattern.
  • the behavior pattern provided by the detection system 100 can be set in advance, or can be set in real time when detecting the ransomware virus, which is not limited in this embodiment of the present application.
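The step-wise matching described above (and repeated for associated processes in S234 below) can be illustrated with a small matcher. This is an added example, not code from the patent or from the detection system 100; it encodes the three behavior patterns as this page lists them for the detection system (first: read the decoy file, write a newly created non-bait file, delete the decoy file; second: read, write, rename the decoy file; third: rename the decoy file, read a newly created non-bait file, write a non-bait file in the decoy directory). The tuple encoding of behaviors, the constant names, the constructed sample access list and the choice to resume scanning after a matched window are assumptions of the example.

```python
# Added example (not from the patent): behavior pattern matching over a
# process's recorded access list, following the step-wise matching described
# for S210 and again for S234 on this page.
from typing import Tuple

# An access behavior is (access_type, target_kind). target_kind distinguishes
# the decoy file from a newly created non-bait file in the decoy directory.
# The encoding and the constant names are assumptions for this example.
Behavior = Tuple[str, str]

DECOY = "decoy_file"
NEW_NONBAIT = "new_nonbait_file"
NONBAIT = "nonbait_file"

# The three behavior patterns as this page lists them for the detection system 100.
BEHAVIOR_PATTERNS = {
    "first": [("read", DECOY), ("write", NEW_NONBAIT), ("delete", DECOY)],
    "second": [("read", DECOY), ("write", DECOY), ("rename", DECOY)],
    "third": [("rename", DECOY), ("read", NEW_NONBAIT), ("write", NONBAIT)],
}


def match_at(access_list, i, pattern) -> bool:
    """Try to match one pattern step by step starting at the i-th behavior.
    Each step must match the next behavior in the list; the first failure
    stops this round of matching."""
    for k, step in enumerate(pattern):
        if i + k >= len(access_list) or access_list[i + k] != step:
            return False
    return True


def count_pattern_matches(access_list):
    """Return (n, names): n is the number of times the access list matched a
    preset pattern, names the matched pattern names in order.
    Every pattern starts with a read or rename of the decoy file, so no other
    behavior can open a match. Assumption: after a successful match the scan
    resumes after the matched steps; after a failed round it resumes at the
    (i+1)-th behavior, as the page describes."""
    i = 0
    matched = []
    while i < len(access_list):
        hit = None
        for name, pattern in BEHAVIOR_PATTERNS.items():
            if match_at(access_list, i, pattern):
                hit = name
                break
        if hit is None:
            i += 1  # this round failed: start a new round at the next behavior
        else:
            matched.append(hit)
            i += len(BEHAVIOR_PATTERNS[hit])
    return len(matched), matched


# Constructed sample access list for one target process: two rounds against
# decoy files, with an unrelated read of a non-bait file between them.
SAMPLE_ACCESS_LIST = [
    ("read", DECOY), ("write", NEW_NONBAIT), ("delete", DECOY),
    ("read", NONBAIT),
    ("read", DECOY), ("write", DECOY), ("rename", DECOY),
]

if __name__ == "__main__":
    n, names = count_pattern_matches(SAMPLE_ACCESS_LIST)
    print(n, names)  # 2 ['first', 'second']
```

The count `n` returned here is the quantity that formula (1) in S218 multiplies by the behavior pattern matching weighted score.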
  • the detection system 100 acquires the attributes of the decoy file and the attributes of the written file.
  • the detection system 100 can further obtain the attributes of the decoy file and the attributes of the written file to determine whether the target process performs encryption behavior.
  • the written file may be a modified bait file or a non-bait file in a bait directory.
  • the written file may be a newly created non-bait file under the bait directory.
  • the written file may be a decoy file.
  • the written file may be a non-bait file in the bait directory.
  • the attributes of the decoy file include one or more of the size, entropy value or hash value of the decoy file.
  • the attributes of the written file include one or more of the size, entropy value or hash value of the written file. It should be noted that when the decoy file is modified, the attributes of the decoy file are specifically the attributes of the decoy file before modification.
  • S214 The detection system 100 determines whether the target process encrypts the decoy file according to the attributes of the decoy file and the attributes of the written file.
  • the detection system 100 can compare the attributes of the decoy file with the attributes of the written file to determine whether the target process encrypts the decoy file.
  • when the size, entropy value or hash value of the decoy file changes, the detection system 100 determines that the target process encrypts the decoy file; when the size, entropy value or hash value of the decoy file does not change, the detection system 100 determines that the target process does not encrypt the decoy file.
  • the above S212 to S214 are optional steps in the embodiment of the present application, and the execution of the ransomware detection method in the embodiment of the present application may not execute the above S212 to S214.
  • the detection system 100 can directly determine the ransomware virus according to the matching result, without needing to detect whether the target process executes the encryption behavior.
  • S216 The detection system 100 identifies the ransom description file according to the access behavior to the non-bait files in the bait directory.
  • the detection system 100 judges whether the access type of the target process's access behavior to a non-bait file in the bait directory includes writing but not reading; if so, the detection system 100 can identify the non-bait file as a ransom note file.
  • the detection system 100 may also determine whether the name of the non-bait file includes keywords in a dictionary of commonly used names of ransom note files, such as readme, decrypt, restore, or recover. If yes, the detection system 100 determines the non-bait file as a ransom note file. Considering that the ransom note file is usually a small file, the detection system 100 can also compare the size of the non-bait file with a preset threshold, and if it is smaller than the preset threshold, the non-bait file can be determined as the ransom note file.
  • the detection system 100 may also regard a non-bait file whose access type includes writing but not reading as a suspicious file, or determine a non-bait file as a suspicious file when it meets the following conditions: the access type includes writing but not reading, and the file name includes a keyword from the dictionary of common ransom note file names; the number of suspicious files is then counted.
  • the detection system 100 can also compare the number of suspicious files with a set number, and when the number of suspicious files is greater than the set number, can identify the suspicious file as a ransom note file.
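As an added example (not part of the patent), the ransom note identification rules of S216 applied to constructed records of non-bait file accesses. The page lists the rules but not how they combine or the numeric thresholds; the combination used here (write-only plus a name keyword or a small size for direct identification, write-only alone for the suspicious-file count), the size threshold, the set number and the record structure are assumptions of the example.

```python
# Added example (not from the patent): ransom note identification (S216) over
# recorded accesses to non-bait files in the bait directory.
from typing import List, Set


class NonBaitRecord:
    """Constructed record: one per non-bait file, summarising the access types
    the target process performed on it and the file's size in bytes."""
    def __init__(self, name: str, access_types: Set[str], size: int):
        self.name = name
        self.access_types = access_types
        self.size = size


# Keywords from the page's dictionary of common ransom note file names.
RANSOM_NOTE_KEYWORDS = ("readme", "decrypt", "restore", "recover")

# Assumed values: the page says these are preset but gives no numbers.
SIZE_THRESHOLD = 16 * 1024      # ransom notes are usually small files
SUSPICIOUS_COUNT_THRESHOLD = 2  # the "set number" of suspicious files


def write_only(rec: NonBaitRecord) -> bool:
    """Access type includes writing but not reading (the page's primary rule)."""
    return "write" in rec.access_types and "read" not in rec.access_types


def name_has_keyword(rec: NonBaitRecord) -> bool:
    lowered = rec.name.lower()
    return any(k in lowered for k in RANSOM_NOTE_KEYWORDS)


def is_ransom_note(rec: NonBaitRecord) -> bool:
    """Direct identification (assumed combination): a write-only non-bait file
    whose name carries a ransom note keyword or whose size is below the threshold."""
    if not write_only(rec):
        return False
    return name_has_keyword(rec) or rec.size < SIZE_THRESHOLD


def is_suspicious(rec: NonBaitRecord) -> bool:
    """Weaker rule used for counting: write-only alone (one of the page's two options)."""
    return write_only(rec)


def identify_ransom_notes(records: List[NonBaitRecord],
                          suspicious_threshold: int = SUSPICIOUS_COUNT_THRESHOLD) -> List[str]:
    """Names of non-bait files identified as ransom notes: those matching the
    direct rule, plus every suspicious file once the number of suspicious files
    exceeds the set number (the page's counting rule)."""
    notes = {r.name for r in records if is_ransom_note(r)}
    suspicious = [r for r in records if is_suspicious(r)]
    if len(suspicious) > suspicious_threshold:
        notes.update(r.name for r in suspicious)
    return sorted(notes)


# Constructed sample: three files written but never read, one read and written.
SAMPLE_RECORDS = [
    NonBaitRecord("README_TO_DECRYPT.txt", {"write"}, 1200),
    NonBaitRecord("data.bin", {"write"}, 2 * 1024 * 1024),
    NonBaitRecord("recover.html", {"write"}, 900),
    NonBaitRecord("log.txt", {"read", "write"}, 300),
]

if __name__ == "__main__":
    print(identify_ransom_notes(SAMPLE_RECORDS))
    # ['README_TO_DECRYPT.txt', 'data.bin', 'recover.html']
```

In the sample, `data.bin` is not a ransom note by the direct rule (no keyword, not small) but is pulled in by the counting rule because three write-only files exceed the set number of two.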
  • S218 The detection system 100 determines a first score according to the matching result.
  • the matching result may include the access behavior matching the behavior pattern, or the access behavior not matching the behavior pattern, and the detection system 100 may preset different base scores for different matching results, and the base score may be set according to experience values. After obtaining the matching result, the detection system 100 may determine a base score corresponding to the matching result, and determine the base score as the first score.
  • the detection system 100 may also count the number n of times the target process's access behavior to the decoy directory and/or decoy files matches the behavior pattern.
  • the detection system 100 may determine the first score according to the above-mentioned base score Score_base, the behavior pattern matching weighted score Score_weight_modelmatch, and the number n of matches.
  • the detection system 100 can determine the first score Score_1 through the following formula:
  • Score_1 = Score_base + Score_weight_modelmatch × (n - 1)   (1)
  • when the access behavior matches the preset behavior pattern, the base score is 70 points, and when the access behavior does not match the preset behavior pattern, the base score is 0 points.
  • the behavior pattern matching weighted score is 10 points.
  • S220 The detection system 100 determines a second score according to the recognition result of the ransom note file.
  • the detection system 100 may set a weighted score for the ransom description file.
  • the embodiment of the present application may set the weighted score for the ransom description file as the weighted score for matching the ransom description file.
  • the matching weighted score of the ransom note file can be set according to the experience value, for example, it can be set to 15 points.
  • the detection system 100 may obtain a second score Score_2 according to the ransom note file matching weighted score.
  • the second score may be equal to the ransom note file matching weighted score.
  • S222 The detection system 100 determines the ransomware according to the first score and the second score.
  • the detection system 100 can determine the total score Score_total according to the first score and the second score, and then compare the total score with a preset score; when the total score is greater than the preset score, the process file of the target process can be determined to be a ransomware virus, and the target process is determined to be a ransomware process.
  • the above S218 to S222 is an implementation of the detection system 100 in the embodiment of this application to determine the ransomware virus according to the matching result.
  • the detection system 100 can also directly determine the ransomware according to the matching result; for example, when the matching result indicates that the access behavior matches the preset behavior pattern, the process file of the target process is determined to be a ransomware virus.
  • S224 The detection system 100 presents the warning information to the user.
  • the detection system 100 may present warning information to the user when a ransomware virus is detected.
  • the warning information includes the process identifier of the ransomware process, the path of the ransomware virus, the hash value of the ransomware virus, the command line of the ransomware virus, the access path of the ransomware process, and the access type of the ransomware process.
  • the ransomware process is the process corresponding to the ransomware virus
  • the detection system 100 can also determine the hazard level, and when the hazard level reaches a set level, an alarm message will be presented to the user. Wherein, the detection system 100 can set different scoring ranges for different hazard levels, so that the detection system 100 can determine the hazard level according to the scoring range of the total score.
  • when the total score is between 70 and 80, that is, 70 ≤ Score_total < 80, the hazard level can be low risk; when the total score is between 80 and 90, that is, 80 ≤ Score_total < 90, the hazard level can be medium risk; when the total score is above 90, that is, Score_total > 90, the hazard level can be high risk.
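The scoring of S218 to S222 and the hazard level ranges, as an added example rather than the patent's own implementation. The base scores (70 and 0), the weighted scores (10 and 15) and the ranges (70 to 80 low, 80 to 90 medium, above 90 high) are the values given on this page; the preset score for the ransomware decision, the value of the second score when no ransom note is found, summing the two scores into Score_total, and treating a total of exactly 90 as high risk are assumptions of the example.

```python
# Added example (not from the patent): scoring steps S218 to S222 and the
# hazard level lookup, using the values this page gives where it gives them.
SCORE_BASE_MATCH = 70          # base score when the access behavior matches a pattern
SCORE_BASE_NO_MATCH = 0        # base score when it does not
SCORE_WEIGHT_MODELMATCH = 10   # behavior pattern matching weighted score
SCORE_WEIGHT_RANSOM_NOTE = 15  # ransom note file matching weighted score
PRESET_SCORE = 60              # assumption: the page gives no value for the preset score


def first_score(matched: bool, n: int) -> int:
    """Formula (1): Score_1 = Score_base + Score_weight_modelmatch * (n - 1),
    where n is the number of times the access behavior matched the pattern."""
    if not matched or n < 1:
        return SCORE_BASE_NO_MATCH
    return SCORE_BASE_MATCH + SCORE_WEIGHT_MODELMATCH * (n - 1)


def second_score(ransom_note_found: bool) -> int:
    """Score_2 equals the ransom note matching weighted score. Assumption: 0 when
    no ransom note file was identified (the page does not state that value)."""
    return SCORE_WEIGHT_RANSOM_NOTE if ransom_note_found else 0


def total_score(matched: bool, n: int, ransom_note_found: bool) -> int:
    # Assumption: Score_total is the sum of the first and second score.
    return first_score(matched, n) + second_score(ransom_note_found)


def is_ransomware(total: int) -> bool:
    """S222: the target process is a ransomware process when the total score
    exceeds the preset score."""
    return total > PRESET_SCORE


def hazard_level(total: int) -> str:
    """Scoring ranges from the page: 70 to 80 low, 80 to 90 medium, above 90 high.
    Assumption: exactly 90 is treated as high; totals below 70 get 'none'."""
    if total >= 90:
        return "high"
    if total >= 80:
        return "medium"
    if total >= 70:
        return "low"
    return "none"


def assess(matched: bool, n: int, ransom_note_found: bool) -> dict:
    """Combine the steps: total score, ransomware decision and hazard level."""
    total = total_score(matched, n, ransom_note_found)
    return {"total": total, "ransomware": is_ransomware(total), "hazard": hazard_level(total)}


if __name__ == "__main__":
    # One pattern match, no ransom note: 70 points, low risk.
    print(assess(True, 1, False))
    # Two matches plus a ransom note: 80 + 15 = 95 points, high risk.
    print(assess(True, 2, True))
```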
  • the detection system 100 may present alarm information to the user through an alarm interface.
  • the alarm interface 300 includes alarm information 302, and the alarm information is used to prompt the user that a ransomware virus is detected. Further, the alarm information also shows the user the PID of the ransomware process corresponding to the ransomware virus and the process file path (the path of the ransomware virus).
  • the detection system 100 may also give a warning prompt to the user through voice. As shown in FIG. 3 , the alarm interface 300 also carries a voice prompt control 304 , and when the voice prompt control 304 is triggered, the detection system 100 can give an alarm prompt by playing a voice.
  • S226 The detection system 100 stops the ransomware process and blocks the ransomware virus.
  • the detection system 100 can automatically stop the ransomware process and block the ransomware when it detects the ransomware.
  • the detection system 100 presents the warning information to the user, the user confirms the warning information, and then stops the ransomware process and blocks the ransomware virus after obtaining the user's authorization or permission.
  • the alarm interface 300 also carries a stop control 306 and a blocking control 307.
  • when the stop control 306 is triggered, the detection system 100 can stop the ransomware process.
  • when the blocking control 307 is triggered, the detection system 100 can block the ransomware virus.
  • the detection system 100 can transfer the ransomware to a sandbox to block the ransomware.
  • the alarm interface 300 can also carry a skip control 308. When the skip control 308 is triggered, the detection system 100 can skip the ransomware without blocking or other processing.
  • the above S226 is an implementation manner for the detection system 100 to perform a security response to the ransomware virus.
  • the detection system 100 may stop the ransomware process, or block the ransomware virus.
  • the embodiment of the present application does not limit the manner in which the detection system 100 performs a security response.
  • the embodiment of the present application provides a ransomware detection method.
  • the detection system 100 abstracts a general behavior pattern from the file-encryption behavior of the ransomware process, and matches the access behavior of a process to the decoy file and/or decoy directory with the above-mentioned behavior pattern, thereby identifying whether the process is a ransomware process and so detecting the ransomware.
  • the detection method in the embodiment of the present application has higher accuracy, and avoids too many false positives affecting the normal operation of the business.
  • the method detects ransomware through simple behavior pattern matching, which improves the detection speed.
  • the detection system 100 can also detect the access behavior of multiple processes to the decoy file, so as to cover the scene where the ransomware encrypts files through multiple processes, thereby increasing the detection rate of the ransomware.
  • the method also includes the following steps:
  • the detection system 100 acquires the parent process identifier of the target process.
  • the detection system 100 may search for the parent process ID of the target process according to the ID of the target process.
  • the parent process refers to the process that creates the target process
  • the parent process identifier may be the PID of the parent process.
  • the detection system 100 may also acquire one or more of the name of the parent process, the file path of the parent process, the command line of the parent process, and the hash of the file of the parent process.
  • the parent process file refers to the file that generates the parent process during execution, and the path of the parent process file is the path where the file that generates the parent process resides.
  • the parent process can be generated by executing the parent process file on a graphical interface or by executing the parent process file through a command line tool. When the command line tool is used to execute the parent process file, the command line used to execute the parent process file is the parent process command line.
  • the parent process file hash refers to the hash value obtained by hashing the parent process file.
  • the detection system 100 detects the access behavior of the target process's associated process to the decoy file and/or decoy directory according to the parent process identifier.
  • the associated process of the target process may be referred to as an associated process for short.
  • the parent process ID of the associated process is the same as the parent process ID of the target process. That is, the target process and the associated process are multiple child processes of the same parent process.
  • the detection system 100 may detect the access behavior of the associated process to the decoy file and/or decoy directory in a manner similar to the detection of the target process's access behavior to the decoy file and/or decoy directory.
  • the detection system 100 obtains the file access message, and parses the file access message to obtain the process identifier of the associated process, the file path accessed by the associated process, and the access type. Then, the detection system 100 matches the file path accessed by the associated process with the decoy directory. When the file path accessed by the associated process matches the decoy directory, the detection system 100 may also match the file accessed by the associated process with the decoy file.
  • if the file accessed by the associated process matches the decoy file, the detection system 100 records the access behavior of the associated process to the decoy file; if the file accessed by the associated process does not match the decoy file, for example, if the hash values of the files are inconsistent, the detection system 100 records the access behavior of the associated process to the non-bait files in the bait directory.
  • S234 The detection system 100 matches the access behavior of the associated process to the decoy file and/or decoy directory with the behavior pattern.
  • the detection system 100 can also match the access behavior of the associated process to the decoy file and/or decoy directory with the preset behavior pattern.
  • the preset behavior pattern may include one or more of the first behavior pattern, the second behavior pattern and the third behavior pattern.
  • Each behavior pattern is usually a combination of several behaviors.
  • the first behavior pattern includes the following three behaviors: 1. read the decoy file; 2. write the newly created non-bait file in the decoy directory; 3. delete the decoy file.
  • the detection system 100 may match a behavior (for example, the i-th behavior) in the access list of the associated process with the first behavior in the combination of behaviors included in the preset behavior pattern.
  • when the first behavior is successfully matched, the next behavior in the access list is matched with the second behavior in the combination of behaviors included in the preset behavior pattern.
  • when the second behavior is successfully matched, the next behavior in the access list is matched with the third behavior in the combination of behaviors included in the preset behavior pattern.
  • when the third behavior is successfully matched, it indicates that the access behavior of the associated process to the decoy file and/or decoy directory matches the preset behavior pattern.
  • when any behavior of a preset behavior pattern fails to match, the current round of matching can be stopped, and the (i+1)-th behavior in the access list of the associated process can be taken as the start of a new round of matching.
  • S236 The detection system 100 determines the number of processes whose access behavior matches the behavior pattern under the parent process.
  • the detection system 100 can count the number of processes whose access behavior matches a preset behavior pattern under the parent process, so as to detect multi-process file encryption. Specifically, the detection system 100 can search the abnormal access tracking list according to the PID of the parent process; when the abnormal access tracking list is found, it can update the abnormal access tracking list according to the matching result between the access behavior of the associated process to the decoy file and/or decoy directory and the preset behavior pattern, so as to count the processes under the parent process whose access behavior matches the preset behavior pattern.
  • when no abnormal access tracking list is found, the detection system 100 can also create an abnormal access tracking list with the PID of the parent process as the key, and update the abnormal access tracking list according to the matching result between the access behavior of the associated process and the preset behavior pattern, so as to count the processes under the parent process whose access behavior matches the preset behavior pattern.
  • the detection system 100 may also determine the multi-process anomaly detection weighted score under the condition that the multi-process encrypted decoy file is met. On the basis of the single-process encrypted decoy file, the detection system 100 may also combine the multi-process anomaly detection weighted score Score weight_multiprocess to determine the first score Score 1 .
  • the detection system 100 can determine the first score Score 1 through the following formula:
  • n_i indicates the matching times of the i-th process.
  • i can be a positive integer.
  • the detection system 100 can compare the number of processes under the parent process whose access behavior matches the preset behavior pattern with the preset number; when that number is greater than the preset number, the multi-process encryption of decoy files is met, and the detection system 100 can determine the multi-process anomaly detection weighted score.
  • the weighted score of multi-process anomaly detection can be set according to experience value, for example, it can be set to 15 points.
  • the detection system 100 can determine the ransomware according to the above-mentioned first score and second score. It should be noted that determining the ransomware virus based on the first score and the second score is only one implementation of the embodiment of the present application; in other possible implementations, the detection system 100 may not perform scoring. For example, the detection system 100 may determine that a ransomware virus is detected when the number of processes under the parent process whose access behavior matches a preset behavior pattern is greater than the preset number, and may determine that the file that generates the parent process during execution is a ransomware virus.
  • the detection system 100 identifies the abnormal behavior of a ransomware virus encrypting files through multiple processes by associating the abnormal file access behaviors of multiple child processes under the same parent process, so as to improve the detection rate of the ransomware virus and avoid business operations being affected.
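An added example (not the patent's code) of the abnormal access tracking list keyed by parent PID from S236: each associated process's matching result updates the list, and a parent whose matching child processes exceed the preset number is flagged as multi-process encryption. The dictionary layout, the preset number and the constructed events are assumptions; the page's formula combining Score_weight_multiprocess into Score_1 is not reproduced here because its terms are absent from the page.

```python
# Added example (not from the patent): abnormal access tracking list (S236),
# keyed by the parent PID, counting child processes whose access behavior
# matched a preset behavior pattern.
from collections import defaultdict
from typing import Dict, List, Tuple

PRESET_PROCESS_COUNT = 2  # assumption: the page gives no value for the preset number


class AbnormalAccessTracker:
    """Tracking list: parent PID -> {child PID: number of pattern matches n_i}.
    The nested-dict layout is an assumption; the page only says the list is
    keyed by the parent PID and updated with each associated process's result."""

    def __init__(self):
        self.lists: Dict[int, Dict[int, int]] = defaultdict(dict)

    def update(self, parent_pid: int, pid: int, match_count: int) -> None:
        """Called after one process's access list has been matched against the
        patterns. The parent's list is created on first sight (the page's
        'create' case) and extended otherwise (the page's 'found' case)."""
        if match_count > 0:
            self.lists[parent_pid][pid] = match_count

    def matching_process_count(self, parent_pid: int) -> int:
        """Number of child processes under the parent that matched a pattern."""
        return len(self.lists.get(parent_pid, {}))

    def is_multiprocess_encryption(self, parent_pid: int) -> bool:
        """The page's condition: more than the preset number of matching child
        processes under one parent."""
        return self.matching_process_count(parent_pid) > PRESET_PROCESS_COUNT


def detect_multiprocess(events: List[Tuple[int, int, int]]) -> List[int]:
    """events: constructed (parent_pid, pid, match_count) tuples, one per
    process whose access list was matched. Returns the parent PIDs flagged as
    encrypting decoy files through multiple child processes."""
    tracker = AbnormalAccessTracker()
    for parent_pid, pid, n in events:
        tracker.update(parent_pid, pid, n)
    return sorted(p for p in tracker.lists if tracker.is_multiprocess_encryption(p))


# Constructed sample: parent 1000 spawned four children, three of which
# matched a pattern; parent 2000 has only one matching child.
SAMPLE_EVENTS = [
    (1000, 1001, 1), (1000, 1002, 2), (1000, 1003, 1), (1000, 1004, 0),
    (2000, 2001, 1), (2000, 2002, 0),
]

if __name__ == "__main__":
    print(detect_multiprocess(SAMPLE_EVENTS))  # [1000]
```

Because the list is keyed by the parent PID, a ransomware parent that never touches the decoy files itself is still caught once enough of its children do; that is the point of the association the page describes.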
  • the embodiment of the present application also provides a detection system 100 as described above.
  • the detection system 100 provided by the embodiment of the present application will be introduced below with reference to the accompanying drawings.
  • the system 100 includes:
  • An access monitoring module 102 configured to detect access behaviors to decoy files and/or decoy directories
  • a behavior detection module 104 configured to match the access behavior with the behavior pattern to obtain a matching result
  • the ransomware detection module 106 is configured to determine the ransomware according to the matching result.
  • system 100 further includes:
  • the warning module 108 is configured to present warning information to the user, the warning information including one or more of the process identifier of the ransomware process, the path of the ransomware virus, the hash value of the ransomware virus, the command line of the ransomware virus, the access path of the ransomware process, and the access type of the ransomware process, where the ransomware process is the process corresponding to the ransomware virus.
  • system 100 further includes:
  • the security response module 110 is configured to stop the ransomware process, and the ransomware process is a process corresponding to the ransomware virus; or block the ransomware virus.
  • the behavior pattern includes at least the following behaviors:
  • the behavior pattern includes one or more of the first behavior pattern, the second behavior pattern and the third behavior pattern;
  • the first behavior pattern includes: reading the bait file, writing the newly created non-bait file under the bait directory, and deleting the bait file;
  • the second behavior pattern includes: reading the bait file, writing the bait file, and renaming the bait file;
  • the third behavior pattern includes: renaming the bait file, reading the newly created non-bait file in the bait directory, and writing the non-bait file in the bait directory.
  • the access monitoring module 102 is specifically configured to:
  • the access monitoring module 102 is also configured to:
  • when the access type is writing, the attributes of the decoy file and the attributes of the written file are obtained, the written file being the modified decoy file or the non-decoy file;
  • the ransomware detection module 106 is specifically used for:
  • when the matching result indicates that the access behavior matches the behavior pattern and the target process encrypts the decoy file, it is determined that the target process is a ransomware process and that the file whose execution produces the target process is ransomware.
  • the attribute of the decoy file includes one or more of a size, an entropy value, or a hash value of the decoy file.
  • the access monitoring module 102 is also configured to:
  • the ransomware detection module 106 is specifically configured to:
  • when the number of processes under the parent process whose access behavior matches the behavior pattern is greater than a preset number, the file whose execution produces the parent process is determined to be ransomware.
  • system 100 further includes:
  • the ransom note detection module 114 is configured to identify a ransom note file according to the access behavior to non-decoy files under the decoy directory;
  • the ransomware detection module 106 is specifically configured to:
  • determine the ransomware according to the matching result and the identification result of the ransom note file.
  • the ransomware detection module 106 is specifically configured to:
  • system 100 further includes:
  • a whitelist filtering module 112 configured to match the attributes of the target process with the attributes of the processes in the whitelist
  • the behavior detection module 104 is specifically used for:
  • the access behavior is matched with the behavior pattern to obtain a matching result.
  • system 100 further includes:
  • the lure management module 116 is configured to manage lure directories and/or lure files.
  • the decoy management module 116 may generate and deploy a decoy directory and/or a decoy file. Further, the decoy management module 116 may also update the decoy directory and/or the decoy file. For example, the decoy management module 116 can adaptively update the decoy directory and/or decoy file as the application changes, so as to prevent the ransomware from bypassing the decoy directory and/or decoy file and thereby escaping detection.
  • the detection system 100 according to the embodiment of the present application may correspond to the method described in the embodiment of the present application, and the above and other operations and/or functions of the modules/units of the detection system 100 serve to implement the corresponding flows of the methods in the embodiments; for brevity they are not repeated here.
  • the embodiment of the present application also provides a computer cluster.
  • the computer cluster includes at least one computer, which may be a server, for example.
  • the computer cluster may be a cloud computing cluster 10 as shown in FIG. 1 .
  • the cloud computing cluster 10 includes at least one cloud server.
  • the computer cluster may be an edge computing cluster.
  • the edge computing cluster includes at least one edge server.
  • the computer cluster is specifically used to implement the functions of the ransomware detection system 100 in the embodiment shown in FIG. 5 .
  • FIG. 6 provides a schematic structural diagram of a computer cluster.
  • the computer cluster 60 includes multiple computers 600 , and the computers 600 include a bus 601 , a processor 602 , a communication interface 603 and a memory 604 .
  • the processor 602 , the memory 604 and the communication interface 603 communicate through the bus 601 .
  • the bus 601 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus or the like.
  • the bus can be divided into address bus, data bus, control bus and so on. For ease of representation, only one thick line is used in FIG. 6 , but it does not mean that there is only one bus or one type of bus.
  • the processor 602 may be any one or more of a central processing unit (CPU), a graphics processing unit (GPU), a microprocessor (MP) or a digital signal processor (DSP).
  • the communication interface 603 is used for communicating with the outside.
  • the communication interface 603 is used to present warning information and the like to the user.
  • the memory 604 may include volatile memory, such as random access memory (RAM).
  • the memory 604 may also include non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid state drive (SSD).
  • Computer-readable instructions are stored in the memory 604, and the processor 602 executes the computer-readable instructions, so that the computer cluster 60 executes the aforementioned ransomware detection method (or realizes the functions of the aforementioned ransomware detection system 100).
  • the software or program code required for the functioning of each module or unit in FIG. 5 may be stored in at least one memory 604 in the computer cluster 60 .
  • At least one processor 602 executes the program code stored in the memory 604, so that the computer cluster 60 executes the aforementioned ransomware detection method.
  • the embodiment of the present application also provides a computer-readable storage medium.
  • the computer-readable storage medium may be any available medium that a computer can store, or a data storage device such as a data center that contains one or more available media.
  • the available media may be magnetic media (eg, floppy disk, hard disk, magnetic tape), optical media (eg, DVD), or semiconductor media (eg, solid state hard disk), etc.
  • the computer-readable storage medium includes instructions, and the instructions instruct a computer or a computer cluster to execute the above ransomware detection method.
  • the embodiment of the present application also provides a computer program product.
  • the computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on the computer, the processes or functions according to the embodiments of the present application will be generated in whole or in part.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example from one website, computer or data center to another by wire (such as coaxial cable, optical fiber or digital subscriber line (DSL)) or wirelessly (such as infrared, radio or microwave).
  • the computer program product may be a software installation package, and if any method of the aforementioned ransomware detection method needs to be used, the computer program product may be downloaded and executed on a computer or a computer cluster.


Abstract

Provided in the present application is a ransomware detection method. The method comprises: detecting an access behavior regarding a decoy file and/or a decoy directory; matching the access behavior with a behavior mode, so as to obtain a matching result; and determining ransomware according to the matching result. In the method, an access behavior regarding a decoy directory and/or a decoy file is detected, the access behavior is matched with a behavior mode in which ransomware encrypts a file, and ransomware is detected on the basis of a matching result, thereby improving the accuracy of ransomware detection and the detection speed.

Description

A ransomware detection method and related system
This application claims priority to Chinese patent application No. 202210118704.3, entitled "A ransomware detection method and related system", filed with the China National Intellectual Property Administration on 8 February 2022, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of network security, and in particular to a ransomware detection method and system, and to a corresponding computer cluster, computer-readable storage medium and computer program product.
Background
With the development of the Internet, and of the mobile Internet in particular, malicious code such as vulnerability scanners, viruses and other attack code can spread widely across networks and attack or infect the devices on them, posing a serious challenge to network security. Ransomware attacks have become one of the most severe network security threats; they continue to grow and have an enormous impact on customers.
Ransomware generally walks every directory of the victim host by depth-first traversal and encrypts key business/data files (such as database files, office documents, archives, video, images and source code). Some ransomware encrypts only files of specified types above a fixed size under specific directories, so that the encrypted files can no longer be read normally and the business cannot operate. At the same time, the ransomware drops a ransom note in each directory that contains encrypted files; only after paying the ransom as instructed in the note can the customer obtain the decryption password/tool or a way to restore normal operation of the system.
How to detect ransomware quickly and effectively, and thereby reduce its impact, has become a key technology and challenge in the field of network security.
Summary of the invention
The present application provides a ransomware detection method that detects access behavior to a decoy directory and/or decoy file, matches that access behavior against the behavior pattern by which ransomware encrypts files, and detects ransomware on the basis of the matching result, improving both the accuracy and the speed of ransomware detection. The present application also provides a ransomware detection system, a computer cluster, a computer-readable storage medium and a computer program product corresponding to the method.
In a first aspect, the present application provides a ransomware detection method. The method may be executed by a ransomware detection system, referred to for short as the detection system. In some embodiments the detection system is a software system deployed in a computer cluster, which executes the ransomware detection method by running the program code of the software system. In other embodiments the detection system may be a hardware system for detecting ransomware. The embodiments of the present application are illustrated with the detection system as a software system.
Specifically, the detection system detects access behavior to a decoy file and/or decoy directory, matches the access behavior against a behavior pattern (for example, a behavior pattern preset by the service provider) to obtain a matching result, and determines ransomware according to the matching result.
In this method, the detection system provides a general behavior pattern abstracted from the way a ransomware process (the process produced when ransomware executes) encrypts files, and matches a process's access behavior to the decoy file and/or decoy directory against this pattern to identify whether the process is a ransomware process, thereby detecting the ransomware. Compared with detection based only on changes to the decoy files, the method of the embodiments has higher accuracy and avoids the excessive false positives that would disrupt normal business. Moreover, because detection is done by simple behavior pattern matching, the detection speed is improved.
In some possible implementations, the detection system may also present alarm information to the user. The alarm information includes one or more of the process identifier of the ransomware process, the path of the ransomware, the hash value of the ransomware, the command line of the ransomware, the access path of the ransomware process and the access type of the ransomware process, where the ransomware process is the process corresponding to the ransomware.
The detection system may present the alarm information through an alarm interface. In some embodiments the detection system may also raise the alarm by voice broadcast. This meets the needs of using the ransomware detection service in different scenarios, or the needs of different users, and so gives high usability. Raising an alarm when ransomware is detected reminds the user to take precautions and thus protects data security.
In some possible implementations, the detection system may take a security response when ransomware is detected. For example, the detection system may stop the ransomware process, i.e. the process corresponding to the ransomware, specifically the process produced when the ransomware executes. As another example, the detection system may block the ransomware, for instance by isolating it in a sandbox.
By stopping the ransomware process or blocking the ransomware, the detection system prevents data from being encrypted for ransom, protecting data security and normal business operation.
In some possible implementations, the behavior pattern includes at least the following behaviors: writing a newly created non-decoy file under the decoy directory; or renaming the decoy file. When encrypting files, ransomware usually writes a newly created non-decoy file under the decoy directory or renames the decoy file, so matching access behavior to the decoy directory and/or decoy file against a behavior pattern that includes these behaviors effectively improves the accuracy and speed of ransomware detection.
In some possible implementations, ransomware may read a source file, encrypt it, write the result to a new file carrying an additional extension, and then delete the source file, holding the new file for ransom. Accordingly, the behavior pattern may include a first behavior pattern: reading the decoy file, writing a newly created non-decoy file under the decoy directory, and deleting the decoy file. Similarly, ransomware may read the source file, encrypt it and write it back to the source file, then rename it to a new file carrying an additional extension. Accordingly, the behavior pattern may include a second behavior pattern: reading the decoy file, writing the decoy file, and renaming the decoy file (equivalent to writing a newly created non-decoy file under the decoy directory). Ransomware may also rename the source file to a new file carrying an additional extension, read the file content, and encrypt it and write it back to the new file. Accordingly, the behavior pattern may include a third behavior pattern: renaming the decoy file (equivalent to writing a newly created non-decoy file under the decoy directory), reading the newly created non-decoy file under the decoy directory, and writing that non-decoy file under the decoy directory.
By matching access behavior to the decoy directory and/or decoy file against the behaviors of the first, second and/or third behavior pattern, the detection system further improves the accuracy of ransomware detection.
In some possible implementations, the detection system may obtain the process identifier of a target process, the file path accessed by the target process and the access type from a file access message, for example by parsing the message. When the file path accessed by the target process matches the decoy directory, the access behavior of the target process to the decoy directory is recorded and the file accessed by the target process is matched against the decoy files; when the accessed file matches a decoy file, the access behavior of the target process to the decoy file is recorded; when it does not, the access behavior of the target process to a non-decoy file under the decoy directory is recorded.
In this method, the detection system obtains the process identifier, the accessed file path and the access type from the file access message, matches the file path against the decoy directory and, on a successful match, further matches the accessed file against the decoy files, thereby detecting access behavior to the decoy directory and/or decoy file with the accuracy required for ransomware detection.
In some possible implementations, when the access type is write, the detection system may also obtain the attributes of the decoy file and the attributes of the written file, where the written file is the modified decoy file or the non-decoy file. The detection system may determine, from the attributes of the decoy file and of the written file, whether the decoy file was encrypted. Accordingly, when the matching result indicates that the access behavior matches the behavior pattern and the target process encrypted the decoy file, the detection system may determine that the target process is a ransomware process and that the file whose execution produced the target process is ransomware.
In this method, on top of behavior matching, the detection system also uses the change between the attributes of the decoy file and those of the written file to filter out access behavior that does not encrypt files, further improving the accuracy of ransomware detection and avoiding false positives that would disrupt normal business.
In some possible implementations, the attributes of the decoy file include one or more of its size, entropy value or hash value. Because encrypting the decoy file changes its size, its entropy and its hash, the detection system can identify suspicious encryption behavior by checking one or more of these, improving the accuracy of ransomware detection.
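The attribute comparison described above, as an added example that is not the patent's own code. It computes the size, Shannon entropy and SHA-256 hash of the deployed decoy content and of the content written back, and treats a write as encryption when the hash changed and the entropy rose to near that of random data. The 7.0 bits/byte threshold, the sample decoy text and the toy counter-mode XOR standing in for the ransomware's cipher are all constructed for illustration. One caveat a deployment has to handle: a decoy that is itself compressed (zip, jpeg) already sits near 8 bits per byte, so for such decoys the entropy rise says nothing and only the hash and size change carry information; the example therefore keeps its decoy as low-entropy text.

```python
"""Attribute-based encryption check for a decoy file (added example, not the
patent's code). Threshold, sample decoy and toy cipher are constructed."""
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # assumed; text/office data sits far below, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte-value distribution of data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def attributes(data: bytes) -> dict:
    """The three decoy attributes the text names: size, entropy, hash."""
    return {"size": len(data),
            "entropy": shannon_entropy(data),
            "sha256": hashlib.sha256(data).hexdigest()}


def looks_encrypted(decoy: bytes, written: bytes) -> bool:
    """True when the written content differs from the decoy and its entropy
    has risen to ciphertext-like levels. A same-hash rewrite (backup agent)
    or a plain-text edit (hash changes, entropy stays low) is not encryption."""
    before, after = attributes(decoy), attributes(written)
    if before["sha256"] == after["sha256"]:
        return False
    return (after["entropy"] >= ENTROPY_THRESHOLD
            and after["entropy"] > before["entropy"])


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Deterministic stand-in for the ransomware's cipher: XOR with a SHA-256
    counter keystream. Not a real cipher; only here to yield ciphertext-like bytes."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


# Constructed decoy content (low-entropy text, as a document decoy would be).
DECOY = b"Quarterly ledger, draft. Do not distribute.\n" * 80

if __name__ == "__main__":
    for label, written in (("unchanged", DECOY),
                           ("edited", DECOY + b"Reviewed by finance.\n"),
                           ("encrypted", toy_encrypt(DECOY, b"constructed-key"))):
        print(label, round(attributes(written)["entropy"], 2), looks_encrypted(DECOY, written))
```

Size is deliberately not used as a discriminator on its own: an in-place cipher without padding leaves the size unchanged, while an appended extension or footer changes it for benign reasons too.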
In some possible implementations, the detection system may also obtain the parent process identifier of the target process and, according to it, detect the access behavior to the decoy file and/or decoy directory of the processes associated with the target process, i.e. the processes whose parent process identifier equals that of the target process. In other words, the target process and its associated processes have the same parent and are child processes of that parent.
In this method, on the basis of detecting the target process's access to the decoy directory and/or decoy file, the detection system further detects the access of the associated processes, and so detects the encryption of decoy files by multiple processes; this covers ransomware that encrypts decoy files through multiple processes and raises the detection rate.
In some possible implementations, the detection system may determine, from the matching results of the target process and of its associated processes, the number of processes under the parent process whose access behavior matches the behavior pattern. When this number is greater than a preset number, the detection system may determine that the file whose execution produced the parent process is ransomware.
In this method, the detection system counts the suspicious child processes (the target process and its associated processes) under a parent process that exhibit abnormal decoy access, and uses this count to identify whether the parent is the parent process of ransomware that encrypts files through multiple child processes, raising the confidence of ransomware detection.
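The access monitoring and behavior pattern matching described earlier in this summary, together with the parent-process association of the preceding paragraphs, as one added example that is not the patent's own code. It assumes file access messages are dicts carrying pid, ppid, access type and path (the text fixes no message format), that a rename message carries the source path, and that the decoy paths, the sample messages and PRESET_COUNT are constructed values.

```python
"""Decoy access monitoring, behavior-pattern matching and parent-process
association (added example, not the patent's code). Assumes file access
messages are dicts with pid, ppid, access and path; decoy paths and
PRESET_COUNT are constructed values."""
from collections import defaultdict
from pathlib import PurePosixPath

DECOY_DIRS = {"/srv/data/.archive"}                     # hypothetical deployment
DECOY_FILES = {"/srv/data/.archive/ledger.xlsx",
               "/srv/data/.archive/notes.docx",
               "/srv/data/.archive/photos.zip"}
PRESET_COUNT = 2  # assumed; the text says only "greater than a preset number"

# The three behavior patterns from the text as ordered (access, target) steps.
# "bait" = a decoy file; "new" = a non-decoy file inside a decoy directory.
PATTERNS = {
    "first":  (("read", "bait"), ("write", "new"), ("delete", "bait")),
    "second": (("read", "bait"), ("write", "bait"), ("rename", "bait")),
    "third":  (("rename", "bait"), ("read", "new"), ("write", "new")),
}


def classify(path):
    """'bait' for a decoy file, 'new' for another file in a decoy dir, else None."""
    if path in DECOY_FILES:
        return "bait"
    if str(PurePosixPath(path).parent) in DECOY_DIRS:
        return "new"
    return None


def record_accesses(messages):
    """Per pid, the ordered (access, class) steps that touched a decoy
    directory or file, plus the pid -> ppid map for later association."""
    trail, parent = defaultdict(list), {}
    for m in messages:
        cls = classify(m["path"])      # a rename message carries the source path
        if cls is None:
            continue                   # outside the decoy directories: not recorded
        trail[m["pid"]].append((m["access"], cls))
        parent[m["pid"]] = m["ppid"]
    return trail, parent


def contains_in_order(trail, pattern):
    """True if every step of pattern occurs in trail, in order (subsequence)."""
    it = iter(trail)
    return all(step in it for step in pattern)


def match_patterns(trail):
    """Names of the behavior patterns the trail of one process matches."""
    return [name for name, pat in PATTERNS.items() if contains_in_order(trail, pat)]


def detect(messages, preset=PRESET_COUNT):
    """Return (matches per pid, parents flagged through their children).
    A parent is flagged when more than `preset` of its children match."""
    trail, parent = record_accesses(messages)
    matches = {pid: match_patterns(t) for pid, t in trail.items()}
    by_parent = defaultdict(list)
    for pid, matched in matches.items():
        if matched:
            by_parent[parent[pid]].append(pid)
    flagged = {ppid: kids for ppid, kids in by_parent.items() if len(kids) > preset}
    return matches, flagged


# Constructed sample: one single-process encryptor (4242), one parent (7000)
# encrypting through three workers, a read-only backup agent (1337) and an
# unrelated write outside the decoy directory (2001).
def _msg(pid, ppid, access, path):
    return {"pid": pid, "ppid": ppid, "access": access, "path": path}

A = "/srv/data/.archive"
SAMPLE_MESSAGES = [
    _msg(4242, 4000, "read",   f"{A}/ledger.xlsx"),
    _msg(4242, 4000, "write",  f"{A}/ledger.xlsx.locked"),
    _msg(4242, 4000, "delete", f"{A}/ledger.xlsx"),
    _msg(1337, 1,    "read",   f"{A}/notes.docx"),
    _msg(2001, 1,    "write",  "/home/alice/report.txt"),
]
for pid, name in ((7001, "ledger.xlsx"), (7002, "notes.docx"), (7003, "photos.zip")):
    SAMPLE_MESSAGES += [_msg(pid, 7000, "read",   f"{A}/{name}"),
                        _msg(pid, 7000, "write",  f"{A}/{name}"),
                        _msg(pid, 7000, "rename", f"{A}/{name}")]

if __name__ == "__main__":
    print(detect(SAMPLE_MESSAGES))
```

The subsequence check is what makes the patterns tolerant of interleaved unrelated accesses by the same process; the backup agent that only reads the decoy matches nothing, and process 2001 never enters the trail because its path lies outside every decoy directory.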
In some possible implementations, the detection system may also identify a ransom note file from the access behavior to non-decoy files under the decoy directory. For example, the detection system may check whether a non-decoy file written by the process under the decoy directory is only written and never read, to identify whether it is a ransom note. Further, the detection system may check whether the name of the non-decoy file contains a keyword from a dictionary of common ransom note names, such as readme, decrypt, restore or recover, to improve the accuracy of ransom note identification. Accordingly, the detection system may determine ransomware according to the matching result and the ransom note identification result.
On top of behavior matching, the method also uses ransom note identification to detect ransomware, improving the accuracy of detection and avoiding false positives that would disrupt normal business.
In some possible implementations, the detection system may determine a first score according to the matching result and a second score according to the ransom note identification result, and then determine ransomware according to the first score and the second score.
Specifically, the detection system may preset different base scores for different matching results; the base scores may be set from experience. After obtaining a matching result, the detection system determines the base score corresponding to it and takes it as the first score. Further, since the target process may access several decoy files, the detection system may also count the number of times the target process's access behavior to the decoy directory and/or decoy files matched the behavior pattern, and determine the first score from the base score, a behavior-pattern-match weighted score and the number of matches. Similarly, the detection system may set a ransom note weighted score; when the identification result is that a ransom note was identified, the second score is obtained from that weighted score. The detection system determines a total score from the first and second scores; in some embodiments the total score is their sum. The detection system then determines ransomware from the total score. For example, when the total score is greater than a preset score, the detection system determines that the process file of the target process is ransomware and that the target process is a ransomware process.
In this method, the detection system scores along several dimensions, such as behavior matching and ransom note identification, and combines the scores of the different dimensions to detect ransomware, which gives high confidence.
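Ransom note identification and the two-score combination from the preceding paragraphs, as an added example that is not the patent's own code. The keyword dictionary is the one the text gives; the base scores, the per-match weight, the ransom note weight, the alert threshold, the decoy paths and the sample accesses are assumed values for illustration.

```python
"""Ransom note identification and two-dimension scoring (added example, not
the patent's code). Scores, weights, threshold and sample data are assumed."""
from collections import defaultdict
from pathlib import PurePosixPath

NOTE_KEYWORDS = ("readme", "decrypt", "restore", "recover")  # dictionary named in the text
BASE_SCORE = {"first": 60, "second": 60, "third": 60}   # assumed base score per match result
PATTERN_WEIGHT = 10   # assumed weight per decoy file on which the pattern matched
NOTE_WEIGHT = 30      # assumed ransom note weighted score
ALERT_THRESHOLD = 80  # assumed preset score


def find_ransom_notes(accesses, decoy_dirs, decoy_files):
    """accesses: iterable of (pid, access, path). Returns {pid: [note paths]}.
    A ransom note is a non-decoy file in a decoy directory that the process
    only wrote (never read) and whose name contains a dictionary keyword."""
    kinds = defaultdict(set)           # (pid, path) -> set of access types seen
    for pid, access, path in accesses:
        if str(PurePosixPath(path).parent) in decoy_dirs and path not in decoy_files:
            kinds[(pid, path)].add(access)
    notes = defaultdict(list)
    for (pid, path), seen in kinds.items():
        name = PurePosixPath(path).name.lower()
        if seen == {"write"} and any(k in name for k in NOTE_KEYWORDS):
            notes[pid].append(path)
    return dict(notes)


def first_score(matched_patterns, match_count):
    """Base score of the matching result plus the weighted number of matches."""
    if not matched_patterns:
        return 0
    base = max(BASE_SCORE[p] for p in matched_patterns)
    return base + PATTERN_WEIGHT * match_count


def second_score(note_found):
    """Ransom note dimension: the weighted score when a note was identified."""
    return NOTE_WEIGHT if note_found else 0


def total_score(matched_patterns, match_count, note_found):
    return first_score(matched_patterns, match_count) + second_score(note_found)


def is_ransomware(matched_patterns, match_count, note_found):
    """Total score above the preset score: the target process is a ransomware process."""
    return total_score(matched_patterns, match_count, note_found) > ALERT_THRESHOLD


# Constructed sample accesses.
DECOY_DIRS = {"/srv/data/.archive"}
DECOY_FILES = {"/srv/data/.archive/ledger.xlsx", "/srv/data/.archive/notes.docx"}
SAMPLE_ACCESSES = [
    (4242, "write", "/srv/data/.archive/ledger.xlsx.locked"),   # encrypted copy, no keyword
    (4242, "write", "/srv/data/.archive/HOW_TO_DECRYPT.txt"),   # write-only, keyword: a note
    (4242, "write", "/srv/data/.archive/notes.docx"),           # decoy file itself: ignored
    (1337, "write", "/srv/data/.archive/readme-backup.log"),    # keyword, but ...
    (1337, "read",  "/srv/data/.archive/readme-backup.log"),    # ... also read: not a note
]

if __name__ == "__main__":
    notes = find_ransom_notes(SAMPLE_ACCESSES, DECOY_DIRS, DECOY_FILES)
    print(notes)
    # one decoy matched the first pattern and a note was dropped: 60 + 10 + 30 = 100 > 80
    print(is_ransomware(["first"], 1, 4242 in notes))
```

With these assumed weights a single matching decoy scores 70 and stays below the threshold, while the same match plus a ransom note (100) or a match on three decoys (90) crosses it; a note alone (30) never does, which is the behavior the text describes for combining the dimensions.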
在一些可能的实现方式中,检测系统还可以将所述目标进程的属性与白名单中进程的属性进行匹配。例如,将目标进程的进程文件哈希与白名单中进程的进程文件哈希进行匹配。当所述目标进程的属性与所述白名单中进程的属性不匹配时,检测系统将所述访问行为与行为模式进行匹配,获得匹配结果。如此可以实现过滤白名单中进程的异常访问行为,避免了用户误操作导致勒索病毒误报的情况发生。In some possible implementation manners, the detection system may also match the attributes of the target process with the attributes of the processes in the whitelist. For example, match the process file hash of the target process with the process file hash of the process in the whitelist. When the attribute of the target process does not match the attribute of the process in the white list, the detection system matches the access behavior with the behavior pattern to obtain a matching result. In this way, abnormal access behaviors of processes in the whitelist can be filtered, and false positives of ransomware viruses caused by user misoperations can be avoided.
In a second aspect, the present application provides a ransomware detection system, which may also be referred to simply as the detection system. The detection system includes the following functional modules:
an access monitoring module, configured to detect access behavior to decoy files and/or decoy directories;
a behavior detection module, configured to match the access behavior against a behavior pattern to obtain a matching result;
a ransomware detection module, configured to determine ransomware according to the matching result.
In some possible implementations, the system further includes:
an alarm module, configured to present alarm information to the user, the alarm information including one or more of the process identifier of the ransomware process, the path of the ransomware, the hash value of the ransomware, the command line of the ransomware, the access path of the ransomware process and the access type of the ransomware process, where the ransomware process is the process corresponding to the ransomware.
In some possible implementations, the system further includes:
a security response module, configured to stop the ransomware process, the ransomware process being the process corresponding to the ransomware; or to block the ransomware.
In some possible implementations, the behavior pattern includes at least the following behaviors:
writing a newly created non-decoy file under the decoy directory;
or renaming the decoy file.
In some possible implementations, the behavior pattern includes one or more of a first behavior pattern, a second behavior pattern and a third behavior pattern;
the first behavior pattern includes: reading the decoy file, writing a newly created non-decoy file under the decoy directory, and deleting the decoy file;
the second behavior pattern includes: reading the decoy file, writing the decoy file, and renaming the decoy file;
the third behavior pattern includes: renaming the decoy file, reading a newly created non-decoy file under the decoy directory, and writing that non-decoy file under the decoy directory.
In some possible implementations, the access monitoring module is specifically configured to:
obtain, from a file access message, the process identifier of the target process, the file path accessed by the target process and the access type;
when the file path accessed by the target process matches the decoy directory, record the access behavior of the target process to the decoy directory, and match the file accessed by the target process against the decoy file;
when the file accessed by the target process matches the decoy file, record the access behavior of the target process to the decoy file; when the file accessed by the target process does not match the decoy file, record the access behavior of the target process to a non-decoy file under the decoy directory.
In some possible implementations, the access monitoring module is further configured to:
when the access type is write, obtain the attributes of the decoy file and the attributes of the written file, the written file being the modified decoy file or the non-decoy file;
determine, from the attributes of the decoy file and the attributes of the written file, whether the decoy file has been encrypted;
the ransomware detection module is specifically configured to:
when the matching result indicates that the access behavior matches the behavior pattern and the target process has encrypted the decoy file, determine that the target process is a ransomware process and that the file which produces the target process when executed is ransomware.
In some possible implementations, the attributes of the decoy file include one or more of the size, entropy value or hash value of the decoy file.
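The following Python is an added example (not code from the application) of deciding, from the size, entropy and hash attributes named above, whether a written file is an encrypted version of the decoy. The entropy floor, the required entropy rise and the constructed decoy and ciphertext-like samples are assumptions; the application names the attributes but fixes no thresholds.

```python
import hashlib
import math
import random
from collections import Counter
from typing import Dict

ENTROPY_FLOOR = 7.0   # assumed: bits per byte typical of ciphertext or compressed data
ENTROPY_JUMP = 1.0    # assumed: minimum rise over the decoy's own entropy


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_attributes(data: bytes) -> Dict[str, object]:
    """The three decoy attributes the text lists: size, entropy value, hash value."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "hash": hashlib.sha256(data).hexdigest(),
    }


def decoy_encrypted(decoy: bytes, written: bytes) -> bool:
    """Compare the planted decoy with what was written back over it."""
    before, after = file_attributes(decoy), file_attributes(written)
    if before["hash"] == after["hash"]:
        return False   # content unchanged: a no-op write, not encryption
    if after["size"] == 0:
        return False   # truncated or deleted content: not encryption
    # Encryption turns low-entropy office data into near-random bytes, so require
    # both a high absolute entropy and a clear rise over the original.
    return (after["entropy"] >= ENTROPY_FLOOR
            and after["entropy"] - before["entropy"] >= ENTROPY_JUMP)


# Constructed samples: a plaintext decoy, an ordinary edit of it, and
# deterministic pseudo-random bytes standing in for ciphertext of the same size.
DECOY = b"Quarterly budget, line item 17: office supplies 1,240.00 EUR\n" * 60
EDITED = DECOY + b"Reviewed by finance on Monday.\n"
CIPHERTEXT_LIKE = random.Random(20220727).randbytes(len(DECOY))

if __name__ == "__main__":
    for label, written in (("unchanged", DECOY), ("edited", EDITED), ("ciphertext-like", CIPHERTEXT_LIKE)):
        attrs = file_attributes(written)
        print(f"{label:16s} size={attrs['size']:5d} entropy={attrs['entropy']:.2f} "
              f"encrypted={decoy_encrypted(DECOY, written)}")
```

Entropy alone cannot distinguish ciphertext from an already compressed decoy (an archive or JPEG starts near 8 bits per byte), which is why the text lists the hash and size alongside entropy; choosing plaintext-like decoys keeps the entropy rise observable.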
In some possible implementations, the access monitoring module is further configured to:
obtain the parent process identifier of the target process;
detect, according to the parent process identifier, the access behavior to the decoy file and/or decoy directory of associated processes of the target process, an associated process being a process whose parent process identifier is the same as that of the target process.
In some possible implementations, the ransomware detection module is specifically configured to:
determine, from the matching result of the target process's access behavior against the behavior pattern and the matching results of the associated processes' access behavior against the behavior pattern, the number of processes under the parent process whose access behavior matches the behavior pattern;
when that number of processes exceeds a preset number, determine that the file which produces the parent process when executed is ransomware.
In some possible implementations, the system further includes:
a ransom note detection module, configured to identify a ransom note file according to the access behavior to non-decoy files under the decoy directory;
the ransomware detection module is specifically configured to:
determine ransomware according to the matching result and the recognition result of the ransom note file.
In some possible implementations, the ransomware detection module is specifically configured to:
determine a first score according to the matching result, and a second score according to the recognition result of the ransom note file;
determine ransomware according to the first score and the second score.
In some possible implementations, the system further includes:
a whitelist filtering module, configured to match the attributes of the target process against the attributes of processes in a whitelist;
the behavior detection module is specifically configured to:
when the attributes of the target process do not match the attributes of the processes in the whitelist, match the access behavior against the behavior pattern to obtain the matching result.
In a third aspect, the present application provides a computer cluster. The computer cluster includes at least one computer, which includes at least one processor and at least one memory. The at least one processor and the at least one memory communicate with each other. The at least one processor is configured to execute instructions stored in the at least one memory, so that the computer or computer cluster performs the ransomware detection method of the first aspect or any implementation of the first aspect.
In a fourth aspect, the present application provides a computer-readable storage medium storing instructions which instruct a computer or computer cluster to perform the ransomware detection method of the first aspect or any implementation of the first aspect.
In a fifth aspect, the present application provides a computer program product containing instructions which, when run on a computer or computer cluster, cause the computer or computer cluster to perform the ransomware detection method of the first aspect or any implementation of the first aspect.
The implementations provided in the aspects above may be further combined to provide additional implementations.
Description of drawings
To illustrate the technical methods of the embodiments of the present application more clearly, the drawings used in the embodiments are briefly introduced below.
Fig. 1 is a schematic architecture diagram of a ransomware detection system provided by an embodiment of the present application;
Fig. 2 is a flowchart of a ransomware detection method provided by an embodiment of the present application;
Fig. 3 is a schematic diagram of an alarm interface provided by an embodiment of the present application;
Fig. 4 is a flowchart of a ransomware detection method provided by an embodiment of the present application;
Fig. 5 is a schematic structural diagram of a ransomware detection system provided by an embodiment of the present application;
Fig. 6 is a schematic structural diagram of a computer cluster provided by an embodiment of the present application.
Detailed description
The terms "first" and "second" in the embodiments of the present application are used for description purposes only and are not to be understood as indicating or implying relative importance or implicitly indicating the number of the technical features indicated. Thus, a feature qualified by "first" or "second" may explicitly or implicitly include one or more of that feature.
First, some technical terms involved in the embodiments of the present application are introduced.
Ransomware, also referred to as ransom software, is a special type of malware, usually classified as a denial-of-access attack. What most distinguishes ransomware from other viruses is its technique and its mode of infection. One typical kind of ransomware systematically encrypts the files stored on a computing device, for example key business/data files such as one or more of database files, office documents, compressed files, videos, pictures and source code, and then demands that the victim pay a ransom to obtain the decryption password/tool, which the victim has no way of obtaining on their own, in order to decrypt the files.
Ransomware usually spreads in the form of a Trojan horse: it disguises itself as a seemingly harmless file. For example, ransomware may use social engineering, such as posing as an ordinary e-mail, to trick the victim into clicking a link and downloading it, or, like many worms, exploit software vulnerabilities to spread between networked computing devices.
To reduce the damage caused by ransomware, the industry has provided ransomware detection schemes that detect ransomware early so that it can be blocked. Mainstream schemes include decoy-file-based ransomware detection: decoy files of a fixed type and fixed size are deployed in a designated decoy directory, and known or unknown ransomware is identified by monitoring changes to the decoy files, for example changes in their size, entropy value or type. However, the accuracy of this method is not high, and it may misidentify a business process as the ransomware process corresponding to ransomware, affecting normal business operation.
In view of this, an embodiment of the present application provides a ransomware detection method. The method may be performed by a ransomware detection system; for ease of description, the ransomware detection system is also referred to simply as the detection system. In some embodiments, the detection system may be a software system deployed in a computer cluster, which performs the ransomware detection method by running the program code of the software system. In other embodiments, the detection system may be a hardware system for detecting ransomware. The embodiments of the present application are illustrated with the ransomware detection system as a software system.
Specifically, the detection system detects access behavior to a decoy file and/or decoy directory, matches that access behavior against a behavior pattern (for example, a behavior pattern preset by the service provider) to obtain a matching result, and then determines ransomware according to the matching result.
In this method, the detection system is provided with a general behavior pattern abstracted from the file-encryption behavior of a ransomware process (the process produced when ransomware executes), and matches a process's access behavior to the decoy file and/or decoy directory against that behavior pattern to identify whether the process is a ransomware process, thereby detecting ransomware. Compared with detection based on changes to the decoy file, the detection method of this embodiment is more accurate and avoids excessive false positives that affect normal business operation. Moreover, because the method detects ransomware through simple behavior pattern matching, it improves detection speed.
It should be noted that the ransomware detection method of the embodiments is applicable to rapidly detecting known/unknown ransomware on a terminal (for example, a host) or server. In particular, in a "cloud" scenario, where cloud servers leased or purchased by a tenant run a large number of business workloads and store key business/data files, the method can rapidly detect ransomware with a lightweight resource footprint, meeting the requirements for timely detection and low resource consumption.
To make the technical solution of the present application clearer and easier to understand, the system architecture of the embodiments is introduced below with reference to the accompanying drawings.
Referring to the system architecture diagram of the ransomware detection system shown in Fig. 1, in this example a tenant (for example an individual, an enterprise or another organization) may lease or purchase one or more cloud servers in a cloud computing cluster 10 to deploy the tenant's applications, for example application 1 to application N, where N is a positive integer. Fig. 1 illustrates the deployment of multiple applications; in some embodiments a tenant may deploy a single application. A ransomware detection system 100, referred to below as the detection system 100 for convenience, is also deployed in the cloud computing cluster 10.
The cloud computing cluster 10 has a communication connection with a terminal 20. A client is installed on the terminal 20, which may be a general-purpose client such as a browser or a detection client dedicated to ransomware detection. The detection system 100 in the cloud computing cluster 10 can detect access behavior to the decoy file and/or decoy directory, match the access behavior against the behavior pattern to obtain a matching result, and then determine ransomware according to the matching result.
Further, the detection system 100 may generate alarm information according to the detected ransomware and send it to the terminal 20, so that the terminal 20 presents the alarm information to the user. The alarm information includes one or more of the process identifier of the ransomware process, the path of the ransomware, the hash value (hash) of the ransomware, the command line of the ransomware, the access path of the ransomware process and the access behavior of the ransomware process. In this embodiment, the ransomware process is the process corresponding to the ransomware.
It should be noted that, when ransomware is detected, the detection system 100 may also stop the ransomware process. In some embodiments, the detection system 100 may also block the ransomware on detection, that is, quarantine the ransomware executable file. This prevents the ransomware process from encrypting the application's business/data files and harming the user's interests.
The embodiment shown in Fig. 1 is illustrated with the detection system 100 deployed in a cloud computing cluster and detecting whether applications deployed in that cluster include ransomware. In some possible implementations, the detection system 100 may also be deployed on a local computing device, for example a terminal 20 such as a desktop or laptop computer, to perform ransomware detection on the applications deployed on the terminal 20.
Next, the ransomware detection method provided by the embodiments is described in detail from the perspective of the detection system 100.
Referring to the flowchart of the ransomware detection method shown in Fig. 2, the method includes:
S202: The detection system 100 obtains, from a file access message, the process identifier of the target process, the file path accessed by the target process and the access type. When the file path accessed by the target process matches the decoy directory, S204 is performed. When it does not match the decoy directory, S228 is performed.
Specifically, the file access message may be an application programming interface (API) call message for reading or writing a file. The message includes the process identifier (process ID, PID) of the target process, the file path accessed by the target process and the access type. The detection system 100 can obtain the PID of the target process, the file path it accessed, the access type and so on by parsing the file access message.
The target process is the process performing the file access operation. A process is an instance of a running program. A program is usually stored as a file, for example a binary file. When the program is triggered or executed, its code and the data it needs to run are loaded into memory, and the operating system assigns the memory unit holding that code and data an identifier, the PID. The access type is the type of operation on the file; in this embodiment, the access type may include read and/or write.
The file path accessed by the target process indicates the directory of the file being accessed. On this basis, the detection system 100 can match the directory of the accessed file against the decoy directory to determine whether the target process is accessing the decoy directory. When the directory of the accessed file matches the decoy directory (also called a deception directory, used to lure the ransomware process into accessing it), the target process is accessing the decoy directory and the detection system 100 may perform S204. When it does not match, the target process is not currently accessing the decoy directory, and the detection system 100 may perform S228, ending the current flow without performing the subsequent steps.
S204: The detection system 100 records the access behavior of the target process to the decoy directory and matches the file accessed by the target process against the decoy file. When the accessed file matches the decoy file, S206 is performed. When it does not match, S208 is performed.
Specifically, the detection system 100 may record the access behavior of the target process to the decoy directory in an access list. Further, the detection system 100 matches the file accessed by the target process (the file read or written) against the decoy file (also called a deception file, used to lure the ransomware process into accessing it and performing file encryption) to determine whether the target process is accessing the decoy file or a non-decoy file under the decoy directory.
Here, the detection system 100 can obtain the attributes of the file accessed by the target process according to the PID of the target process. The attributes may include one or more of the file's name, size, hash value, entropy value and type. The detection system 100 may match the attributes of the accessed file against those of the decoy file, for example matching the name, hash value or entropy value of the accessed file against the name, hash value or entropy value of the decoy file, to determine whether the accessed file is a decoy file or a non-decoy file. When the attributes match, the detection system 100 determines that the target process is accessing the decoy file and performs S206. When they do not match, the detection system 100 determines that the target process is accessing a non-decoy file under the decoy directory and performs S208.
S206: The detection system 100 records the access behavior of the target process to the decoy file.
Since the decoy directory may contain one or more decoy files, the detection system 100 may record the PID of the target process, the attributes of the decoy file (for example one or more of its name, hash value and entropy value) and the access type, thereby recording the access behavior of the target process to the decoy file. This supports later per-decoy-file statistics.
S208: The detection system 100 records the access behavior of the target process to a non-decoy file under the decoy directory.
Similarly to recording access behavior to the decoy file, the detection system 100 may record the PID of the target process, the attributes of the non-decoy file (for example one or more of its name, hash value and entropy value) and the access type, thereby recording the access behavior of the target process to the non-decoy file under the decoy directory. This supports later per-non-decoy-file statistics.
S202 to S208 above are one implementation of how the detection system 100 detects access behavior to the decoy file and/or decoy directory. In other possible implementations of the embodiments, the detection system 100 may detect such access behavior in other ways. For example, the detection system 100 may receive events of access to the decoy file and/or decoy directory reported by the target process, thereby detecting the access behavior.
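An added example of S202 to S208 in Python, not part of the application: a dict stands in for the file access message, the decoy directory path, the decoy registry and the sample messages are constructed, and a decoy file is recognised by name or by the SHA-256 of its content (the text allows name, hash or entropy). The directory match is done component-wise, so a sibling directory whose name merely begins with the decoy directory's name is not mistaken for it.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AccessRecord:
    """One entry of the access list kept by the detection system."""
    pid: int
    target: str        # "decoy_dir", "decoy_file" or "non_decoy_file"
    file_name: str
    access_type: str   # "read" or "write" in this example


DECOY_DIR = PurePosixPath("/srv/data/.decoy")   # assumed location of the decoy directory


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed decoy registry: decoy file name -> hash of the planted content.
DECOY_FILES: Dict[str, str] = {
    "budget.xlsx": sha256_hex(b"constructed decoy spreadsheet content"),
    "contracts.docx": sha256_hex(b"constructed decoy document content"),
}


def in_decoy_dir(path: str) -> bool:
    """Component-wise containment, so /srv/data/.decoy2/x does not match /srv/data/.decoy."""
    try:
        PurePosixPath(path).relative_to(DECOY_DIR)
        return True
    except ValueError:
        return False


def is_decoy_file(name: str, content: Optional[bytes]) -> bool:
    """Match by name, or by hash so that a renamed decoy is still recognised."""
    if name in DECOY_FILES:
        return True
    return content is not None and sha256_hex(content) in DECOY_FILES.values()


def monitor(message: Dict[str, object], content: Optional[bytes],
            access_list: List[AccessRecord]) -> Optional[str]:
    """S202-S208 for one file access message. Returns the file classification,
    or None when the path lies outside the decoy directory (S228: nothing recorded)."""
    pid, path, access_type = message["pid"], str(message["path"]), str(message["access_type"])
    if not in_decoy_dir(path):                                   # S202 -> S228
        return None
    name = PurePosixPath(path).name
    access_list.append(AccessRecord(int(pid), "decoy_dir", name, access_type))   # S204
    target = "decoy_file" if is_decoy_file(name, content) else "non_decoy_file"  # S206 / S208
    access_list.append(AccessRecord(int(pid), target, name, access_type))
    return target


def run_sample() -> List[AccessRecord]:
    """Feed constructed file access messages (and the bytes involved) through monitor()."""
    messages = [
        ({"pid": 4242, "path": "/srv/data/.decoy/budget.xlsx", "access_type": "read"},
         b"constructed decoy spreadsheet content"),
        ({"pid": 4242, "path": "/srv/data/.decoy/budget.xlsx.locked", "access_type": "write"},
         b"\x8f\x11\xa0constructed high-entropy-looking bytes"),
        ({"pid": 4242, "path": "/srv/data/.decoy2/notes.txt", "access_type": "write"},
         b"sibling directory, not the decoy directory"),
        ({"pid": 7, "path": "/home/alice/report.docx", "access_type": "read"}, None),
    ]
    access_list: List[AccessRecord] = []
    for message, content in messages:
        monitor(message, content, access_list)
    return access_list


if __name__ == "__main__":
    for record in run_sample():
        print(record)
```

Only the first two messages produce records: the read of the decoy yields a decoy-directory entry and a decoy-file entry, the write of a new file beside it yields a decoy-directory entry and a non-decoy-file entry, and the other two paths are discarded at S202.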
S209: The detection system 100 obtains the attributes of the target process and compares them with the attributes of the processes in the whitelist. When the attributes of the target process do not match those of a whitelisted process, S210 is performed; when they match, S228 is performed.
The attributes of a process may include one or more of the process name, process file path, process file hash and process command line. The process name may be determined from the name of the file that produces the process when executed (also called the process file). For example, executing the executable file of a browser application may produce a process named browser. The process file path is the path where the process file is located. The process file hash is the hash value obtained by hashing the process file. The process file may be executed from a graphical interface or through a command-line tool. When a command-line tool is used to execute the process file and produce the process, the attributes of the process may also include the process command line, that is, the command line used to execute the process file.
Specifically, the detection system 100 may obtain the attributes of the target process according to its PID. Taking the process file hash as an example, the detection system 100 may determine the process file hash of the target process and the process file hashes of the whitelisted processes and compare them, thereby filtering processes. The detection system 100 may call the interface of a process whitelist manager with the process file hash of the target process to compare it against the process file hashes of the whitelisted processes, matching the target process against the preset or manually imported whitelist.
When the attributes of the target process (such as the process file hash) match those of a whitelisted process, the target process is a trusted process; the detection system 100 may filter it out, stop ransomware detection and perform S228 to end the current flow. When the attributes do not match, the target process is not a trusted process, and the detection system 100 may perform S210 to continue ransomware detection.
In this embodiment, whitelist filtering prevents the false positives, and the resulting blocking of business processes, that would otherwise be caused by users of the customer host or server accidentally accessing the decoy directory or decoy files. It should be noted that the detection system 100 may also omit S209; for example, after detecting access behavior to the decoy file and/or decoy directory, it may directly perform S210 to match the access behavior against the preset behavior pattern.
S210: The detection system 100 matches the access behavior against the behavior pattern to obtain a matching result. When the matching result indicates that the access behavior matches the behavior pattern, S212 is performed.
To detect ransomware, the detection system 100 may provide a general behavior pattern abstracted from the file-encryption behavior of ransomware. The detection system 100 can then check, by behavior matching, whether the access behavior of the target process matches that behavior pattern, and thereby detect whether the target process is a ransomware process (the process corresponding to the ransomware, usually the process produced when the ransomware executes).
The preset behavior pattern includes at least the following behaviors: writing a newly created non-decoy file under the decoy directory, or renaming the decoy file. In some embodiments, the preset behavior pattern includes one or more of a first behavior pattern, a second behavior pattern and a third behavior pattern.
Referring to Table 1, the first, second and third behavior patterns respectively include the following behaviors:
表1 行为模式说明Table 1 Description of Behavior Modes
(Table 1 is provided as an image in the original publication and is not reproduced here.)
Specifically, the detection system 100 may match one access behavior in the access list with the first step of the first, second or third behavior pattern (specifically, reading the decoy file or renaming the decoy file). When that access behavior matches the first step, the next access behavior in the access list is matched with the second step of the first, second or third behavior pattern. When that next access behavior matches the second step, the following access behavior in the access list is matched with the third step of the first, second or third behavior pattern. When that access behavior matches the third step, the access behavior of the target process matches the first, second or third behavior pattern. If, during this matching process, an access behavior fails to match any step, the detection system 100 may stop matching and determine the matching result to be that the access behavior does not match the behavior pattern.
It should be noted that the behavior pattern provided by the detection system 100 may be set in advance or set in real time during ransomware detection; this is not limited in the embodiments of the present application.
S212: For an access behavior whose access type is write, the detection system 100 obtains the attributes of the decoy file and the attributes of the written file.
Since executing ransomware usually spawns a ransomware process that encrypts files, for an access behavior whose access type is write, the detection system 100 may further obtain the attributes of the decoy file and of the written file to determine whether the target process has performed encryption.
The written file may be the modified decoy file or a non-decoy file under the decoy directory. For example, when the access behavior matches the first behavior pattern, the written file may be a newly created non-decoy file under the decoy directory. When the access behavior matches the second behavior pattern, the written file may be the decoy file. When the access behavior matches the third behavior pattern, the written file may be a non-decoy file under the decoy directory.
The attributes of the decoy file include one or more of its size, entropy value and hash value. Similarly, the attributes of the written file include one or more of its size, entropy value and hash value. It should be noted that when the decoy file has been modified, the attributes of the decoy file are those of the decoy file before modification.
S214: The detection system 100 determines, according to the attributes of the decoy file and the attributes of the written file, whether the decoy file has been encrypted.
Since encrypting a decoy file usually changes its attributes such as size, entropy value or hash value, the detection system 100 may compare the attributes of the decoy file with the attributes of the written file to determine whether the target process has encrypted the decoy file. When the size, entropy value or hash value has changed, the detection system 100 determines that the target process has encrypted the decoy file; when none of them has changed, the detection system 100 determines that the target process has not encrypted the decoy file.
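The S212/S214 attribute comparison as an added example (not code from the patent): it computes the three attributes named above for the pre-modification decoy and for the written file and applies the "any attribute changed" rule. The decoy content and the stand-in "encrypted" output are constructed here; the keystream helper is only a deterministic stand-in for ransomware output, not a real cipher.

```python
import hashlib
import math
from collections import Counter

# Constructed sample content of a decoy file before any write: repetitive
# ASCII text, hence low entropy.
DECOY_BEFORE = b"This is a harmless decoy document. " * 8


def _stand_in_ciphertext(plaintext: bytes) -> bytes:
    """Stand-in for what ransomware writes back: XOR with a SHA-256
    counter-mode keystream from a constructed key. Deterministic so the
    example is repeatable; not a real cipher and not part of the patent."""
    key = b"constructed-example-key"
    stream = bytearray()
    block = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(p ^ k for p, k in zip(plaintext, stream))


DECOY_AFTER = _stand_in_ciphertext(DECOY_BEFORE)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total)
                for c in Counter(data).values())


def file_attributes(data: bytes) -> dict:
    """The three attributes S212 names: size, entropy value and hash value."""
    return {
        "size": len(data),
        "entropy": round(shannon_entropy(data), 3),
        "hash": hashlib.sha256(data).hexdigest(),
    }


def is_decoy_encrypted(before: bytes, after: bytes) -> tuple:
    """S214 rule: the decoy counts as encrypted when its size, entropy value
    or hash value differs between the pre-modification decoy ('before') and
    the written file ('after'). Returns (encrypted, changed_attributes,
    entropy_delta) so the caller can see which attribute tripped the rule.
    The hash changes on any write at all, so the entropy delta is the value
    worth logging when triaging an alert."""
    a, b = file_attributes(before), file_attributes(after)
    changed = [k for k in ("size", "entropy", "hash") if a[k] != b[k]]
    return (bool(changed), changed, round(b["entropy"] - a["entropy"], 3))
```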
S212 to S214 above are optional steps of this embodiment; the ransomware detection method of this embodiment may also be performed without them. For example, the detection system 100 may determine ransomware directly from the matching result, without further detecting whether the target process performs encryption.
S216: The detection system 100 identifies a ransom note file according to the access behavior on non-decoy files under the decoy directory.
Specifically, the detection system 100 judges whether the access type of the target process's access behavior on a non-decoy file under the decoy directory includes write but not read. If so, the non-decoy file has a high probability of being a ransom note file, and the detection system 100 may identify it as a ransom note file.
Further, to improve reliability, the detection system 100 may also determine whether the name of the non-decoy file includes a keyword from a dictionary of names commonly used for ransom note files, such as readme, decrypt, restore or recover. If so, the detection system 100 determines that the non-decoy file is a ransom note file. Since ransom note files are usually small, the detection system 100 may also compare the size of the non-decoy file with a preset threshold, and if it is smaller than the threshold, determine that the non-decoy file is a ransom note file.
Further, the detection system 100 may also treat a non-decoy file whose access type includes write but not read as a suspicious file, or treat a non-decoy file as suspicious when it satisfies both of the following conditions: its access type includes write but not read, and its file name includes a keyword from the dictionary of common ransom note file names; the detection system 100 then counts the suspicious files. The detection system 100 may further compare the number of suspicious files with a set number, and when the number of suspicious files is greater than the set number, mark these suspicious files as ransom note files.
It should be noted that S216 above is an optional step of this embodiment; the ransomware detection method of this embodiment may also be performed without S216.
S218: The detection system 100 determines a first score according to the matching result.
Specifically, the matching result may be that the access behavior matches the behavior pattern or that it does not, and the detection system 100 may preset different base scores for the different matching results; the base scores may be set according to empirical values. After obtaining the matching result, the detection system 100 may determine the base score corresponding to that result and take the base score as the first score.
Further, considering the case in which the target process accesses multiple decoy files, the detection system 100 may also count the number n of times the access behavior of the target process on the decoy directory and/or decoy files matches the behavior pattern. Correspondingly, the detection system 100 may determine the first score from the base score Score_base, the behavior pattern matching weighted score Score_weight_modelmatch, and the number of matches n.
For example, the detection system 100 may determine the first score Score_1 through the following formula:
Score_1 = Score_base + Score_weight_modelmatch · (n − 1)      (1)
For ease of understanding, a specific example follows. In this example, the base score is 70 points when the access behavior matches the preset behavior pattern and 0 points when it does not, and the behavior pattern matching weighted score is 10. When one target process encrypts 2 decoy files, so that its access behavior matches the preset behavior pattern twice, the detection system 100 determines the first score as 70 + 10 × (2 − 1) = 80 points.
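The S210 step-by-step matching and the S218 formula (1), as an added example rather than the patent's code. Only the first behavior pattern is spelled out in the text (Table 1 is an image), so the second and third patterns and both access lists below are constructed assumptions; the score constants are those of the worked example.

```python
from typing import Dict, List, Tuple

# One recorded access behavior of the target process: (access_type, target).
#   access_type: "read" | "write" | "rename" | "delete"
#   target:      "decoy"          a decoy file
#                "new_non_decoy"  a file newly created under the decoy directory
#                "non_decoy"      another non-decoy file under the decoy directory
Behavior = Tuple[str, str]

# Preset behavior patterns as ordered three-step sequences. pattern_1 is the
# one the description spells out (read decoy, write new non-decoy, delete
# decoy). pattern_2 and pattern_3 are ASSUMED for this example: the text only
# says each pattern starts with reading or renaming the decoy file and that
# the written file is the decoy itself (pattern 2) or a non-decoy file under
# the decoy directory (pattern 3).
PATTERNS: Dict[str, List[Behavior]] = {
    "pattern_1": [("read", "decoy"), ("write", "new_non_decoy"), ("delete", "decoy")],
    "pattern_2": [("read", "decoy"), ("write", "decoy"), ("rename", "decoy")],
    "pattern_3": [("rename", "decoy"), ("read", "decoy"), ("write", "non_decoy")],
}

# Scores from the worked example: base 70 on a match, 0 otherwise, weight 10.
SCORE_BASE_MATCH = 70
SCORE_BASE_NO_MATCH = 0
SCORE_WEIGHT_MODELMATCH = 10


def matches_at(access_list: List[Behavior], pattern: List[Behavior], start: int) -> bool:
    """S210 step matching: the behavior at `start` must equal step 1, the next
    behavior step 2, the one after that step 3. The first mismatch stops the
    attempt and the result is 'no match'."""
    for offset, step in enumerate(pattern):
        idx = start + offset
        if idx >= len(access_list) or access_list[idx] != step:
            return False
    return True


def count_pattern_matches(access_list: List[Behavior]) -> Tuple[int, List[str]]:
    """Scan the whole access list and return (n, names): n is the number of
    times any preset pattern matched, the value used in formula (1). After a
    match the scan resumes after the matched window; after a failed round it
    resumes at the next behavior (i+1), as S234 describes."""
    n, names, i = 0, [], 0
    while i < len(access_list):
        hit = next((name for name, pat in PATTERNS.items()
                    if matches_at(access_list, pat, i)), None)
        if hit is None:
            i += 1
            continue
        n += 1
        names.append(hit)
        i += len(PATTERNS[hit])
    return n, names


def first_score(n: int) -> int:
    """Formula (1): Score_1 = Score_base + Score_weight_modelmatch * (n - 1),
    using the no-match base score (0) when the pattern never matched."""
    if n == 0:
        return SCORE_BASE_NO_MATCH
    return SCORE_BASE_MATCH + SCORE_WEIGHT_MODELMATCH * (n - 1)


def score_process(access_list: List[Behavior]) -> int:
    n, _ = count_pattern_matches(access_list)
    return first_score(n)


# Constructed access lists (not captured from any real process).
# A process that handles two decoy files the pattern_1 way, with an unrelated
# read of another file in between: n = 2, Score_1 = 80.
ENCRYPTING_PROCESS: List[Behavior] = [
    ("read", "decoy"), ("write", "new_non_decoy"), ("delete", "decoy"),
    ("read", "non_decoy"),
    ("read", "decoy"), ("write", "new_non_decoy"), ("delete", "decoy"),
]
# A process that opens a decoy and saves it back (editor-like) but never
# completes a three-step pattern: n = 0, Score_1 = 0.
EDITING_PROCESS: List[Behavior] = [("read", "decoy"), ("write", "decoy")]
```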
S220: The detection system 100 determines a second score according to the identification result for the ransom note file.
Specifically, the detection system 100 may set a weighted score for the ransom note file; to distinguish it from the behavior pattern matching weighted score, this embodiment calls it the ransom note file matching weighted score. The ransom note file matching weighted score may be set according to an empirical value, for example 15 points. When the identification result is that a ransom note file has been identified, the detection system 100 may obtain the second score Score_2 from the ransom note file matching weighted score; for example, the second score may equal the ransom note file matching weighted score.
S222: The detection system 100 determines ransomware according to the first score and the second score.
Specifically, the detection system 100 may determine a total score Score_total from the first score and the second score, and compare the total score with a preset score. When the total score is greater than the preset score, it may determine that the process file of the target process is ransomware and that the target process is a ransomware process.
It should be noted that S218 to S222 above are one implementation in which the detection system 100 determines ransomware according to the matching result. In other possible implementations of this embodiment, the detection system 100 may also determine ransomware directly from the matching result; for example, when the matching result indicates that the access behavior matches the preset behavior pattern, the process file of the target process is determined to be ransomware.
S224: The detection system 100 presents alarm information to the user.
Optionally, the detection system 100 may present alarm information to the user when ransomware is detected. The alarm information includes one or more of the process identifier of the ransomware process, the path of the ransomware, the hash value of the ransomware, the command line of the ransomware, the access path of the ransomware process, and the access type of the ransomware process, where the ransomware process is the process corresponding to the ransomware.
Further, the detection system 100 may also determine a hazard level and present the alarm information to the user when the hazard level reaches a set level. The detection system 100 may set different score ranges for different hazard levels, and determine the hazard level from the range in which the total score falls.
For example, when the total score is between 70 and 80 points, that is, 70 < Score_total ≤ 80, the hazard level may be low; when the total score is between 80 and 90 points, that is, 80 < Score_total ≤ 90, the hazard level may be medium; when the total score is above 90 points, that is, Score_total > 90, the hazard level may be high.
In some possible implementations, the detection system 100 may present the alarm information to the user through an alarm interface. Referring to the schematic diagram of the alarm interface shown in FIG. 3, the alarm interface 300 includes alarm information 302, which informs the user that ransomware has been detected and further shows the PID of the ransomware process corresponding to the ransomware and its process file path (the path of the ransomware). In some embodiments, the detection system 100 may also alert the user by voice. As shown in FIG. 3, the alarm interface 300 also carries a voice prompt control 304; when the voice prompt control 304 is triggered, the detection system 100 may play a voice alert.
S226: The detection system 100 stops the ransomware process and blocks the ransomware.
For safety, the detection system 100 may automatically stop the ransomware process and block the ransomware when ransomware is detected. In some embodiments, the detection system 100 may instead present the alarm information to the user, have the user confirm the alarm information, and then stop the ransomware process and block the ransomware after obtaining the user's authorization or permission.
Referring to the schematic diagram of the alarm interface shown in FIG. 3, the alarm interface 300 also carries a stop control 306 and a block control 307. When the stop control 306 is triggered, the detection system 100 may stop the ransomware process; when the block control 307 is triggered, the detection system 100 may block the ransomware. Specifically, the detection system 100 may move the ransomware into a sandbox to block it. In some embodiments, the alarm interface 300 may also carry a skip control 308; when the skip control 308 is triggered, the detection system 100 skips this ransomware and performs no blocking or other handling.
S226 above is one implementation of the security response of the detection system 100 to ransomware. In other possible implementations of this embodiment, the detection system 100 may stop the ransomware process, or block the ransomware. The manner in which the detection system 100 performs the security response is not limited in this embodiment.
S228: The detection system 100 ends the current flow.
Based on the above, the embodiment of the present application provides a ransomware detection method. In this method, the detection system 100 abstracts a general behavior pattern from the way a ransomware process encrypts files, and matches a process's access behavior on decoy files and/or decoy directories against that behavior pattern to identify whether the process is a ransomware process, thereby detecting ransomware. Compared with detection based only on changes to decoy files, the detection method of this embodiment is more accurate and avoids excessive false positives that would disrupt normal business operation. Moreover, because the method detects ransomware through simple behavior pattern matching, detection is fast.
Since ransomware may also encrypt files using multiple processes, the detection system 100 may also detect the access behavior of multiple processes on decoy files, so as to cover the scenario in which ransomware encrypts files through multiple processes and thereby raise the ransomware detection rate.
The ransomware detection method provided by the embodiment of the present application is described in detail below with reference to the accompanying drawings.
Referring to the flowchart of the ransomware detection method shown in FIG. 4, on the basis of the embodiment shown in FIG. 2, the method further includes the following steps:
S230: The detection system 100 obtains the parent process identifier of the target process.
Specifically, the detection system 100 may look up the parent process identifier of the target process according to the identifier of the target process. The parent process is the process that created the target process, and the parent process identifier may be the PID of the parent process. Further, the detection system 100 may also obtain one or more of the parent process name, the parent process file path, the parent process command line and the parent process file hash. The parent process file is the file that, when executed, generates the parent process, and the parent process file path is the path of that file. The parent process may be generated by executing the parent process file from a graphical interface or through a command line tool. When a command line tool is used to execute the parent process file, the command line used to execute it is the parent process command line. The parent process file hash is the hash value obtained by hashing the parent process file.
S232: The detection system 100 detects, according to the parent process identifier, the access behavior of processes associated with the target process on the decoy file and/or decoy directory.
A process associated with the target process may be referred to simply as an associated process. The parent process identifier of an associated process is the same as that of the target process; that is, the target process and its associated processes are child processes of the same parent process. The detection system 100 may detect the access behavior of an associated process on the decoy file and/or decoy directory in a manner similar to that used for the target process.
Specifically, the detection system 100 obtains a file access message and parses it to obtain the process identifier of the associated process, the file path it accessed and the access type. The detection system 100 then matches the accessed file path with the decoy directory. When the accessed file path matches the decoy directory, the detection system 100 may further match the accessed file with the decoy file. If the accessed file matches the decoy file, for example because the file hash values are identical, the detection system 100 records the access behavior of the associated process on the decoy file; if the accessed file does not match the decoy file, for example because the hash values differ, the detection system 100 records the access behavior of the associated process on a non-decoy file under the decoy directory.
S234: The detection system 100 matches the access behavior of the associated process on the decoy file and/or decoy directory with the behavior pattern.
Similarly to matching the access behavior of the target process on the decoy file and/or decoy directory with the preset behavior pattern, the detection system 100 may also match the access behavior of the associated process on the decoy file and/or decoy directory with the preset behavior pattern.
The preset behavior pattern may include one or more of the first, second and third behavior patterns. Each behavior pattern is usually a combination of several behaviors. Taking the first behavior pattern as an example, it includes the following three behaviors: 1. read the decoy file; 2. write a newly created non-decoy file under the decoy directory; 3. delete the decoy file.
The detection system 100 may match a behavior in the access list of the associated process (say the i-th behavior) with the first behavior of the combination that makes up the preset behavior pattern. When the first behavior matches, the next behavior in the access list is matched with the second behavior of the combination. When the second behavior matches, the next behavior in the access list is matched with the third behavior of the combination. When the third behavior matches, the access behavior of the associated process on the decoy file and/or decoy directory matches the preset behavior pattern. When any behavior of the preset behavior pattern fails to match, the current round of matching may be stopped, and the (i+1)-th behavior in the access list of the associated process is taken for a new round of matching.
S236: The detection system 100 determines the number of processes under the parent process whose access behavior matches the behavior pattern.
The detection system 100 may count the processes under the parent process whose access behavior matches the preset behavior pattern, in order to detect multi-process file encryption. Specifically, the detection system 100 may look up an abnormal access tracking list according to the PID of the parent process. When the abnormal access tracking list is found, it may update the list according to the result of matching the access behavior of the associated process on the decoy file and/or decoy directory with the preset behavior pattern, so as to count the processes under the parent process whose access behavior matches the preset behavior pattern.
When the detection system 100 does not find an abnormal access tracking list, it may create an abnormal access tracking list keyed by the PID of the parent process, and update it according to the result of matching the access behavior of the associated process on the decoy file and/or decoy directory with the preset behavior pattern, so as to count the processes under the parent process whose access behavior matches the preset behavior pattern.
Correspondingly, when the detection system 100 executes S218 to determine the first score, it may also determine a multi-process anomaly detection weighted score when the multi-process decoy file encryption condition is met. On top of the single-process decoy file encryption case, the detection system 100 may then combine the multi-process anomaly detection weighted score Score_weight_multiprocess to determine the first score Score_1.
For example, the detection system 100 may determine the first score Score_1 through the following formula:
Score_1 = max_i ( Score_base^(i) + Score_weight_modelmatch · (n_i − 1) ) + Score_weight_multiprocess      (2)
where Score_base^(i) denotes the base score of the i-th process and n_i denotes the number of matches of the i-th process; i is a positive integer.
Specifically, the detection system 100 may compare the number of processes under the parent process whose access behavior matches the preset behavior pattern with a preset number; when that number is greater than the preset number, the multi-process decoy file encryption condition is met, and the detection system 100 may determine the multi-process anomaly detection weighted score. It should be noted that the multi-process anomaly detection weighted score may be set according to an empirical value, for example 15 points.
For ease of understanding, a specific example follows. Assume that the access behavior of 3 processes under the parent process matches the preset behavior pattern and that each process matches once; then the base score Score_base^(i) of each process (i = 1, 2, 3) is 70, the behavior pattern matching weighted score Score_weight_modelmatch is 10, and the multi-process anomaly detection weighted score Score_weight_multiprocess is 15. The first score Score_1 is then max(70 + 10 × 0, 70 + 10 × 0, 70 + 10 × 0) + 15 = 85 points.
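The S236 abnormal access tracking list, formula (2), and the S220/S222 total score and hazard levels, as an added example that is not the patent's code. Score constants come from the worked examples; the preset number of matching child processes, the preset ransomware score threshold, the plain-sum total and the PIDs are assumptions made here.

```python
from typing import Dict, Optional

# Score constants from the worked examples (70 / 10 / 15 / 15). The preset
# number of matching children that counts as multi-process encryption and the
# preset ransomware threshold of S222 are ASSUMED values.
SCORE_BASE_MATCH = 70
SCORE_WEIGHT_MODELMATCH = 10
SCORE_WEIGHT_MULTIPROCESS = 15
SCORE_WEIGHT_RANSOMNOTE = 15
MULTIPROCESS_PRESET_NUMBER = 2     # assumed: strictly more than 2 children
RANSOMWARE_SCORE_THRESHOLD = 70    # assumed "preset score" of S222


class AbnormalAccessTracker:
    """Abnormal access tracking lists keyed by parent PID (S236). Each list
    maps a child PID to n_i, the number of times that child's access behavior
    matched a preset behavior pattern."""

    def __init__(self) -> None:
        self._lists: Dict[int, Dict[int, int]] = {}

    def record_match(self, parent_pid: int, child_pid: int) -> None:
        """Called once per successful pattern match of a child process; the
        parent's list is created on first use, as S236 describes."""
        children = self._lists.setdefault(parent_pid, {})
        children[child_pid] = children.get(child_pid, 0) + 1

    def matching_process_count(self, parent_pid: int) -> int:
        return len(self._lists.get(parent_pid, {}))

    def first_score(self, parent_pid: int) -> int:
        """Formula (2): max over children of
        Score_base^(i) + Score_weight_modelmatch * (n_i - 1), plus
        Score_weight_multiprocess when more than the preset number of children
        matched. Children that never matched are not in the list, so every
        Score_base^(i) here is the 'matched' base score."""
        children = self._lists.get(parent_pid, {})
        if not children:
            return 0
        per_process = [SCORE_BASE_MATCH + SCORE_WEIGHT_MODELMATCH * (n - 1)
                       for n in children.values()]
        score = max(per_process)
        if len(children) > MULTIPROCESS_PRESET_NUMBER:
            score += SCORE_WEIGHT_MULTIPROCESS
        return score


def second_score(ransom_note_found: bool) -> int:
    """S220: the ransom note matching weighted score when a note was identified."""
    return SCORE_WEIGHT_RANSOMNOTE if ransom_note_found else 0


def total_score(score_1: int, score_2: int) -> int:
    """S222 only says the total is determined from the two scores; this
    example assumes a plain sum."""
    return score_1 + score_2


def hazard_level(score_total: int) -> Optional[str]:
    """Score ranges of the description: 70 < total <= 80 low,
    80 < total <= 90 medium, total > 90 high; None below the lowest range."""
    if score_total > 90:
        return "high"
    if score_total > 80:
        return "medium"
    if score_total > 70:
        return "low"
    return None


def assess_parent(tracker: AbnormalAccessTracker, parent_pid: int,
                  ransom_note_found: bool) -> dict:
    """Combine S218, S220 and S222 for one parent process."""
    s1 = tracker.first_score(parent_pid)
    s2 = second_score(ransom_note_found)
    total = total_score(s1, s2)
    return {
        "score_1": s1, "score_2": s2, "score_total": total,
        "is_ransomware": total > RANSOMWARE_SCORE_THRESHOLD,
        "hazard_level": hazard_level(total),
    }


def worked_example() -> dict:
    """The description's example: three children of one parent (constructed
    PIDs), each matching once, no ransom note -> Score_1 = 85."""
    tracker = AbnormalAccessTracker()
    for child_pid in (4101, 4102, 4103):
        tracker.record_match(parent_pid=4100, child_pid=child_pid)
    return assess_parent(tracker, 4100, ransom_note_found=False)
```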
如此,检测系统100可以根据上述第一评分和第二评分,确定勒索病毒。需要说明的是,检测系统100基于上述第一评分和第二评分确定勒索病毒仅为本申请实施例的一种实现方式,在本申请实施例可能的其他实现方式中,检测系统100也可以不进行评分,例如检测系统100可以在父进程下访问行为与预设的行为模式匹配的进程的数量大于预设数量时,确定检测到勒索病毒。检测系统100可以将执行时产生父进程的文件确定为勒索病毒。In this way, the detection system 100 can determine the ransomware according to the above-mentioned first score and the second score. It should be noted that the detection system 100 determines the ransomware virus based on the above-mentioned first score and the second score is only an implementation of the embodiment of the present application, and in other possible implementations of the embodiment of the application, the detection system 100 may not For scoring, for example, the detection system 100 may determine that a ransomware virus is detected when the number of processes whose access behavior under the parent process matches a preset behavior pattern is greater than the preset number. The detection system 100 can determine that the file that generates the parent process during execution is a ransomware virus.
In this method, the detection system 100 associates the abnormal file access behaviors of multiple child processes under the same parent process to identify the abnormal behavior of ransomware that encrypts files through multiple processes, which improves the detection rate of ransomware and prevents service operation from being affected.
Based on the ransomware detection method provided in the embodiments of this application, the embodiments of this application further provide the detection system 100 described above. The detection system 100 provided in the embodiments of this application is described below with reference to the accompanying drawings.
Referring to the schematic structural diagram of the detection system 100 shown in FIG. 5, the system 100 includes:
an access monitoring module 102, configured to detect access behavior to decoy files and/or decoy directories;
a behavior detection module 104, configured to match the access behavior against a behavior pattern to obtain a matching result; and
a ransomware detection module 106, configured to determine ransomware according to the matching result.
In some possible implementations, the system 100 further includes:
an alarm module 108, configured to present alarm information to a user, where the alarm information includes one or more of the process identifier of a ransomware process, the path of the ransomware, the hash value of the ransomware, the command line of the ransomware, the access path of the ransomware process, and the access type of the ransomware process, the ransomware process being the process corresponding to the ransomware.
In some possible implementations, the system 100 further includes:
a security response module 110, configured to stop a ransomware process, the ransomware process being the process corresponding to the ransomware; or to block the ransomware.
In some possible implementations, the behavior pattern includes at least the following behaviors:
writing to a newly created non-decoy file under the decoy directory;
or renaming the decoy file.
In some possible implementations, the behavior pattern includes one or more of a first behavior pattern, a second behavior pattern and a third behavior pattern;
the first behavior pattern includes: reading the decoy file, writing to a newly created non-decoy file under the decoy directory, and deleting the decoy file;
the second behavior pattern includes: reading the decoy file, writing to the decoy file, and renaming the decoy file;
the third behavior pattern includes: renaming the decoy file, reading a newly created non-decoy file under the decoy directory, and writing to that non-decoy file under the decoy directory.
In some possible implementations, the access monitoring module 102 is specifically configured to:
obtain, from a file access message, the process identifier of a target process, the file path accessed by the target process, and the access type;
when the file path accessed by the target process matches the decoy directory, record the access behavior of the target process to the decoy directory, and match the file accessed by the target process against the decoy file;
when the file accessed by the target process matches the decoy file, record the access behavior of the target process to the decoy file; when the file accessed by the target process does not match the decoy file, record the access behavior of the target process to a non-decoy file under the decoy directory.
In some possible implementations, the access monitoring module 102 is further configured to:
when the access type is write, obtain the attributes of the decoy file and the attributes of the written file, where the written file includes the modified decoy file or the non-decoy file;
determine, according to the attributes of the decoy file and the attributes of the written file, whether the decoy file has been encrypted;
the ransomware detection module 106 is specifically configured to:
when the matching result indicates that the access behavior matches the behavior pattern and the target process has encrypted the decoy file, determine that the target process is a ransomware process and that the file that produces the target process when executed is ransomware.
In some possible implementations, the attributes of the decoy file include one or more of the size, entropy value or hash value of the decoy file.
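The following Python is an added example, not code from the patent or from the applicant, that walks the three modules described above (access monitoring, behavior detection, ransomware detection) over constructed file access messages: it keeps only accesses under a decoy directory, separates decoy files from newly created non-decoy files, matches each process's access sequence against the three behavior patterns listed earlier, and judges encryption of a decoy file from the size, entropy and hash attributes the text names. The decoy directory, file paths, the "key=value" message format, the sample file contents and the entropy threshold of 7 bits per byte are all assumptions of this example; for a write to a newly created non-decoy file, the decoy file most recently read by the same process is taken as the comparison reference, which is also an assumption.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed deployment: one decoy directory holding two decoy files (assumed paths).
DECOY_DIR = "/srv/share/_decoy"
DECOY_FILES = {"/srv/share/_decoy/budget.xlsx", "/srv/share/_decoy/notes.docx"}

# The three behavior patterns from the text as ordered (target kind, access type) steps.
# "decoy" = an existing decoy file; "new" = any other file under the decoy directory.
PATTERNS = {
    "first":  [("decoy", "read"), ("new", "write"), ("decoy", "delete")],
    "second": [("decoy", "read"), ("decoy", "write"), ("decoy", "rename")],
    "third":  [("decoy", "rename"), ("new", "read"), ("new", "write")],
}


def parse_message(line):
    """Parse one constructed 'pid=.. ppid=.. op=.. path=..' file access message."""
    fields = dict(token.split("=", 1) for token in line.split())
    return {"pid": int(fields["pid"]), "ppid": int(fields["ppid"]),
            "op": fields["op"], "path": fields["path"]}


def classify(path):
    """'decoy' for a decoy file, 'new' for another file under the decoy directory, else None."""
    if not path.startswith(DECOY_DIR + "/"):
        return None
    return "decoy" if path in DECOY_FILES else "new"


def record_accesses(lines):
    """Access monitoring: keep accesses inside the decoy directory, grouped per pid."""
    per_process, parents = defaultdict(list), {}
    for msg in map(parse_message, lines):
        kind = classify(msg["path"])
        if kind is None:
            continue                      # activity outside the decoy directory is not recorded
        parents[msg["pid"]] = msg["ppid"]
        per_process[msg["pid"]].append((kind, msg["op"], msg["path"]))
    return per_process, parents


def is_subsequence(pattern, accesses):
    """True when the pattern's steps occur in order (not necessarily adjacent) in the accesses."""
    i = 0
    for kind, op, _ in accesses:
        if i < len(pattern) and (kind, op) == pattern[i]:
            i += 1
    return i == len(pattern)


def match_patterns(accesses):
    """Behavior detection: names of the patterns a process's access sequence matches."""
    return [name for name, pattern in PATTERNS.items() if is_subsequence(pattern, accesses)]


def shannon_entropy(data):
    """Bits per byte: 0.0 for an empty buffer, 8.0 for uniformly distributed byte values."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_attributes(data):
    return {"size": len(data), "entropy": shannon_entropy(data),
            "hash": hashlib.sha256(data).hexdigest()}


def looks_encrypted(original, written, entropy_threshold=7.0):
    """Encryption judgment from the attributes the text names: content changed (hash differs)
    and the written bytes are near-random (entropy at or above an assumed threshold)."""
    before, after = file_attributes(original), file_attributes(written)
    return before["hash"] != after["hash"] and after["entropy"] >= entropy_threshold


def detect(lines, decoy_contents, written_contents):
    """Ransomware detection: flag a process when its accesses match a pattern AND a decoy file
    it wrote (directly, or as a new file after reading the decoy) now looks encrypted."""
    per_process, parents = record_accesses(lines)
    verdicts = {}
    for pid, accesses in per_process.items():
        encrypted, last_decoy = False, None
        for kind, op, path in accesses:
            if kind == "decoy" and op == "read":
                last_decoy = path
            if op == "write":
                reference = path if kind == "decoy" else last_decoy   # assumption, see lead-in
                if reference and looks_encrypted(decoy_contents[reference],
                                                 written_contents.get(path, b"")):
                    encrypted = True
        matched = match_patterns(accesses)
        verdicts[pid] = {"ppid": parents[pid], "patterns": matched, "encrypted": encrypted,
                         "ransomware": bool(matched) and encrypted}
    return verdicts


# Constructed content: a plain-text decoy and a high-entropy overwrite (every byte value occurs
# equally often, so the entropy is exactly 8 bits per byte). Not real ransomware output.
DECOY_CONTENT = {p: b"Q3 budget, department 12, confidential\n" * 20 for p in DECOY_FILES}
HIGH_ENTROPY = bytes(range(256)) * 4
SAMPLE_LINES = [
    "pid=4101 ppid=900 op=read path=/srv/share/_decoy/budget.xlsx",      # second pattern
    "pid=4101 ppid=900 op=write path=/srv/share/_decoy/budget.xlsx",
    "pid=4101 ppid=900 op=rename path=/srv/share/_decoy/budget.xlsx",
    "pid=4102 ppid=1 op=read path=/srv/share/_decoy/notes.docx",         # read only: benign
    "pid=4103 ppid=900 op=read path=/srv/share/_decoy/notes.docx",       # first pattern
    "pid=4103 ppid=900 op=write path=/srv/share/_decoy/notes.docx.locked",
    "pid=4103 ppid=900 op=delete path=/srv/share/_decoy/notes.docx",
    "pid=5000 ppid=1 op=write path=/srv/share/public/readme.txt",        # outside decoy dir
]
WRITTEN_CONTENT = {"/srv/share/_decoy/budget.xlsx": HIGH_ENTROPY,
                   "/srv/share/_decoy/notes.docx.locked": HIGH_ENTROPY}

if __name__ == "__main__":
    for pid, verdict in detect(SAMPLE_LINES, DECOY_CONTENT, WRITTEN_CONTENT).items():
        print(pid, verdict)
```

Process 4102, which only reads a decoy file, matches no pattern and is not flagged even though it touched the decoy; process 5000 never enters the records because its path lies outside the decoy directory. Both verdicts carry the parent pid so that the multi-process correlation step described later can group them.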
In some possible implementations, the access monitoring module 102 is further configured to:
obtain the parent process identifier of the target process;
detect, according to the parent process identifier, the access behavior of associated processes of the target process to the decoy file and/or the decoy directory, where the parent process identifier of an associated process is the same as the parent process identifier of the target process.
In some possible implementations, the ransomware detection module 106 is specifically configured to:
determine, according to the matching result of the access behavior of the target process against the behavior pattern and the matching result of the access behavior of the associated processes against the behavior pattern, the number of processes under the parent process whose access behavior matches the behavior pattern;
when the number of processes is greater than a preset number, determine the file that produces the parent process when executed to be ransomware.
In some possible implementations, the system 100 further includes:
a ransom note detection module 114, configured to identify a ransom note file according to the access behavior to non-decoy files under the decoy directory;
the ransomware detection module 106 is specifically configured to:
determine ransomware according to the matching result and the identification result of the ransom note file.
In some possible implementations, the ransomware detection module 106 is specifically configured to:
determine a first score according to the matching result, and determine a second score according to the identification result of the ransom note file;
determine ransomware according to the first score and the second score.
In some possible implementations, the system 100 further includes:
a whitelist filtering module 112, configured to match the attributes of the target process against the attributes of processes in a whitelist;
the behavior detection module 104 is specifically configured to:
when the attributes of the target process do not match the attributes of the processes in the whitelist, match the access behavior against the behavior pattern to obtain a matching result.
In some possible implementations, the system 100 further includes:
a decoy management module 116, configured to manage the decoy directory and/or the decoy files.
Specifically, the decoy management module 116 may generate and deploy the decoy directory and/or decoy files. Further, the decoy management module 116 may also update the decoy directory and/or decoy files. For example, the decoy management module 116 may adaptively update the decoy directory and/or decoy files according to changes in the applications, so as to prevent ransomware from bypassing the decoy directory and/or decoy files, which would lead to missed detection of the ransomware.
The detection system 100 according to the embodiments of this application may correspondingly perform the methods described in the embodiments of this application, and the above and other operations and/or functions of the modules/units of the detection system 100 are respectively intended to implement the corresponding procedures of the methods in the embodiments shown in FIG. 3 and FIG. 4. For brevity, they are not described here again.
The embodiments of this application further provide a computer cluster. The computer cluster includes at least one computer, which may be, for example, a server. In some embodiments, the computer cluster may be the cloud computing cluster 10 shown in FIG. 1, where the cloud computing cluster 10 includes at least one cloud server. In other embodiments, the computer cluster may be an edge computing cluster, which includes at least one edge server. The computer cluster is specifically configured to implement the functions of the ransomware detection system 100 in the embodiment shown in FIG. 5.
FIG. 6 provides a schematic structural diagram of a computer cluster. As shown in FIG. 6, the computer cluster 60 includes multiple computers 600, and each computer 600 includes a bus 601, a processor 602, a communication interface 603 and a memory 604. The processor 602, the memory 604 and the communication interface 603 communicate with one another through the bus 601.
The bus 601 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 6, but this does not mean that there is only one bus or only one type of bus.
The processor 602 may be any one or more of a central processing unit (CPU), a graphics processing unit (GPU), a microprocessor (MP), a digital signal processor (DSP), or other processors.
The communication interface 603 is configured to communicate with the outside. For example, the communication interface 603 is configured to present alarm information and the like to the user.
The memory 604 may include volatile memory, for example random access memory (RAM). The memory 604 may further include non-volatile memory, for example read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid state drive (SSD).
The memory 604 stores computer-readable instructions, and the processor 602 executes the computer-readable instructions so that the computer cluster 60 performs the aforementioned ransomware detection method (or implements the functions of the aforementioned ransomware detection system 100).
Specifically, when the embodiment of the system shown in FIG. 5 is implemented and the functions of the modules or units of the ransomware detection system 100 described in FIG. 5 are implemented by software, the software or program code required to perform the functions of the modules or units in FIG. 5 may be stored in at least one memory 604 in the computer cluster 60. At least one processor 602 executes the program code stored in the memory 604 so that the computer cluster 60 performs the aforementioned ransomware detection method.
The embodiments of this application further provide a computer-readable storage medium. The computer-readable storage medium may be any available medium that a computer can store, or a data storage device such as a data center that includes one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, a hard disk or a magnetic tape), an optical medium (for example, a DVD), a semiconductor medium (for example, a solid state drive), or the like. The computer-readable storage medium includes instructions that instruct a computer or a computer cluster to perform the above ransomware detection method.
The embodiments of this application further provide a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the procedures or functions according to the embodiments of this application are produced in whole or in part. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer or data center to another website, computer or data center in a wired manner (for example, coaxial cable, optical fiber or digital subscriber line (DSL)) or a wireless manner (for example, infrared, radio or microwave). The computer program product may be a software installation package; when any of the aforementioned ransomware detection methods needs to be used, the computer program product may be downloaded and executed on a computer or a computer cluster.
The descriptions of the procedures or structures corresponding to the above drawings each have their own emphasis. For a part that is not described in detail in a certain procedure or structure, reference may be made to the related descriptions of other procedures or structures.

Claims (22)

  1. A ransomware detection method, characterized in that the method comprises:
    detecting access behavior to a decoy file and/or a decoy directory;
    matching the access behavior against a behavior pattern to obtain a matching result; and
    determining ransomware according to the matching result.
  2. The method according to claim 1, characterized in that the method further comprises:
    presenting alarm information to a user, wherein the alarm information comprises one or more of the process identifier of a ransomware process, the path of the ransomware, the hash value of the ransomware, the command line of the ransomware, the access path of the ransomware process, and the access type of the ransomware process, the ransomware process being the process corresponding to the ransomware.
  3. The method according to claim 1 or 2, characterized in that the method further comprises:
    stopping a ransomware process, the ransomware process being the process corresponding to the ransomware; or
    blocking the ransomware.
  4. The method according to any one of claims 1 to 3, characterized in that the behavior pattern comprises at least the following behaviors:
    writing to a newly created non-decoy file under the decoy directory;
    or renaming the decoy file.
  5. The method according to any one of claims 1 to 4, characterized in that the behavior pattern comprises one or more of a first behavior pattern, a second behavior pattern and a third behavior pattern;
    the first behavior pattern comprises: reading the decoy file, writing to a newly created non-decoy file under the decoy directory, and deleting the decoy file;
    the second behavior pattern comprises: reading the decoy file, writing to the decoy file, and renaming the decoy file;
    the third behavior pattern comprises: renaming the decoy file, reading a newly created non-decoy file under the decoy directory, and writing to that non-decoy file under the decoy directory.
  6. The method according to any one of claims 1 to 5, characterized in that the detecting access behavior to a decoy file and/or a decoy directory comprises:
    obtaining, from a file access message, the process identifier of a target process, the file path accessed by the target process, and the access type;
    when the file path accessed by the target process matches the decoy directory, recording the access behavior of the target process to the decoy directory, and matching the file accessed by the target process against the decoy file;
    when the file accessed by the target process matches the decoy file, recording the access behavior of the target process to the decoy file; when the file accessed by the target process does not match the decoy file, recording the access behavior of the target process to a non-decoy file under the decoy directory.
  7. The method according to claim 6, characterized in that when the access type is write, the method further comprises:
    obtaining the attributes of the decoy file and the attributes of a written file, wherein the written file comprises the modified decoy file or the non-decoy file;
    determining, according to the attributes of the decoy file and the attributes of the written file, whether the decoy file has been encrypted;
    the determining ransomware according to the matching result comprises:
    when the matching result indicates that the access behavior matches the behavior pattern and the target process has encrypted the decoy file, determining that the target process is a ransomware process and that the file that produces the target process when executed is ransomware.
  8. The method according to claim 7, characterized in that the attributes of the decoy file comprise one or more of the size, entropy value or hash value of the decoy file.
  9. The method according to claim 6, characterized in that the method further comprises:
    obtaining the parent process identifier of the target process;
    the detecting access behavior to a decoy file and/or a decoy directory further comprises:
    detecting, according to the parent process identifier, the access behavior of associated processes of the target process to the decoy file and/or the decoy directory, wherein the parent process identifier of an associated process is the same as the parent process identifier of the target process.
  10. The method according to claim 9, characterized in that the determining ransomware according to the matching result comprises:
    determining, according to the matching result of the access behavior of the target process against the behavior pattern and the matching result of the access behavior of the associated processes against the behavior pattern, the number of processes under the parent process whose access behavior matches the behavior pattern;
    when the number of processes is greater than a preset number, determining the file that produces the parent process when executed to be ransomware.
  11. The method according to any one of claims 1 to 10, characterized in that the method further comprises:
    identifying a ransom note file according to the access behavior to non-decoy files under the decoy directory;
    the determining ransomware according to the matching result comprises:
    determining ransomware according to the matching result and the identification result of the ransom note file.
  12. The method according to claim 11, characterized in that the determining ransomware according to the matching result and the identification result of the ransom note file comprises:
    determining a first score according to the matching result, and determining a second score according to the identification result of the ransom note file;
    determining ransomware according to the first score and the second score.
  13. The method according to claim 6, characterized in that the method further comprises:
    matching the attributes of the target process against the attributes of processes in a whitelist;
    the matching the access behavior against a behavior pattern to obtain a matching result comprises:
    when the attributes of the target process do not match the attributes of the processes in the whitelist, matching the access behavior against the behavior pattern to obtain a matching result.
  14. A ransomware detection system, characterized in that the system comprises:
    an access monitoring module, configured to detect access behavior to a decoy file and/or a decoy directory;
    a behavior detection module, configured to match the access behavior against a behavior pattern to obtain a matching result; and
    a ransomware detection module, configured to determine ransomware according to the matching result.
  15. The system according to claim 14, characterized in that the system further comprises:
    an alarm module, configured to present alarm information to a user, wherein the alarm information comprises one or more of the process identifier of a ransomware process, the path of the ransomware, the hash value of the ransomware, the command line of the ransomware, the access path of the ransomware process, and the access type of the ransomware process, the ransomware process being the process corresponding to the ransomware.
  16. The system according to claim 14 or 15, characterized in that the system further comprises:
    a security response module, configured to stop a ransomware process, the ransomware process being the process corresponding to the ransomware; or to block the ransomware.
  17. The system according to any one of claims 14 to 16, characterized in that the behavior pattern comprises at least the following behaviors:
    writing to a newly created non-decoy file under the decoy directory;
    or renaming the decoy file.
  18. The system according to any one of claims 14 to 17, characterized in that the behavior pattern comprises one or more of a first behavior pattern, a second behavior pattern and a third behavior pattern;
    the first behavior pattern comprises: reading the decoy file, writing to a newly created non-decoy file under the decoy directory, and deleting the decoy file;
    the second behavior pattern comprises: reading the decoy file, writing to the decoy file, and renaming the decoy file;
    the third behavior pattern comprises: renaming the decoy file, reading a newly created non-decoy file under the decoy directory, and writing to that non-decoy file under the decoy directory.
  19. The system according to any one of claims 14 to 18, characterized in that the system further comprises:
    a ransom note detection module, configured to identify a ransom note file according to the access behavior to non-decoy files under the decoy directory;
    the ransomware detection module is specifically configured to:
    determine ransomware according to the matching result and the identification result of the ransom note file.
  20. A computer cluster, characterized in that the computer cluster comprises at least one computer, the at least one computer comprises at least one processor and at least one memory, the at least one memory stores computer-readable instructions, and the at least one processor executes the computer-readable instructions so that the computer cluster performs the method according to any one of claims 1 to 13.
  21. A computer-readable storage medium, characterized in that it comprises computer-readable instructions which, when run on a computer or a computer cluster, cause the computer or the computer cluster to perform the method according to any one of claims 1 to 13.
  22. A computer program product, characterized in that it comprises computer-readable instructions which, when run on a computer or a computer cluster, cause the computer or the computer cluster to perform the method according to any one of claims 1 to 13.
PCT/CN2022/107830 2022-02-08 2022-07-26 Ransomware detection method and related system WO2023151238A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210118704.3A CN116611058A (en) 2022-02-08 2022-02-08 Ransomware detection method and related system
CN202210118704.3 2022-02-08

Publications (1)

Publication Number Publication Date
WO2023151238A1 true WO2023151238A1 (en) 2023-08-17

Family

ID=87563533

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/107830 WO2023151238A1 (en) 2022-02-08 2022-07-26 Ransomware detection method and related system

Country Status (2)

Country Link
CN (1) CN116611058A (en)
WO (1) WO2023151238A1 (en)

Also Published As

Publication number Publication date
CN116611058A (en) 2023-08-18

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 22925597

Country of ref document: EP

Kind code of ref document: A1