WO2023151238A1

WO2023151238A1 - Ransomware detection method and related system

Info

Publication number: WO2023151238A1
Application number: PCT/CN2022/107830
Authority: WO
Inventors: 刘剑波
Original assignee: 华为云计算技术有限公司
Priority date: 2022-02-08
Filing date: 2022-07-26
Publication date: 2023-08-17
Also published as: CN116611058A

Abstract

Provided in the present application is a ransomware detection method. The method comprises: detecting an access behavior regarding a decoy file and/or a decoy directory; matching the access behavior with a behavior mode, so as to obtain a matching result; and determining ransomware according to the matching result. In the method, an access behavior regarding a decoy directory and/or a decoy file is detected, the access behavior is matched with a behavior mode in which ransomware encrypts a file, and ransomware is detected on the basis of a matching result, thereby improving the accuracy of ransomware detection and the detection speed.

Description

A kind of blackmail virus detection method and related system

This application claims the priority of the Chinese patent application with the application number 202210118704.3 and the title of the invention "A Ransomware Detection Method and Related System" submitted to the State Intellectual Property Office of China on February 08, 2022, the entire contents of which are incorporated by reference in this application.

technical field

The present application relates to the technical field of network security, and in particular to a ransomware virus detection method, system, computer cluster, computer-readable storage medium, and computer program product.

Background technique

With the development of the Internet, especially the development of the mobile Internet, malicious codes such as vulnerability scanning, virus and other attack codes can be widely spread in the network, and attack or infect the devices in the network, causing serious challenges to network security. At present, ransomware attacks have become one of the most serious network security threats, and ransomware attacks continue to grow, causing a huge impact on customers.

Ransomware generally traverses all directories of the client host through deep traversal, and encrypts key business/data files (such as database files, office documents, compressed files, videos, pictures, and source codes). Some ransomware will encrypt specified types of files exceeding a fixed size in a specific directory, making the encrypted files unable to be read normally and affecting the normal operation of the business. At the same time, the ransomware virus generates a ransom note file in the directory where the encrypted file is located. The customer can only obtain the decryption password/tool or the method to restore the normal operation of the system after paying the ransom based on the ransom note file.

How to quickly and effectively detect ransomware, and then reduce the impact of ransomware has become a key technology and challenge in the field of network security.

Contents of the invention

The present application provides a ransomware detection method, the method detects the access behavior to the bait directory and/or bait file, matches the access behavior with the behavior pattern of the ransomware encrypted file, detects the ransomware based on the matching result, and improves It improves the accuracy and speed of detecting ransomware. The present application also provides a ransomware detection system, a computer cluster, a computer-readable storage medium, and a computer program product corresponding to the above method.

In the first aspect, the present application provides a method for detecting ransomware. The method can be executed by a ransomware detection system. Wherein, the ransomware detection system may also be referred to as a detection system for short. In some embodiments, the detection system may be a software system, and the software system may be deployed in a computer cluster, and the computer cluster executes the ransomware detection method by running the program code of the software system. In other embodiments, the detection system may also be a hardware system for detecting ransomware. The embodiment of this application uses the ransomware detection system as an example for illustration.

Specifically, the detection system detects the access behavior of the decoy file and/or decoy directory, and then matches the access behavior with the behavior pattern (for example, the behavior pattern preset by the service provider) to obtain the matching result, and then according to the access behavior and The matching result of the behavior pattern determines the ransomware.

In this method, the detection system provides a general behavior pattern abstracted from the behavior of encrypted files based on the ransomware process (the process generated when the ransomware virus is executed), and compares the access behavior of the process to the lure file and/or lure directory with the above behavior pattern Matching is performed to identify whether the process is a ransomware process, thereby realizing the detection of ransomware viruses. Compared with the detection method based on the change of the decoy file, the detection method in the embodiment of the present application has higher accuracy, and avoids too many false positives affecting the normal operation of the business. Moreover, the method detects ransomware through simple behavior pattern matching, which improves the detection speed.

In some possible implementation manners, the detection system may also present warning information to the user. The warning information includes the process identifier of the ransomware process, the path of the ransomware virus, the hash value of the ransomware virus, the command line of the ransomware virus, the access path of the ransomware process, and the access type of the ransomware process One or more, the ransomware process is the process corresponding to the ransomware virus.

Wherein, the detection system may present the alarm information to the user through the alarm interface. In some embodiments, the detection system may also issue an alarm through a voice broadcast. In this way, the requirements of using the ransomware detection service in different scenarios, or the requirements of different users for the ransomware detection service can be met, and it has high availability. In addition, the detection system will give an alarm when it detects a ransomware virus, which can remind users to take precautions to ensure data security.

In some possible implementation manners, the detection system may perform a security response when detecting a ransomware virus. For example, the detection system may stop the ransomware process, the ransomware process is a process corresponding to the ransomware virus, specifically, it may be a process generated when the ransomware virus is executed. As another example, the detection system can block ransomware. Among them, the detection system can isolate the ransomware, for example, in a sandbox, so as to block the ransomware.

In this method, the detection system can prevent data from being encrypted by ransomware by stopping the ransomware process or blocking the ransomware virus, thereby ensuring data security and normal business operation.

In some possible implementation manners, the behavior mode includes at least the following behaviors: writing to a newly created non-bait file in the bait directory; or renaming the bait file. When ransomware encrypts files, it can usually write to newly created non-bait files in the bait directory, or rename the bait files. Therefore, the detection system combines access behaviors to bait directories and/or bait files Pattern matching can effectively improve the accuracy and speed of detecting ransomware.

In some possible implementations, the ransomware can read the source file, encrypt the source file, write a new file with an additional extension, and then delete the source file to implement extortion based on the above new file. Based on this, the behavior mode may include a first behavior mode, and the first behavior mode includes: reading the decoy file, writing a newly created non-decoy file under the decoy directory, and deleting the decoy file. Similarly, the ransomware can read the encrypted source file and write it back to the source file, and then rename it to a new file with an additional extension, so as to implement ransom based on the above-mentioned new file. Based on this, the behavior pattern may include a second behavior pattern, which includes: reading the bait file, writing the bait file, renaming the bait file (equivalent to writing the newly created bait file under the bait directory) non-bait files). The ransomware virus can also rename the source file to a new file with an additional extension, read the file content, and encrypt and write back the new file to implement blackmail based on the new file. Based on this, the behavior pattern may include a third behavior pattern, which includes: renaming the decoy file (equivalent to writing a newly created non-bait file under the decoy directory), reading the newly created decoy file under the decoy directory The non-bait file is written into the non-bait file in the bait directory.

In this method, the detection system can further improve the detection of ransomware by matching the access behavior of the decoy directory and/or decoy file with the behavior in the above-mentioned first behavior mode, second behavior mode and/or third behavior mode. The accuracy of the virus.

In some possible implementation manners, the detection system may obtain the process identifier of the target process, the file path accessed by the target process, and the access type from the file access message. For example, the detection system can obtain information such as the process identifier of the target process, the file path accessed by the target process, and the access type by parsing the file access message. When the file path accessed by the target process matches the decoy directory, record the access behavior of the target process to the decoy directory, and match the file accessed by the target process with the decoy file; when the target process When the accessed file matches the decoy file, record the access behavior of the target process to the decoy file; when the file accessed by the target process does not match the decoy file, record the target process’s access to the Access behavior of non-bait files in the bait directory.

In this method, the detection system matches the file path with the decoy directory by obtaining information such as the process identifier, the file path accessed by the process, and the access type from the file access message, and further matches the file path with the decoy directory when the file path matches the decoy directory The accessed files are matched with the decoy files, so as to detect the access behavior of the decoy directory and/or decoy files. This detection method has high accuracy and can meet the precision requirements for detecting ransomware.

In some possible implementation manners, when the access type is writing, the detection system may also acquire the attributes of the decoy file and the attributes of the written file. Wherein, the written file includes the modified decoy file or the non-decoy file. The detection system may determine whether to encrypt the decoy file according to the attribute of the decoy file and the attribute of the written file. Correspondingly, when the matching result indicates that the access behavior matches the behavior pattern, and the target process encrypts the decoy file, the detection system can determine that the target process is a blackmail process, and the target process is generated during execution files are ransomware.

In this method, on the basis of behavior matching, the detection system also combines the attributes of the decoy file and the changes in the attributes of the written file to filter the access behavior of non-encrypted files, further improving the accuracy of ransomware detection and avoiding ransomware. False positives affect the normal operation of the business.

In some possible implementation manners, the attribute of the decoy file includes one or more of a size, an entropy value, or a hash value of the decoy file. Encrypting the lure file by ransomware can cause the size of the lure file to change, the entropy value to change, and the hash value to change. Therefore, the detection system can identify suspicious encryption behaviors by detecting one or more of the size, entropy value, or hash value of the decoy file, thereby improving the accuracy of detecting ransomware.

In some possible implementation manners, the detection system may also obtain the parent process identifier of the target process. Correspondingly, the detection system may also detect the access behavior of the decoy file and/or the decoy directory by the associated process of the target process according to the parent process identifier. Wherein, the parent process ID of the associated process is the same as the parent process ID of the target process. That is, the target process and the associated process have the same parent process, and the target process and the associated process are child processes under the same parent process.

In this method, on the basis of detecting the access behavior of the target process to the decoy directory and/or decoy file, the detection system can further detect the access behavior of the associated process to the decoy directory and/or decoy file, thereby realizing the detection of multiple processes The behavior of encrypting bait files covers the scene where ransomware encrypts bait files through multiple processes to improve the detection rate of ransomware.

In some possible implementations, the detection system may determine that the access behavior under the parent process matches the behavior pattern according to the matching result of the access behavior of the target process and the behavior pattern and the matching result of the access behavior of the associated process and the behavior pattern the number of processes. When the number of the processes is greater than the preset number, the detection system may determine the file that generates the parent process during execution as a ransomware virus.

In this method, the detection system statistically analyzes the number of suspicious child processes (including the target process and associated processes) that have bait abnormal access under the parent process, and based on this number, identifies whether the parent process is a ransomware that encrypts files through multiple child processes parent process, thereby increasing the confidence in detecting ransomware.

In some possible implementation manners, the detection system may also identify the ransom note file according to the access behavior to the non-bait files in the lure directory. For example, the detection system can analyze whether the non-bait file in the bait directory written by the process has only write operations and no read operations, so as to identify whether the non-bait file is a ransom note file. Furthermore, the detection system can also identify whether the non-bait file is a ransom note file according to whether the name of the non-bait file includes the keywords of the dictionary of common names of ransom note files, such as readme, decrypt, restore, and recover, so as to improve the blackmail description file. Document recognition accuracy. Correspondingly, the detection system can determine the ransomware virus according to the matching result and the recognition result of the ransomware description file.

On the basis of behavior matching, the method also detects the ransomware by combining the identification of the ransomware description file, which improves the accuracy of the detection of the ransomware, and avoids false positives of the ransomware from affecting the normal operation of the business.

In some possible implementation manners, the detection system may determine the first score according to the matching result, determine the second score according to the recognition result of the ransom note file, and then the detection system may determine the second score based on the first score and the second score. Score to identify ransomware.

Specifically, the detection system may preset different base scores for different matching results, and the base scores may be set according to experience values. After obtaining the matching result, the detection system may determine a base score corresponding to the matching result, and determine the base score as the first score. Further, considering the fact that the target process accesses multiple decoy files, the detection system may also count the number of times the target process's access behavior to the decoy directory and/or decoy files matches the behavior pattern. Correspondingly, the detection system may also determine the first score according to the basic score, the behavior pattern matching weighted score and the matching times. Similarly, the detection system may set a weighted score for the ransom description file for the ransom description file. When the recognition result of the ransom description file is that the ransom description file has been identified, the detection system may match the weighted score according to the ransom description file to obtain a second score. The detection system may determine a total score based on the first score and the second score described above. In some embodiments, the total score may be the sum of the first score and the second score. The detection system can then determine the ransomware based on the total score. For example, when the total score is greater than the preset score, the detection system may determine that the process file of the target process is a ransomware virus, and determine that the target process is a ransomware process.

In this method, the detection system scores the ransomware through multiple dimensions such as behavior matching and ransomware description files, and comprehensively detects the ransomware with scores from different dimensions, which has a high degree of confidence.

In some possible implementation manners, the detection system may also match the attributes of the target process with the attributes of the processes in the whitelist. For example, match the process file hash of the target process with the process file hash of the process in the whitelist. When the attribute of the target process does not match the attribute of the process in the white list, the detection system matches the access behavior with the behavior pattern to obtain a matching result. In this way, abnormal access behaviors of processes in the whitelist can be filtered, and false positives of ransomware viruses caused by user misoperations can be avoided.

In the second aspect, the present application provides a ransomware detection system. The ransomware detection system may also be referred to simply as a detection system. The detection system includes the following functional modules:

An access monitoring module, used to detect access behaviors to bait files and/or bait directories;

A behavior detection module, configured to match the access behavior with a behavior pattern to obtain a matching result;

The ransomware detection module is configured to determine the ransomware according to the matching result.

In some possible implementations, the system also includes:

An alarm module, configured to present alarm information to the user, the alarm information including the process identifier of the ransomware process, the path of the ransomware virus, the hash value of the ransomware virus, the command line of the ransomware virus, the ransomware process One or more of the access path of the ransomware process and the access type of the ransomware process, the ransomware process is a process corresponding to the ransomware virus.

In some possible implementations, the system also includes:

The security response module is configured to stop the ransomware process, and the ransomware process is a process corresponding to the ransomware virus; or block the ransomware virus.

In some possible implementations, the behavior pattern includes at least the following behaviors:

Write to the newly created non-bait file under the bait directory;

Or rename said decoy file.

In some possible implementations, the behavior mode includes one or more of the first behavior mode, the second behavior mode and the third behavior mode;

The first behavior mode includes: reading the bait file, writing the newly created non-bait file under the bait directory, and deleting the bait file;

The second behavior mode includes: reading the bait file, writing the bait file, and renaming the bait file;

The third behavior mode includes: renaming the bait file, reading the newly created non-bait file in the bait directory, and writing the non-bait file in the bait directory.

In some possible implementation manners, the access monitoring module is specifically configured to:

From the file access message, obtain the process identification of the target process, the file path and access type accessed by the target process;

When the file path accessed by the target process matches the decoy directory, record the access behavior of the target process to the decoy directory, and match the file accessed by the target process with the decoy file;

When the file accessed by the target process matches the decoy file, record the access behavior of the target process to the decoy file; when the file accessed by the target process does not match the decoy file, record the decoy file. The access behavior of the target process to the non-bait files in the bait directory.

In some possible implementations, the access monitoring module is also used for:

When the access type is writing, the attribute of the decoy file and the attribute of the written file are obtained, and the written file includes the modified decoy file or the non-decoy file;

According to the attribute of the decoy file and the attribute of the written file, determine whether to encrypt the decoy file;

The ransomware detection module is specifically used for:

When the matching result indicates that the access behavior matches the behavior pattern, and the target process encrypts the decoy file, it is determined that the target process is a ransomware process, and the file that generates the target process is a ransomware virus during execution.

In some possible implementation manners, the attribute of the decoy file includes one or more of a size, an entropy value, or a hash value of the decoy file.

Obtain the parent process identifier of the target process;

According to the parent process ID, the access behavior of the associated process of the target process to the decoy file and/or the decoy directory is detected, and the parent process ID of the associated process is the same as the parent process ID of the target process.

In some possible implementation manners, the ransomware detection module is specifically configured to:

According to the matching result of the access behavior of the target process and the behavior pattern and the matching result of the access behavior of the associated process and the behavior pattern, determine the process of the parent process whose access behavior matches the behavior pattern quantity;

When the number of the processes is greater than the preset number, the file that generates the parent process during execution is determined to be a ransomware virus.

In some possible implementations, the system also includes:

A blackmail description detection module is used to identify the blackmail description file according to the access behavior to the non-bait files in the bait directory;

The ransomware detection module is specifically used for:

According to the matching result and the recognition result of the ransom note file, the ransomware is determined.

determining a first score according to the matching result, and determining a second score according to the recognition result of the ransom note file;

Determine the ransomware according to the first score and the second score.

In some possible implementations, the system also includes:

A whitelist filtering module, configured to match the attributes of the target process with the attributes of the processes in the whitelist;

The behavior detection module is specifically used for:

When the attribute of the target process does not match the attribute of the process in the white list, the access behavior is matched with the behavior pattern to obtain a matching result.

In a third aspect, the present application provides a computer cluster. The computer cluster includes at least one computer including at least one processor and at least one memory. The at least one processor and the at least one memory communicate with each other. The at least one processor is configured to execute the instructions stored in the at least one memory, so that the computer or computer cluster executes the ransomware detection method in the first aspect or any implementation manner of the first aspect.

In a fourth aspect, the present application provides a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and the instructions instruct a computer or a computer cluster to execute any implementation of the first aspect or the first aspect above The described ransomware detection method.

In the fifth aspect, the present application provides a computer program product containing instructions, which, when run on a computer or a computer cluster, causes the computer or computer cluster to perform the above-mentioned first aspect or any one of the implementations of the first aspect. ransomware detection method.

On the basis of the implementation manners provided in the foregoing aspects, the present application may further be combined to provide more implementation manners.

Description of drawings

In order to more clearly illustrate the technical methods of the embodiments of the present application, the following will briefly introduce the drawings required in the embodiments.

Fig. 1 is a schematic diagram of the architecture of a ransomware detection system provided in the embodiment of the present application;

Fig. 2 is the flowchart of a kind of blackmail virus detection method that the embodiment of the present application provides;

FIG. 3 is a schematic interface diagram of an alarm interface provided by an embodiment of the present application;

Fig. 4 is the flowchart of a kind of blackmail virus detection method that the embodiment of the present application provides;

FIG. 5 is a schematic structural diagram of a ransomware detection system provided in an embodiment of the present application;

FIG. 6 is a schematic structural diagram of a computer cluster provided by an embodiment of the present application.

Detailed ways

The terms "first" and "second" in the embodiments of the present application are used for description purposes only, and cannot be interpreted as indicating or implying relative importance or implicitly indicating the quantity of indicated technical features. Thus, a feature defined as "first" and "second" may explicitly or implicitly include one or more of these features.

First, some technical terms involved in the embodiments of the present application are introduced.

Ransomware, also known as ransomware or ransomware, is a special type of malware that is usually classified as a denial-of-access attack. The biggest difference between ransomware and other viruses lies in the method and poisoning method. Among them, a typical ransomware is to systematically encrypt files stored in computing devices, such as encrypting key business/data files, which can be database files, office documents, compressed files, videos, pictures and source files. One or more of the codes, and then ask the victim to pay a ransom to get back the decryption password/tool that the victim has no way of obtaining by himself in order to decrypt the file.

Ransomware usually spreads in the form of Trojan horse viruses. Specifically, ransomware disguises itself as seemingly harmless files. For example, ransomware can trick victims into clicking links to download through social engineering methods such as pretending to be ordinary emails, or, like many other worms, exploit software vulnerabilities to spread among networked computing devices.

In order to reduce the damage of ransomware, the industry provides some ransomware detection schemes to detect ransomware in advance, and then block the ransomware. The mainstream detection schemes include ransomware detection methods based on decoy files. Specifically, a fixed-type and fixed-size decoy file is deployed in the specified decoy directory, and known or unknown ransomware is identified by monitoring changes in the decoy file, such as changes in the size, entropy value, or type of the decoy file. However, the accuracy of the above method for detecting ransomware is not high, which may lead to misidentifying the business process as the ransomware process corresponding to the ransomware virus, affecting the normal operation of the business.

In view of this, the embodiment of the present application provides a ransomware detection method. The method can be executed by a ransomware detection system. For ease of description, the embodiment of the present application may also simply refer to the ransomware detection system as the detection system. In some embodiments, the detection system may be a software system, and the software system may be deployed in a computer cluster, and the computer cluster executes the ransomware detection method by running the program code of the software system. In other embodiments, the detection system may also be a hardware system for detecting ransomware. The embodiment of this application uses the ransomware detection system as an example for illustration.

It should be noted that the ransomware detection method of the embodiment of the present application is applicable to the scenario of quickly detecting known/unknown ransomware on a terminal (for example, a host)/server. Especially in the "cloud" scenario, when a large amount of business is run on the cloud server leased or purchased by the tenant and key business/data files are saved, the ransomware detection method in the embodiment of the present application can quickly occupy light-weight resources. Detect ransomware, so as to meet the timeliness of detection and light-weight resource consumption requirements.

In order to make the technical solution of the present application clearer and easier to understand, the system architecture of the embodiment of the present application will be introduced below with reference to the accompanying drawings.

Referring to the system architecture diagram of the ransomware detection system described in Fig. 1, in this example, tenants (such as individuals, enterprises or other group organizations) can lease or purchase one or more cloud servers in the cloud computing cluster 10 , to deploy tenant applications, for example, to deploy application 1 to application N, where N is a positive integer. FIG. 1 illustrates by deploying multiple applications. In some embodiments, a tenant may also deploy one application. A ransomware detection system 100 is also deployed in the cloud computing cluster 10 , which is referred to as the detection system 100 hereinafter for convenience of description.

The cloud computing cluster 10 establishes a communication connection with the terminal 20 . The terminal 20 is installed with a client, which may be, for example, a general client such as a browser, or a detection client specially used for ransomware detection. The detection system 100 in the cloud computing cluster 10 can detect the access behavior to the decoy file and/or decoy directory, and then match the access behavior with the behavior pattern to obtain the matching result, and then determine according to the matching result of the access behavior and the behavior pattern Ransomware.

Further, the detection system 100 may generate warning information according to the detected ransomware virus, and send the warning information to the terminal 20, so that the terminal 20 presents the warning information to the user. Wherein, the warning information includes the process identification of the ransomware process, the path of the ransomware virus, the hash value (hash) of the ransomware virus, the command line of the ransomware virus, the access path of the ransomware process, the ransomware process One or more of the access behaviors. In this embodiment, the ransomware process is a process corresponding to the ransomware virus.

It should be noted that when a ransomware virus is detected, the detection system 100 can also stop the ransomware process. In some embodiments, the detection system 100 can also block the ransomware when detecting the ransomware, that is, isolate the executable file of the ransomware. In this way, it is possible to prevent the ransomware process from encrypting the business/data files of the application, thereby causing the user's interests to be infringed.

The embodiment shown in FIG. 1 is an example of deploying the detection system 100 in a cloud computing cluster and detecting whether the application deployed in the cloud computing cluster includes a ransomware virus. In some possible implementations, the detection system 100 can also be deployed in A local computing device, such as a desktop computer or a notebook computer, is used to detect ransomware for applications deployed in the terminal 20 .

Next, from the perspective of the detection system 100, the ransomware detection method provided in the embodiment of the present application will be described in detail.

Referring to the flowchart of the ransomware detection method shown in Figure 2, the method includes:

S202: The detection system 100 obtains the process identifier of the target process, the file path accessed by the target process, and the access type from the file access message. When the file path accessed by the target process matches the decoy directory, execute S204. When the file path accessed by the target process does not match the decoy directory, execute S228.

Specifically, the file access message may be an application programming interface (application programming interface, API) call message for reading or writing a file. The message includes the process identification (process ID, PID) of the target process, the file path accessed by the target process, and the access type. The detection system 100 can obtain information such as the PID of the target process, the file path accessed by the target process, and the access type by parsing the file access message.

Wherein, the target process refers to a process performing a file access operation. A process is an instance of a running program. Programs are usually stored in the form of files, for example, in the form of binary files. When the program is triggered or executed, the code of the program and the data required for operation are loaded into the memory, and the operating system gives the memory unit loaded with the above code and data an identifier, that is, a PID. The access type refers to the type of operation on the file. In this embodiment, the access type may include reading and/or writing.

The file path accessed by the target process may indicate the directory of the file accessed by the target process. Based on this, the detection system 100 may match the directory of the file accessed by the target process with the decoy directory, so as to determine whether the target process accesses the decoy directory. When the directory of the file accessed by the target process matches the decoy directory (also called a spoofed directory, used to lure the extortion process to access), it indicates that the target process accesses the decoy directory, and the detection system 100 can execute S204. When the directory of the file accessed by the target process does not match the decoy directory, it indicates that the target process does not currently access the decoy directory, and the detection system 100 may execute S228 to end the current process without performing subsequent processes.

S204: The detection system 100 records the access behavior of the target process to the decoy directory, and matches the files accessed by the target process with the decoy files. When the file accessed by the target process matches the decoy file, execute S206. When the file accessed by the target process does not match the decoy file, execute S208.

Specifically, the detection system 100 can record the access behavior of the target process to the decoy directory in the access list. Further, the detection system 100 compares the files accessed by the target process (files read or written) with the decoy file (also called Deception files, used to lure the ransomware process to access, and perform file encryption) for matching, so as to determine whether the target process accesses the decoy file or accesses the non-decoy files in the decoy directory.

Wherein, the detection system 100 may obtain the attributes of the files accessed by the target process according to the PID of the target process. The attribute may include one or more of the name, size, hash value, entropy value, and type of the file. The detection system 100 can match the attribute of the file accessed by the target process with the attribute of the decoy file, for example, match the name, hash value or entropy value of the file accessed by the target process with the name, hash value or entropy value of the decoy file , so as to determine whether the file accessed by the target process is a decoy file or a non-bait file. When the attribute of the file accessed by the target process matches the attribute of the decoy file, the detection system 100 may determine that the target process accesses the decoy file, and execute S206. When the attribute of the file accessed by the target process does not match the attribute of the decoy file, the detection system 100 may determine that the target process accesses a non-bait file under the decoy directory, and execute S208.

S206: The detection system 100 records the access behavior of the target process to the decoy file.

Considering that one or more decoy files may be included in the decoy directory, the detection system 100 may record the PID of the target process, the attributes of the decoy file (such as one or more of name, hash value, and entropy value) and access type, In this way, the access behavior of the target process to the decoy file can be recorded. In this way, it can provide help for subsequent mathematical statistics for different lure files.

S208: The detection system 100 records the access behavior of the target process to the non-bait files in the bait directory.

To record the type of access behavior of the target process to the decoy file, the detection system 100 can record the PID of the target process, the attributes of the non-decoy file (such as one or more of name, hash value, and entropy value) and the access type, thereby Realize recording the access behavior of the target process to non-bait files in the bait directory. This can provide help for subsequent mathematical statistics for different non-bait files.

The above S202 to S208 is an implementation method for the detection system 100 to detect the access behavior of the decoy file and/or decoy directory. and/or access behavior of decoy directories. For example, the detection system 100 may receive an event of accessing a decoy file and/or a decoy directory reported by a target process, so as to detect an access behavior to a decoy file and/or a decoy directory.

S209: The detection system 100 acquires the attributes of the target process, and compares the attributes of the target process with the attributes of the processes in the whitelist. When the attribute of the target process is inconsistent with the attribute of the process in the white list, execute S210; when the attribute of the target process is consistent with the attribute of the process in the white list, execute S228.

The attribute of the process may include one or more of process name, process file path, process file hash, and process command line. Wherein, the process name may be determined according to the name of the file (also called a process file) that generates the process during execution. For example, when the executable file of the browser application is executed, a process named browser may be generated. The process file path refers to the path where the process file is located. The process file hash refers to the hash value obtained by hashing the process file. The process file can be executed on a graphical interface or through a command line tool. When the command line tool is used to execute the process file to generate a process, the attribute of the process may also include a process command line, that is, a command line for executing the process file.

Specifically, the detection system 100 can acquire the attributes of the target process according to the PID of the target process. Taking the attribute of the target process including the process file hash as an example, the detection system 100 can determine the process file hash of the target process and the process file hash of the processes in the white list, and compare the process file hash of the target process with the process file hash of the processes in the white list. Process file hash, so as to achieve process filtering. Wherein, the detection system 100 can call the interface of the process whitelist manager according to the process file hash of the target process, and compare the process file hash of the target process with the process file hash of the processes in the white list, so as to compare the target process with the Processes in the preset or manually imported whitelist are matched.

When the attribute of the target process (such as process file hash) is consistent with the attribute of the process in the white list, it indicates that the target process is a trusted process, and the detection system 100 can filter the target process, stop the ransomware detection, execute S228, and end the current process . When the attribute of the target process is inconsistent with the attribute of the process in the white list, it indicates that the target process does not belong to a trusted process, and the detection system 100 can execute S210 to continue to detect ransomware.

In this embodiment, the detection system 100 prevents users of client hosts or servers from accidentally accessing decoy targets or decoy files by performing whitelist filtering, resulting in false positives and blocking of business processes. It should be noted that the detection system 100 may not perform the above S209. For example, the detection system 100 may directly perform S210 to match the access behavior with a preset behavior pattern after detecting the access behavior to the decoy file and/or decoy directory.

S210: The detection system 100 matches the access behavior with the behavior pattern, and obtains a matching result. When the matching result indicates that the access behavior matches the behavior pattern, S212 is executed.

In order to detect ransomware, the detection system 100 can provide a general behavior pattern abstracted from the behavior of encrypted files of the ransomware. In this way, the detection system 100 can detect whether the access behavior of the target process matches the above-mentioned behavior pattern through behavior matching. This checks whether the target process is a ransomware process (the process corresponding to the ransomware virus, usually the process generated when the ransomware virus is executed).

Wherein, the preset behavior mode includes at least the following behaviors: writing the newly created non-bait file under the bait directory, or renaming the bait file. In some embodiments, the preset behavior patterns include one or more of the first behavior pattern, the second behavior pattern and the third behavior pattern.

Referring to Table 1, the first behavior pattern, the second behavior pattern and the third behavior pattern include the following behaviors respectively:

Table 1 Description of Behavior Modes

Specifically, the detection system 100 can match an access behavior in the access list with the first step in the first behavior pattern, the second behavior pattern, or the third behavior pattern (specifically reading the decoy file or renaming the decoy file) . When the access behavior matches the first step, the next access behavior in the access list is matched with the second step in the first behavior pattern, the second behavior pattern or the third behavior pattern. When the next access behavior matches the second step, another access behavior in the access list is matched with the third step in the first behavior pattern, the second behavior pattern or the third behavior pattern. When another access behavior matches the third step, it indicates that the access behavior of the target process matches the first behavior pattern, the second behavior pattern or the third behavior pattern. When the access behavior does not match any step in the above behavior matching process, the detection system 100 may stop the matching, and determine the matching result as the access behavior does not match the behavior pattern.

It should be noted that the behavior pattern provided by the detection system 100 can be set in advance, or can be set in real time when detecting the ransomware virus, which is not limited in this embodiment of the present application.

S212: For the access behavior whose access type is writing, the detection system 100 acquires the attributes of the decoy file and the attributes of the written file.

Because a ransomware virus usually generates a ransomware process when it is executed, and the ransomware process can encrypt files, therefore, for access behaviors whose access type is writing, the detection system 100 can further obtain the attributes of the decoy file and the attributes of the written file to determine the target Whether the process performs cryptographic behavior.

Wherein, the written file may be a modified bait file or a non-bait file in a bait directory. For example, when the access behavior matches the first behavior pattern, the written file may be a newly created non-bait file under the bait directory. For another example, when the access behavior matches the second behavior pattern, the written file may be a decoy file. For another example, when the access behavior matches the third behavior pattern, the written file may be a non-bait file in the bait directory.

The attributes of the lure file include one or more of the size, entropy value or hash value of the lure file. Similarly, writing a file includes writing one or more of a size, an entropy value, or a hash value of the file. It should be noted that when the decoy file is modified, the attributes of the decoy file are specifically the attributes of the decoy file before modification.

S214: The detection system 100 determines whether to encrypt the decoy file according to the attribute of the decoy file and the attribute of the written file.

Considering that after the decoy file is encrypted, the attributes of the decoy file such as size, entropy or hash value will usually change, the detection system 100 can compare the attributes of the decoy file with the attributes of the written file to determine whether the target process encrypts the decoy file . When the size, entropy value or hash value of the decoy file changes, the detection system 100 determines that the target process encrypts the decoy file; when the size, entropy value or hash value of the decoy file does not change, the detection system 100 determines the target process Decoy files are not encrypted.

The above S212 to S214 are optional steps in the embodiment of the present application, and the execution of the ransomware detection method in the embodiment of the present application may not execute the above S212 to S214. For example, the detection system 100 can directly determine the ransomware virus according to the matching result, without needing to detect whether the target process executes the encryption behavior.

S216: The detection system 100 identifies the ransom description file according to the access behavior to the non-bait files in the bait directory.

Specifically, the detection system 100 judges whether the access type of the target process's access behavior to the non-bait files in the bait directory includes writing, but not reading. 100 can identify the non-bait file as a ransom note file.

Further, in order to ensure reliability, the detection system 100 may also determine whether the name of the non-bait file includes keywords in a dictionary of commonly used names of ransom note files, such as readme, decrypt, restore, or recover. If yes, the detection system 100 determines the non-bait file as a ransom note file. Considering that the ransom note file is usually a small file, the detection system 100 can also compare the size of the non-bait file with a preset threshold, and if it is smaller than the preset threshold, the non-bait file can be determined as the ransom note file.

Further, the detection system 100 may also regard a non-bait file whose access type includes writing but not reading as a suspicious file, or when the non-baiting file meets the following conditions: the access type includes writing but not reading, and the file When the name includes the keywords of the common name dictionary of the ransom note file, it is determined as a suspicious file, and the number of suspicious files is counted. The detection system 100 can also compare the number of suspicious files with a set number, and when the number of suspicious files is greater than the set number, can identify the suspicious file as a ransom note file.

It should be noted that the above S216 is an optional step in the embodiment of the present application, and the above S216 may not be executed to execute the ransomware detection method in the embodiment of the present application.

S218: The detection system 100 determines a first score according to the matching result.

Specifically, the matching result may include the access behavior matching the behavior pattern, or the access behavior not matching the behavior pattern, and the detection system 100 may preset different base scores for different matching results, and the base score may be set according to experience values. After obtaining the matching result, the detection system 100 may determine a base score corresponding to the matching result, and determine the base score as the first score.

Further, considering the fact that the target process accesses multiple decoy files, the detection system 100 may also count the number n of times the target process's access behavior to the decoy directory and/or decoy files matches the behavior pattern. Correspondingly, the detection system 100 may determine the first score according to the above-mentioned basic score Score _base , the behavior pattern matching weighted score Score _{weight_modelmatch} , and the number n of matches.

For example, the detection system 100 can determine the first score Score ₁ through the following formula:

Score ₁ = Score _base + Score _{weight_modelmatch} (n-1) (1)

For ease of understanding, the following description will be made in combination with a specific example. In this example, when the access behavior matches the preset behavior pattern, the basic score is 70 points, and when the access behavior does not match the preset behavior pattern, the basic score is 0 points. Behavioral pattern matching has a weighted score of 10. When a target process encrypts 2 decoy files, so that the access behavior of the target process matches the preset behavior pattern twice, the detection system 100 can determine that the first score is: 70+10*(2-1)=80 point.

S220: The detection system 100 determines a second score according to the recognition result of the ransom note file.

Specifically, the detection system 100 may set a weighted score for the ransom description file. In order to distinguish the weighted score for matching behavior patterns, the embodiment of the present application may set the weighted score for the ransom description file as the weighted score for matching the ransom description file. Wherein, the matching weighted score of the ransom note file can be set according to the experience value, for example, it can be set to 15 points. When the recognition result of the ransom description file is that the ransom description file has been identified, the detection system 100 may match the weighted score according to the ransom description file to obtain a second score Score ₂ . For example, the second score may be equal to the ransom specification file matching weighted score.

S222: The detection system 100 determines the ransomware according to the first score and the second score.

Specifically, the detection system 100 can determine the total score _Scoretotal according to the first score and the second score, and then compare the total score with a preset score, and when the total score is greater than the preset score, the process of the target process can be determined The file is a ransomware virus, and the target process is determined to be a ransomware process.

It should be noted that the above S218 to S222 is an implementation of the detection system 100 in the embodiment of this application to determine the ransomware virus according to the matching result. In other possible implementations of the embodiment of the application, the detection system 100 can also directly The result determines the ransomware, for example, when the matching result indicates that the access behavior matches the preset behavior pattern, the process file of the target process is determined as a ransomware.

S224: The detection system 100 presents the warning information to the user.

Optionally, the detection system 100 may present warning information to the user when a ransomware virus is detected. The warning information includes the process identifier of the ransomware process, the path of the ransomware virus, the hash value of the ransomware virus, the command line of the ransomware virus, the access path of the ransomware process, and the access type of the ransomware process One or more of, the ransomware process is the process corresponding to the ransomware virus

Further, the detection system 100 can also determine the hazard level, and when the hazard level reaches a set level, an alarm message will be presented to the user. Wherein, the detection system 100 can set different scoring ranges for different hazard levels, so that the detection system 100 can determine the hazard level according to the scoring range of the total score.

For example, when the total score is between 70 and 80, that is, when 70<Score _total ≤80, the hazard level can be low risk; when the total score is between 80 and 90, that is, 80<Score _total ≤90, the hazard level can be It is medium risk; when the total score is above 90, that is, when Score _total >90, the hazard level can be high risk.

In some possible implementation manners, the detection system 100 may present alarm information to the user through an alarm interface. Referring to the schematic diagram of the alarm interface shown in FIG. 3, the alarm interface 300 includes alarm information 302, and the alarm information is used to prompt the user that a ransomware virus is detected. Further, the alarm information also prompts the user to the PID and process of the ransomware process corresponding to the ransomware virus File path (the path of the ransomware). In some embodiments, the detection system 100 may also give a warning prompt to the user through voice. As shown in FIG. 3 , the alarm interface 300 also carries a voice prompt control 304 , and when the voice prompt control 304 is triggered, the detection system 100 can give an alarm prompt by playing a voice.

S226: The detection system 100 stops the ransomware process and blocks the ransomware virus.

Considering safety, the detection system 100 can automatically stop the ransomware process and block the ransomware when it detects the ransomware. In some embodiments, after the detection system 100 presents the warning information to the user, the user confirms the warning information, and then stops the ransomware process and blocks the ransomware virus after obtaining the user's authorization or permission.

Referring to the schematic diagram of the alarm interface shown in FIG. 3 , the alarm interface 300 also carries a stop control 306 and a blocking control 307 . Wherein, when the stop control 306 is triggered, the detection system 100 can stop the ransomware process, and when the blocking control 307 is triggered, the detection system 100 can block the ransomware virus. Specifically, the detection system 100 can transfer the ransomware to a sandbox to block the ransomware. In some embodiments, the alarm interface 300 can also carry a skip control 308. When the skip control 308 is triggered, the detection system 100 can skip the ransomware without blocking or other processing.

The above S226 is an implementation manner for the detection system 100 to perform a security response to the ransomware virus. In other possible implementation manners of the embodiment of the present application, the detection system 100 may stop the ransomware process, or block the ransomware virus. The embodiment of the present application does not limit the manner in which the detection system 100 performs a security response.

S228: The detection system 100 ends the current process.

Based on the above description, the embodiment of the present application provides a ransomware detection method. In this method, the detection system 100 abstracts a general behavior pattern based on the behavior of the encrypted file of the ransom process, and matches the access behavior of the process to the decoy file and/or decoy directory with the above-mentioned behavior pattern, thereby identifying whether the process is a ransom process, Then realize the detection of ransomware. Compared with the detection method based on the change of the decoy file, the detection method in the embodiment of the present application has higher accuracy, and avoids too many false positives affecting the normal operation of the business. Moreover, the method detects ransomware through simple behavior pattern matching, which improves the detection speed.

Considering that the ransomware can also encrypt files through multiple processes, the detection system 100 can also detect the access behavior of multiple processes to the decoy file, so as to cover the scene where the ransomware encrypts files through multiple processes, thereby increasing the detection rate of the ransomware.

The ransomware detection method provided in the embodiment of the present application will be described in detail below with reference to the accompanying drawings.

Referring to the flowchart of the ransomware detection method shown in Figure 4, on the basis of the embodiment shown in Figure 2, the method also includes the following steps:

S230: The detection system 100 acquires the parent process identifier of the target process.

Specifically, the detection system 100 may search for the parent process ID of the target process according to the ID of the target process. Wherein, the parent process refers to the process that creates the target process, and the parent process identifier may be the PID of the parent process. Further, the detection system 100 may also acquire one or more of the name of the parent process, the file path of the parent process, the command line of the parent process, and the hash of the file of the parent process. The parent process file refers to the file that generates the parent process during execution, and the path of the parent process file is the path where the file that generates the parent process resides. The parent process can be generated by executing the parent process file on a graphical interface or by executing the parent process file through a command line tool. When the command line tool is used to execute the parent process file, the command line used to execute the parent process file is the parent process command line. The parent process file hash refers to the hash value obtained by hashing the parent process file.

S232: The detection system 100 detects the access behavior of the target process's associated process to the decoy file and/or decoy directory according to the parent process identifier.

Wherein, the associated process of the target process may be referred to as an associated process for short. The parent process ID of the associated process is the same as the parent process ID of the target process. That is, the target process and the associated process are multiple child processes of the same parent process. The detection system 100 may detect the access behavior of the associated process to the decoy file and/or decoy directory in a manner similar to the detection of the target process's access behavior to the decoy file and/or decoy directory.

Specifically, the detection system 100 obtains the file access message, and parses the file access message to obtain the process identifier of the associated process, the file path accessed by the associated process, and the access type. Then, the detection system 100 matches the file path accessed by the associated process with the decoy directory. When the file path accessed by the associated process matches the decoy directory, the detection system 100 may also match the file accessed by the associated process with the decoy file. If the file accessed by the associated process matches the decoy file, for example, the hash value of the file is consistent, then the detection system 100 records the access behavior of the associated process to the decoy file; if the file accessed by the associated process does not match the decoy file, for example, the hash value of the file If the values are inconsistent, the detection system 100 records the access behavior of the associated process to the non-bait files in the bait directory.

S234: The detection system 100 matches the access behavior of the associated process to the decoy file and/or decoy directory with the behavior pattern.

Similar to matching the access behavior of the target process to the decoy file and/or decoy directory with the preset behavior pattern, the detection system 100 can also match the access behavior of the associated process to the decoy file and/or decoy directory with the preset behavior pattern to match.

Wherein, the preset behavior pattern may include one or more of the first behavior pattern, the second behavior pattern and the third behavior pattern. Each behavior pattern is usually a combination of several behaviors. Taking the first behavior mode as an example, the first behavior mode includes the following three behaviors: 1. Read the decoy file; 2. Write the newly created non-bait file in the decoy directory; 3. Delete the decoy file.

The detection system 100 may match a behavior (such as the i-th behavior) in the access list of the associated process with the first behavior in the combination of behaviors included in the preset behavior pattern. When the first behavior is matched successfully, the next behavior in the access list is matched with the second behavior in the combination of the behaviors included in the preset behavior pattern. When the second behavior is successfully matched, the next behavior in the access list is matched with the third one in the combination of behaviors included in the preset behavior pattern. When the third behavior matches successfully, it indicates that the access behavior of the associated process to the decoy file and/or decoy directory matches the preset behavior pattern. When one of the preset behavior patterns fails to match, the current round of matching can be stopped, and the i+1th behavior in the access list of the associated process can be obtained for a new round of matching.

S236: The detection system 100 determines the number of processes whose access behavior matches the behavior pattern under the parent process.

The detection system 100 can count the number of processes whose access behavior matches a preset behavior pattern under the parent process, so as to detect the behavior of multi-process encrypted files. Specifically, the detection system 100 can search the abnormal access tracking list according to the PID of the parent process, and when the abnormal access tracking list is found, it can match the preset behavior pattern with the access behavior of the associated process to the decoy file and/or decoy directory As a result, the abnormal access tracking list is updated to count the processes whose access behavior under the parent process matches the preset behavior pattern.

When the detection system 100 does not find the abnormal access tracking list, the detection system 100 can also create an abnormal access tracking list with the PID of the parent process as the KEY, and according to the associated process's access behavior and preset The abnormal access tracking list is updated according to the matching result of the behavior pattern, so as to count the processes whose access behavior under the parent process matches the preset behavior pattern.

Correspondingly, when performing S218 to determine the first score, the detection system 100 may also determine the multi-process anomaly detection weighted score under the condition that the multi-process encrypted decoy file is met. On the basis of the single-process encrypted decoy file, the detection system 100 may also combine the multi-process anomaly detection weighted score Score _{weight_multiprocess} to determine the first score Score ₁ .

in,

Indicates the basic score of the i-th process, and n _i indicates the matching times of the i-th process. i can be a positive integer.

Wherein, the detection system 100 can compare the number of processes whose access behavior matches the preset behavior pattern under the parent process with the preset number, and when the number of processes whose access behavior matches the preset behavior pattern under the parent process is greater than the preset number , then it conforms to the multi-process encrypted decoy file, and the detection system 100 can determine the multi-process anomaly detection weighted score. It should be noted that the weighted score of multi-process anomaly detection can be set according to experience value, for example, it can be set to 15 points.

For ease of understanding, the following description will be made in combination with a specific example. Assuming that the access behavior of 3 processes under the parent process matches the preset behavior pattern, and the matching times of each process is 1, then the basic score of each process

(i takes the values of 1, 2, and 3 respectively) to be 70, the behavior pattern matching weighted score Score _{weight_modelmatch} is 10, and the multi-process anomaly detection weighted score Score _{weight_multiprocess} is 15. The first score Score ₁ may be max(70+10*0, 70+10*0, 70+10*0)+15=85 points.

In this way, the detection system 100 can determine the ransomware according to the above-mentioned first score and the second score. It should be noted that the detection system 100 determines the ransomware virus based on the above-mentioned first score and the second score is only an implementation of the embodiment of the present application, and in other possible implementations of the embodiment of the application, the detection system 100 may not For scoring, for example, the detection system 100 may determine that a ransomware virus is detected when the number of processes whose access behavior under the parent process matches a preset behavior pattern is greater than the preset number. The detection system 100 can determine that the file that generates the parent process during execution is a ransomware virus.

In this method, the detection system 100 identifies the abnormal behavior of the ransomware virus encrypting files through multiple processes by associating the abnormal file access behaviors of multiple child processes under the same parent process, so as to improve the detection rate of the ransomware virus and avoid business operations being affected .

Based on the ransomware detection method provided in the embodiment of the present application, the embodiment of the present application also provides a detection system 100 as described above. The detection system 100 provided by the embodiment of the present application will be introduced below with reference to the accompanying drawings.

Referring to the schematic structural diagram of the detection system 100 shown in FIG. 5, the system 100 includes:

An access monitoring module 102, configured to detect access behaviors to decoy files and/or decoy directories;

A behavior detection module 104, configured to match the access behavior with the behavior pattern to obtain a matching result;

The ransomware detection module 106 is configured to determine the ransomware according to the matching result.

In some possible implementations, the system 100 further includes:

The warning module 108 is configured to present warning information to the user, the warning information including the process identification of the ransomware process, the path of the ransomware virus, the hash value of the ransomware virus, the command line of the ransomware virus, the ransomware virus One or more of the access path of the process and the access type of the ransomware process, the ransomware process is a process corresponding to the ransomware virus.

In some possible implementations, the system 100 further includes:

The security response module 110 is configured to stop the ransomware process, and the ransomware process is a process corresponding to the ransomware virus; or block the ransomware virus.

Write to the newly created non-bait file under the bait directory;

Or rename said decoy file.

In some possible implementation manners, the access monitoring module 102 is specifically configured to:

In some possible implementations, the access monitoring module 102 is also configured to:

The ransomware detection module 106 is specifically used for:

Obtain the parent process identifier of the target process;

Detecting an access behavior of the decoy file and/or the decoy directory by an associated process of the target process according to the parent process ID, where the parent process ID of the associated process is the same as the parent process ID of the target process.

In some possible implementations, the ransomware detection module 106 is specifically configured to:

In some possible implementations, the system 100 further includes:

The blackmail description detection module 114 is used to identify the blackmail description file according to the access behavior to the non-bait files in the bait directory;

The ransomware detection module 106 is specifically used for:

Determine the ransomware according to the first score and the second score.

In some possible implementations, the system 100 further includes:

A whitelist filtering module 112, configured to match the attributes of the target process with the attributes of the processes in the whitelist;

The behavior detection module 104 is specifically used for:

In some possible implementations, the system 100 further includes:

The lure management module 116 is configured to manage lure directories and/or lure files.

Specifically, the decoy management module 116 may generate and deploy a decoy directory and/or a decoy file. Further, the lure management module 116 may also update the lure directory and/or the lure file. For example, the decoy management module 116 can adaptively update the decoy directory and/or decoy file according to the change of the application, so as to prevent the ransomware from bypassing the decoy directory and/or decoy file, thus resulting in false report of the ransomware.

The detection system 100 according to the embodiment of the present application can correspond to the implementation of the method described in the embodiment of the present application, and the above-mentioned and other operations and/or functions of the various modules/units of the detection system 100 are respectively in order to realize the For the sake of brevity, the corresponding processes of the methods in the embodiments are not repeated here.

The embodiment of the present application also provides a computer cluster. The computer cluster includes at least one computer, which may be a server, for example. In some embodiments, the computer cluster may be a cloud computing cluster 10 as shown in FIG. 1 . Wherein, the cloud computing cluster 10 includes at least one cloud server. In some other embodiments, the computer cluster may be an edge computing cluster. The edge computing cluster includes at least one edge server. The computer cluster is specifically used to implement the functions of the ransomware detection system 100 in the embodiment shown in FIG. 5 .

FIG. 6 provides a schematic structural diagram of a computer cluster. As shown in FIG. 6 , the computer cluster 60 includes multiple computers 600 , and the computers 600 include a bus 601 , a processor 602 , a communication interface 603 and a memory 604 . The processor 602 , the memory 604 and the communication interface 603 communicate through the bus 601 .

The bus 601 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus or the like. The bus can be divided into address bus, data bus, control bus and so on. For ease of representation, only one thick line is used in FIG. 6 , but it does not mean that there is only one bus or one type of bus.

The processor 602 may be a central processing unit (central processing unit, CPU), a graphics processing unit (graphics processing unit, GPU), a microprocessor (micro processor, MP) or a digital signal processor (digital signal processor, DSP) etc. Any one or more of them.

The communication interface 603 is used for communicating with the outside. For example, the communication interface 603 is used to present warning information and the like to the user.

The memory 604 may include a volatile memory (volatile memory), such as a random access memory (random access memory, RAM). Memory 604 can also include non-volatile memory (non-volatile memory), such as read-only memory (read-only memory, ROM), flash memory, hard disk drive (hard disk drive, HDD) or solid state drive (solid state drive) , SSD).

Computer-readable instructions are stored in the memory 604, and the processor 602 executes the computer-readable instructions, so that the computer cluster 60 executes the aforementioned ransomware detection method (or realizes the functions of the aforementioned ransomware detection system 100).

Specifically, in the case of implementing the embodiment of the system shown in FIG. 5, and the functions of the modules or units of the ransomware detection system 100 described in FIG. 5 are realized by software, each module or unit in FIG. 5 is executed Software or program code required for the functioning of the units may be stored in at least one memory 604 in the computer cluster 60 . At least one processor 602 executes the program code stored in the memory 604, so that the computer cluster 60 executes the aforementioned ransomware detection method.

The embodiment of the present application also provides a computer-readable storage medium. The computer-readable storage medium may be any available medium that can be stored by a computer, or a data storage device such as a data center including one or more available media. The available media may be magnetic media (eg, floppy disk, hard disk, magnetic tape), optical media (eg, DVD), or semiconductor media (eg, solid state hard disk), etc. The computer-readable storage medium includes instructions, and the instructions instruct a computer or a computer cluster to execute the above ransomware detection method.

The embodiment of the present application also provides a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on the computer, the processes or functions according to the embodiments of the present application will be generated in whole or in part. The computer instructions may be stored in or transmitted from one computer-readable storage medium to another computer-readable storage medium, e.g. (such as coaxial cable, optical fiber, digital subscriber line (DSL)) or wirelessly (such as infrared, wireless, microwave, etc.) to another website site, computer or data center. The computer program product may be a software installation package, and if any method of the aforementioned ransomware detection method needs to be used, the computer program product may be downloaded and executed on a computer or a computer cluster.

The description of the process or structure corresponding to each of the above drawings has its own emphasis. For the part that is not described in detail in a certain process or structure, you can refer to the relevant description of other processes or structures.

Claims

A method for detecting ransomware, characterized in that the method comprises:

Detect access to decoy files and/or decoy directories;

Matching the access behavior with the behavior pattern to obtain a matching result;

According to the matching result, the ransomware is determined.
The method according to claim 1, further comprising:

Presenting warning information to the user, the warning information including the process identification of the ransomware process, the path of the ransomware virus, the hash value of the ransomware virus, the command line of the ransomware virus, the access path of the ransomware process, the One or more of the access types of the ransomware process, the ransomware process is a process corresponding to the ransomware virus.
The method according to claim 1 or 2, characterized in that the method further comprises:

stop the ransomware process, the ransomware process is the process corresponding to the ransomware virus; or,

Block the ransomware.
The method according to any one of claims 1 to 3, wherein the behavior pattern includes at least the following behaviors:

Write to the newly created non-bait file under the bait directory;

Or rename said decoy file.
The method according to any one of claims 1 to 4, wherein the behavior pattern comprises one or more of the first behavior pattern, the second behavior pattern and the third behavior pattern;

The first behavior mode includes: reading the bait file, writing the newly created non-bait file under the bait directory, and deleting the bait file;

The second behavior mode includes: reading the bait file, writing the bait file, and renaming the bait file;

The third behavior mode includes: renaming the bait file, reading the newly created non-bait file in the bait directory, and writing the non-bait file in the bait directory.
The method according to any one of claims 1 to 5, wherein the detection of access behavior to the decoy file and/or decoy directory includes:

From the file access message, obtain the process identification of the target process, the file path and access type accessed by the target process;

When the file path accessed by the target process matches the decoy directory, record the access behavior of the target process to the decoy directory, and match the file accessed by the target process with the decoy file;

When the file accessed by the target process matches the decoy file, record the access behavior of the target process to the decoy file; when the file accessed by the target process does not match the decoy file, record the decoy file. The access behavior of the target process to the non-bait files in the bait directory.
The method according to claim 6, wherein when the access type is writing, the method further comprises:

Obtain the attributes of the decoy file and the attributes of the written file, the written file includes the modified bait file or the non-bait file;

According to the attribute of the decoy file and the attribute of the written file, determine whether to encrypt the decoy file;

According to the matching result, determining the ransomware virus includes:

When the matching result indicates that the access behavior matches the behavior pattern, and the target process encrypts the decoy file, it is determined that the target process is a ransomware process, and the file that generates the target process is a ransomware virus during execution.
The method according to claim 7, wherein the attribute of the decoy file includes one or more of the size, entropy value or hash value of the decoy file.
The method according to claim 6, further comprising:

Obtain the parent process identifier of the target process;

The detection of access behavior to the decoy file and/or decoy directory also includes:

Detecting an access behavior of the decoy file and/or the decoy directory by an associated process of the target process according to the parent process ID, where the parent process ID of the associated process is the same as the parent process ID of the target process.
The method according to claim 9, wherein said determining the ransomware according to the matching result includes:

According to the matching result of the access behavior of the target process and the behavior pattern and the matching result of the access behavior of the associated process and the behavior pattern, determine the process of the parent process whose access behavior matches the behavior pattern quantity;

When the number of the processes is greater than the preset number, the file that generates the parent process during execution is determined to be a ransomware virus.
The method according to any one of claims 1 to 10, further comprising:

According to the access behavior to the non-bait files in the bait directory, identify the ransom description file;

According to the matching result, determining the ransomware virus includes:

According to the matching result and the recognition result of the ransom note file, the ransomware is determined.
The method according to claim 11, wherein the determining the ransomware according to the matching result and the identification result of the ransom description file includes:

determining a first score according to the matching result, and determining a second score according to the recognition result of the ransom note file;

Determine the ransomware according to the first score and the second score.
The method according to claim 6, further comprising:

matching the attributes of the target process with the attributes of the processes in the whitelist;

The matching of the access behavior with the behavior pattern to obtain the matching result includes:

When the attribute of the target process does not match the attribute of the process in the white list, the access behavior is matched with the behavior pattern to obtain a matching result.
A ransomware detection system, characterized in that the system includes:

An access monitoring module, used to detect access behaviors to bait files and/or bait directories;

A behavior detection module, configured to match the access behavior with a behavior pattern to obtain a matching result;

The ransomware detection module is configured to determine the ransomware according to the matching result.
The system according to claim 14, further comprising:

An alarm module, configured to present alarm information to the user, the alarm information including the process identifier of the ransomware process, the path of the ransomware virus, the hash value of the ransomware virus, the command line of the ransomware virus, the ransomware process One or more of the access path of the ransomware process and the access type of the ransomware process, the ransomware process is a process corresponding to the ransomware virus.
The system according to claim 14 or 15, wherein the system further comprises:

The security response module is configured to stop the ransomware process, and the ransomware process is a process corresponding to the ransomware virus; or block the ransomware virus.
The system according to any one of claims 14 to 16, wherein the behavior pattern includes at least the following behaviors:

Write to the newly created non-bait file under the bait directory;

Or rename said decoy file.
The system according to any one of claims 14 to 17, wherein the behavior patterns include one or more of the first behavior pattern, the second behavior pattern and the third behavior pattern;

The first behavior mode includes: reading the bait file, writing the newly created non-bait file under the bait directory, and deleting the bait file;

The second behavior mode includes: reading the bait file, writing the bait file, and renaming the bait file;

The third behavior mode includes: renaming the bait file, reading the newly created non-bait file in the bait directory, and writing the non-bait file in the bait directory.
The system according to any one of claims 14 to 18, wherein the system further comprises:

A blackmail description detection module is used to identify the blackmail description file according to the access behavior to the non-bait files in the bait directory;

The ransomware detection module is specifically used for:

According to the matching result and the recognition result of the ransom note file, the ransomware is determined.
A computer cluster, characterized in that the computer cluster includes at least one computer, the at least one computer includes at least one processor and at least one memory, and computer-readable instructions are stored in the at least one memory, the At least one processor executes the computer readable instructions, causing the computer cluster to perform the method according to any one of claims 1 to 13.
A computer-readable storage medium, characterized in that it includes computer-readable instructions, and when the computer-readable instructions are run on a computer or a computer cluster, the computer or computer cluster executes any one of claims 1 to 13. method described in the item.
A computer program product, characterized in that it includes computer-readable instructions, and when the computer-readable instructions are run on a computer or a computer cluster, the computer or a computer cluster executes the computer or computer cluster according to any one of claims 1 to 13. described method.