
CN117938434A - A ransomware collaborative protection system based on cloud computing platform - Google Patents


Info

Publication number: CN117938434A
Authority: CN (China)
Prior art keywords: ransomware, cloud, backup, bait, file
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Application number: CN202311713539.7A
Other languages: Chinese (zh)
Inventors: 李良鑫, 辛晨, 陈川, 凌杰, 何巧莹
Current assignee: China Telecom Cloud Technology Co Ltd
Original assignee: China Telecom Cloud Technology Co Ltd
Application filed by China Telecom Cloud Technology Co Ltd; priority to CN202311713539.7A; publication of CN117938434A


Classifications

All classes below sit under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication).

    • H04L63/145: Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms (H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic)
    • H04L63/1491: Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment (same parent classes as above)
    • H04L67/1095: Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes (H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/10 Protocols in which an application is distributed across nodes in the network)
    • H04L67/12: Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks (H04L67/00 > H04L67/01 Protocols)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Medical Informatics (AREA)
  • Virology (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The present invention discloses a ransomware collaborative protection system based on a cloud computing platform, comprising a cloud backup module, a bait capture module, a security center module and a collaborative protection module. The cloud backup module is a cloud backup product provided by the cloud vendor and includes cloud host backup, cloud disk backup, file backup and database backup. The invention uses the advantages of the cloud computing platform to provide comprehensive ransomware protection for an enterprise's cloud services, improving the timeliness and accuracy of ransomware detection and enhancing the security and recoverability of enterprise data. Compared with existing general-purpose protection measures it is more efficient and more effective, achieving rapid response and collaborative protection for all hosts on the cloud platform as well as efficient, reliable backup and rapid recovery of data. The cloud backup module acts as a backstop when all other protection measures have failed, avoiding data loss and damage and giving users a last line of defense.

Description

A ransomware collaborative protection system based on a cloud computing platform

Technical field

The present invention relates to the technical field of ransomware collaborative protection systems, and in particular to a ransomware collaborative protection system based on a cloud computing platform.

Background

Ransomware is a type of malware that both spreads and destroys. Attackers typically exploit security misconfigurations and vulnerabilities of a host to break in and plant ransomware, which encrypts user data with a variety of cryptographic algorithms and then intimidates, coerces and extorts a large ransom from the user. It commonly spreads through spam, server intrusion, drive-by web pages (web page Trojans), bundled software and similar channels. Once a host is hit, the vast majority of its key files are encrypted, and encrypted files can almost never be decrypted by technical means; the only way to restore them is to pay the attacker a high ransom in exchange for the corresponding decryption private key. At present, the main protection measures against ransomware are the following:

1. Installing antivirus software: antivirus software can identify and remove known ransomware.

2. Using bait files to detect ransomware behavior dynamically: bait files are placed in key locations on the host and changes to them are monitored in real time (bait files are normally dummy files that users do not access under normal circumstances); once a bait file is modified, the activity is judged to be ransomware behavior.

3. Backing up data regularly: with regular backups, data can be restored after a ransomware incident, reducing the loss.

However, each of these methods has limitations and defects:

1. Antivirus software cannot identify and block unknown or variant ransomware and is easily bypassed.

2. Bait files only reveal ransomware behavior once the ransomware has touched a bait file; by the time the behavior is detected some files may already have been encrypted, so the loss cannot be prevented in time. Users may also access a bait file by mistake, so there is some probability of false alarms, which degrades the user experience.

3. Regular data backup is only a backstop that reduces losses: it cannot restore files to their latest state, cannot respond to a ransomware event in real time, and consumes a large amount of storage space and network bandwidth.

Summary of the invention

The purpose of this section is to outline some aspects of embodiments of the present invention and briefly introduce some preferred embodiments. Some simplifications or omissions may be made in this section, in the abstract and in the title of this application to avoid obscuring their purpose; such simplifications or omissions cannot be used to limit the scope of the present invention.

The present invention is proposed in view of the above problems existing in current ransomware collaborative protection systems based on cloud computing platforms.

Therefore, the purpose of the present invention is to provide a ransomware collaborative protection system based on a cloud computing platform that addresses the following problems: antivirus software cannot identify and block unknown or variant ransomware and is easily bypassed; bait files only reveal ransomware behavior once the ransomware has touched a bait file, by which time some files may already be encrypted and the loss cannot be prevented in time, and users may access a bait file by mistake, producing a certain probability of false alarms that degrade the user experience; and regular data backup is only a backstop that reduces losses, cannot restore files to their latest state, cannot respond to ransomware events in real time, and consumes a large amount of storage space and network bandwidth.

To solve the above technical problems, the present invention provides the following technical solution: a ransomware collaborative protection system based on a cloud computing platform, comprising a cloud backup module, a bait capture module, a security center module and a collaborative protection module, wherein:

the cloud backup module is a cloud backup product provided by the cloud vendor and includes cloud host backup, cloud disk backup, file backup and database backup; the backup method, backup frequency and backup scope can be customized; and after other protection measures have failed and a ransomware incident has occurred, the cloud backup module can quickly restore the data, ensuring its security and integrity and thereby providing users with a last line of defense;

the bait capture module is responsible for deploying bait files on the host to detect ransomware behavior dynamically, and when ransomware behavior is detected it generates an alert and reports it to the security center;

the security center module is responsible for collecting and forwarding the ransomware information reported by each host, analyzing and confirming that information, and issuing protection instructions;

the collaborative protection module is responsible for processing the ransomware information and protection instructions issued by the security center.

In a preferred embodiment of the ransomware collaborative protection system based on a cloud computing platform according to the present invention, the cloud backup module can use the large storage capacity and computing power provided by the cloud vendor to achieve high-speed transfer and encrypted storage of data, ensuring data integrity and security; the cloud backup module can flexibly configure backup and restore policies according to user needs, performing regular backups as well as full or incremental backups to meet the needs of different scenarios and applications.

In a preferred embodiment of the ransomware collaborative protection system based on a cloud computing platform according to the present invention, the cloud backup module can use the multi-region or multi-availability-zone features provided by the cloud vendor to back up and restore data across regions or availability zones, improving data reliability and availability; the bait capture module automatically and randomly generates realistic bait files, or selects bait files of a suitable type from a preset library, based on the file types and contents already present on the host and on common file types, and then generates the bait files according to the user configuration.

In a preferred embodiment of the ransomware collaborative protection system based on a cloud computing platform according to the present invention, the user configuration contains the file type, file name and file content; when the collaborative protection module receives a suspicious program feature value from the security center, it immediately scans the executable files of the currently running programs and continuously monitors files added afterwards.

In a preferred embodiment of the ransomware collaborative protection system based on a cloud computing platform according to the present invention, ransomware usually traverses files in forward or reverse order of their Unicode encoding; in a forward traversal, for example, a file whose name sorts earlier in Unicode order also appears earlier in the returned results. To ensure that the ransomware reaches the bait file first, the bait file name must sort first or last in the folder in Unicode order so that it is the first to be traversed. To achieve this, a one-character prefix is added at the start of the bait file name: if, before the bait is deployed, the first characters of the first and last normal file names are A and B respectively, the character that sorts one position before A and the character that sorts one position after B are obtained, and these are used as the prefixes of the bait file names.

In a preferred embodiment of the ransomware collaborative protection system based on a cloud computing platform according to the present invention, the bait capture module also updates and replaces bait files periodically to improve their credibility and effectiveness; bait files are usually placed in the system root directory, the root directory of each drive letter, the desktop directory, the user's home directory, key system directories and user-defined directories that need protection; when ransomware behavior is determined, the related executable program is isolated and reported to the security center.

In a preferred embodiment of the ransomware collaborative protection system based on a cloud computing platform according to the present invention, after the collaborative protection module receives an execution action from the security center, it handles it according to the action type: if the action type is release, the isolated file is restored and added to the whitelist; if the action type is block, the isolated file is deleted and added to the virus database.

In a preferred embodiment of the ransomware collaborative protection system based on a cloud computing platform according to the present invention, the bait capture module judges ransomware behavior dynamically by monitoring access events on the bait files: when a read operation and a write operation occur on the same bait file, it is determined to be ransomware behavior, and when a read operation and a delete operation occur on the same bait file, it is likewise determined to be ransomware behavior.

In a preferred embodiment of the ransomware collaborative protection system based on a cloud computing platform according to the present invention, after the collaborative protection module receives a suspicious program feature value from the security center, it immediately scans the executable files of the currently running programs and continuously monitors files added afterwards; when a program or file matching the feature value is found, the running program is terminated and the file is isolated.

In a preferred embodiment of the ransomware collaborative protection system based on a cloud computing platform according to the present invention, the specific operation flow is as follows:

S1. The cloud backup module backs up the key data on the host; the backup frequency, scope and method can be set according to user needs;

S2. The bait capture module generates and places bait files on the host to attract ransomware attacks;

S3. The bait capture module monitors access events on the bait files to detect ransomware behavior;

S4. If the bait capture module discovers ransomware behavior, it isolates the suspicious program and reports the event to the security center as an early warning;

S5. The security center distributes the feature value of the suspicious program to the collaborative protection modules of all hosts, achieving rapid response and collaborative protection for all hosts on the cloud platform;

S6. After receiving the suspicious program feature value from the security center, the collaborative protection module on each host immediately scans the executable files of the currently running programs and monitors the executable files of programs started later on that host; if a program matches the feature, it is terminated and its executable file is isolated as a suspicious file, effectively stopping the ransomware from spreading;

S7. The security center performs automated analysis and manual confirmation of the reported suspicious program and sends the result to the collaborative protection modules of all hosts for handling;

S8. After receiving the execution action from the security center, the collaborative protection module on each host performs the corresponding action: if the security center marks the program as released, the isolated file is restored and added to the whitelist; if it is marked as blocked, the corresponding file is deleted and its features are added to the virus database;

S9. If the ransomware bypasses the detection of step S3 and carries out a ransomware attack on the host, or has already encrypted some files on the host before the behavior is detected, the data is recovered from the files backed up in step S1, reducing data loss and damage.

Beneficial effects of the present invention:

The present invention proposes a collaborative protection system for hosts against ransomware in a cloud computing environment, consisting of four modules: a cloud backup module, a bait capture module, a security center module and a collaborative protection module. It makes full use of the advantages of the cloud computing platform to provide comprehensive ransomware protection for an enterprise's cloud services, improves the timeliness and accuracy of ransomware detection, and enhances the security and recoverability of enterprise data; compared with existing general-purpose protection measures it is more efficient and more effective.

The present invention proposes a collaborative protection mechanism that uses the network communication and messaging capabilities provided by the cloud vendor to achieve rapid response and collaborative protection for all hosts on the cloud platform. Once ransomware behavior is discovered on any node, the mechanism handles and blocks it immediately, responding as fast as possible, preventing the ransomware from spreading across the cloud platform and minimizing the loss.

The cloud backup module of the present invention relies on the mature backup products provided by the cloud vendor; backup methods and policies can be chosen flexibly according to user needs, achieving efficient, reliable backup and rapid recovery of data. The module acts as a backstop when all other protection measures have failed, avoiding data loss and damage and giving users a last line of defense.

Brief description of the drawings

To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art could obtain other drawings from them without creative effort. In the drawings:

FIG. 1 is a schematic diagram of the structure of the ransomware collaborative protection system based on a cloud computing platform proposed by the present invention;

FIG. 2 is a flow chart of the ransomware collaborative protection system based on a cloud computing platform proposed by the present invention.

Detailed description

To make the above objectives, features and advantages of the present invention clearer and easier to understand, specific embodiments of the present invention are described in detail below with reference to the accompanying drawings.

Many specific details are set forth in the following description to allow a full understanding of the present invention, but the present invention can also be implemented in ways other than those described here, and a person skilled in the art can make similar generalizations without departing from the spirit of the present invention; the present invention is therefore not limited to the specific embodiments disclosed below.

Secondly, "one embodiment" or "an embodiment" as used here refers to a particular feature, structure or characteristic that may be included in at least one implementation of the present invention. The phrase "in one embodiment" appearing in different places in this specification does not necessarily refer to the same embodiment, nor to an embodiment that is separately or selectively mutually exclusive with other embodiments.

Thirdly, the present invention is described in detail with reference to schematic diagrams. When the embodiments are described in detail, for convenience of explanation, cross-sectional diagrams showing device structure are partially enlarged without following the general scale; the schematic diagrams are only examples and should not limit the scope of protection of the present invention. In addition, in actual production the three-dimensional dimensions of length, width and depth should be taken into account.

Referring to FIG. 1 and FIG. 2, an embodiment of the present invention provides a ransomware collaborative protection system based on a cloud computing platform, comprising a cloud backup module, a bait capture module, a security center module and a collaborative protection module, wherein:

the cloud backup module is a cloud backup product provided by the cloud vendor and includes cloud host backup, cloud disk backup, file backup and database backup; the backup method, backup frequency and backup scope can be customized; and after other protection measures have failed and a ransomware incident has occurred, the cloud backup module can quickly restore the data, ensuring its security and integrity and thereby providing users with a last line of defense;

the bait capture module is responsible for deploying bait files on the host to detect ransomware behavior dynamically, and when ransomware behavior is detected it generates an alert and reports it to the security center;

the security center module is responsible for collecting and forwarding the ransomware information reported by each host, analyzing and confirming that information, and issuing protection instructions;

the collaborative protection module is responsible for processing the ransomware information and protection instructions issued by the security center.

Furthermore, the cloud backup module can use the large storage capacity and computing power provided by the cloud vendor to achieve high-speed transfer and encrypted storage of data, ensuring data integrity and security; the cloud backup module can flexibly configure backup and restore policies according to user needs, performing regular backups as well as full or incremental backups to meet the needs of different scenarios and applications.

Furthermore, the cloud backup module can use the multi-region or multi-availability-zone features provided by the cloud vendor to back up and restore data across regions or availability zones, improving data reliability and availability. The bait capture module automatically and randomly generates realistic bait files, or selects bait files of a suitable type from a preset library, based on the file types and contents already present on the host and on common file types, and then generates the bait files according to the user configuration.

Furthermore, the user configuration contains the file type, file name and file content; when the collaborative protection module receives a suspicious program feature value from the security center, it immediately scans the executable files of the currently running programs and continuously monitors files added afterwards.

Furthermore, ransomware usually traverses files in forward or reverse order of their Unicode encoding; in a forward traversal, for example, a file whose name sorts earlier in Unicode order also appears earlier in the returned results. To ensure that the ransomware reaches the bait file first, the bait file name must sort first or last in the folder in Unicode order so that it is the first to be traversed. To achieve this, a one-character prefix is added at the start of the bait file name: if, before the bait is deployed, the first characters of the first and last normal file names are A and B respectively, the character that sorts one position before A and the character that sorts one position after B are obtained, and these are used as the prefixes of the bait file names.
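The prefix selection described above, as an added example that is not part of the patent: given the names already present in a directory it derives the two one-character prefixes and checks that the decoy names land first and last in code-point order. The forbidden-character set (so that a prefix is never a path separator, control character or leading dot) and the fallback prefixes for an empty directory are this example's own assumptions.

```python
"""Bait-name prefix selection following the patent's rule: the decoy must sort
first or last among the real files in code-point (Unicode) order. Constructed
example; the forbidden-character set is an assumption, not from the patent."""
from typing import Iterable, List, Tuple

# Code points never wanted as the first character of a bait name: path
# separators and reserved punctuation on Windows, C0/C1 control characters,
# DEL, non-breaking space, a leading dot (hidden file on Unix) or space.
_FORBIDDEN = set('\\/:*?"<>|. ') | {chr(c) for c in range(0x20)} \
    | {chr(c) for c in range(0x7F, 0xA1)}


def _usable(code: int) -> bool:
    """Reject forbidden characters and the UTF-16 surrogate range."""
    return not (0xD800 <= code <= 0xDFFF) and chr(code) not in _FORBIDDEN


def neighbour(ch: str, direction: int) -> str:
    """Nearest usable character `direction` (-1 or +1) code points away from
    `ch`, stepping further when the immediate neighbour is not usable (e.g.
    the character before '0' is '/', which cannot start a file name)."""
    code = ord(ch) + direction
    while 0 <= code <= 0x10FFFF:
        if _usable(code):
            return chr(code)
        code += direction
    raise ValueError(f"no usable neighbour for {ch!r}")


def bait_prefixes(existing: Iterable[str]) -> Tuple[str, str]:
    """Return (front, back): `front` sorts one usable code point before the
    first character of the first existing name, `back` one usable code point
    after the first character of the last existing name. For an empty
    directory '!' and '~' are used (assumption; any usable extremes would do)."""
    names = sorted(n for n in existing if n)
    if not names:
        return "!", "~"
    return neighbour(names[0][0], -1), neighbour(names[-1][0], +1)


def place_baits(existing: List[str], bait_base: str) -> Tuple[str, str]:
    """Build the two decoy names and return them as (head, tail)."""
    front, back = bait_prefixes(existing)
    return front + bait_base, back + bait_base


def brackets_listing(existing: List[str], head: str, tail: str) -> bool:
    """Check the patent's invariant: in a code-point ordered listing the decoys
    are the first and the last entry, so a forward or a reverse traversal
    reaches a decoy before any real file."""
    listing = sorted(existing + [head, tail])
    return listing[0] == head and listing[-1] == tail


if __name__ == "__main__":
    files = ["0001.txt", "budget.xlsx", "report.docx"]  # constructed directory
    head, tail = place_baits(files, "secret.docx")
    print(head, tail, brackets_listing(files, head, tail))
```

Note that `sorted()` on Python strings compares by code point, which is the ordering the patent assumes; a filesystem that enumerates in a different order (hash order, case-folded order) does not give the same guarantee.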

进一步,诱饵捕获模块还会定期更新和替换诱饵文件,以提高其可信度和有效性,诱饵文件通常存放位置为系统的根目录、每个盘符的根目录、桌面目录、用户主目录,系统的关键目录,用户自定义需要防护的目录,当判定为勒索行为则隔离相关可执行程序并上报给安全中心。Furthermore, the bait capture module will regularly update and replace bait files to improve their credibility and effectiveness. Bait files are usually stored in the system's root directory, the root directory of each drive letter, the desktop directory, the user's home directory, the system's key directories, and user-defined directories that need to be protected. When it is determined to be a ransomware behavior, the relevant executable program will be isolated and reported to the security center.

Further, after the collaborative protection module receives an execution action issued by the security center, it processes it according to the action type: if the action type is release, the quarantined file is restored and added to the whitelist; if the action type is intercept, the quarantined file is deleted and added to the virus database.

Further, the bait capture module judges ransomware behavior dynamically by monitoring access events on the bait files: when a read operation and a write operation occur on the same bait file, or a read operation and a delete operation occur on the same bait file, the behavior is judged to be ransomware.

Further, when the collaborative protection module receives a suspicious-program feature value issued by the security center, it immediately scans the executable files of the currently running programs and continues to monitor files added afterwards; when a program or file matching the feature value is found, the running program is terminated and the file is quarantined.
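The detection rule (read then write, or read then delete, on one bait file) and the collaborative response described in the two paragraphs above (feature value fanned out by the security center, matching on every host, release/intercept actions) modelled together in Python, as an added example that is not the patent's code. It assumes that the feature value is a SHA-256 digest of the executable's contents, that hosts, processes and access events are constructed in-memory samples, and that the originating host quarantines the offending process through the same feature match as the other hosts; all names are hypothetical.

```python
# Added example, not the patent's code: the bait-access rule plus the collaborative response.
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AccessEvent:
    host: str
    pid: int
    exe_bytes: bytes   # contents of the accessing executable (constructed in-memory sample)
    bait: str          # bait file path
    op: str            # "read", "write" or "delete"

def feature_value(exe_bytes: bytes) -> str:
    return hashlib.sha256(exe_bytes).hexdigest()   # feature value = SHA-256 (assumption)

@dataclass
class CollaborativeProtection:
    running: dict[int, bytes] = field(default_factory=dict)     # pid -> exe bytes
    blocked: set[str] = field(default_factory=set)              # feature values to match
    quarantine: dict[str, bytes] = field(default_factory=dict)  # feature -> isolated file
    whitelist: set[str] = field(default_factory=set)
    virus_db: set[str] = field(default_factory=set)

    def receive_feature(self, fv: str) -> list[int]:
        """S6: scan programs running now; later starts go through start_process."""
        self.blocked.add(fv)
        return [pid for pid in list(self.running) if self._check(pid)]

    def start_process(self, pid: int, exe_bytes: bytes) -> bool:
        self.running[pid] = exe_bytes
        return self._check(pid)   # True if terminated and quarantined

    def _check(self, pid: int) -> bool:
        fv = feature_value(self.running[pid])
        if fv in self.blocked and fv not in self.whitelist:
            self.quarantine[fv] = self.running.pop(pid)   # terminate and isolate
            return True
        return False

    def receive_action(self, fv: str, action: str) -> None:
        """S8: release restores and whitelists; intercept deletes and records."""
        self.blocked.discard(fv)
        self.quarantine.pop(fv, None)   # restored (release) or deleted (intercept)
        if action == "release":
            self.whitelist.add(fv)
        elif action == "intercept":
            self.virus_db.add(fv)
        else:
            raise ValueError(f"unknown action {action!r}")

class BaitMonitor:
    """S3/S4: read then write, or read then delete, on one bait by one process."""
    def __init__(self, whitelist: set[str]):
        self.whitelist = whitelist
        self._reads: set[tuple[str, int, str]] = set()

    def observe(self, ev: AccessEvent) -> dict | None:
        key = (ev.host, ev.pid, ev.bait)
        if ev.op == "read":
            self._reads.add(key)
            return None
        fv = feature_value(ev.exe_bytes)
        if ev.op in ("write", "delete") and key in self._reads and fv not in self.whitelist:
            return {"host": ev.host, "pid": ev.pid, "bait": ev.bait,
                    "ops": ("read", ev.op), "feature": fv}
        return None

def distribute_feature(hosts: dict[str, CollaborativeProtection], alert: dict) -> None:
    """S5: the security center fans the feature value out to every host."""
    for h in hosts.values():
        h.receive_feature(alert["feature"])

def distribute_action(hosts: dict[str, CollaborativeProtection], fv: str, action: str) -> None:
    """S7/S8: the security center distributes the confirmed verdict to all hosts."""
    for h in hosts.values():
        h.receive_action(fv, action)

def run_scenario() -> tuple[dict, dict[str, CollaborativeProtection]]:
    """Embodiment 3 flow: host A trips a bait; B and C block the lateral copy."""
    malware = b"constructed sample, not a real binary"
    hosts = {name: CollaborativeProtection() for name in "ABC"}
    hosts["A"].running[4242] = malware             # ransomware already running on A
    monitor = BaitMonitor(whitelist=set())
    for op in ("read", "write"):                   # A's process reads, then overwrites a bait
        alert = monitor.observe(AccessEvent("A", 4242, malware, "C:/Users/u/@bait.docx", op))
    distribute_feature(hosts, alert)               # A quarantines pid 4242 on the match
    hosts["B"].start_process(777, malware)         # the same binary starts on B: blocked
    distribute_action(hosts, alert["feature"], "intercept")
    return alert, hosts
```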

The operation flow of the specific embodiment is as follows:

S1. The cloud backup module backs up the key data on the host; the backup frequency, scope and method can be set according to the user's needs;

S2. The bait capture module generates and places bait files on the host to attract ransomware attacks;

S3. The bait capture module monitors access events on the bait files to detect ransomware behavior;

S4. If the bait capture module detects ransomware behavior, it quarantines the suspicious program and reports the event to the security center for early warning;

S5. The security center distributes the suspicious-program feature value to the collaborative protection modules of all hosts, achieving rapid response and collaborative protection for all hosts on the cloud platform;

S6. After receiving the suspicious-program feature value issued by the security center, the collaborative protection module on each host immediately scans the executable files of the currently running programs and monitors the executable files of programs started later on the local host; if a program matches the feature, it is terminated and its executable file is quarantined as a suspicious file, effectively stopping the ransomware from spreading;

S7. The security center performs automated analysis and manual confirmation of the reported suspicious program, and sends the result to the collaborative protection modules of all hosts for processing;

S8. After receiving the execution action issued by the security center, the collaborative protection module on each host executes the corresponding action: if the security center marks the program as released, the quarantined file is restored and added to the whitelist; if it is marked as intercepted, the corresponding file is deleted and its file signature is added to the virus database;

S9. If the ransomware bypasses the detection in step S3 and carries out an attack on the host, or has already encrypted some files on the host before the ransomware behavior is detected, data is recovered from the files backed up in step S1, reducing data loss and damage.

Embodiment 2:

Compared with static protection methods such as traditional antivirus software or firewalls, the bait capture module has the following advantages:

The module can dynamically generate bait files on the host and monitor and record access to them, building a constantly changing bait environment that is hard for an attacker to notice, which effectively attracts and identifies host ransomware;

Based on the monitoring and recording of the bait files, the module dynamically judges whether a file or program on the host exhibits ransomware behavior and generates alarm information, so that host ransomware is discovered and warned of in time;

The module can dynamically adjust how bait files are generated and distributed, as well as the rules or algorithms used for dynamic judgment, according to the characteristics and behavior of different host ransomware, improving its ability to detect and identify host ransomware.

Compared with traditional single-host protection, the security center and collaborative response module have the following advantages:

The security center module can centrally manage and process alarm information from each host, providing a global view and unified control of ransomware attacks on all hosts of the cloud platform;

The collaborative protection module can use the network communication and messaging capabilities provided by the cloud vendor to achieve rapid response and collaborative protection for all hosts on the cloud platform; once ransomware behavior is discovered, the protection system can process and block it immediately, responding as quickly as possible, preventing the ransomware from spreading across the cloud platform and keeping losses to a minimum;

The security center module and the collaborative protection module can dynamically adjust the file quarantine or recovery strategy according to different alarm information and processing instructions, improving flexible protection and optimized handling for all hosts on the cloud platform.

Embodiment 3:

In this embodiment, assume three cloud hosts A, B and C, each running different services and data, all with the protection system provided by the invention installed. The workflow is as follows:

S1: The user configures the following according to their needs: the data backup method, frequency and scope; the user-defined directories in which bait files are to be placed; and the bait file generation parameters, including bait file type, bait file name and bait file content (this item can be omitted, in which case the system generates them dynamically);

S2: The cloud backup module periodically backs up the data on hosts A, B and C according to the user configuration;

S3: The bait capture module generates multiple bait files in the following three kinds of location on hosts A, B and C: the system root directory, the desktop directory and the user's home directory; key system directories; and the user-defined directories that need protection. Assuming the user has set bait file generation to automatic, the bait capture module scans the file types present on the local host and, based on them and on commonly used file types, randomly generates bait files of the corresponding types or selects them from a preset library, adds the file name prefix, and deploys them on each host;

S4: The bait capture module periodically updates the bait files to increase their credibility and effectiveness;

S5: The bait capture module monitors access events on the bait files dynamically deployed on the local host;

S6: Assume that a ransomware program infects host A over the network and encrypts or deletes files on host A. As soon as the ransomware accesses a bait file, the corresponding event is triggered; the bait capture module judges, according to the preset rules and algorithms and excluding whitelisted programs, whether ransomware behavior has occurred. If it has, the bait capture module immediately terminates the ransomware to prevent further loss, encrypts its executable file and moves it to the quarantine directory; at the same time, it sends alarm information to the security center, including host information, process information, executable file information and the bait file access actions;

S7: The security center distributes the suspicious-program feature value to the collaborative protection modules of hosts B and C;

S8: After receiving the suspicious-program feature value issued by the security center, the collaborative protection modules of hosts B and C immediately scan the executable files of the currently running programs and monitor the executable files of programs started later on the local host; if a program matches the feature, it is terminated and its executable file is quarantined as a suspicious file. In this way, if the ransomware spreads laterally from host A to hosts B and C, the protection system can process and block it immediately, responding as quickly as possible;

S9: The security center performs automated analysis of the reported suspicious program and prompts the user to confirm the result; once confirmed, the result is sent to the collaborative protection modules of hosts A, B and C for processing;

S10: After receiving the execution action issued by the security center, the collaborative protection modules on hosts A, B and C execute the corresponding action: if the security center marks the program as released, the quarantined file is restored and added to the whitelist; if it is marked as intercepted, the corresponding file is deleted and its file signature is added to the virus database;

S11: If the ransomware bypasses the detection in step S6 and carries out an attack on the host, or has already encrypted some files on the host before the ransomware behavior is detected, data is recovered from the files backed up in step S2.

It should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the present invention may be modified or replaced by equivalents without departing from the spirit and scope of the technical solution of the present invention, and all such modifications fall within the scope of the claims of the present invention.

Claims (10)

1. A ransomware collaborative protection system based on a cloud computing platform, characterized in that it comprises a cloud backup module, a bait capture module, a security center module and a collaborative protection module, wherein:
the cloud backup module is a cloud backup product provided by the cloud vendor and includes cloud host backup, cloud disk backup, file backup and database backup; the backup method, backup frequency and backup scope of the cloud backup module can be customized; after other protection measures have failed and a ransomware incident has occurred, the cloud backup module can quickly restore data, ensuring data security and integrity and thereby providing the user with a last line of defense;
the bait capture module is responsible for deploying bait files on the host to detect ransomware behavior dynamically, and when ransomware behavior is detected it generates alarm information and reports it to the security center;
the security center module is responsible for collecting and forwarding the ransomware information reported by each host, analyzing and confirming that information, and issuing protection instructions;
the collaborative protection module is responsible for processing the ransomware information and protection instructions issued by the security center.

2. The ransomware collaborative protection system based on a cloud computing platform according to claim 1, characterized in that: the cloud backup module can use the storage capacity and computing power provided by the cloud vendor to achieve high-speed transfer and encrypted storage of data, ensuring data integrity and security; the cloud backup module can flexibly set backup and restore policies according to the user's needs, performing periodic backups and full or incremental backups of data to meet the needs of different scenarios and applications.

3. The ransomware collaborative protection system based on a cloud computing platform according to claim 1, characterized in that: the cloud backup module can use the multi-region or multi-availability-zone features provided by the cloud vendor to back up and restore data across regions or availability zones, improving data reliability and availability; the bait capture module automatically and randomly generates realistic bait files, or selects bait files of a suitable type from a preset library, based on the file types and contents already present on the host and on common file types, and then generates bait files according to the user configuration.

4. The ransomware collaborative protection system based on a cloud computing platform according to claim 1, characterized in that: the user configuration includes file type, file name and file content; when the collaborative protection module receives a suspicious-program feature value issued by the security center, it immediately scans the executable files of the currently running programs and continues to monitor files added afterwards.

5. The ransomware collaborative protection system based on a cloud computing platform according to claim 1, characterized in that: the ransomware usually traverses files in forward or reverse Unicode code-point order; in a forward traversal, for example, a file whose name sorts earlier by Unicode code point also appears earlier in the returned listing; to ensure that the ransomware accesses the bait file first, the bait file name must sort first or last in the folder's Unicode order so that it is the first entry traversed; a single-character prefix is prepended to the bait file name, and if, before the bait is deployed, the first characters of the first and last normal file names are A and B respectively, a character that sorts one position before A and a character that sorts one position after B are obtained and added as prefixes to the bait file names.

6. The ransomware collaborative protection system based on a cloud computing platform according to claim 5, characterized in that: the bait capture module also periodically updates and replaces the bait files to improve their credibility and effectiveness; the bait files are typically placed in the system root directory, the root directory of each drive letter, the desktop directory, the user's home directory, key system directories, and user-defined directories that need protection; when ransomware behavior is determined, the related executable program is quarantined and reported to the security center.

7. The ransomware collaborative protection system based on a cloud computing platform according to claim 1, characterized in that: after the collaborative protection module receives an execution action issued by the security center, it processes it according to the action type; if the action type is release, the quarantined file is restored and added to the whitelist; if the action type is intercept, the quarantined file is deleted and added to the virus database.

8. The ransomware collaborative protection system based on a cloud computing platform according to claim 1, characterized in that: the bait capture module judges ransomware behavior dynamically by monitoring access events on the bait files; when a read operation and a write operation occur on the same bait file, the behavior is judged to be ransomware; when a read operation and a delete operation occur on the same bait file, the behavior is judged to be ransomware.

9. The ransomware collaborative protection system based on a cloud computing platform according to claim 1, characterized in that: after the collaborative protection module receives a suspicious-program feature value issued by the security center, it immediately scans the executable files of the currently running programs and continues to monitor files added afterwards; when a program or file matching the feature value is found, the running program is terminated and the file is quarantined.

10. The ransomware collaborative protection system based on a cloud computing platform according to any one of claims 1 to 9, characterized in that the specific operation flow of the system is as follows:
S1. The cloud backup module backs up the key data on the host; the backup frequency, scope and method can be set according to the user's needs;
S2. The bait capture module generates and places bait files on the host to attract ransomware attacks;
S3. The bait capture module monitors access events on the bait files to detect ransomware behavior;
S4. If the bait capture module detects ransomware behavior, it quarantines the suspicious program and reports the event to the security center for early warning;
S5. The security center distributes the suspicious-program feature value to the collaborative protection modules of all hosts, achieving rapid response and collaborative protection for all hosts on the cloud platform;
S6. After receiving the suspicious-program feature value issued by the security center, the collaborative protection module on each host immediately scans the executable files of the currently running programs and monitors the executable files of programs started later on the local host; if a program matches the feature, it is terminated and its executable file is quarantined as a suspicious file, effectively stopping the ransomware from spreading;
S7. The security center performs automated analysis and manual confirmation of the reported suspicious program, and sends the result to the collaborative protection modules of all hosts for processing;
S8. After receiving the execution action issued by the security center, the collaborative protection module on each host executes the corresponding action: if the security center marks the program as released, the quarantined file is restored and added to the whitelist; if it is marked as intercepted, the corresponding file is deleted and its file signature is added to the virus database;
S9. If the ransomware bypasses the detection in step S3 and carries out an attack on the host, or has already encrypted some files on the host before the ransomware behavior is detected, data is recovered from the files backed up in step S1, reducing data loss and damage.
CN202311713539.7A 2023-12-13 2023-12-13 A ransomware collaborative protection system based on cloud computing platform Pending CN117938434A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311713539.7A CN117938434A (en) 2023-12-13 2023-12-13 A ransomware collaborative protection system based on cloud computing platform

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311713539.7A CN117938434A (en) 2023-12-13 2023-12-13 A ransomware collaborative protection system based on cloud computing platform

Publications (1)

Publication Number Publication Date
CN117938434A true CN117938434A (en) 2024-04-26

Family

ID=90760204

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311713539.7A Pending CN117938434A (en) 2023-12-13 2023-12-13 A ransomware collaborative protection system based on cloud computing platform

Country Status (1)

Country Link
CN (1) CN117938434A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119628968A (en) * 2025-02-11 2025-03-14 深圳聚创致远科技有限公司 Attack feature filtering analysis method, system, terminal and medium for industrial control protocol

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination