
CN118278005A - A method for detecting ransomware in industrial control systems based on multi-file feature monitoring and program behavior analysis - Google Patents


Info

Publication number: CN118278005A
Authority: CN (China)
Prior art keywords: file, change, industrial, program, degree
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202410374168.2A
Other languages: Chinese (zh)
Inventors: 隋天举, 冯爽, 杨涛, 刘海宁, 富佳伟, 王言伟, 孙希明
Current assignee: Dalian University of Technology (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: Dalian University of Technology
Priority date: 2024-03-29 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2024-03-29
Publication date


Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/561 Virus type analysis
    • G06F21/562 Static detection
    • G06F21/565 Static detection by checking file integrity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention belongs to the field of industrial Internet information security and discloses a method for detecting ransomware in industrial control systems based on multi-file feature monitoring and program behavior analysis. Aimed at the high false alarm rate, redundant features and similar problems of current ransomware detection methods, a more accurate and comprehensive detection method is provided. Decoy files are inserted into the target system to attract potential intruders to operate on them; changes in file features are monitored and a change function is designed; program behavior is analyzed with a memory forensics tool and a rule matching tool, and a matching degree function is designed. Finally, file feature changes, suspicious program behavior matching and changes to the display screen of the target system device are integrated in a scoring system that judges whether the suspicious program is industrial ransomware. This comprehensive detection method responds promptly to ransomware intrusions, reduces the false alarm rate, improves accuracy, enhances the security and efficiency of the system, and provides a new detection means for the field of industrial Internet information security.

Description

A method for detecting ransomware in industrial control systems based on multi-file feature monitoring and program behavior analysis

Technical Field

The present invention belongs to the field of industrial Internet information security and discloses a method for detecting ransomware in industrial control systems based on multi-file feature monitoring and program behavior analysis.

Background

With the development of industrial Internet technology, ransomware, malware that encrypts user files or systems and demands payment in exchange for the decryption key, has become a serious network threat to industrial control systems. Attackers first compromise machines inside the industrial control system through phishing, weak passwords or vulnerabilities; once one networked machine has been compromised, they probe the local area network for vulnerable machines and finally implant the industrial ransomware program on them. Once the virus has infected a user system, it begins encrypting important files such as production technical documents and data tables, making them inaccessible. A more accurate and comprehensive detection method for industrial ransomware is therefore needed to counter such threats.

At present, industrial ransomware detection falls mainly into two kinds: static detection and dynamic detection. For example, in "Study on the Effectiveness of System API-related Information for Android Ransomware Detection" by SCALAS M et al. in the journal Computers and Security, ransomware is screened statically by matching a pre-set list of ransomware APIs (Application Programming Interfaces). Although this is effective for discovering known threats and the method reaches high accuracy, detection is slow, and most ransomware uses code obfuscation, junk instructions and similar means to defeat static analysis. The dynamic behavior features combined with sequence alignment used in "Ransomware Homology Analysis Based on Sequence Alignment" by Gong Qi et al. in the journal Computer and Modernization monitor ransomware dynamically and can discover unknown threats; however, because industrial ransomware mostly employs anti-virtual-environment techniques, samples captured in a sandbox do not fully reflect the sample's behavior and false positives are likely. Improving the accuracy and robustness of industrial ransomware detection therefore requires a new detection method aimed at industrial ransomware.

We therefore combine multi-file feature monitoring with program behavior analysis: the runtime behavior of the suspicious program is analyzed dynamically, file changes are monitored at several levels of file features, suspicious program behavior is analyzed with memory forensics and rule matching tools, and finally file feature monitoring, suspicious program behavior matching and changes to the display screen of the target system device are combined to judge comprehensively whether the malicious program is industrial ransomware.

Summary of the Invention

In view of the slow detection speed and frequent false alarms of existing detection methods, the purpose of the present invention is to provide a ransomware detection method for industrial control systems based on multi-file feature monitoring and program behavior analysis. The method monitors file feature changes together with the matching degree of program behavior as a whole and has the advantages of high reliability, strong robustness and low complexity.

The technical solution of the present invention is as follows:

A method for detecting ransomware in industrial control systems based on multi-file feature monitoring and program behavior analysis, comprising the following steps:

Step 1: Create decoy files

In the operating environment of the protected target system, insert pre-prepared decoy files into different paths. The decoy files include various user file types (such as production technical documents .txt, customer information tables .csv, important system configuration files .ini, etc.). A decoy file must not be empty and must occupy a certain number of bytes.

Step 2: Multi-level monitoring of file feature changes

The protected target system monitors feature changes at the levels of file name, file type and file content. After an industrial ransomware attack, file name and file type change in two main ways: either the ransomware renames the original file to a custom file name, or it keeps the original file name and changes the file type (suffix) to a custom format. As for file content, after the ransomware encrypts a file the hash computed from its content changes and no longer matches the hash of the original file before encryption; checking the hash therefore quickly reveals whether the file has been encrypted and verifies the integrity and accuracy of the file content after the suspicious program under test has run. On this basis, a file feature change function is designed to describe the feature changes quantitatively.

Step 3: Program behavior analysis

After the file features have been analyzed, a memory forensics tool is used to export a memory image, and a rule matching tool analyzes the image according to the matching rules to obtain the behavior of the suspicious program. The ransomware behavior constructed from earlier analysis of industrial ransomware is then matched against the obtained behavior to help identify whether the suspicious program sample belongs to the virus sample family. On this basis, a function is designed for the degree of match between the behavior of the suspicious program sample, the matching rules and the behavioral features of industrial ransomware.

Step 4: Monitor changes in the target operating system

When an industrial control system is infected with ransomware, the most obvious sign is a large change in the display of the target engineering station, usually a modified desktop background, changed file icons or a displayed ransom note. Taking desktop screenshots automatically before and after the suspicious program sample runs and comparing the series of screenshots with image analysis determines whether a sudden screen change occurred while the sample was running. Based on the change information from the desktop display of the target system, a function is designed for the degree of impact on the target system.

Step 5: Comprehensively determine whether it is industrial ransomware

For the above steps we propose a scoring system based on multi-file feature monitoring and program behavior analysis to detect and evaluate the risk that ransomware is present in the system. The system assigns weights to the file feature change, suspicious program behavior matching and target system device display change functions and performs a weighted evaluation, so that it can comprehensively judge whether the system is threatened by industrial ransomware and help the affected enterprise take preventive and response measures in time.

Beneficial effects of the present invention: first, it overcomes code obfuscation, junk instructions and similar means that are difficult for static detection methods to analyze; second, it combines multi-file feature monitoring with program behavior analysis. Compared with single-level detection, the multi-level analysis is more comprehensive and evaluates the behavior of the suspicious program sample from several angles, namely file name, type, content and program behavior matching, which improves detection accuracy and lowers the false alarm rate; third, image analysis is introduced into detection to monitor changes in the screen display of the target engineering station. This helps to capture the obvious signs of an industrial ransomware infection in time, such as a modified desktop background, changed file icons or a displayed ransom note, and thereby improves the detection of malicious programs.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a structural diagram of a ransomware detection method combining multi-dimensional file state changes with memory feature analysis.

FIG. 2 is a flow chart of a ransomware detection method combining multi-dimensional file state changes with memory feature analysis.

Detailed Description

The specific embodiments of the present invention are further described below with reference to the drawings and the technical solution.

A basic embodiment of the present invention consists of five steps. The aim of the invention is to detect comprehensively, accurately and robustly whether a malicious program is industrial ransomware on the basis of multi-file feature monitoring and program behavior matching. The specific implementation steps are as follows:

Step 1: Create decoy files

The suspicious program sample is analyzed dynamically in the operating environment of the protected target system. To make the decoy files more attractive, they are associated with common industrial control system applications and data files: pre-prepared decoys such as SCADA system configuration files, PLC programming files and HMI project files are inserted under different paths. The decoy files may include various user file types, such as .ladder, .db, .txt, .csv, etc. Note that a decoy file must not be empty and must occupy a certain number of bytes.

Step 2: Multi-level monitoring of file feature changes

The target operating system monitors feature changes at the levels of file name, type and content. After a ransomware attack, file name and file type change in two main ways: either the industrial ransomware renames the original file to a custom file name, or it keeps the original file name and changes the file type (suffix) to a custom format. As for file content, after the industrial ransomware encrypts a file, the MD5 hash computed from its content changes and no longer matches the MD5 hash of the original file before encryption. The open-source file integrity monitoring tools AIDE or Tripwire can therefore be used to compute the MD5 hashes of the files automatically and compare them. Alternatively, a simple script can use the system's built-in MD5 tool, the md5sum command on Linux, to achieve the same function. This verifies whether a file has been encrypted and can be used to detect whether, and to what degree, the content of a file was damaged by the ransomware.

On this basis, the file feature change function is designed as follows:

(1) File name change (FN): a score is given according to the degree of change in the file name: where len(new_filename_j) and len(old_filename_j) are the lengths of the new and old names of the j-th modified file, semantic_change_j is the degree of semantic change of the j-th modified file name, which can be computed with a text similarity algorithm, and n is the total number of files.

(2) File type change (FT): a score is given according to the degree of change in the file type (suffix):

where old_num_k and new_num_k are the numbers of files of each type before and after the suspicious program runs, m is the total number of file types, and weight_k is the user-defined weight of the k-th file type, expressing its danger level (for example, easily modified .txt documents are assigned a higher value).

(3) File content change (FC): a score is given by comparing the hash difference and the change in content similarity of the files before and after encryption:

where hash_difference_l is the difference between the hash values of the l-th file before and after encryption, content_similarity_l is the similarity of the l-th file before and after encryption, which can be computed with a text similarity algorithm, and n is the total number of files.

Step 3: Program behavior analysis

After the file features have been analyzed, a memory forensics tool is used to export a memory image, and a rule matching tool analyzes the image according to the matching rules to obtain the behavioral features of the suspicious program, such as API calls, injection, code execution and network activity. The ransomware behavioral features constructed from earlier analysis of industrial ransomware are then matched against the obtained behavioral features to help identify whether the suspicious program sample belongs to the virus sample family.

The function for the degree of match between the behavior of the suspicious program sample, the matching rules and the behavioral features of industrial ransomware is therefore designed as follows:

where behavior_similarity_t is the similarity between the t-th behavioral feature of the suspicious program and the corresponding matching rule, frequency_t is the frequency of the t-th behavior, duration_t is the duration of the t-th behavior, malware_correlation_t is the similarity between the t-th behavior and the behavioral features of ransomware, and the suspicious program produces u behavioral features in total.

Step 4: Monitor changes in the target operating system

When an industrial control system is infected with ransomware, the most obvious sign is a large change in the screen display of the target engineering station, usually a modified desktop background, changed file icons or a displayed ransom note. Taking desktop screenshots automatically before and after the suspicious program sample runs and comparing the series of screenshots with image analysis in terms of brightness, contrast and structure determines whether a sudden screen change occurred while the sample was running.

Based on the change information from the desktop display of the target system, the function for the degree of impact on the target system is therefore designed as follows:

where impact_s is the user-defined degree of impact of the s-th change on the system (for example, a large background modification is assigned a higher value), and v changes are produced in total (for example, a background modification, a file icon change, etc.).

Step 5: Comprehensively determine whether it is industrial ransomware

For the above steps, a scoring system based on multi-file feature monitoring and program behavior analysis is proposed to detect and evaluate the risks that may be present in the system. The system assigns a weight to each of the functions for file feature changes, suspicious program behavior matching and target system device display changes, and then performs a weighted evaluation according to how strongly each is associated with ransomware features. The specific evaluation rules are as follows:

Total Score:

Taking the scores of the five dimensions across the three aspects above into account, the weights are assigned from prior knowledge as W(1) = 0.2, W(2) = 0.1, W(3) = 0.2, W(4) = 0.3, W(5) = 0.2, and the comprehensive score is calculated as:

where W(i) is the weight of the i-th dimension; Factor(i) for i = 1, 2, 3, 4, 5 corresponds to F(degree of change), G(degree of change), H(degree of change), I(degree of change) and J(degree of change) respectively; and Normalization(TotalScore) is the function that normalizes the total score:

This yields a comprehensive score covering the above five dimensions. A threshold β is now set with 0 < β < 1: when the resulting Total Score is higher than β, the system is judged to have suffered a ransomware attack; otherwise the system is judged not to have been attacked.
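The five steps above carried through on constructed decoy observations, as an added example that is not part of the patent: the FN, FT and FC functions, the weighted total score and the β threshold follow the text, but because the patent's formulas are not reproduced on this page their exact forms here are assumptions, as are the file names, the per-type weights and the behavior-match and display-change inputs (which the memory forensics and screenshot steps would supply and are taken here as given numbers in [0, 1]).

```python
import hashlib
from collections import Counter
from dataclasses import dataclass
from difflib import SequenceMatcher
from os.path import splitext


@dataclass
class Decoy:
    """One planted decoy and its state after the suspicious sample ran.
    The monitor is assumed to pair old and new state (e.g. by inode on Linux)."""
    old_name: str
    new_name: str
    old_data: bytes
    new_data: bytes


# Constructed observations: one decoy renamed to an attacker-chosen name (case one),
# one with the original name kept and the suffix changed (case two), one untouched.
# Runs of non-ASCII bytes stand in for encrypted content.
OBSERVATIONS = [
    Decoy("production_notes.txt", "q7x1.locked",
          b"pump P-101 setpoint 3.2 bar\n" * 3, bytes(range(200, 240))),
    Decoy("customers.csv", "customers.csv.enc",
          b"id,name\n1,Plant A\n2,Plant B\n", bytes(range(128, 168))),
    Decoy("config.ini", "config.ini",
          b"[hmi]\nrefresh=500\n", b"[hmi]\nrefresh=500\n"),
]

# weight_k per file type: the user-defined danger level (values assumed here).
TYPE_WEIGHT = {".txt": 1.0, ".csv": 0.8, ".ini": 0.6}
# W(1)..W(5) for FN, FT, FC, behavior match and display change, as on the page.
WEIGHTS = [0.2, 0.1, 0.2, 0.3, 0.2]


def similarity(a, b):
    """Text similarity in [0, 1]; works on str and on bytes (compared byte-wise)."""
    return SequenceMatcher(None, a, b).ratio()


def file_name_change(obs):
    """FN: average over decoys of the relative length change and the semantic
    change (1 - similarity) of the file name. Assumed functional form."""
    per_file = []
    for d in obs:
        longest = max(len(d.old_name), len(d.new_name))
        len_change = abs(len(d.new_name) - len(d.old_name)) / longest
        semantic_change = 1.0 - similarity(d.old_name, d.new_name)
        per_file.append((len_change + semantic_change) / 2)
    return sum(per_file) / len(per_file) if per_file else 0.0


def file_type_change(obs):
    """FT: weighted share of the original file types (suffixes) whose count
    fell after the run, i.e. decoys whose suffix was replaced. Assumed form."""
    old_num = Counter(splitext(d.old_name)[1] for d in obs)
    new_num = Counter(splitext(d.new_name)[1] for d in obs)
    lost = sum(TYPE_WEIGHT.get(k, 1.0) * max(old_num[k] - new_num[k], 0) for k in old_num)
    total = sum(TYPE_WEIGHT.get(k, 1.0) * old_num[k] for k in old_num)
    return min(1.0, lost / total) if total else 0.0


def file_content_change(obs):
    """FC: hash_difference (0 or 1 from MD5, the hash the page uses via md5sum)
    scaled by 1 - content_similarity, averaged over decoys. Assumed form."""
    per_file = []
    for d in obs:
        same_hash = hashlib.md5(d.old_data).digest() == hashlib.md5(d.new_data).digest()
        hash_difference = 0.0 if same_hash else 1.0
        per_file.append(hash_difference * (1.0 - similarity(d.old_data, d.new_data)))
    return sum(per_file) / len(per_file) if per_file else 0.0


def normalization(total, weights=WEIGHTS):
    """Scale the weighted sum to [0, 1] by the largest reachable value
    (every factor at 1.0). Assumed form of Normalization(TotalScore)."""
    return min(1.0, max(0.0, total / sum(weights)))


def score_sample(obs, behavior_match, display_change, beta=0.5):
    """Combine the five dimensions and apply the threshold β. behavior_match
    (step 3) and display_change (step 4) come from the other monitors."""
    factors = [file_name_change(obs), file_type_change(obs), file_content_change(obs),
               behavior_match, display_change]
    total = normalization(sum(w * f for w, f in zip(WEIGHTS, factors)))
    return {"FN": factors[0], "FT": factors[1], "FC": factors[2],
            "total": total, "ransomware": total > beta}


if __name__ == "__main__":
    print(score_sample(OBSERVATIONS, behavior_match=0.8, display_change=0.9))
```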

Taking the ideal embodiments of the present invention described above as a guide, those skilled in the art can make various changes and modifications in light of the above description without departing from the technical concept of the present invention. The technical scope of the present invention is not limited to the contents of the specification and must be determined according to the scope of the claims.

Claims (5)

1. A method for detecting ransomware in industrial control systems based on multi-file feature monitoring and program behavior analysis, characterized by comprising the following steps:
Step one: creating decoy files
Inserting preset decoy files into different paths in the operating environment of the protected target system; wherein the decoy files comprise various user file types; the decoy files cannot be empty, and each must occupy a certain number of bytes;
Step two: multi-level monitoring of file feature changes
The protected target system monitors feature changes at the levels of file name, file type and file content; after an industrial ransomware attack there are mainly two cases of change in file name and file type: firstly, the industrial ransomware directly renames the original file to a custom file name; secondly, the industrial ransomware keeps the file name of the original file and modifies the file type to a self-defined format; after the file content is encrypted by the industrial ransomware, the hash value generated from the file content changes and is inconsistent with the hash value of the original file before encryption, so that whether the file is encrypted is found rapidly by checking the hash value, and the integrity and accuracy of the file content after the suspicious program under test has run are checked;
Step three: program behavior analysis
After the file features are analyzed, a memory forensics tool is used to export a memory image, and a rule matching tool analyzes the memory image according to matching rules, so that suspicious program behaviors are obtained; then, through early-stage analysis of industrial ransomware, the constructed ransomware behavior is matched with the acquired behavior to help identify whether the suspicious program sample belongs to a virus sample family;
Step four: monitoring target operating system changes
When the industrial control system is infected by ransomware, the most obvious characteristic is that the device display of the target engineering station changes greatly, in the form of a modified desktop background, changed file icons or a displayed ransom note; the desktop is captured automatically before and after execution of the suspicious program sample, and a series of screenshots are analyzed and compared with an image analysis method to determine whether a sudden screen change occurred while the suspicious program sample was running;
Step five: full evaluation of whether it is industrial ransomware
Providing a scoring system based on multi-file feature monitoring and program behavior analysis for detecting and evaluating the possible risk of ransomware in the system; the scoring system assigns weights to the file feature change, suspicious program behavior matching and target system device display change functions and carries out a weighted evaluation, so that whether the system is threatened by industrial ransomware can be comprehensively judged.
2. The method for detecting ransomware in industrial control systems based on multi-file feature monitoring and program behavior analysis according to claim 1, wherein,
in step two,
the file feature change function is designed as follows:
(1) File name change: a score is given according to the degree of change in the file name:
wherein len(new_filename_j) and len(old_filename_j) are the lengths of the new and old names of the j-th modified file, semantic_change_j is the degree of semantic change of the j-th modified file name, and n is the total number of files;
(2) File type change: a score is given according to the degree of change in the file type:
wherein old_num_k and new_num_k are the numbers of files of each type before and after the suspicious program runs, m is the total number of file types, and weight_k is the user-defined weight of the k-th file type, representing its risk level;
(3) File content change: a score is given by comparing the hash difference and the change in content similarity of the files before and after encryption:
wherein hash_difference_l is the difference between the hash values of the l-th file before and after encryption,
content_similarity_l is the similarity of the l-th file before and after encryption, calculated by a text similarity algorithm, and n is the total number of files.
3. The method for detecting ransomware in industrial control systems based on multi-file feature monitoring and program behavior analysis according to claim 1, wherein,
in step three,
the function for the degree of match between the suspicious program sample behavior, the matching rules and the behavioral features of industrial ransomware is designed as follows:
wherein behavior_similarity_t is the similarity between the t-th behavioral feature of the suspicious program and the corresponding matching rule formulated, frequency_t is the frequency of the t-th suspicious program behavior, duration_t is the duration of the t-th suspicious program behavior, malware_correlation_t is the similarity between the t-th suspicious program behavior and the behavioral features of ransomware, and the suspicious program produces u behavioral features altogether.
4. The method for detecting ransomware in an industrial control system based on multi-file feature monitoring and program behavior analysis according to claim 1, wherein,
in step four,
according to the change information displayed on the desktop of the monitored target system, the function of the degree of influence on the target system is designed as follows:
Wherein: impact_s represents the user-defined degree of influence of the s-th change on the system, and v changes are produced in total.
5. The method for detecting ransomware in an industrial control system based on multi-file feature monitoring and program behavior analysis according to claim 1, wherein,
in step five,
the scoring system is assigned weights according to prior knowledge: W(1)=0.2, W(2)=0.1, W(3)=0.2, W(4)=0.3, W(5)=0.2, and the composite score is calculated as
Where W(i) is the weight of the i-th dimension, Factor(i) for i=1, 2, 3, 4, 5 corresponds to F(degree of change), G(degree of change), H(degree of change), I(degree of change), J(degree of change) respectively, and Normalization(x) is the function that normalizes the total score:
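The following is an added, editorial example of the five-dimensional scoring pipeline that claims 2 to 5 describe; it is not the patent's own code. The claim formulas are not reproduced on this page, so every per-dimension formula here is an assumption chosen to fit the variable definitions in the claims: a filename length/similarity blend for claim 2(1), a weighted extension-count difference for claim 2(2), a hash-change/content-similarity blend for claim 2(3), similarity x classification x activity for claim 3, a mean of impact_s for claim 4, and a clamp to [0, 1] as Normalization(x) for claim 5. The mapping of F, G, H, I, J onto those five features in that order, the per-type weight_k values, the decision threshold and both before/after samples are also assumptions (constructed data).

```python
"""Added example: five-dimensional ransomware score with the claim-5 weights.
Not the patent's implementation; all per-dimension formulas are assumptions."""
import difflib
import hashlib
from collections import Counter
from pathlib import PurePosixPath

WEIGHTS = (0.2, 0.1, 0.2, 0.3, 0.2)  # W(1)..W(5) as stated in claim 5

# Assumed user-defined weight_k (claim 2(2)): how risky a change to this type is.
TYPE_RISK = {".dwg": 1.0, ".plc": 1.0, ".csv": 0.6, ".log": 0.2, ".locked": 1.0}
DEFAULT_TYPE_RISK = 0.5


def _similarity(a, b):
    """difflib's ratio stands in for the claim's unspecified text similarity algorithm."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def filename_semantic_change(renames):
    """Claim 2(1), F: mean over n renamed files of an assumed blend of the normalised
    length change |len(new_filename_j) - len(old_filename_j)| and semantic_change_j."""
    if not renames:
        return 0.0
    total = 0.0
    for old, new in renames:
        length_change = abs(len(new) - len(old)) / max(len(new), len(old), 1)
        semantic_change = 1.0 - _similarity(old, new)
        total += 0.5 * length_change + 0.5 * semantic_change
    return total / len(renames)


def file_type_change(old_names, new_names):
    """Claim 2(2), G: old_num_k / new_num_k are per-extension counts; each count
    difference is weighted by weight_k and divided by the weighted total (G in [0, 1])."""
    old_num = Counter(PurePosixPath(n).suffix.lower() for n in old_names)
    new_num = Counter(PurePosixPath(n).suffix.lower() for n in new_names)
    types = sorted(set(old_num) | set(new_num))
    numer = sum(TYPE_RISK.get(k, DEFAULT_TYPE_RISK) * abs(new_num[k] - old_num[k]) for k in types)
    denom = sum(TYPE_RISK.get(k, DEFAULT_TYPE_RISK) * (new_num[k] + old_num[k]) for k in types)
    return numer / denom if denom else 0.0


def file_content_change(content_pairs):
    """Claim 2(3), H: hash_difference_l is 1 when the SHA-256 digest changed, else 0;
    content_similarity_l compares the bytes as latin-1 text; equal-weight blend, mean over n."""
    if not content_pairs:
        return 0.0
    total = 0.0
    for old_bytes, new_bytes in content_pairs:
        hash_difference = float(hashlib.sha256(old_bytes).digest() != hashlib.sha256(new_bytes).digest())
        content_similarity = _similarity(old_bytes.decode("latin-1"), new_bytes.decode("latin-1"))
        total += 0.5 * hash_difference + 0.5 * (1.0 - content_similarity)
    return total / len(content_pairs)


def behavior_match(behaviors, window_seconds):
    """Claim 3, I: each of the u behaviours is (behavior_similarity_t, frequency_t,
    duration_t, software_classification_t); frequency x duration over the observation
    window is an assumed activity factor capped at 1."""
    if not behaviors:
        return 0.0
    total = 0.0
    for similarity, frequency, duration, classification in behaviors:
        activity = min(1.0, frequency * duration / window_seconds)
        total += similarity * classification * activity
    return total / len(behaviors)


def desktop_impact(impacts):
    """Claim 4, J: assumed aggregation is the mean of impact_s over the v desktop changes."""
    return sum(impacts) / len(impacts) if impacts else 0.0


def composite_score(factors, weights=WEIGHTS):
    """Claim 5: sum of W(i) * Factor(i); Normalization(x) assumed to be a clamp to [0, 1]."""
    if len(factors) != len(weights):
        raise ValueError("expected one factor per weight")
    raw = sum(w * f for w, f in zip(weights, factors))
    return max(0.0, min(1.0, raw))


def classify(score, threshold=0.5):
    """Assumed decision threshold; the page states none."""
    return "ransomware" if score >= threshold else "benign"


def score_scenario(scenario):
    """Run all five dimensions on one before/after observation and combine them."""
    renames = scenario["renames"]
    factors = (
        filename_semantic_change(renames),
        file_type_change([old for old, _ in renames], [new for _, new in renames]),
        file_content_change(scenario["contents"]),
        behavior_match(scenario["behaviors"], scenario["window_seconds"]),
        desktop_impact(scenario["desktop_impacts"]),
    )
    return composite_score(factors)


def _fake_ciphertext(data):
    """Stand-in for an encrypted file body (constructed; not real encryption)."""
    return hashlib.sha256(data).digest()[: len(data)]


_PLAIN = [b"G01 X10.0 Y20.0 F300\n", b"SETPOINT=72.5;ALARM=80\n", b"lot,qty\nA17,240\n"]

# Constructed sample: mass rename to .locked, bodies replaced, 300 write+rename ops of
# 0.2 s in a 60 s window, a ransom-note window open the whole window, desktop changed.
RANSOMWARE_SAMPLE = {
    "renames": [("plan.dwg", "plan.dwg.locked"), ("recipe.plc", "recipe.plc.locked"),
                ("batch.csv", "batch.csv.locked")],
    "contents": [(p, _fake_ciphertext(p)) for p in _PLAIN],
    "behaviors": [(0.9, 300, 0.2, 0.95), (0.85, 1, 60.0, 0.9)],
    "window_seconds": 60.0,
    "desktop_impacts": [0.8, 0.9],
}

# Constructed sample: an engineer saves a revised drawing and edits one setpoint.
BENIGN_SAMPLE = {
    "renames": [("plan.dwg", "plan_v2.dwg")],
    "contents": [(_PLAIN[1], b"SETPOINT=73.0;ALARM=80\n")],
    "behaviors": [(0.2, 1, 0.1, 0.1)],
    "window_seconds": 60.0,
    "desktop_impacts": [],
}

if __name__ == "__main__":
    for label, sample in (("ransomware-like", RANSOMWARE_SAMPLE), ("benign edit", BENIGN_SAMPLE)):
        s = score_scenario(sample)
        print(f"{label}: score={s:.3f} -> {classify(s)}")
```

Two properties of this construction are worth noting when reading the claims: the hash term in claim 2(3) saturates on any edit at all (a one-character setpoint change already contributes 0.5 to H), so separating a benign save from encryption rests on the content-similarity half and on the other four dimensions; and with the claim-5 weights summing to 1 and every factor bounded in [0, 1], the weighted sum is already on a unit scale, which is why a clamp is a defensible stand-in for the unspecified Normalization(x).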
Priority Application
Application Number: CN202410374168.2A; Priority Date: 2024-03-29; Filing Date: 2024-03-29; Title: A method for detecting ransomware in industrial control systems based on multi-file feature monitoring and program behavior analysis; Status: Pending

Publication
Publication Number: CN118278005A; Publication Date: 2024-07-02

Family ID: 91645495; Country: CN

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119720201A (en) * 2025-02-26 2025-03-28 上海斗象信息科技有限公司 A method and device for processing ransomware virus, and electronic device
CN121030745A (en) * 2025-10-30 2025-11-28 北京珞安科技有限责任公司 A method for identifying and analyzing malware in power industrial control systems based on artificial intelligence.

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination