
CN118400165A - Ransomware attack and data destruction attack detection method, system, device and medium - Google Patents

Info

Publication number
CN118400165A
Authority
CN
China
Prior art keywords
file
sentinel
attack
gateway
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410619902.7A
Other languages
Chinese (zh)
Inventor
朱文涛
张慧琳
周游
刘建
高玉堃
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Artificial Intelligence Technology Beijing Co ltd
Original Assignee
China Telecom Artificial Intelligence Technology Beijing Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Telecom Artificial Intelligence Technology Beijing Co ltd
Priority to CN202410619902.7A
Publication of CN118400165A
Current legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention discloses a method, system, device and medium for detecting ransomware attacks and data destruction attacks, comprising: obtaining a number of first real files created by a client, creating, by a gateway, a first sentinel file corresponding to each first real file, and storing the first real files and first sentinel files on a server as target data files; monitoring, by the server, the file status of each target data file and reporting the file status to the gateway; determining, by the gateway according to the file status, whether a first sentinel file has changed; and, when a first sentinel file has changed, determining that the server has suffered a ransomware attack or a data destruction attack and generating alarm information. The present invention lowers the missed-detection rate and the false-alarm rate of ransomware and data destruction attack detection, reduces operation and maintenance costs, enhances network security, and can be widely applied in the field of network security technology.

Description

Ransomware attack and data destruction attack detection method, system, device and medium

Technical Field

The present invention relates to the field of network security, and in particular to a method, system, device and medium for detecting ransomware attacks and data destruction attacks.

Background

A ransomware attack is a computer network attack against data availability. Most ransomware takes the form of self-propagating malware (including worms, Trojans and the like), but an attack can also be launched deliberately against a target network by an attacker, including attackers operating across national borders. Whatever the form, the result of a successful attack is usually that the attacker locks the victim's data files with an encryption algorithm and demands a ransom payment; the victim may be an individual or an organization such as a company or group. Ransomware generally locks files with a secure encryption algorithm, so nobody can decrypt them without the correct key. The victim is therefore usually unable to undo the locking, and where no backup exists and the data has become unavailable, the victim may be forced to pay the ransom in whatever way the attacker demands, even though an attacker who has been paid does not necessarily honor the bargain and hand over the key needed to restore the files. It follows that the concrete targets of a ransomware attack are usually the individual files stored on a server rather than a database system. Ransomware is an extremely malicious form of attack and has become notorious in recent years for the harm it does to data security.

Because most ransomware takes the form of malware, many countermeasures follow the traditional antivirus approach, such as a virus signature database combined with blacklists and whitelists. Such mechanisms can usually detect only known malware and have difficulty detecting newly emerging strains. Moreover, this approach is focused on the "virus" and is not closely tied to the "ransom" behavior itself.

The prior art discloses a countermeasure that modifies the operating system of the file storage server so that its file storage driver has a degree of "intelligence": when the running file driver detects that a file-system enumeration API has been called, it plants a decoy file (also called a honey file or similar) into the results returned by the enumeration API; if the newly planted decoy file is then written to and/or renamed, the process that called the enumeration API is judged to be malicious and the software running that process is judged to be ransomware. This prior-art solution has the following defects:

First, different ransomware has different "tastes". Some strains attack only one or a few file types (for example, only Office documents); others attack only files whose creation time falls within a certain window (for example, the past year); "clever" ransomware will even actively identify and avoid decoy files (for example, by not touching temporary files that "pop up" out of nowhere). Ransomware behaves this way so that, before it is discovered or blocked, it can find the data it considers most valuable as quickly as possible and lock as much of it as possible, achieving maximum damage with minimum effort and minimum "noise". The prior-art solution does not account for these attack strategies; it simply plants a decoy file whenever it sees the enumeration API called. Clearly, once such a decoy does not match the ransomware's "taste", the decoy is ignored and detection fails, so the prior-art solution has a high missed-detection rate and poor generality.

Second, the prior-art solution is prone to false alarms. For example, when a legitimate user (or the user's application) enumerates the file system, a decoy file temporarily planted by the file driver will often attract the attention and curiosity of an unwitting user. The user's operations on the decoy file then easily trigger a misjudgment by the prior-art solution, giving it a relatively high false-alarm rate.

Finally, the prior-art solution requires modifying the file storage driver on the server. In enterprise network environments such as telecommunications and Internet companies, servers number in the tens of thousands and capacity is expanded frequently (that is, new servers are deployed into the IDC), so every such server needs the driver installed, which makes operation and maintenance costly.

Terminology:

IDC: Internet Data Center. In the telecommunications field, a resource pool is also regarded as a kind of IDC.

Summary of the Invention

The purpose of the present invention is to solve, at least to some extent, one of the technical problems existing in the prior art.

To this end, one object of the embodiments of the present invention is to provide a method for detecting ransomware attacks and data destruction attacks that lowers the missed-detection rate and the false-alarm rate of such detection, reduces operation and maintenance costs, and enhances network security.

Another object of the embodiments of the present invention is to provide a system for detecting ransomware attacks and data destruction attacks.

To achieve the above technical objectives, the technical solutions adopted by the embodiments of the present invention include:

In one aspect, an embodiment of the present invention provides a method for detecting ransomware attacks and data destruction attacks, comprising the following steps:

obtaining a number of first real files created by a client, creating, by a gateway, a first sentinel file corresponding to each first real file, and storing the first real files and the first sentinel files on a server as target data files;

monitoring, by the server, the file status of each target data file, and reporting the file status to the gateway;

determining, by the gateway, according to the file status, whether a first sentinel file has changed;

when a first sentinel file has changed, determining that the server has suffered a ransomware attack or a data destruction attack, and generating alarm information;

wherein the sentinel file list of the first sentinel files is maintained by the gateway, so that the client cannot perceive the first sentinel files and the server cannot distinguish the first real files from the first sentinel files among the target data files.

Further, in one embodiment of the present invention, the step of obtaining a number of first real files created by the client, creating by the gateway a first sentinel file corresponding to each first real file, and storing the first real files and first sentinel files on the server as target data files specifically includes:

in response to a file creation operation of the client, obtaining, by the gateway, the first real files created by the client;

detecting, by the gateway, the file attributes of each first real file, generating the first sentinel file corresponding to that first real file according to the file attributes and a preset sentinel file provisioning policy, and adding the file information of the first sentinel file to the sentinel file list;

sending, by the gateway, the first real files and the first sentinel files to the server as the target data files, so that the server stores the target data files;

wherein the file attributes include file type and file path.

Further, in one embodiment of the present invention, the step of generating the first sentinel file corresponding to the first real file according to the file attributes and the preset sentinel file provisioning policy is specifically:

randomly selecting, according to the file type, a sentinel file sample of the same type from a preset sentinel file sample library, using that sentinel file sample as the first sentinel file, and determining the storage location of the first sentinel file according to the file path;

or,

obtaining a fill template corresponding to the file type, filling the template with specific content to obtain the first sentinel file, and determining the storage location of the first sentinel file according to the file path.

Further, in one embodiment of the present invention, the step of monitoring by the server the file status of each target data file and reporting the file status to the gateway specifically includes:

monitoring, by the server, the file status of each target data file in real time or periodically;

generating a file status log according to the file status and the monitoring time, and reporting the file status log to the gateway.

Further, in one embodiment of the present invention, the step of determining by the gateway, according to the file status, whether a first sentinel file has changed specifically includes:

determining, by the gateway, the file status of the first sentinel file according to the sentinel file list and the file status log;

determining whether the first sentinel file has changed according to the file status so determined.

Further, in one embodiment of the present invention, the step of determining, when a first sentinel file has changed, that the server has suffered a ransomware attack or a data destruction attack and generating alarm information specifically includes:

when it is determined that a first sentinel file has changed, determining that the server has suffered a ransomware attack or a data destruction attack, and determining the time of the attack from the corresponding information in the file status log;

generating alarm information according to the attack time, and sending the alarm information to an administrator.

Further, in one embodiment of the present invention, the method for detecting ransomware attacks and data destruction attacks further includes the following step:

when the gateway detects that a second real file newly created by the client has the same file path and file name as a second sentinel file already stored on the server, renaming the second sentinel file and updating the sentinel file list according to the renamed second sentinel file; or overwriting the second sentinel file with the second real file and removing the file information of the second sentinel file from the sentinel file list.
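The following is an added, self-contained Python model of the steps described above: the gateway creating a sentinel of the same type and in the same directory as each real file (the "fill template" strategy), the server reporting a file status it cannot interpret, the gateway correlating that status with the sentinel list it alone holds to raise an alarm and time the attack, and the name-collision handling of the last step. It is example code written for this page, not code from the patent or its assignee; the class and function names, the fill templates, the use of a SHA-256 digest as the "file status", the "_copy" rename convention and the sample paths are all this example's own assumptions, and the XOR "cipher" merely stands in for whatever a real ransomware strain would use.

```python
import hashlib
import posixpath
import random
from dataclasses import dataclass

# Fill templates per file type (assumption: stand-ins for the patent's template strategy).
TEMPLATES = {
    ".txt": "Q3 planning notes {n}\n- budget review\n- hiring plan\n",
    ".csv": "invoice_id,customer,amount\n{n},acme,1200.00\n",
    ".docx": "PK\x03\x04 docx-stand-in {n}",  # not a real OOXML container, just bytes
}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass(frozen=True)
class Alert:
    sentinel: str
    change: str       # "modified" (e.g. encrypted in place) or "missing" (deleted/renamed)
    attack_time: int  # monitoring time of the first status log that shows the change

class StorageServer:
    """Stores target files and reports their status; it cannot tell sentinels from real files."""
    def __init__(self) -> None:
        self.files: dict[str, bytes] = {}
    def store(self, path: str, data: bytes) -> None:
        self.files[path] = data
    def status_log(self, monitored_at: int) -> dict:
        return {"monitored_at": monitored_at, "files": {p: digest(d) for p, d in self.files.items()}}

class Gateway:
    """Sits between client and server and is the only party holding the sentinel list."""
    def __init__(self, server: StorageServer, seed: int = 0, collision: str = "rename") -> None:
        self.server, self.rng, self.collision = server, random.Random(seed), collision
        self.manifest: dict[str, str] = {}  # sentinel path -> expected digest
        self.alerts: list[Alert] = []

    def _make_sentinel(self, real_path: str) -> tuple[str, bytes]:
        # Same type and directory as the real file, so type- or path-selective ransomware
        # that goes for the real file has no reason to skip the sentinel.
        dirname, name = posixpath.split(real_path)
        stem, ext = posixpath.splitext(name)
        n = self.rng.randint(1000, 9999)
        body = TEMPLATES.get(ext, "note {n}\n").format(n=n).encode()
        return posixpath.join(dirname, f"{stem}_v{n}{ext}"), body

    def client_creates(self, real_path: str, data: bytes) -> str:
        """Client creates a real file: forward it plus a matching sentinel; return the sentinel path."""
        if real_path in self.manifest:  # the new real file collides with an existing sentinel
            if self.collision == "rename":  # keep the sentinel, under a new name
                stem, ext = posixpath.splitext(real_path)
                renamed = f"{stem}_copy{ext}"
                self.server.store(renamed, self.server.files.pop(real_path))
                self.manifest[renamed] = self.manifest.pop(real_path)
            else:  # overwrite: the file stops being a sentinel
                del self.manifest[real_path]
        self.server.store(real_path, data)
        s_path, s_body = self._make_sentinel(real_path)
        self.manifest[s_path] = digest(s_body)
        self.server.store(s_path, s_body)
        return s_path

    def check(self, log: dict) -> list[Alert]:
        """Correlate one status log with the manifest; any sentinel change means an attack."""
        found = []
        for path, expected in self.manifest.items():
            actual = log["files"].get(path)
            if actual is None:
                found.append(Alert(path, "missing", log["monitored_at"]))
            elif actual != expected:
                found.append(Alert(path, "modified", log["monitored_at"]))
        self.alerts.extend(found)
        return found

def run_scenario(attack: str) -> list[Alert]:
    """Provision two real files, take a clean baseline, then apply one of three events."""
    server = StorageServer()
    gw = Gateway(server, seed=7)
    gw.client_creates("/share/finance/q3.docx", b"real quarterly report")
    gw.client_creates("/share/finance/ledger.csv", b"id,amount\n1,99\n")
    assert gw.check(server.status_log(100)) == []  # baseline is clean
    if attack == "benign":  # user edits their own file; sentinels are untouched
        server.store("/share/finance/q3.docx", b"real quarterly report v2")
    elif attack == "docx-only":  # picky ransomware: encrypts only Office documents
        for p in list(server.files):
            if p.endswith(".docx"):
                server.files[p] = bytes(b ^ 0x5A for b in server.files[p])  # stand-in cipher
    elif attack == "wipe":  # data destruction: the whole share is deleted
        server.files.clear()
    return gw.check(server.status_log(200))

def collision_scenario(collision: str) -> tuple[int, int]:
    """Client creates a real file at a sentinel's own path; return (alerts, sentinels remaining)."""
    server = StorageServer()
    gw = Gateway(server, seed=7, collision=collision)
    s_path = gw.client_creates("/share/hr/roster.txt", b"real roster")
    gw.client_creates(s_path, b"user happened to pick the same name")
    return len(gw.check(server.status_log(300))), len(gw.manifest)
```

The "docx-only" scenario is the case the background section worries about: a strain that ignores everything but Office documents still hits the .docx sentinel because it was placed next to, and typed like, the real document, while the .csv sentinel stays quiet. The "benign" scenario shows why the false-alarm rate is low: a user editing their own file never touches a path in the manifest, because the client never learned which paths are sentinels. Two caveats a practitioner would add: hashing every file on every monitoring pass is expensive at scale, so a real deployment would report change notifications or size/mtime rather than recompute digests, and a strain that filters by creation time (also mentioned in the background) would require the gateway to set plausible timestamps on the sentinels, which this model does not do.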

In another aspect, an embodiment of the present invention provides a system for detecting ransomware attacks and data destruction attacks, comprising:

a sentinel file creation module, configured to obtain a number of first real files created by a client, create, through a gateway, a first sentinel file corresponding to each first real file, and store the first real files and first sentinel files on a server as target data files;

a file status reporting module, configured to monitor, through the server, the file status of each target data file and report the file status to the gateway;

a file status determination module, configured to determine, through the gateway and according to the file status, whether a first sentinel file has changed;

an alarm information generation module, configured to determine, when a first sentinel file has changed, that the server has suffered a ransomware attack or a data destruction attack, and to generate alarm information;

wherein the sentinel file list of the first sentinel files is maintained by the gateway, so that the client cannot perceive the first sentinel files and the server cannot distinguish the first real files from the first sentinel files among the target data files.

In another aspect, an embodiment of the present invention provides an electronic device comprising a memory, a processor, a program stored in the memory and executable on the processor, and a data bus for connecting and communicating between the processor and the memory, wherein the program, when executed by the processor, implements the method for detecting ransomware attacks and data destruction attacks described above.

In another aspect, an embodiment of the present invention further provides a storage medium, which is a computer-readable storage medium for computer-readable storage and stores one or more programs executable by one or more processors to implement the method for detecting ransomware attacks and data destruction attacks described above.

The advantages and beneficial effects of the present invention will be set out in part in the description that follows, will in part become apparent from that description, or will be learned through practice of the present invention:

An embodiment of the present invention obtains a number of first real files created by a client, creates through a gateway a first sentinel file corresponding to each first real file, stores the first real files and first sentinel files on a server as target data files, monitors through the server the file status of each target data file and reports it to the gateway, determines through the gateway according to the file status whether a first sentinel file has changed, and, when a first sentinel file has changed, determines that the server has suffered a ransomware attack or a data destruction attack and generates alarm information. Because the gateway creates the sentinel files corresponding to the real files, stores them on the server together with the real files, and alone maintains the sentinel file list recording where the sentinel files are deployed, the client cannot perceive the sentinel files and the server cannot distinguish real files from sentinel files. When the server suffers a ransomware attack or a data destruction attack, the sentinel files are changed along with the files around them, and the gateway can determine from the file status reported by the server whether a sentinel file has changed and hence whether the server is under attack. This lowers the missed-detection rate and the false-alarm rate of ransomware and data destruction attack detection, reduces operation and maintenance costs, and enhances network security.

Brief Description of the Drawings

To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the embodiments are introduced below. It should be understood that the drawings introduced below are intended only to describe some embodiments of the technical solutions of the present invention clearly and conveniently, and that those skilled in the art can obtain other drawings from these drawings without creative effort.

FIG. 1 is a flowchart of a method for detecting ransomware attacks and data destruction attacks according to an embodiment of the present invention;

FIG. 2 is a schematic diagram of the data interaction in the method for detecting ransomware attacks and data destruction attacks according to an embodiment of the present invention;

FIG. 3 is a flowchart of step S101 according to an embodiment of the present invention;

FIG. 4 is a flowchart of step S1012 according to an embodiment of the present invention;

FIG. 5 is a flowchart of step S102 according to an embodiment of the present invention;

FIG. 6 is a flowchart of step S103 according to an embodiment of the present invention;

FIG. 7 is a flowchart of step S104 according to an embodiment of the present invention;

FIG. 8 is another flowchart of the method for detecting ransomware attacks and data destruction attacks according to an embodiment of the present invention;

FIG. 9 is a schematic structural diagram of a system for detecting ransomware attacks and data destruction attacks according to an embodiment of the present invention;

FIG. 10 is a schematic diagram of the hardware structure of an electronic device according to an embodiment of the present invention;

FIG. 11 is a schematic structural diagram of a storage medium according to an embodiment of the present invention.

具体实施方式Detailed ways

下面详细描述本发明的实施例,所述实施例的示例在附图中示出,其中自始至终相同或类似的标号表示相同或类似的元件或具有相同或类似功能的元件。下面通过参考附图描述的实施例是示例性的,仅用于解释本申请,而不能理解为对本申请的限制。需要说明的是,虽然在系统示意图中进行了功能模块划分,在流程图中示出了逻辑顺序,但是在某些情况下,可以以不同于系统示意图中的模块划分,或流程图中的顺序执行所示出或描述的步骤。对于以下实施例中的步骤编号,其仅为了便于阐述说明而设置,对步骤之间的顺序不做任何限定,实施例中的各步骤的执行顺序均可根据本领域技术人员的理解来进行适应性调整。Embodiments of the present invention are described in detail below, and examples of the embodiments are shown in the accompanying drawings, wherein the same or similar reference numerals throughout represent the same or similar elements or elements having the same or similar functions. The embodiments described below with reference to the accompanying drawings are exemplary and are only used to explain the present application, and cannot be understood as limitations on the present application. It should be noted that, although the functional module division is performed in the system schematic diagram and the logical order is shown in the flow chart, in some cases, the steps shown or described may be performed in a different order from the module division in the system schematic diagram or the flow chart. For the step numbers in the following embodiments, they are only set for the convenience of explanation, and the order between the steps is not limited in any way. The execution order of each step in the embodiment can be adaptively adjusted according to the understanding of those skilled in the art.

在本发明的描述中,多个的含义是两个或两个以上,如果有描述到第一、第二只是用于区分技术特征为目的,而不能理解为指示或暗示相对重要性或者隐含指明所指示的技术特征的数量或者隐含指明所指示的技术特征的先后关系。此外,除非另有定义,本文所使用的所有的技术和科学术语与属于本申请的技术领域的技术人员通常理解的含义相同。本文中所使用的术语只是为了描述本申请实施例的目的,不是旨在限制本申请。In the description of the present invention, the meaning of "a plurality" is two or more. If there is a description of the first or the second, it is only for the purpose of distinguishing the technical features, and it cannot be understood as indicating or implying the relative importance or implicitly indicating the number of the indicated technical features or implicitly indicating the order of the indicated technical features. In addition, unless otherwise defined, all technical and scientific terms used in this document have the same meaning as those commonly understood by technicians in the technical field of this application. The terms used in this document are only for the purpose of describing the embodiments of the present application and are not intended to limit the present application.

本申请实施例提供的勒索攻击和数据破坏攻击检测方法可应用于终端中,也可应用于服务器端中,还可以是运行于终端或服务器端中的软件。在一些实施例中,终端可以是智能手机、平板电脑、笔记本电脑、台式计算机、机顶盒等;服务器端可以配置成独立的物理服务器,也可以配置成多个物理服务器构成的服务器集群或者分布式系统,还可以配置成提供云服务、云数据库、云计算、云函数、云存储、网络服务、云通信、中间件服务、域名服务、安全服务、CDN以及大数据和人工智能平台等基础云计算服务的云服务器;软件可以是实现勒索攻击和数据破坏攻击检测方法的应用等,但并不局限于以上形式。The ransomware attack and data destruction attack detection method provided in the embodiment of the present application can be applied to the terminal, can also be applied to the server side, and can also be software running in the terminal or the server side. In some embodiments, the terminal can be a smart phone, a tablet computer, a laptop computer, a desktop computer, a set-top box, etc.; the server side can be configured as an independent physical server, or a server cluster or distributed system composed of multiple physical servers, and can also be configured as a cloud server that provides basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communications, middleware services, domain name services, security services, CDN, and big data and artificial intelligence platforms; the software can be an application that implements the ransomware attack and data destruction attack detection method, but is not limited to the above forms.

本申请可用于众多通用或专用的计算机系统环境或配置中。例如:个人计算机、服务器计算机、手持设备或便携式设备、平板型设备、多处理器系统、基于微处理器的系统、机顶盒、可编程的消费电子设备、网络PC、小型计算机、大型计算机、包括以上任何系统或设备的分布式计算环境等等。本申请可以在由计算机执行的计算机可执行指令的一般上下文中描述,例如程序模块。一般地,程序模块包括执行特定任务或实现特定抽象数据类型的例程、程序、对象、组件、数据结构等等。也可以在分布式计算环境中实践本申请,在这些分布式计算环境中,由通过通信网络而被连接的远程处理设备来执行任务。在分布式计算环境中,程序模块可以位于包括存储设备在内的本地和远程计算机存储介质中。The present application can be used in many general or special computer system environments or configurations. For example: personal computers, server computers, handheld or portable devices, tablet devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronic devices, network PCs, minicomputers, mainframe computers, distributed computing environments including any of the above systems or devices, etc. The present application can be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform specific tasks or implement specific abstract data types. The present application can also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules can be located in local and remote computer storage media including storage devices.

需要说明的是,在本申请的各个具体实施方式中,当涉及到需要根据用户信息、用户行为数据,用户历史数据以及用户位置信息等与用户身份或特性相关的数据进行相关处理时,都会先获得用户的许可或者同意,而且,对这些数据的收集、使用和处理等,都会遵守相关国家和地区的相关法律法规和标准。此外,当本申请实施例需要获取用户的敏感个人信息时,会通过弹窗或者跳转到确认页面等方式获得用户的单独许可或者单独同意,在明确获得用户的单独许可或者单独同意之后,再获取用于使本申请实施例能够正常运行的必要的用户相关数据。It should be noted that in each specific implementation of the present application, when it comes to the need to perform relevant processing based on data related to user identity or characteristics such as user information, user behavior data, user historical data, and user location information, the user's permission or consent will be obtained first, and the collection, use, and processing of these data will comply with the relevant laws, regulations, and standards of the relevant countries and regions. In addition, when the embodiment of the present application needs to obtain the user's sensitive personal information, the user's separate permission or consent will be obtained through a pop-up window or by jumping to a confirmation page. After clearly obtaining the user's separate permission or consent, the necessary user-related data for the normal operation of the embodiment of the present application will be obtained.

FIG. 1 is a flowchart of the method for detecting ransomware attacks and data destruction attacks provided by an embodiment of the present invention. Referring to FIG. 1, an embodiment of the present invention provides a method for detecting ransomware attacks and data destruction attacks, which specifically comprises the following steps:

S101: obtain a plurality of first real files created by a user terminal, create, through a gateway, first sentinel files corresponding to the first real files, and store the first real files and the first sentinel files on a server as target data files;

The sentinel file list for the first sentinel files is maintained by the gateway, so that the user terminal cannot perceive the first sentinel files and the server cannot distinguish the first real files from the first sentinel files among the target data files.

Specifically, FIG. 2 is a data interaction diagram of the method for detecting ransomware attacks and data destruction attacks provided by an embodiment of the present invention. The embodiment is applied to a typical enterprise network environment: users and servers are located in two relatively separate networks (in most enterprises, for example, employees are on the office network and servers are in the IDC), and access from the user side to the server side must traverse a network entity with management and control functions in order to cross the boundary between the two networks; this embodiment refers to that entity collectively as the gateway. In practice the gateway may be a virtual private network (VPN) gateway, a bastion host, a zero-trust proxy gateway, and so on; this embodiment does not restrict the specific implementation technology. The gateway performs basic functions such as user authentication and admits legitimate users to the server side to access resources within their authorization.

In this embodiment, the above gateway has the following "intelligence": when a user creates (typically, uploads) a file, the gateway, following a certain "provisioning" policy, automatically creates on the user's behalf a data file that imitates a real file, namely the sentinel file described in this embodiment; the real file created by the user and the sentinel file "provisioned" by the gateway on the user's behalf are stored together on the server, and the gateway distinguishes the two kinds of files by maintaining a list (also called a manifest or ledger). It will be understood that the number of sentinel files provisioned by the gateway should be significantly smaller than the number of real files from users, so the gateway only needs to maintain the sentinel file list to tell the two kinds apart. Users always access the server through the gateway, and the gateway always hides from users any information about the existence of sentinel files, so that users only ever see the real files they created themselves and cannot perceive any sentinel file; for example, when a user views the used storage space, the gateway takes care to exclude the sentinel files. Likewise, the gateway never discloses to the server, in any form, the difference between sentinel files and real files, so the server cannot distinguish real files from sentinel files.

FIG. 3 is a flowchart of step S101 provided by an embodiment of the present invention. Referring to FIG. 3, as a further optional implementation, the step of obtaining a plurality of first real files created by the user terminal, creating first sentinel files corresponding to the first real files through the gateway, and storing the first real files and the first sentinel files on the server as target data files specifically includes:

S1011: in response to a file creation operation on the user terminal, obtain, through the gateway, the plurality of first real files created by the user terminal;

S1012: detect, through the gateway, the file attributes of the first real files, generate first sentinel files corresponding to the first real files according to the file attributes and a preset sentinel file provisioning policy, and add the file information of the first sentinel files to the sentinel file list;

S1013: send the first real files and the first sentinel files to the server as target data files through the gateway, so that the server stores the target data files;

The file attributes include the file type and the file path.

It should be noted that this embodiment does not limit the specific ratio of real files to sentinel files. When there are multiple real files, the gateway may generate a corresponding number of sentinel files according to a preset ratio or counting step, or generate one or more sentinel files of the corresponding type according to the file type; the specific setting can be chosen according to actual conditions.

FIG. 4 is a flowchart of step S1012 provided by an embodiment of the present invention. Referring to FIG. 4, as a further optional implementation, the step of generating the first sentinel file corresponding to the first real file according to the file attributes and the preset sentinel file provisioning policy is specifically:

S10121: randomly obtain, according to the file type, a sentinel file sample of the same type from a preset sentinel file sample library, use that sample as the first sentinel file, and determine the storage location of the first sentinel file according to the file path;

or,

S10122: obtain a fill template corresponding to the file type, fill the template with specific content to obtain the first sentinel file, and determine the storage location of the first sentinel file according to the file path.

Specifically, the user initiates a file creation (typically, upload) request, and the gateway, based on attributes such as the name of the file the user creates and following the "provisioning" policy preset by the administrator, automatically creates on the user's behalf a data file that imitates a real file, namely a sentinel file. This embodiment does not restrict how sentinel files are named, nor does it require that the content of a sentinel file be generated in real time (it can be prepared offline and placed in a file queue to wait to be retrieved); the gateway updates and maintains the sentinel file list so as to know which files are sentinel files (and where they are located). It should be noted that only the gateway has knowledge of the sentinel files; users always access the server through the gateway, and the gateway always hides from users any information about the existence of sentinel files (even disk space usage information), so that users only ever see the real files they created and cannot perceive any sentinel file. The real files created by the user, together with the sentinel files "provisioned" by the gateway on the user's behalf, are stored on the server, and the server cannot distinguish the two kinds of files.

S102: monitor the file status of each target data file through the server, and report the file status to the gateway.

FIG. 5 is a flowchart of step S102 provided by an embodiment of the present invention. Referring to FIG. 5, as a further optional implementation, the step of monitoring the file status of each target data file through the server and reporting the file status to the gateway specifically includes:

S1021: monitor the file status of each target data file through the server in real time or periodically;

S1022: generate a file status log according to the file status and the monitoring time, and report the file status log to the gateway.

Specifically, the server (which cannot distinguish real files from sentinel files) reports the status of each file to the gateway in real time or periodically, according to a certain policy, for the gateway to monitor. It will be understood that under normal circumstances most files whose status changes (for example the server's own log files; note that such files come neither from users nor from the gateway) will match the gateway's whitelist policy and be ignored, so the gateway can attend only to the sentinel files and not to the activity of other files.

S103: determine, through the gateway and according to the file status, whether the first sentinel file has changed.

FIG. 6 is a flowchart of step S103 provided by an embodiment of the present invention. Referring to FIG. 6, as a further optional implementation, the step of determining, through the gateway and according to the file status, whether the first sentinel file has changed specifically includes:

S1031: determine, through the gateway, the file status of the first sentinel file according to the sentinel file list and the file status log;

S1032: determine whether the first sentinel file has changed according to the determined file status of the first sentinel file.

Specifically, when the server suffers a ransomware attack, since automated ransomware (and human ransomware operators) are likewise unable to distinguish real files from sentinel files, the sentinel files will most likely be treated as real files and be locked as well. Once the gateway detects that a sentinel file has been changed for no known reason (for example, it has disappeared or been overwritten), the gateway determines that the server holding the affected sentinel file has been attacked and issues a corresponding alarm for the security department to assess and act on. It is therefore easy to see that the attacks detectable by this embodiment actually include all kinds of data destruction attacks, not only ransomware attacks.

S104: when the first sentinel file has changed, determine that the server has suffered a ransomware attack or a data destruction attack, and generate alarm information.

FIG. 7 is a flowchart of step S104 provided by an embodiment of the present invention. Referring to FIG. 7, as a further optional implementation, the step of determining, when the first sentinel file has changed, that the server has suffered a ransomware attack or a data destruction attack and generating alarm information specifically includes:

S1041: when it is determined that the first sentinel file has changed, determine that the server has suffered a ransomware attack or a data destruction attack, and determine the time at which the attack occurred from the corresponding information in the file status log;

S1042: generate alarm information according to the attack occurrence time, and send the alarm information to the administrator.

FIG. 8 is another flowchart of the method for detecting ransomware attacks and data destruction attacks provided by an embodiment of the present invention. Referring to FIG. 8, as a further optional implementation, the method further includes the following step:

S105: when the gateway detects that a second real file newly created by the user terminal has the same file path and file name as a second sentinel file already stored on the server, rename the second sentinel file and update the sentinel file list according to the renamed second sentinel file, or overwrite the second sentinel file with the second real file and remove the file information of the second sentinel file from the sentinel file list.

Specifically, once the full path (directory plus file name) of a file created by a user happens to coincide exactly with that of an existing sentinel file, the existing sentinel file can be renamed to a file name not yet present in the same directory, or the sentinel file can be overwritten with the real file and removed from the sentinel file list.

The implementation process of the present invention is further described below with reference to two specific embodiments.

Embodiment 1:

In a certain telecommunications enterprise, employees access servers in the resource pool through a zero-trust gateway, and the gateway only allows users to upload files via SFTP. Whenever a user uploads a batch of files (one or more), the gateway classifies the files by extension and generates one sentinel file with the same extension for each category. For example, without loss of generality, when a user uploads 1.jpg, 2.docx, 3.docx, 4.mp4 and 5.jpg, the gateway, in addition to faithfully uploading these five real files, additionally generates and uploads three sentinel files 6.jpg, 7.docx and 8.mp4. This embodiment does not restrict how sentinel files are named; for brevity it is assumed here that no file encounters a name clash in its respective storage directory. The eight files are stored on the server without distinction, but only the gateway knows that 6.jpg, 7.docx and 8.mp4 are sentinel files. The server reports the status of all files every ten minutes, although the gateway never cares about status changes of 1.jpg, 2.docx, 3.docx, 4.mp4 and 5.jpg. As soon as the gateway finds that one of 6.jpg, 7.docx or 8.mp4 has changed, it raises an alarm.

In the above process, the gateway's specific actions are, by way of example, as follows:

1) When the user uploads 1.jpg, 2.docx, 3.docx, 4.mp4 and 5.jpg, the gateway divides them by extension into three categories: jpg, docx and mp4.

2) According to the preconfigured policy, the gateway generates one sentinel file for each category (jpg/docx/mp4) of real file, registers the three generated sentinel files 6.jpg, 7.docx and 8.mp4 in the sentinel file list, and records their status information (which may include file checksums, last modification times, and so on). Preconfigured policies usable here include, but are not limited to: randomly picking a file of the same type from a self-built file sample library, or filling a predefined template with specific content to generate a file of the same type. As noted above, sentinel files can even be prepared offline; during online operation it is only necessary to take a ready-made file from the queue, assign it a suitable file name, and register it in the sentinel file list.

3) The server reports the status of all files every ten minutes (it cannot distinguish real files from sentinel files). Since there may be a great many files, this status information may be very large. Because the gateway maintains its own sentinel file list, it "can and only needs to" attend to the activity of the sentinel files, without having to fully audit the status information reported by the server. As soon as the gateway finds that a file in the sentinel file list (one of 6.jpg, 7.docx or 8.mp4) has undergone a change suspected to come from a ransomware attack, it raises an alarm, for example by sending a text message or e-mail to the security department.

For brevity, this embodiment refers to real files and sentinel files by file name only (rather than by the full path of directory plus file name); the next embodiment does the same. Regarding full paths, it should further be noted, as mentioned above, that when the full path of a file created by a user coincides exactly with that of an existing sentinel file, the existing sentinel file can be renamed to a file name not yet present in the same directory, or the sentinel file can be overwritten with the real file and removed from the sentinel file list. This means the gateway can update the sentinel file list flexibly, rather than only ever adding new sentinel files to it as in step 2) above.
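The gateway-side bookkeeping of steps S101 to S105, carried through on Embodiment 1's five-file upload, as an added Python model that is not part of the patent or of any described product; the in-memory Server and Gateway classes, the s<n>.<ext> sentinel naming scheme, the sample library contents, the paths and the timestamps are all constructed assumptions.

```python
import hashlib
import os
import random
from dataclasses import dataclass, field

# Constructed stand-in for the preset sentinel sample library of step S10121:
# one canned body per extension (a deployment would hold realistic samples).
SAMPLE_LIBRARY = {
    "jpg": [b"\xff\xd8\xff\xe0 constructed jpg sentinel sample"],
    "docx": [b"PK\x03\x04 constructed docx sentinel sample"],
    "mp4": [b"\x00\x00\x00\x18ftypmp42 constructed mp4 sentinel sample"],
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Server:
    """Stores every target data file indiscriminately (S1013); it has no
    knowledge of which files are sentinels."""
    files: dict = field(default_factory=dict)  # path -> (content, mtime)

    def store(self, path: str, data: bytes, mtime: int) -> None:
        self.files[path] = (data, mtime)

    def report(self, now: int) -> dict:
        """S1021/S1022: status log for ALL files, stamped with the monitoring time."""
        return {"time": now,
                "files": {p: {"sha256": sha256(d), "mtime": m}
                          for p, (d, m) in self.files.items()}}


@dataclass
class Gateway:
    """The only component that knows the sentinels: it keeps the sentinel list."""
    server: Server
    ledger: dict = field(default_factory=dict)  # sentinel path -> {"sha256", "mtime"}

    def _provision_sentinel(self, ext: str, directory: str, now: int) -> str:
        """S10121: random same-type sample, named so it never clashes with a file
        already in the directory (assumed naming scheme s<n>.<ext>)."""
        body = random.choice(SAMPLE_LIBRARY[ext])
        n = 1
        while f"{directory}/s{n}.{ext}" in self.server.files:
            n += 1
        path = f"{directory}/s{n}.{ext}"
        self.server.store(path, body, now)
        self.ledger[path] = {"sha256": sha256(body), "mtime": now}
        return path

    def upload(self, user_files: dict, now: int) -> list:
        """S1011-S1013 with the Embodiment 1 policy: one sentinel per extension per batch."""
        seen = {}  # extension -> directory of the first real file carrying it
        for path, data in user_files.items():
            if path in self.ledger:
                del self.ledger[path]  # S105, overwrite variant: the real file wins
            self.server.store(path, data, now)
            seen.setdefault(path.rsplit(".", 1)[-1].lower(), os.path.dirname(path))
        return [self._provision_sentinel(ext, d, now) for ext, d in seen.items()]

    def user_view(self) -> tuple:
        """What the user terminal may see: sentinels are filtered out of the
        listing and out of the used-space figure."""
        visible = sorted(p for p in self.server.files if p not in self.ledger)
        return visible, sum(len(self.server.files[p][0]) for p in visible)

    def inspect(self, report: dict) -> list:
        """S1031-S1041: compare only ledger entries with the status log; alarm
        records take their attack time from the log."""
        alarms = []
        for path, expected in self.ledger.items():
            actual = report["files"].get(path)
            if actual is None:
                alarms.append({"path": path, "reason": "missing", "time": report["time"]})
            elif actual["sha256"] != expected["sha256"]:
                alarms.append({"path": path, "reason": "content changed",
                               "time": actual["mtime"]})
        return alarms


def demo() -> dict:
    """Embodiment 1 walk-through: a five-file batch, a later real file that collides
    with a sentinel name, a clean report, then a report after every file on the
    server has been overwritten (simulated tampering for the detector's benefit)."""
    random.seed(1)
    srv = Server()
    gw = Gateway(srv)
    batch = {f"/home/alice/{n}": b"real " + n.encode()
             for n in ("1.jpg", "2.docx", "3.docx", "4.mp4", "5.jpg")}
    sentinels = gw.upload(batch, now=100)
    gw.upload({"/home/alice/s1.jpg": b"real photo"}, now=200)  # S105 collision
    clean = gw.inspect(srv.report(now=700))
    for p, (d, _) in list(srv.files.items()):  # indiscriminate overwrite of all files
        srv.store(p, b"\x00" * len(d), 1250)
    return {"sentinels": sentinels, "ledger": sorted(gw.ledger),
            "visible": gw.user_view()[0], "clean_alarms": clean,
            "alarms": gw.inspect(srv.report(now=1300))}
```

Note that the gateway never iterates over the server's full report; it looks up only its ledger keys, which is the "can and only needs to" property of step 3) above.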

Embodiment 2:

A large Internet company provides a cloud drive service to the whole Internet; users can upload and download files from personal computers (desktops, laptops, etc.) or mobile terminals (phones, tablets, etc.) through a web browser or a dedicated client application. When users upload files, the corresponding service portal classifies and counts the files and then synthesizes corresponding sentinel files. For example, jpg, png, bmp, gif and so on are all classified as images, and every time the gateway observes 10 uploaded images (counted over time, regardless of whether they come from the same user or different users) it automatically generates 1 sentinel image (with a randomly chosen extension) and uploads it along with them. Similarly, docx, xlsx, pptx, pdf and so on are all classified as office documents, and every time the gateway observes 5 uploaded documents it automatically generates 1 sentinel document (with a randomly chosen extension) and uploads it along with them. All sentinel files (of any category) are registered by the gateway for identification. The server responsible for the actual file storage of the cloud drive reports file status to the gateway in real time. As soon as the gateway detects that a sentinel file has been modified, it raises an alarm. Since the gateway's intelligent behavior is completely invisible to users, the user experience in this embodiment is no different from that of existing mainstream cloud drives, that is, the present invention has no impact on users.

In the above process, the gateway's specific actions are, by way of example, as follows:

1) According to the preconfigured policy, the gateway classifies the files uploaded by users by extension (for example into text, images, office documents, web pages, audio, video, archives, and so on) and keeps a separate count for each category. The count here only tallies the number of files, regardless of which user a file comes from.

2) When the total number of files in a category grows to a multiple of that category's preset "step", the gateway generates and uploads 1 sentinel file according to the corresponding policy; this sentinel file can be stored in the same location (the same directory of the same user) as the last file uploaded when the multiple of the "step" was reached. For example, for every 10 images users upload, the gateway uses a large AI model to generate 1 sentinel image and uploads it. Similarly, for every 5 office documents users upload, the gateway randomly fetches 1 sentinel office document from the Internet and uploads it. The gateway maintains the sentinel file list and records their status information.

3) The storage server reports the status of all files to the gateway in real time, but the gateway only monitors the activity of the sentinel files (a small proportion, for example 1/10 for images and 1/5 for office documents). As soon as the gateway detects that a sentinel file has been modified for no known reason, it raises an alarm, for example by automatically dialing the on-call number of the company's security department or displaying the alarm on the situational awareness dashboard.
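Embodiment 2's step-count provisioning policy (steps 1) and 2) above), as an added Python illustration that is not part of the patent; the category table, the sentinel-<n> naming, the seeded random extension choice and the upload feed are constructed assumptions, and the class only decides where a sentinel goes, leaving content generation to a separate policy.

```python
import random
from collections import Counter

# Constructed category table after Embodiment 2: extensions grouped per category.
CATEGORIES = {
    "image": ("jpg", "png", "bmp", "gif"),
    "office": ("docx", "xlsx", "pptx", "pdf"),
}


def category_of(path: str):
    ext = path.rsplit(".", 1)[-1].lower()
    return next((c for c, exts in CATEGORIES.items() if ext in exts), None)


class StepCountProvisioner:
    """Counts uploads per category across all users and, each time a category's
    count reaches a multiple of its 'step', decides that one sentinel of that
    category goes into the directory of the upload that completed the step."""

    def __init__(self, steps: dict, seed: int = 0):
        self.steps = steps          # e.g. {"image": 10, "office": 5}
        self.counts = Counter()     # real uploads seen per category, all users pooled
        self.rng = random.Random(seed)
        self.ledger = []            # (category, sentinel path) registered by the gateway

    def observe_upload(self, path: str):
        """Return the sentinel path to create after this upload, or None."""
        cat = category_of(path)
        if cat is None or cat not in self.steps:
            return None             # uncounted categories get no sentinels
        self.counts[cat] += 1
        if self.counts[cat] % self.steps[cat]:
            return None
        ext = self.rng.choice(CATEGORIES[cat])   # extension chosen at random
        sentinel = f"{path.rsplit('/', 1)[0]}/sentinel-{len(self.ledger) + 1}.{ext}"
        self.ledger.append((cat, sentinel))
        return sentinel

    def sentinel_ratio(self, cat: str) -> float:
        """Sentinels per real upload in a category (1/10 for images, 1/5 for office)."""
        n = sum(1 for c, _ in self.ledger if c == cat)
        return n / self.counts[cat] if self.counts[cat] else 0.0


def simulate() -> dict:
    """Constructed feed: 20 images and 10 office documents from three users, plus
    three text files of an uncounted category."""
    prov = StepCountProvisioner({"image": 10, "office": 5})
    users = ("u1", "u2", "u3")
    created = []
    for i in range(1, 21):
        ext = CATEGORIES["image"][i % 4]
        s = prov.observe_upload(f"/drive/{users[(i - 1) % 3]}/photo{i}.{ext}")
        if s:
            created.append(s)
    for i in range(1, 11):
        ext = CATEGORIES["office"][i % 4]
        s = prov.observe_upload(f"/drive/{users[(i - 1) % 3]}/doc{i}.{ext}")
        if s:
            created.append(s)
    for i in range(3):
        assert prov.observe_upload(f"/drive/u1/note{i}.txt") is None
    return {"created": created, "ledger": prov.ledger,
            "image_ratio": prov.sentinel_ratio("image"),
            "office_ratio": prov.sentinel_ratio("office")}
```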

The method steps and specific embodiments of the present invention have been described above. It will be understood that the embodiments of the present invention create, through a gateway, sentinel files corresponding to real files and store the sentinel files together with the real files on the server, with the sentinel file list of the deployed sentinel files maintained only by the gateway, so that the user terminal cannot perceive the sentinel files and the server cannot distinguish real files from sentinel files. Thus, when the server suffers a ransomware attack or a data destruction attack, the sentinel files are changed by the attack, and the gateway can determine from the file status reported by the server whether a sentinel file has changed, and thereby whether the server has suffered a ransomware attack or a data destruction attack. This reduces the false negative and false positive rates of ransomware and data destruction attack detection, reduces operation and maintenance costs, and enhances network security.

Compared with the prior art, the embodiments of the present invention also have the following advantages:

1) Low false negative rate: the detection scheme of this embodiment fails only when every sentinel file "unluckily" escapes the ransomware attack. To this end, when conditions permit (for example, when the server has ample remaining storage space), the administrator can provision more sentinel files for a batch of newly created user files. "More" here can mean more in number of files or more in disk space occupied (so that they look more like real files).

2) Low false positive rate: since sentinel files are completely invisible to users, user operations cannot touch the sentinel files and therefore cannot cause false alarms.

3) Low operation and maintenance cost: this embodiment need not even modify the server's file storage driver (because the scheme does not hook the server's APIs and does not require the server to place decoys). The server only needs to report file status to the gateway, which is easily done with something like a scheduled task.

4) High applicability: this embodiment is also applicable, to a degree, to detecting other data destruction attacks.

FIG. 9 is a schematic structural diagram of the ransomware attack and data destruction attack detection system provided by an embodiment of the present invention. Referring to FIG. 9, an embodiment of the present invention provides a ransomware attack and data destruction attack detection system, comprising:

a sentinel file creation module, configured to obtain a plurality of first real files created by the user terminal, create first sentinel files corresponding to the first real files through the gateway, and store the first real files and the first sentinel files on the server as target data files;

a file status reporting module, configured to monitor the file status of each target data file through the server and report the file status to the gateway;

a file status determination module, configured to determine, through the gateway and according to the file status, whether the first sentinel file has changed;

an alarm information generation module, configured to determine, when the first sentinel file has changed, that the server has suffered a ransomware attack or a data destruction attack, and to generate alarm information;

The sentinel file list for the first sentinel files is maintained by the gateway, so that the user terminal cannot perceive the first sentinel files and the server cannot distinguish the first real files from the first sentinel files among the target data files.

The contents of the above method embodiments all apply to the present system embodiment; the functions specifically implemented by the present system embodiment are the same as those of the above method embodiments, and the beneficial effects achieved are likewise the same.

本发明实施例还提供了一种电子设备,电子设备包括:存储器、处理器、存储在存储器上并可在处理器上运行的程序以及用于实现处理器和存储器之间的连接通信的数据总线,程序被处理器执行时实现上述勒索攻击和数据破坏攻击检测方法。该电子设备可以为包括平板电脑、车载电脑等任意智能终端。The embodiment of the present invention also provides an electronic device, which includes: a memory, a processor, a program stored in the memory and executable on the processor, and a data bus for realizing connection and communication between the processor and the memory, and the program is executed by the processor to realize the above-mentioned ransomware attack and data destruction attack detection method. The electronic device can be any intelligent terminal including a tablet computer, a car computer, etc.

如图10所示为本发明实施例提供的电子设备的硬件结构示意图,参照图9,本发明实施例提供了一种电子设备,包括:FIG10 is a schematic diagram of the hardware structure of an electronic device provided by an embodiment of the present invention. Referring to FIG9 , an electronic device is provided by an embodiment of the present invention, including:

处理器1001,可以采用通用的CPU(Central Processing Unit,中央处理器)、微处理器、应用专用集成电路(Application Specific Integrated Circuit,ASIC)、或者一个或多个集成电路等方式实现,用于执行相关程序,以实现本发明实施例所提供的技术方案;The processor 1001 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits, and is used to execute relevant programs to implement the technical solutions provided in the embodiments of the present invention.

存储器1002,可以采用只读存储器(Read Only Memory,ROM)、静态存储设备、动态存储设备或者随机存取存储器(Random Access Memory,RAM)等形式实现。存储器1002可以存储操作系统和其他应用程序,在通过软件或者固件来实现本说明书实施例所提供的技术方案时,相关的程序代码保存在存储器1002中,并由处理器1001来调用执行本发明实施例的勒索攻击和数据破坏攻击检测方法;The memory 1002 can be implemented in the form of a read-only memory (ROM), a static storage device, a dynamic storage device, or a random access memory (RAM). The memory 1002 can store an operating system and other application programs. When the technical solution provided in the embodiment of this specification is implemented by software or firmware, the relevant program code is stored in the memory 1002, and the processor 1001 calls and executes the ransomware attack and data destruction attack detection method of the embodiment of the present invention;

输入/输出接口1003,用于实现信息输入及输出;Input/output interface 1003, used to implement information input and output;

通信接口1004,用于实现本设备与其他设备的通信交互,可以通过有线方式(例如USB、网线等)实现通信,也可以通过无线方式(例如移动网络、WIFI、蓝牙等)实现通信;The communication interface 1004 is used to realize the communication interaction between the device and other devices. The communication can be realized through a wired manner (such as USB, network cable, etc.) or a wireless manner (such as mobile network, WIFI, Bluetooth, etc.);

总线1005,在设备的各个组件(例如处理器1001、存储器1002、输入/输出接口1003和通信接口1004)之间传输信息;A bus 1005 , which transmits information between various components of the device (e.g., the processor 1001 , the memory 1002 , the input/output interface 1003 , and the communication interface 1004 );

其中处理器1001、存储器1002、输入/输出接口1003和通信接口1004通过总线1005实现彼此之间在设备内部的通信连接。The processor 1001 , the memory 1002 , the input/output interface 1003 and the communication interface 1004 are connected to each other in communication within the device via the bus 1005 .

Figure 11 is a schematic structural diagram of the storage medium provided by an embodiment of the present invention. Referring to Figure 11, an embodiment of the present invention further provides a storage medium, which is a computer-readable storage medium for computer-readable storage. The storage medium stores one or more programs 1101, which can be executed by one or more processors to implement the ransomware attack and data destruction attack detection method described above.

As a non-transitory computer-readable storage medium, the memory can be used to store non-transitory software programs and non-transitory computer-executable programs. The memory may include high-speed random access memory and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some embodiments, the memory may optionally include memory located remotely from the processor, and such remote memory may be connected to the processor over a network. Examples of such networks include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.

An embodiment of the present invention further discloses a computer program product or computer program comprising computer instructions stored in a computer-readable storage medium. A processor of a computer device can read the computer instructions from the computer-readable storage medium and execute them, causing the computer device to perform the method shown in Figure 1.

In some alternative embodiments, the functions/operations shown in the block diagrams may occur out of the order shown in the operational diagrams. For example, depending on the functions/operations involved, two blocks shown in succession may in fact be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order. In addition, the embodiments presented and described in the flowcharts of the present invention are provided by way of example in order to give a more complete understanding of the technology. The disclosed methods are not limited to the operations and logic flow presented herein. Alternative embodiments are contemplated in which the order of the various operations is changed and in which sub-operations described as part of a larger operation are performed independently.

Furthermore, although the present invention is described in the context of functional modules, it should be understood that, unless stated otherwise, one or more of the functions and/or features described above may be integrated into a single physical device and/or software module, or one or more functions and/or features may be implemented in separate physical devices or software modules. It should also be understood that a detailed discussion of the actual implementation of each module is not necessary for an understanding of the present invention. Rather, given the properties, functions and internal relationships of the various functional modules in the apparatus disclosed herein, the actual implementation of the modules will be within the routine skill of an engineer. Accordingly, a person skilled in the art can implement the invention set forth in the claims using ordinary skill without undue experimentation. It should further be understood that the specific concepts disclosed are merely illustrative and are not intended to limit the scope of the present invention, which is determined by the full scope of the appended claims and their equivalents.

If the above functions are implemented in the form of software functional units and sold or used as stand-alone products, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, or the part that contributes over the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and comprises a number of instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods of the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc, or any other medium capable of storing program code.

The logic and/or steps represented in the flowcharts or otherwise described herein may, for example, be regarded as an ordered list of executable instructions for implementing logical functions, and may be embodied in any computer-readable medium for use by, or in connection with, an instruction execution system, apparatus or device (such as a computer-based system, a system including a processor, or another system capable of fetching instructions from an instruction execution system, apparatus or device and executing them). For the purposes of this specification, a "computer-readable medium" may be any apparatus that can contain, store, communicate, propagate or transport a program for use by, or in connection with, an instruction execution system, apparatus or device.

More specific examples (a non-exhaustive list) of computer-readable media include: an electrical connection having one or more wires (an electronic device), a portable computer diskette (a magnetic device), random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM) or flash memory, an optical fibre device, and a portable compact disc read-only memory (CD-ROM). The computer-readable medium may even be paper or another suitable medium on which the program is printed, since the program can be captured electronically, for example by optically scanning the paper or other medium and then editing, interpreting or otherwise processing it as necessary, and then stored in computer memory.

It should be understood that the various parts of the present invention may be implemented in hardware, software, firmware or a combination thereof. In the embodiments above, multiple steps or methods may be implemented by software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented using any of the following technologies known in the art, or a combination thereof: a discrete logic circuit having logic gates for implementing logic functions on data signals, an application-specific integrated circuit having suitable combinational logic gates, a programmable gate array (PGA), a field-programmable gate array (FPGA), and so on.

In the description above, reference to the terms "one embodiment/example", "another embodiment/example", "some embodiments/examples" and the like means that a particular feature, structure, material or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic references to these terms do not necessarily refer to the same embodiment or example. Moreover, the particular features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.

Although embodiments of the present invention have been shown and described, those of ordinary skill in the art will understand that various changes, modifications, substitutions and variations can be made to these embodiments without departing from the principles and spirit of the present invention; the scope of the present invention is defined by the claims and their equivalents.

The preferred embodiments of the present invention have been described in detail above, but the present invention is not limited to those embodiments. Those skilled in the art may make various equivalent modifications or substitutions without departing from the spirit of the present invention, and all such equivalent modifications or substitutions fall within the scope defined by the claims of this application.

Claims (10)

1. A method for detecting ransomware attacks and data destruction attacks, characterized in that it comprises the following steps:
   acquiring a number of first real files created by a user end, creating through a gateway first sentinel files corresponding to the first real files, and storing the first real files and the first sentinel files as target data files on a server;
   monitoring, through the server, the file status of each target data file and reporting the file status to the gateway;
   determining, through the gateway and according to the file status, whether the first sentinel file has changed;
   when the first sentinel file has changed, determining that the server has suffered a ransomware attack or a data destruction attack, and generating alarm information;
   wherein the sentinel file list for the first sentinel files is maintained by the gateway, so that the user end cannot perceive the first sentinel files and the server cannot distinguish the first real files from the first sentinel files among the target data files.

2. The method for detecting ransomware attacks and data destruction attacks according to claim 1, characterized in that the step of acquiring a number of first real files created by the user end, creating through the gateway the first sentinel files corresponding to the first real files, and storing the first real files and the first sentinel files as target data files on the server specifically comprises:
   in response to a file creation operation at the user end, acquiring through the gateway the first real files created by the user end;
   detecting through the gateway the file attributes of the first real file, generating the first sentinel file corresponding to the first real file according to the file attributes and a preset sentinel file provisioning policy, and adding the file information of the first sentinel file to the sentinel file list;
   sending through the gateway the first real file and the first sentinel file to the server as the target data files, so that the server stores the target data files;
   wherein the file attributes include the file type and the file path.

3. The method for detecting ransomware attacks and data destruction attacks according to claim 2, characterized in that the step of generating the first sentinel file corresponding to the first real file according to the file attributes and the preset sentinel file provisioning policy specifically is:
   randomly selecting, according to the file type, one sentinel file sample of the same type from a preset sentinel file sample library, using that sentinel file sample as the first sentinel file, and determining the storage location of the first sentinel file according to the file path;
   or,
   obtaining a fill template corresponding to the file type, filling the template with specific content to obtain the first sentinel file, and determining the storage location of the first sentinel file according to the file path.

4. The method for detecting ransomware attacks and data destruction attacks according to claim 1, characterized in that the step of monitoring, through the server, the file status of each target data file and reporting the file status to the gateway specifically comprises:
   monitoring through the server, in real time or at fixed intervals, the file status of each target data file;
   generating a file status log from the file status and the monitoring time, and reporting the file status log to the gateway.

5. The method for detecting ransomware attacks and data destruction attacks according to claim 4, characterized in that the step of determining, through the gateway and according to the file status, whether the first sentinel file has changed specifically comprises:
   determining through the gateway the file status of the first sentinel file according to the sentinel file list and the file status log;
   determining whether the first sentinel file has changed according to the file status so determined.

6. The method for detecting ransomware attacks and data destruction attacks according to claim 4, characterized in that the step of determining, when the first sentinel file has changed, that the server has suffered a ransomware attack or a data destruction attack and generating alarm information specifically comprises:
   when it is determined that the first sentinel file has changed, determining that the server has suffered a ransomware attack or a data destruction attack, and determining the attack occurrence time from the corresponding information in the file status log;
   generating alarm information according to the attack occurrence time and sending the alarm information to an administrator.

7. The method for detecting ransomware attacks and data destruction attacks according to any one of claims 1 to 6, characterized in that the method further comprises the following step:
   when the gateway detects that a second real file newly created by the user end has the same file path and file name as a second sentinel file already stored on the server, renaming the second sentinel file and updating the sentinel file list according to the renamed second sentinel file, or overwriting the second sentinel file with the second real file and removing the file information of the second sentinel file from the sentinel file list.

8. A system for detecting ransomware attacks and data destruction attacks, characterized in that it comprises:
   a sentinel file creation module, for acquiring a number of first real files created by a user end, creating through a gateway first sentinel files corresponding to the first real files, and storing the first real files and the first sentinel files as target data files on a server;
   a file status reporting module, for monitoring through the server the file status of each target data file and reporting the file status to the gateway;
   a file status judgement module, for determining through the gateway, according to the file status, whether the first sentinel file has changed;
   an alarm information generation module, for determining, when the first sentinel file has changed, that the server has suffered a ransomware attack or a data destruction attack, and generating alarm information;
   wherein the sentinel file list for the first sentinel files is maintained by the gateway, so that the user end cannot perceive the first sentinel files and the server cannot distinguish the first real files from the first sentinel files among the target data files.

9. An electronic device, characterized in that it comprises a memory, a processor, a program stored in the memory and executable on the processor, and a data bus providing connection and communication between the processor and the memory, wherein the program, when executed by the processor, implements the steps of the method for detecting ransomware attacks and data destruction attacks according to any one of claims 1 to 7.

10. A storage medium, the storage medium being a computer-readable storage medium for computer-readable storage, characterized in that the storage medium stores one or more programs, and the one or more programs can be executed by one or more processors to implement the steps of the method for detecting ransomware attacks and data destruction attacks according to any one of claims 1 to 7.
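The flow the claims describe, as an added example in Python that is not part of the patent or the applicant's code. It models the three parties (user end, gateway, server) in one process, with a temporary directory standing in for the server's storage. Everything beyond the claims is an assumption made for the example: the "file status" is a SHA-256 digest per file, the sentinel naming policy ("<stem>_<n><ext>" in the same directory) and the sample library are invented, and the "attacker" is a few lines that rewrite or delete files. It exercises claims 2 through 7: sentinel creation from a sample library or a filled template, a timestamped status log, change detection driven only by the gateway's sentinel list, the attack time taken from the log, and the rename branch of claim 7 when the user creates a file at a path a sentinel already occupies.

```python
# Added illustration of the sentinel-file detection flow in the claims; this is not the
# patent holder's code. Assumed here, not stated in the patent: SHA-256 digests as the
# "file status", a "<stem>_<n><ext>" sentinel naming policy, and the sample library below.
import hashlib
import os
import random
import tempfile
from dataclasses import dataclass, field

SAMPLE_LIBRARY = {  # constructed sentinel samples keyed by file type (claim 3, first branch)
    ".docx": [b"Quarterly report draft\n", b"Meeting minutes, see attached\n"],
    ".csv": [b"id,amount\n1,100\n2,250\n", b"sku,qty\n7,3\n"],
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sentinel_content(ext: str) -> bytes:
    """Claim 3: a random same-type sample, else a template filled for this type."""
    samples = SAMPLE_LIBRARY.get(ext)
    return random.choice(samples) if samples else f"placeholder {ext or 'file'}\n".encode()


@dataclass
class Server:
    """Stores target data files; it never learns which of them are sentinels (claim 1)."""
    root: str

    def write(self, rel: str, data: bytes) -> None:
        full = os.path.join(self.root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

    def status_log(self, now: int) -> list[dict]:
        """Claim 4: one entry per file still present, stamped with the monitoring time."""
        log = []
        for full in [os.path.join(d, n) for d, _, ns in os.walk(self.root) for n in ns]:
            with open(full, "rb") as f:
                log.append({"time": now, "path": os.path.relpath(full, self.root),
                            "digest": sha256(f.read())})
        return log


@dataclass
class Gateway:
    """Creates sentinels, alone holds the sentinel list, and evaluates status logs."""
    server: Server
    sentinel_list: dict = field(default_factory=dict)  # sentinel path -> baseline digest
    _seq: int = 0

    def _sentinel_name(self, rel: str) -> str:
        """Assumed policy: same directory and type as the real file, unique numeric suffix."""
        stem, ext = os.path.splitext(os.path.basename(rel))
        while True:
            self._seq += 1
            cand = os.path.join(os.path.dirname(rel), f"{stem}_{self._seq}{ext}")
            if not os.path.exists(os.path.join(self.server.root, cand)):
                return cand

    def on_user_create(self, rel: str, data: bytes) -> str:
        """Claims 2 and 7: store the real file, then plant a same-type sentinel beside it."""
        if rel in self.sentinel_list:  # claim 7: the new real file collides with a sentinel
            new_rel = self._sentinel_name(rel)
            os.replace(os.path.join(self.server.root, rel),
                       os.path.join(self.server.root, new_rel))
            self.sentinel_list[new_rel] = self.sentinel_list.pop(rel)
        self.server.write(rel, data)
        s_rel = self._sentinel_name(rel)
        s_data = sentinel_content(os.path.splitext(rel)[1])
        self.server.write(s_rel, s_data)
        self.sentinel_list[s_rel] = sha256(s_data)
        return s_rel  # recorded only here; the user end never sees it

    def check(self, log: list[dict]) -> list[dict]:
        """Claims 5 and 6: changed digest = tampering/encryption, missing entry = deletion;
        the attack time is taken from the log, not from the gateway's own clock."""
        by_path = {e["path"]: e for e in log}
        log_time = max((e["time"] for e in log), default=None)
        alarms = []
        for rel, baseline in self.sentinel_list.items():
            entry = by_path.get(rel)
            if entry is None:
                alarms.append({"file": rel, "event": "deleted", "time": log_time})
            elif entry["digest"] != baseline:
                alarms.append({"file": rel, "event": "modified", "time": entry["time"]})
        return alarms


def demo() -> tuple[list, list, list]:
    """Clean monitoring pass, then a simulated ransomware/wiper pass, on constructed files."""
    server = Server(tempfile.mkdtemp())
    gw = Gateway(server)
    s1 = gw.on_user_create("finance/q1.docx", b"real Q1 report")
    gw.on_user_create("hr/staff.csv", b"name,role\nann,cto\n")
    gw.on_user_create(s1, b"user happened to pick a sentinel's name")  # exercises claim 7
    clean = gw.check(server.status_log(now=100))
    for full in [os.path.join(d, n) for d, _, ns in os.walk(server.root) for n in ns]:
        if full.endswith(".csv"):
            os.remove(full)  # simulated wiper: destroys data
        else:
            with open(full, "wb") as f:
                f.write(b"\x00ENCRYPTED")  # simulated ransomware: rewrites in place
    attacked = gw.check(server.status_log(now=200))
    return clean, attacked, sorted(gw.sentinel_list)
```

Running `demo()` gives an empty alarm list for the clean pass and three alarms after the simulated attack: the two .docx sentinels report as modified and the .csv sentinel as deleted, each stamped with the log time of the pass that caught it. Two points a practitioner would check against a real deployment: because only the gateway holds the sentinel list, neither a compromised client nor the server itself can single out the sentinels, but the monitoring interval of claim 4 bounds how long an in-place encryptor runs before the first alarm, so it detects rather than prevents; and the rename branch of claim 7 must update the list atomically with the rename, otherwise a real file written at a sentinel's old path would itself trigger an alarm on the next pass.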
CN202410619902.7A 2024-05-17 2024-05-17 Ransomware attack and data destruction attack detection method, system, device and medium Pending CN118400165A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410619902.7A CN118400165A (en) 2024-05-17 2024-05-17 Ransomware attack and data destruction attack detection method, system, device and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410619902.7A CN118400165A (en) 2024-05-17 2024-05-17 Ransomware attack and data destruction attack detection method, system, device and medium

Publications (1)

Publication Number Publication Date
CN118400165A true CN118400165A (en) 2024-07-26

Family

ID=91992216

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410619902.7A Pending CN118400165A (en) 2024-05-17 2024-05-17 Ransomware attack and data destruction attack detection method, system, device and medium

Country Status (1)

Country Link
CN (1) CN118400165A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination