
CN119106419A - Ransomware detection method, distributed system and computer-readable storage medium - Google Patents


Info

Publication number
CN119106419A
Authority
CN
China
Prior art keywords
backup data
data
signature
hash value
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311405723.5A
Other languages
Chinese (zh)
Inventor
欧锻灏
霍正聃
王伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Cloud Computing Technologies Co Ltd
Original Assignee
Huawei Cloud Computing Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Cloud Computing Technologies Co Ltd
Priority to PCT/CN2024/078473 (WO2024250745A1)
Publication of CN119106419A
Legal status: Pending (current)


Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14 Error detection or correction of the data by redundancy in operation
    • G06F11/1402 Saving, restoring, recovering or retrying
    • G06F11/1446 Point-in-time backing up or restoration of persistent data
    • G06F11/1448 Management of the data involved in backup or backup restore
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/561 Virus type analysis
    • G06F21/562 Static detection
    • G06F21/564 Static detection by virus signature recognition
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Bioethics (AREA)
  • Quality & Reliability (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The present application provides a ransomware detection method and related equipment. The method is applied to a backup detection system that performs ransomware detection on backup data held in a backup storage system, the backup data being a backup of business data. The method includes: obtaining the backup data; performing ransomware detection on it; obtaining, based on a private key, a signature over the target backup data and its tag information, where the tag information indicates that the target backup data has passed ransomware detection; and sending the target backup data, the tag information and the signature to an isolated storage system. The isolated storage system verifies the signature with the public key that forms a matching key pair with the private key and stores the target backup data only after verification succeeds. Because the backup detection system signs the backup data, the isolated storage system can be sure that the backup data it stores after signature verification has not been attacked by ransomware, and the business system can likewise verify the signature before using that data for recovery.

Description

Ransomware detection method, distributed system and computer-readable storage medium
The present application claims priority to Chinese patent application No. 202310678119.3, entitled "method, apparatus and other devices for detecting viruses", filed with the China National Intellectual Property Administration on June 8, 2023, which is incorporated herein by reference in its entirety.
Technical Field
The present application relates to the field of security technologies, and in particular to a ransomware detection method, a distributed system, and a computer-readable storage medium.
Background
Ransomware, also called a ransomware virus, is a kind of malicious software. Encrypting ransomware in particular hijacks the victim's data by encrypting files and demands a high ransom from the victim to recover the data.
Defence against ransomware attacks consists of quickly detecting and backing up the service data of the service system into a backup storage system and, when the service data in the service system is attacked and contaminated by ransomware, restoring it from the backup copy held in the backup storage system. However, once the backup copy itself has been encrypted and contaminated by ransomware, the service data cannot be recovered and service continuity is affected. Therefore the backup data in the backup storage system must itself be checked for ransomware, and only after it is confirmed free of ransomware is it transferred to a secure isolated storage system. Even so, the backup data may be contaminated by ransomware while it is being transferred to the isolated storage system, or while it is being transferred back to the service system for data recovery, which can cause recovery of the service data to fail.
Disclosure of Invention
The application provides a method, an apparatus and other equipment for ransomware detection that, on the basis of signature verification, ensure that backup data free of ransomware is stored in an isolated storage system, so that it can be used for data recovery by the service system and service continuity is maintained.
In a first aspect, a ransomware detection method is provided. The method is applied to a backup detection system, which performs ransomware detection on backup data in a backup storage system, the backup data being a backup of service data. The backup detection system obtains the backup data and performs ransomware detection on it; obtains, based on a private key, a signature over the target backup data and the tag information of the target backup data, where the tag information indicates that the target backup data has passed ransomware detection; and sends the target backup data, the tag information and the signature to the isolated storage system. The signature is used by the isolated storage system for verification based on a public key, and the target backup data is stored after verification succeeds; the public key and the private key form a matching key pair.
In this embodiment, the backup detection system performs ransomware detection on the backup data stored in the backup storage system. To protect the backup data in the backup storage system from ransomware, in addition to the backup storage system an independent, physically isolated area may be established, and target backup data that has passed detection is stored in that isolated storage system. After detection, the backup detection system signs the target backup data that passed with a signing private key, and the isolated storage system verifies the signature with a locally preset public key before storing the target backup data. This ensures that the backup data stored in the isolated storage system has not been attacked by ransomware, so that it can be used for data recovery of the service system and service continuity is ensured.
In some possible implementations, the backup detection system obtaining the signature over the target backup data and its tag information based on the private key includes the backup detection system calculating a first hash value of the target backup data and its tag information.
In this implementation, before signing the target backup data and the tag information with the private key, the backup detection system calculates the first hash value of the target backup data and its tag information and then sends only the first hash value to the key management system to be signed with the private key, which reduces network bandwidth and transmission cost.
In some possible implementations, after calculating the first hash value of the target backup data and the tag information, the backup detection system sends the first hash value to a key management system, which signs the first hash value based on the private key and returns the signature to the backup detection system.
In this implementation, the backup detection system sends the first hash value to the key management system, and the key management system generates, with a digital signature algorithm, a private key and a public key for signing and signature verification; the private key is used to sign the target backup data and the tag information, and the public key is used to verify the signature.
In some possible implementations, after calculating the first hash value of the target backup data and the tag information, the backup detection system obtains the private key from the key management system and signs the first hash value with it itself.
In this implementation, after calculating the first hash value of the target backup data and the tag information, the backup detection system may send a key acquisition request to the key management system. The key management system may generate the private key and public key for signing and verification, or may pass to the backup detection system a private key that the user generated with a local trusted encryption device and imported through the configuration interface or application programming interface (API) of the key management system.
In some possible implementations, the signature is used by the isolated storage system as follows: the isolated storage system calculates a second hash value from the target backup data and the tag information, and stores the target backup data when the second hash value is the same as the first hash value obtained by verifying the signature with the public key.
In this implementation, before storing the target backup data, the isolated storage system verifies the target backup data and the signature with the public key, in order to check whether the target backup data was attacked by ransomware while in transit from the backup detection system to the isolated storage system. Only after the public-key verification succeeds, that is, after the target backup data is determined not to have been attacked by ransomware, is the target backup data stored in the isolated storage system; when the service data of the service system is later attacked by ransomware, the target backup data stored in the isolated storage system can be used to restore it. With this signature-verified ransomware detection method, the backup data stored in the isolated storage system can be guaranteed not to have been attacked by ransomware.
In some possible implementations, the private key is generated by the key management system, or the private key is imported into the key management system by the user.
In this implementation, the key management system uses a digital signature algorithm to generate a private key and a public key for signing and signature verification, where the private key is used to sign the target backup data and the tag information and the public key is used to verify the signature. Alternatively, the user generates the private key and public key with a local trusted encryption device and imports them through the configuration interface or API of the key management system; again the private key is used to sign the target backup data and the tag information and the public key is used to verify the signature.
In a second aspect, a ransomware detection method is provided that is applied to an isolated storage system and includes the following steps. The isolated storage system receives target backup data, the tag information of the target backup data and a signature over the target backup data, where the tag information indicates that the target backup data has passed the ransomware detection of a backup detection system and the signature was produced by the backup detection system by signing the target backup data and the tag information with a private key. The isolated storage system verifies the signature with a public key that forms a matching key pair with the private key, and if verification succeeds it stores the target backup data. The isolated storage system then receives a recovery request from a service system asking for the target backup data, and in response sends the target backup data, the tag information and the signature to the service system; the service system verifies the signature with the public key and, after verification succeeds, uses the target backup data for data recovery.
In this embodiment, to protect the backup data in the backup storage system from ransomware attack, in addition to the backup storage system a separate, physically isolated area may be established to store backup data. The isolated storage system receives from the backup detection system the target backup data, found by ransomware detection to be free of attack, together with its signature. Before storing the target backup data, the isolated storage system verifies the target backup data and signature with the public key, and only data that passes is stored in the isolated storage system; when the business data of the business system is attacked by ransomware, the target backup data can be used to restore it. Before the service system uses the target backup data for recovery, it likewise verifies the target backup data and signature with the public key and confirms that the target backup data has not been attacked by ransomware, which ensures that the service data is restored successfully.
In some possible implementations, the isolated storage system verifying the signature with the public key includes the isolated storage system calculating a first hash value of the target backup data and the tag information.
In this implementation, the isolated storage system, located in a physically isolated area and disconnected from the internet, calculates the first hash value of the target backup data and the tag information.
In some possible implementations, after the isolated storage system calculates the first hash value of the target backup data and the tag information, it compares a second hash value, obtained by verifying the signature with the public key, with the first hash value.
In this implementation, the isolated storage system verifies the signature sent by the backup detection system with the public key to obtain a second hash value, where the public key and the private key used by the backup detection system for signing are a matching key pair, and compares it with the first hash value. When the first and second hash values are the same, the target backup data was not destroyed or tampered with on its way from the backup detection system to the isolated storage system, that is, it was not attacked by ransomware, and verification succeeds. When they differ, the target backup data may have been destroyed or tampered with, that is, attacked by ransomware, and verification fails.
In some possible implementations, the isolated storage system storing the target backup data if verification succeeds includes storing the target backup data if the second hash value is the same as the first hash value.
In this implementation, after the isolated storage system's public-key verification succeeds, that is, the target backup data has not been attacked by ransomware, the target backup data is stored in the isolated storage system, and when the service data of the service system is attacked by ransomware, the target backup data stored in the isolated storage system can be used to recover it.
In some possible implementations, the signature is used by the service system as follows: the target backup data is used for data recovery when the second hash value, obtained by the service system verifying the signature with the public key, is the same as a third hash value calculated from the target backup data and the tag information.
In this implementation, the service system receives the target backup data, the tag information and the signature sent by the isolated storage system and, before recovering data from the target backup data, verifies the target backup data and signature with the public key, in order to check whether the target backup data was attacked by ransomware while in transit from the isolated storage system to the service system. The public key and the private key used by the backup detection system for signing are a matching key pair generated with the same signature algorithm. Only after the public-key verification succeeds, that is, after the target backup data is determined not to have been attacked by ransomware, is the target backup data used for data recovery.
In some possible implementations, the private key is generated by the key management system, or the private key is imported into the key management system by the user.
In this implementation, the key management system uses a digital signature algorithm to generate a private key and a public key for signing and signature verification, where the private key is used to sign the target backup data and the tag information and the public key is used to verify the signature. Alternatively, the user generates the private key and public key with a local trusted encryption device and imports them through the configuration interface or API of the key management system; again the private key is used to sign the target backup data and the tag information and the public key is used to verify the signature.
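The signing and verification exchange described in the first and second aspects above, written out as an added example that is not part of the patent: the backup detection system hashes the target backup data together with its tag information, a stand-in KMS signs only that hash with the private key, and the isolated storage system (and, on restore, the service system) recomputes the hash and verifies the signature with the public key before accepting the data. The patent names RSA, DSA and ECDSA without choosing one, so ECDSA over P-256 is an assumption here; the detection step itself is not specified and arrives as a detectionPassed input; SignedBackup, DigestOf, KeyManagement, DetectAndSign, Verify and IsolatedStore are names chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SignedBackup is what the backup detection system sends to the isolated storage
// system and what that system later returns to the service system on a recovery request.
type SignedBackup struct {
	Data      []byte
	Tag       string // tag information, e.g. "ransomware-detection:passed"
	Signature []byte // ASN.1 DER ECDSA signature over DigestOf(Data, Tag)
}

// DigestOf is the hash value of the target backup data together with its tag
// information; length prefixes keep the (data, tag) boundary unambiguous.
func DigestOf(data []byte, tag string) []byte {
	h := sha256.New()
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(data)))
	h.Write(n[:])
	h.Write(data)
	binary.BigEndian.PutUint64(n[:], uint64(len(tag)))
	h.Write(n[:])
	h.Write([]byte(tag))
	return h.Sum(nil)
}

// KeyManagement stands in for the KMS: it keeps the private key and signs a hash
// value on request, so the detector ships only the first hash value, never the key.
type KeyManagement struct{ priv *ecdsa.PrivateKey }

func NewKeyManagement() (*KeyManagement, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // curve is an assumption
	if err != nil {
		return nil, err
	}
	return &KeyManagement{priv: priv}, nil
}

// SignHash signs an already computed hash value with the private key.
func (k *KeyManagement) SignHash(hash []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, k.priv, hash)
}

// PublicKey is the verification key provisioned out of band to the verifiers.
func (k *KeyManagement) PublicKey() *ecdsa.PublicKey { return &k.priv.PublicKey }

// DetectAndSign models the backup detection system. The patent does not specify the
// detection itself, so its outcome arrives as detectionPassed; only passed data is signed.
func DetectAndSign(kms *KeyManagement, data []byte, detectionPassed bool) (*SignedBackup, error) {
	if !detectionPassed {
		return nil, errors.New("backup data did not pass ransomware detection; not signed")
	}
	tag := "ransomware-detection:passed"
	sig, err := kms.SignHash(DigestOf(data, tag))
	if err != nil {
		return nil, err
	}
	return &SignedBackup{Data: data, Tag: tag, Signature: sig}, nil
}

// Verify is the check run by the isolated storage system before storing and by the
// service system before restoring: recompute the hash of (data, tag) and verify the
// signature against it. For ECDSA that verification is the hash comparison itself.
func Verify(pub *ecdsa.PublicKey, b *SignedBackup) bool {
	return ecdsa.VerifyASN1(pub, DigestOf(b.Data, b.Tag), b.Signature)
}

// IsolatedStore admits a backup only if its signature verifies.
type IsolatedStore struct {
	pub   *ecdsa.PublicKey
	items []*SignedBackup
}

func (s *IsolatedStore) Store(b *SignedBackup) error {
	if !Verify(s.pub, b) {
		return errors.New("signature verification failed; backup rejected")
	}
	s.items = append(s.items, b)
	return nil
}

func (s *IsolatedStore) Count() int { return len(s.items) }

func main() {
	kms, _ := NewKeyManagement()
	good, _ := DetectAndSign(kms, []byte("constructed backup payload"), true)
	store := &IsolatedStore{pub: kms.PublicKey()}
	fmt.Println("clean backup:", store.Store(good))
	tampered := *good // same tag and signature, one data byte changed in transit
	tampered.Data = append([]byte{good.Data[0] ^ 0xff}, good.Data[1:]...)
	fmt.Println("tampered backup:", store.Store(&tampered))
}
```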
In a third aspect, a ransomware detection apparatus is provided. The apparatus is applied to a backup detection system that performs ransomware detection on backup data in a backup storage system, the backup data being a backup of service data. The apparatus comprises an acquisition module, a processing module and a sending module. The acquisition module is used to acquire backup data; the processing module is used to perform ransomware detection on the backup data; the acquisition module is further used to acquire, based on a private key, a signature over target backup data and the tag information of the target backup data, where the tag information indicates that the target backup data has passed ransomware detection; and the sending module is used to send the target backup data, the tag information and the signature to an isolated storage system, where the signature is used by the isolated storage system for verification based on a public key and the target backup data is stored after verification succeeds, the public key forming a matching key pair with the private key.
In a fourth aspect, a ransomware detection apparatus applied to an isolated storage system is provided. The apparatus comprises a receiving module, a processing module and a recovery module. The receiving module is used to receive target backup data, the tag information of the target backup data and a signature over the target backup data, where the tag information indicates that the target backup data has passed the ransomware detection of a backup detection system and the signature was produced by the backup detection system by signing the target backup data and the tag information with a private key. The processing module is used to verify the signature with a public key that forms a matching key pair with the private key, and to store the target backup data if verification succeeds. The receiving module is further used to receive a recovery request from a service system asking for the target backup data, and the processing module is further used to send the target backup data, the tag information and the signature to the service system according to the recovery request, where the signature is used by the service system for verification with the public key and, after verification succeeds, the target backup data is used for data recovery.
For the technical principles and advantages of the third and fourth aspects, reference may be made to the foregoing descriptions of the first and second aspects; details are not repeated here.
In a fifth aspect, the present application provides a cluster of computing devices, comprising at least one computing device, each computing device comprising a processor and a memory, the processor of the at least one computing device being operable to execute instructions stored in the memory of the at least one computing device to cause the cluster of computing devices to perform the method of any one of the implementations of the first aspect or the first aspect.
In a sixth aspect, the present application provides a cluster of computing devices, comprising at least one computing device, each computing device comprising a processor and a memory, the processor of the at least one computing device being configured to execute instructions stored in the memory of the at least one computing device, such that the cluster of computing devices performs the method of any one of the implementations of the second aspect or the second aspect described above.
In a seventh aspect, the present application provides a computer program product comprising instructions which, when executed by a cluster of computer devices, cause the cluster of computer devices to perform the method of any one of the implementations of the first aspect or the first aspect.
In an eighth aspect, the application provides a computer program product comprising instructions which, when executed by a cluster of computing devices, cause the cluster of computing devices to perform the method of the second aspect or any one of the implementations of the second aspect described above.
In a ninth aspect, the present application provides a computer readable storage medium comprising computer program instructions which, when executed by a cluster of computing devices, perform the method of any one of the implementations of the first aspect or the first aspect described above.
In a tenth aspect, the present application provides a computer readable storage medium comprising computer program instructions which, when executed by a cluster of computing devices, perform the method of any one of the implementations of the first aspect or the first aspect described above.
Drawings
To describe the embodiments of the present application or the technical solutions of the background art more clearly, the drawings used in the embodiments or in the background art are described below.
Fig. 1 is a schematic diagram of the architecture of a ransomware detection system according to the present application.
Fig. 2 is a schematic diagram of the framework of a ransomware detection system according to the present application.
Fig. 3 is a schematic flow chart of a ransomware detection method according to the present application.
Fig. 4 is a flowchart of a ransomware detection method according to another embodiment of the present application.
Fig. 5 is a schematic flow diagram of signing according to an embodiment of the present application.
Fig. 6 is a flowchart of a ransomware detection method according to another embodiment of the present application.
Fig. 7 is a flowchart of a ransomware detection method according to another embodiment of the present application.
Fig. 8 is a schematic flow chart of a signature verification process according to an embodiment of the present application.
Fig. 9 is a flowchart of a ransomware detection method according to another embodiment of the present application.
Fig. 10 is a flowchart of a ransomware detection method according to another embodiment of the present application.
Fig. 11 is a schematic structural diagram of a ransomware detection apparatus provided by the present application.
Fig. 12 is a schematic structural diagram of another ransomware detection apparatus provided by the present application.
Fig. 13 is a schematic structural diagram of a computing device provided by the present application.
Fig. 14 is a schematic structural diagram of a computing device cluster according to the present application.
Fig. 15 is a schematic diagram of a configuration of a computing device connected by a network according to the present application.
Detailed Description
The term "and/or" is used herein to describe an association between associated objects and means that three relationships are possible; for example, "A and/or B" covers the cases where A exists alone, A and B exist together, and B exists alone. The symbol "/" herein indicates an "or" relationship between the associated objects; for example, A/B indicates A or B.
The terms "first" and "second" and the like in the description and in the claims are used for distinguishing between different objects and not for describing a particular sequential order of objects. For example, the first request and the second request, etc., are used to distinguish between different requests and are not used to describe a particular order of requests.
In embodiments of the application, words such as "exemplary" or "such as" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "e.g." in an embodiment should not be taken as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
In the description of the embodiments of the present application, unless otherwise specified, the meaning of "plurality" means two or more, for example, a plurality of processing units means two or more processing units and the like, and a plurality of elements means two or more elements and the like.
The application provides a method, an apparatus and other devices for detecting ransomware, which are described below with reference to the accompanying drawings.
In order to make the technical solution provided by the application clearer, the related terms are first explained before the technical solution is described in detail.
(1) Ransomware, also known as a ransom virus or extortion software, is a special type of malware that is commonly categorized as a denial-of-access attack. The biggest difference between ransomware and other viruses is its mode of operation and infection. A typical ransomware program systematically encrypts the files stored on a computing device, such as critical business and data files, which may be one or more of database files, office documents, compressed files, videos, pictures and source code, and then demands that the victim pay a ransom to obtain the decryption password or tool, which the victim cannot obtain by any other means, in order to decrypt the files.
(2) A signature is a digital string that only the sender of the information can produce and that others cannot forge; it is also valid proof of the authenticity of the information sent by the sender. The signature is an alphanumeric string produced by processing the information to be transmitted with a one-way function; it is used to authenticate the source of the information and to verify whether the information has changed during transmission. Common signature algorithms are RSA (Rivest-Shamir-Adleman), DSA (Digital Signature Algorithm) and ECDSA (Elliptic Curve Digital Signature Algorithm). The signature is used to determine whether the data has been tampered with.
(3) An asymmetric encryption algorithm (asymmetric cryptography) is an algorithm in cryptography that requires two keys, one public and one private; the public key is used for encryption and the private key for decryption. Ciphertext obtained by encrypting plaintext with the public key can only be decrypted with the corresponding private key to recover the original plaintext; the public key originally used for encryption cannot be used for decryption. Because encryption and decryption require two different keys, the scheme is called asymmetric encryption, unlike symmetric encryption, which uses the same key for both encryption and decryption. The public key can be disclosed and released freely. The private key must not be disclosed: it must be kept strictly secret by its owner, must never be provided to anyone by any means, and is not revealed even to the trusted party it communicates with.
(4) A key management service (KMS) is a secure, reliable, simple and easy-to-use key escrow service that can create and manage keys and protect their security. The KMS helps users create and manage keys by protecting them with a hardware security module (HSM); all user keys are protected by root keys in the HSM, which avoids key leakage.
Ransomware uses security mechanisms such as encryption to hijack user files and related resources so that the user cannot access the data assets or use the computing resources, and uses this as leverage to extort a ransom from the user. Such user data assets include documents, databases, source code, pictures, compressed files and other kinds of files. The ransom is demanded in real currency or in some virtual currency.
Ransomware can be divided into three categories according to the severity of the harm it causes: scareware, locker ransomware and crypto ransomware. Scareware presents false warnings, intimidates the victim with accusatory language, and exploits the victim's fear of being pursued by government authorities to make the victim pay. Locker ransomware prevents users from accessing resources by hijacking one or more services on the victim's system, such as the desktop, input devices or applications, leaving the infected system with limited functionality. Crypto ransomware uses an encryption algorithm to encrypt all file data in the system, forcing the victim to pay a ransom in exchange for the encrypted files; without the decryption key, an attack by crypto ransomware is irreversible.
To prevent ransomware, traditional ransomware attack prevention uses firewalls, sandboxes and other systems to stop ransomware from intruding and to block it from spreading, and uses access control, security patches, antivirus software and similar techniques to prevent ransomware from being implanted by an attack. However, ransomware is covert and disguised: once it enters the network or host layer, an attacker can lurk to obtain privileges and gain control of a large amount of key data before the ransomware launches the extortion, and at that point the network or host layer can no longer prevent the ransomware attack.
At this stage, a ransomware attack can be prevented by storage-level anti-ransomware measures. Storage anti-ransomware measures include detection of abnormal ransomware I/O, active protection of data with tamper-proof technology, and prevention of leakage of stored data with encryption. Secondly, in addition to the backup data copy, a data copy is stored in a physically isolated secure area, so that the copy in the secure area is guaranteed to be data that has not been attacked by ransomware; this copy can be used to restore service data after the service data is attacked by ransomware, ensuring service continuity.
As shown in fig. 1, after a production host in the service system 110 generates service data that enters the production storage device, the production host can back up the generated service data and store it in the backup storage device of the backup storage system 120 in the same region, so that after the production host is attacked by ransomware, the service data can be restored from the backup data in the backup storage device and normal operation of the production host is ensured. As shown in fig. 1, in region A the production host generates service data and stores it in the production storage device, and while the service data is being stored in the production storage device, ransomware detection is performed based on ransomware behavior, so as to ensure that the service data stored in the production storage device is safe. After the service data has passed ransomware detection, the backup of service data in step 2 is executed regularly, and the backup is stored in the backup storage device of the backup storage system 120 through the internal storage network, which is closed and isolated from the external network. However, ransomware is covert and latent and the production host cannot prevent every ransomware attack, so part of the service data stored in the production storage device may already have been attacked. In addition, during the backup process of step 2 the service data may be attacked by ransomware, so the backup data stored in the backup storage device may also have been attacked.
Therefore, steps 3 and 4 need to be executed: the ransomware detection module of the backup detection system 130 periodically performs ransomware detection on the backup data stored in the backup storage device and returns the detection result; the ransomware detection module may be deployed on an application server in region A. To guard against ransomware, in addition to the backup storage in the backup storage system 120, step 5 may be executed to establish a separate physically isolated area and copy the backup data found clean by the ransomware detection into the isolation storage device of the isolation storage system 140 through the automatic switch-off control of an Air Gap. Next, to avoid data loss if region A fails because of a natural disaster, the service data may also be backed up through step 6 and stored in the disaster recovery storage device of the disaster recovery storage system 150 in region B. After the service data in the production storage device of the service system 110 has suffered a ransomware attack, the backup data can be used to restore the service data through steps 7-9 shown in fig. 1, ensuring normal operation of the service.
However, after detection by the ransomware detection system, backup data that was not attacked may be attacked by ransomware again while it is being stored in the isolation storage device of the isolation storage system 140 or while service data is being restored from the isolation storage system to the production host of the service system 110, so that the backup data stored in the isolation storage device of the isolation storage system 140 is contaminated by ransomware, or the restoration of service data on the production host of the service system 110 fails.
To prevent backup data that has not been attacked by ransomware from being attacked while it is in circulation, the embodiment of the application provides a ransomware detection method that introduces a key management system: after the backup detection system performs ransomware detection, the backup data that has not been attacked is signed, and the signature must be verified before the isolation storage system stores the backup data or before service data is restored from the isolation storage system to the service system, so that the backup data is stored in the isolation storage system, or the service data is restored in the service system, only after verification passes. In addition, the backup detection system can perform ransomware detection only on backup data that has not yet been signed, which avoids the waste of computing and storage resources caused by full detection of the backup data or repeated detection of the same backup data.
For ease of understanding, at least one application scenario of an embodiment of the present application is described first.
Fig. 2 is a schematic diagram of at least one application scenario in an embodiment of the present application. As shown in fig. 2, the service data of a user, passing through the production host in the service system 110, is stored in a production storage device. The production storage device provides a cloud storage service for the user's service data; it may be deployed in a distributed storage system and may store the user's service data in a distributed manner across a plurality of independent storage nodes, each of which can communicate with the others. It is understood that a storage node is a device with both computing and storage capability, such as a server or a desktop computer. In terms of software, each storage device runs an operating system that can support the corresponding storage application services; for example, a service layer can be deployed to provide storage services such as object storage (OBS), file storage (SFS) or block storage (EVS). Other storage nodes may deploy a data persistence layer to provide persistent data storage, and may also deploy an index layer to provide data indexing. It will be appreciated that the computing resources required by the software layers on each storage device come from the processor and memory local to the device, and the storage resources required may come from the hard disk local to the device or from hard disks in other storage devices.
To prevent a ransomware attack on the service data in the service system 110 from affecting the user's normal service operation, the service data in the service system 110 is periodically backed up to the backup storage device in the backup storage system 120 in the same region, region A; the backup storage device is similar to the production storage device and is not described again here. The backup storage device and the production storage device may be located in the same availability zone (AZ) of the same region, or in different AZs of the same region, which is not limited here. However, since the service data in the service system 110 may already have been attacked by ransomware, or the process of backing up the service data to the backup storage system 120 may be attacked by ransomware, the backup data stored in the backup storage system 120 may be backup data that has been attacked. Therefore, the backup detection system 130 needs to perform ransomware detection on the backup data in the backup storage system 120 based on the file features of the backup data. The file features of the backup data are used for ransomware detection, and the detection is based on these file features because a ransomware attack leaves ransom prompt information in the backup data or changes the file features of the backup data.
To prevent the backup data in the backup storage system 120 from being attacked by ransomware, in addition to backup storage in the backup storage system 120, a separate physically isolated area may be established, and the backup data in the backup storage system 120 that has passed ransomware detection and has not been attacked is copied, through the automatic switch-off control of an Air Gap, to the isolation storage device of the isolation storage system 140 in the same region A for storage. The isolation storage device is similar to the production storage device and is not described in detail here. The backup data in the isolation storage system 140 is disconnected from the Internet by the Air Gap, so that the backup data cannot be accessed online and is therefore protected from ransomware attack. When the service data in the production storage device of the service system 110 is compromised, it can be restored from the backup data in the isolation storage device of the isolation storage system 140.
In some embodiments, in addition to backing up service data within the same region, a disaster recovery backup system or data center may be established in another region, region B, that is, at another geographical location, and the backup data that has passed ransomware detection is copied across regions to the disaster recovery storage system 150 located in region B. This ensures that after the service system 110 and the backup storage system 120 in region A fail or suffer a disaster, the production service can restore its service data from the backup data in the disaster recovery storage device of the disaster recovery storage system 150 and continue operating.
In some possible implementations, the disaster recovery storage system 150 may also establish a separate physically isolated area in region B and, through the automatic switch-off control of an Air Gap, store backup data that has not been attacked by ransomware in the disaster recovery storage device, similar to the isolation storage system 140; this is not described again here.
Since, after detection by the ransomware detection system, backup data that has not been attacked may be attacked again while it is being stored in the isolation storage device of the isolation storage system 140 or while service data is being restored from the isolation storage system to the production host of the service system 110, the backup data stored in the isolation storage device of the isolation storage system 140 may be contaminated, or the restoration of service data on the production host of the service system 110 may fail. Therefore, after the backup detection system 130 performs ransomware detection, the key management system 210 signs the backup data that has not been attacked using the signing private key, and before the isolation storage system 140 stores the backup data, or before the service system 110 restores backup data from the isolation storage system 140, the signature is verified using a locally preset public key or by requesting the key management system 210, so that the backup data is stored in the isolation storage system, or the service data is restored in the service system, only after verification passes.
In this example, the backup detection system 130 may be implemented by software or hardware, and as a specific example, the backup detection system 130 may be deployed on one or more execution machines, which may be physical machines, virtual machines, or containers.
In this embodiment, the storage device may be deployed in a centralized storage system, for example, a user may store service data in a production storage device, and store backup data of the service data through a backup storage device.
Next, based on the above description, a ransomware detection method according to an embodiment of the present application is described. It will be appreciated that the method is set forth on the basis of what has been described above, some or all of which may be found in the description above.
Fig. 3 is a schematic flow chart of a ransomware detection method according to an embodiment of the present application. It will be appreciated that the method may be implemented in any suitable apparatus, device, platform or cluster of devices with computing, processing and storage capability. As shown in fig. 3, the method may include steps S301 to S306:
In step S301, the backup detection system acquires backup data.
In this embodiment, the backup detection system and the isolation storage system are independent systems. In the ransomware detection scenario, when a user's service data is backed up to the backup storage system, in order to ensure the security of the backup data, the backup detection system can regularly perform ransomware detection on the backup data in the backup storage system, and the backup data that has not been attacked by ransomware is then stored in the isolation storage system, to be used for data recovery after the service data in the service system fails. In an example of the present application, the service system may be the service system 110 shown in fig. 2, the backup storage system may be the backup storage system 120 shown in fig. 2, the backup detection system may be the backup detection system 130 shown in fig. 2, and the isolation storage system may be the isolation storage system 140 shown in fig. 2; this is also the example used below.
In the embodiment of the present application, the user sends the service data to the backup storage system 120 for backup storage, and the backup storage system 120 stores the backup data of the service data in the backup storage device. Before sending the service data to the backup storage system 120, the user may first perform ransomware detection based on the behavior of ransomware.
Illustratively, ransomware encrypts the service data in the service system 110 using an encryption algorithm, forcing the user to pay a ransom in exchange for the encrypted service data, and an attack by crypto ransomware is irreversible without the decryption key. When ransomware encrypts the service data, records are left in the system log of the service system 110. The service system 110 can then determine how the ransomware attack occurred by examining the system log, thereby identifying the ransomware and determining whether the service system 110 contains other malware.
Illustratively, ransomware may create a large number of new files, with correspondingly many file names, in a short time; the service system 110 may be designed to count the total number of new files created within a relatively small time window (e.g., 1 minute), and when the number of new files exceeds a set threshold, determine that the service system 110 is under ransomware attack.
It will be appreciated that the service data sent by the user to the backup storage system 120 may be service data that has not been attacked by ransomware, or service data that has already been attacked. For example, the service system 110 may fail to detect that the service data has been attacked by ransomware, or, while the service system 110 is sending service data that has not been attacked to the backup storage system 120, the backup storage system 120 may end up storing backup data of service data that has been attacked by ransomware.
In this embodiment, the backup storage system 120 receives the service data periodically sent by the service system 110 as backup data and stores it in the backup storage device through the internal storage network, which is closed and isolated from the external network. However, ransomware is covert and latent, and the service system 110 cannot prevent every ransomware attack, so some of the service data in the production storage device may already have been attacked. In addition, while sending service data to the backup storage system, the service system 110 may be attacked by ransomware, so the backup data stored in the backup storage system 120 may also have been attacked. Therefore, the backup detection system 130 must periodically perform ransomware detection on the backup data stored in the backup storage system 120 and return the detection result to the backup storage system.
In step S302, the backup detection system 130 performs ransomware detection on the backup data.
In this embodiment, the backup detection system 130 periodically performs ransomware detection on the backup data stored in the backup storage device of the backup storage system 120 based on the file features of the backup data. The file features are used for ransomware detection because a ransomware attack leaves ransom prompt information in the backup data or changes the file features of the backup data.
Exemplarily, detection based on the file features of the backup data may include file suffix detection, file prompt information detection, or detection of the change in entropy of the backup data before and after, but is not limited to these.
In one specific example, ransomware may traverse the service data in the production storage device, or retrieve the service data from a specific number of directories used for storing documents, and encrypt all or specific high-value service data. In addition, ransomware may directly modify the original service data, or write the ciphertext to another file and delete the original service data after encryption is complete. Since ransomware usually performs file traversal and encryption, when the backup detection system 130 performs ransomware detection it can rule out ransomware if the number of service data files read and written during the process is small.
In a specific example, ransomware may place ransom prompt information in a file directory after completing encryption. The ransom prompt information may be a text file or a web page file. In addition, most ransomware modifies the desktop background after encryption is complete, or notifies the user of the attack with a pop-up dialog box; for example, the desktop pops up a dialog box prompting the user: "You have been encrypted by ransomware, do not attempt decryption, please pay the ransom". Therefore, if the backup detection system 130 observes ransom prompt information, it can determine that the service data may have been attacked by ransomware.
In a specific example, after ransomware attacks the service data, it modifies the file name of the service data by adding a specific file suffix. The file suffix may indicate that the service data has been encrypted, so that the ransomware avoids encrypting it again; it may prompt the user that the service data has been encrypted; or it may make it easier to identify the service data that needs to be decrypted after the ransom is received. Since ransomware generally appends a fixed suffix to the source file name of the service data when encrypting it, for example, if the source file name is report. Therefore, when the backup detection system 130 detects that the file name of the service data contains a specific file suffix, it can determine that the data has been under ransomware attack.
In a specific example, the file content of the service data may be modified by ransomware. Because most files written by ransomware are encrypted ciphertext, whose entropy is generally higher, or because ransomware may write a large number of data files with different suffixes that all have high entropy, the backup detection system 130 can determine whether the service data has been attacked from the change in the entropy value of the service data. For example, ransomware encrypts the original file content, and compared with the plaintext the encrypted file data is much more random, so its information entropy is higher; the backup detection system 130 can therefore judge whether file data has been attacked by ransomware from the characteristic high entropy of encrypted data.
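The three file-feature checks just described (file suffix, ransom prompt file, and entropy change) can be combined into one pass over a backup set. The following Go program is an added example written for this page; it is not code from the patent or from Huawei, and the suffix list, the ransom note file names, the 7.5 bits/byte entropy threshold and the sample backup sets are all assumptions constructed for illustration. It goes slightly beyond the text by returning per-file findings so an operator can see which indicator fired on which file.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
	"path"
	"strings"
)

// BackupFile is a constructed in-memory stand-in for one file in a backup set.
type BackupFile struct {
	Name    string
	Content []byte
}

// Finding records one fired indicator for one file.
type Finding struct {
	File   string
	Reason string
}

// Verdict summarises the file-feature checks over a whole backup set.
type Verdict struct {
	Attacked bool
	Findings []Finding
}

// Assumed indicator lists, constructed for this example; a real detector would
// load them from threat intelligence rather than hard-code them.
var ransomSuffixes = map[string]bool{".locked": true, ".encrypted": true, ".crypt": true}
var ransomNoteStems = []string{"readme", "how_to_decrypt", "decrypt_instructions", "recover_files"}

// EntropyThreshold (bits per byte) is an assumed cut-off: ciphertext sits near 8.0,
// while text and most office plaintext sit well below it.
const EntropyThreshold = 7.5

// ShannonEntropy returns the byte-level entropy of b in bits per byte (0..8).
func ShannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	n := float64(len(b))
	h := 0.0
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// IsRansomNote matches the text or web page prompt files that ransomware drops.
func IsRansomNote(name string) bool {
	base := strings.ToLower(path.Base(name))
	ext := path.Ext(base)
	if ext != ".txt" && ext != ".html" && ext != ".htm" {
		return false
	}
	stem := strings.TrimSuffix(base, ext)
	for _, s := range ransomNoteStems {
		if strings.Contains(stem, s) {
			return true
		}
	}
	return false
}

// HasRansomSuffix implements file suffix detection on the file name.
func HasRansomSuffix(name string) bool {
	return ransomSuffixes[strings.ToLower(path.Ext(name))]
}

// DetectRansomware runs the suffix, ransom note and entropy checks over a backup set.
// A single finding marks the set as attacked: the conservative choice for data that
// is about to be copied into the isolation storage.
func DetectRansomware(files []BackupFile) Verdict {
	var v Verdict
	for _, f := range files {
		switch {
		case HasRansomSuffix(f.Name):
			v.Findings = append(v.Findings, Finding{f.Name, "known ransomware file suffix"})
		case IsRansomNote(f.Name):
			v.Findings = append(v.Findings, Finding{f.Name, "ransom prompt file"})
		case ShannonEntropy(f.Content) > EntropyThreshold:
			v.Findings = append(v.Findings, Finding{f.Name, "high-entropy content"})
		}
	}
	v.Attacked = len(v.Findings) > 0
	return v
}

// SampleCleanBackup returns a constructed backup set of plaintext documents.
func SampleCleanBackup() []BackupFile {
	text := []byte(strings.Repeat("quarterly report: revenue, cost, margin; ", 100))
	return []BackupFile{
		{"docs/report.docx", text},
		{"docs/notes.txt", []byte("meeting notes for the backup project")},
	}
}

// SampleAttackedBackup returns a constructed set showing all three indicators: a
// renamed file, a dropped note, and a file whose body was replaced by seeded
// pseudo-random bytes standing in for ciphertext (seeded so the run is repeatable).
func SampleAttackedBackup() []BackupFile {
	r := rand.New(rand.NewSource(1))
	cipher := make([]byte, 8192)
	for i := range cipher {
		cipher[i] = byte(r.Intn(256))
	}
	return []BackupFile{
		{"docs/report.docx.locked", cipher},
		{"docs/HOW_TO_DECRYPT.txt", []byte("your files are encrypted")},
		{"docs/notes.txt", cipher},
	}
}

func main() {
	for _, s := range []struct {
		name  string
		files []BackupFile
	}{{"clean", SampleCleanBackup()}, {"attacked", SampleAttackedBackup()}} {
		v := DetectRansomware(s.files)
		fmt.Printf("%s: attacked=%v findings=%v\n", s.name, v.Attacked, v.Findings)
	}
}
```

The entropy check is deliberately last in the switch so that a file already caught by its name is not re-read; on a real backup set the entropy pass is the expensive one and would be sampled rather than run over every byte.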
In step S303, the backup detection system 130 obtains the target backup data and the signature, computed with the private key, of the target backup data and its tag information.
In this embodiment, after ransomware detection of the backup data, the backup detection system 130 marks the target backup data that has been checked and determines its tag information, so that the backup detection system 130 can tell from the tag information whether the target backup data has been attacked by ransomware, and then sends only the target backup data that passed detection, i.e. that has not been attacked by ransomware, to the isolation storage system 140.
For example, the tag information may be a bit corresponding to the backup data: after the backup detection system 130 performs ransomware detection, if the backup data has not been attacked by ransomware, the bit corresponding to the backup data may be set to "1", and if the backup data has been attacked by ransomware, the bit may be set to "0".
In the above example, after the backup detection system marks the backup data, it can determine from the bit corresponding to the backup data whether the backup data has been attacked by ransomware, and then send the target backup data that has not been attacked, that is, the target backup data whose bit is "1", to the isolation storage system 140 for isolated storage.
In another example, after the backup detection system 130 performs ransomware detection, if the target backup data has not been attacked by ransomware, the target bit corresponding to the target backup data may be set to "0", and if it has been attacked, the target bit may be set to "1"; the embodiment of the present application does not limit this.
In some embodiments, after detecting that the bit corresponding to the backup data is "0", that is, that the backup data has been attacked by ransomware, the backup detection system 130 sends an alarm notification to inform the user that the backup data stored in the backup storage system 120 has been attacked by ransomware. Based on this alarm information, the user may back up the service data again for storage in the backup storage system 120, or pay the ransom to decrypt the backup data.
In this embodiment, after the backup detection system 130 determines the tag information of the target backup data that has undergone ransomware detection, the backup detection system 130 obtains the signature of the target backup data that has not been attacked and of its tag information, the signature being computed based on the private key. The private key may be stored locally in advance by the backup detection system, may be generated by the key management system 210 based on an encryption algorithm, or may be imported by the user into the key management system to sign the current backup data and tag information.
By way of example, the signature algorithm may include, but is not limited to, the RSA digital signature algorithm, the DSA digital signature algorithm and the ECDSA elliptic curve digital signature algorithm.
In other embodiments, the signature algorithm may further include the AES256 quantum-resistant symmetric cryptographic algorithm to give the signature a second layer of protection, so that the integrity protection of the signature can resist quantum computing attacks.
In step S304, the backup detection system 130 sends the target backup data, the tag information and the signature to the isolation storage system 140.
In this embodiment, to prevent the backup data in the backup storage system 120 from being attacked by ransomware, in addition to backup storage in the backup storage system 120, a separate physically isolated area may be established, and the backup detection system sends the target backup data that passed ransomware detection and has not been attacked, together with its signature, to the isolation storage system 140 through the automatic switch-off control of an Air Gap. The target backup data in the isolation storage system 140 is disconnected from the Internet by the Air Gap, so it cannot be accessed online and is therefore protected from ransomware attack. When the service data in the production storage device of the service system 110 is compromised, it can be restored from the target backup data in the isolation storage device of the isolation storage system 140.
In step S305, the isolation storage system 140 verifies the signature based on the public key.
In this embodiment, before storing the target backup data, the isolation storage system 140 verifies the signature over the target backup data based on the public key, so as to check whether the target backup data was attacked by ransomware while being transmitted from the backup detection system 130 to the isolation storage system 140. The public key is generated with the same signature algorithm as the private key, as the matching member of the key pair whose private key the backup detection system 130 used to obtain the signature.
Illustratively, the private key ECDSAPrivateKey used for signing and the public key ECDSAPublicKey used for verification are a pair of mutually matching keys; accordingly, the key corresponds to a key ID (i.e., key identifier), and the key ID corresponds to one public/private key pair. The private key ECDSAPrivateKey is used to sign the target backup data to obtain its signature, and the public key ECDSAPublicKey is used to verify the signature of the target backup data, so as to verify that the target backup data has not been attacked by ransomware.
In step S306, if verification succeeds, the isolation storage system 140 stores the target backup data.
In this embodiment, after the isolation storage system 140 verifies the signature successfully based on the public key, that is, after it is determined that the target backup data has not been attacked by ransomware, the target backup data is stored in the isolation storage system 140, and after the service data of the service system 110 is attacked by ransomware, it can be restored from the target backup data stored in the isolation storage system 140.
Thus, in this embodiment, the backup detection system obtains a signature over the backup data in the backup storage system, and the isolation storage system located in the physically isolated area verifies the signature based on the public key; after verification succeeds, the target backup data that has not been attacked by ransomware is stored in the isolation storage system, to be used for restoring service data when the service system fails. Through this ransomware detection method with signature verification, the backup data stored in the isolation storage system is guaranteed not to have been attacked by ransomware. In addition, when the backup detection system regularly performs ransomware detection on the backup data in the backup storage system, only unsigned backup data is checked, which prevents the backup detection system from consuming a large amount of resources on full-scale detection, reduces the computing cost, and improves the efficiency of ransomware detection.
In some possible implementations, as shown in fig. 4, step S303 may specifically include steps S401 to S404:
In step S401, the backup detection system 130 calculates a first hash value of the target backup data and the tag information.
In this implementation, when the backup detection system 130 obtains the signature of the target backup data and its tag information based on the private key, it first calculates a first hash value of the target backup data and the tag information, as the digital signature algorithm requires.
Illustratively, the backup detection system 130 may calculate the first hash value of the target backup data and the tag information using a message digest (MD) algorithm, a secure hash algorithm (SHA), or a message authentication code (MAC) algorithm, but is not limited to these.
In step S402, the backup detection system 130 sends the first hash value to the key management system 210.
In this implementation, the backup detection system 130 sends the first hash value to the key management system 210, requesting that the key management system 210 sign the target backup data and the tag information (through that hash value) based on the private key.
In step S403, the key management system 210 signs the first hash value based on the private key.
In this implementation, the key management system 210 receives the first hash value sent by the backup detection system 130 and signs the first hash value with the private key.
Illustratively, the key management system 210 uses a digital signature algorithm to generate a private key for signing the target backup data and the tag information, and a public key for verifying that signature.
Illustratively, the user may instead generate the private key and public key for signing and signature verification with a local trusted encryption device and import them through a configuration interface or API of the key management system 210; the private key is used for signing the target backup data and the tag information, and the public key is used for verifying the signature.
In step S404, the key management system 210 sends the signature to the backup detection system 130.
In this implementation, after signing the first hash value with the private key, the key management system 210 returns the signature to the backup detection system 130. The backup detection system 130 stores the target backup data, the tag information, and the signature. To keep the backup data in the backup storage system 120 safe from ransomware attack, the target backup data and the signature are also copied to the isolated storage system 140, where the signature is verified by the isolated storage system with the public key; if verification passes, the isolated storage system 140 stores the target backup data, from which the service system 110 can perform data recovery.
In one specific example, as shown in FIG. 5, the backup detection system 130 calculates the first hash value, also called a message digest, of the target backup data and the tag information using the SHA-1 hash algorithm. SHA-1 maps target backup data and tag information of any length to a fixed-length pseudo-random result, the first hash value. The first hash value is unique to its input and irreversible: the original target backup data and tag information cannot be recovered from it. For example, the first hash value calculated with SHA-1 is DFCD3454. The first hash value is then signed with the private key.
In some possible implementations, as shown in fig. 6, step S303 may specifically include steps S601 to S603:
In step S601, the backup detection system 130 calculates a first hash value of the target backup data and the tag information.
In this implementation, as in step S401, when the backup detection system 130 obtains the signature of the target backup data and its tag information based on the private key, it first calculates the first hash value of the target backup data and the tag information, as the digital signature algorithm requires.
In step S602, the key management system 210 sends the private key to the backup detection system 130.
In this implementation, the backup detection system 130 sends a key acquisition request to the key management system 210. The key management system 210 may generate the private key and public key for signing and signature verification itself, or it may send the backup detection system 130 the private key that the user generated with a local trusted encryption device and imported through a configuration interface or API of the key management system 210.
In step S603, the backup detection system 130 signs the first hash value based on the private key.
In this implementation, the backup detection system 130 receives the private key sent by the key management system 210 and signs the first hash value with it.
In some possible implementations, as shown in fig. 7, step S305 may specifically include steps S701 to S703.
In step S701, the isolated storage system 140 calculates a second hash value of the target backup data and the tag information.
In this implementation, after the isolated storage system 140 receives the target backup data and the tag information, it calculates a second hash value of them using the same digital signature algorithm (that is, the same hash algorithm) as the backup detection system 130.
In the example above, the backup detection system 130 calculated the first hash value of the target backup data and the tag information with SHA-1; correspondingly, the isolated storage system 140 also calculates the second hash value of the target backup data and the tag information with SHA-1.
In step S702, the isolated storage system 140 verifies the signature with the public key to obtain the first hash value.
In this implementation, the isolated storage system 140 verifies the signature sent by the backup detection system 130 with the public key to obtain the first hash value, where the public key and the private key with which the backup detection system 130 signed form a matched key pair.
In step S703, the isolated storage system 140 compares the first hash value with the second hash value.
In this implementation, the isolated storage system 140 verifies the signature sent by the backup detection system 130 with the public key and compares the first hash value obtained from it with the second hash value it calculated from the target backup data and the tag information. If the two hash values are the same, the target backup data was neither damaged nor tampered with, that is, not attacked by ransomware, while being sent from the backup detection system 130 to the isolated storage system 140, and signature verification succeeds. If the two hash values differ, the target backup data may have been damaged or tampered with, that is, it may have been attacked by ransomware, and signature verification fails.
In some implementations, when the isolated storage system 140 compares the first hash value with the second hash value and finds that they differ, that is, the target backup data has been attacked by ransomware, it may raise an alarm and send an alarm notification to tell the user that the target backup data stored in the isolated storage system 140 has been attacked by ransomware. Based on this alarm, the user may back up the service data again for storage in the isolated storage system 140 or pay the ransom to decrypt the target backup data.
In one specific example, as shown in FIG. 8, the backup detection system 130 calculates the first hash value, also called a message digest, of the target backup data and the tag information using SHA-1. For example, the first hash value calculated with SHA-1 is DFCD3454. The first hash value is then signed with the private key. The backup detection system 130 then sends the target backup data, the tag information, and the signature to the isolated storage system 140. The isolated storage system 140 likewise calculates the second hash value of the target backup data and the tag information with SHA-1, verifies the signature with the public key to obtain the first hash value, and compares the two. If they are the same, the target backup data was neither damaged nor tampered with (not attacked by ransomware) while being sent from the backup detection system to the isolated storage system 140, and signature verification succeeds; if they differ, the target backup data may have been damaged or tampered with (attacked by ransomware), and signature verification fails.
In some possible implementations, to ensure that service data recovered from the backup data in the isolated storage system after a ransomware attack on the service system is itself verified before recovery, so that the service continues to operate normally, the ransomware detection method on the isolated storage system 140 side, as shown in fig. 9, may further include:
In step S901, the isolated storage system 140 receives the target backup data, the tag information, and the signature.
In this implementation, to keep the backup data in the backup storage system 120 safe from ransomware, a separate physically isolated area may be established in addition to the backup storage in the backup storage system 120. Through the automatic on/off control of the Air Gap, the isolated storage system 140 receives, from the backup detection system 130, the target backup data and signature that ransomware detection found not to be attacked. The target backup data in the isolated storage system 140 is disconnected from the Internet through the Air Gap, so it cannot be accessed online and is thus protected from ransomware attack. When the service data on the production storage device of the service system 110 is compromised, it can be restored from the target backup data on the isolation storage device of the isolated storage system 140.
In step S902, the isolated storage system 140 verifies the signature based on the public key.
In this implementation, before storing the target backup data, the isolated storage system 140 verifies the target backup data and the signature with the public key, thereby checking whether the target backup data was attacked by ransomware during transmission from the backup detection system 130 to the isolated storage system 140. The public key is generated with the same signature algorithm as, and forms a matched key pair with, the private key used to obtain the signature at the backup detection system 130.
In step S903, if the verification succeeds, the isolated storage system 140 stores the target backup data.
In this implementation, after verification with the public key succeeds, that is, the target backup data has not been attacked by ransomware, the target backup data is stored in the isolated storage system 140; if the service data of the service system 110 is later attacked by ransomware, it can be recovered from the target backup data stored in the isolated storage system 140.
In step S904, the service system 110 sends a recovery request to the isolated storage system 140.
In this implementation, after the service data in the service system 110 is attacked by ransomware, the service system 110 sends a data recovery request to the isolated storage system 140, requesting the target backup data for data recovery.
In step S905, the isolated storage system 140 sends the target backup data, the tag information, and the signature.
In this implementation, the isolated storage system 140 receives the recovery request sent by the service system 110 and, in response, sends the target backup data, the tag information, and the signature; the signature allows the service system 110 to verify it and then perform data recovery from the target backup data.
In step S906, the service system 110 verifies the signature based on the public key.
In this implementation, the service system 110 receives the target backup data, the tag information, and the signature sent by the isolated storage system 140 and, before recovering data from the target backup data, verifies the target backup data and the signature with the public key, so as to check whether the target backup data was attacked by ransomware while being transmitted from the isolated storage system 140 to the service system 110 for recovery. The public key is generated with the same signature algorithm as, and forms a matched key pair with, the private key used to obtain the signature at the backup detection system 130.
In step S907, if the verification succeeds, the service system 110 uses the target backup data to perform data recovery.
In this implementation, after the service system 110 has verified the signature with the public key, that is, after determining that the target backup data has not been attacked by ransomware, the service system 110 uses the target backup data to perform data recovery.
In some possible implementations, as shown in fig. 10, step S906 may specifically include steps S1001 to S1003.
In step S1001, the service system 110 calculates a third hash value of the target backup data and the tag information.
In this implementation, after receiving the target backup data and the tag information, the service system 110 calculates a third hash value of them using the same digital signature algorithm (that is, the same hash algorithm).
In step S1002, the service system 110 verifies the signature with the public key to obtain the first hash value.
In this implementation, the service system 110 verifies the signature sent by the isolated storage system 140 with the public key to obtain the first hash value, where the public key and the private key with which the backup detection system 130 signed form a matched key pair.
In step S1003, the service system 110 compares the first hash value with the third hash value.
In this implementation, the service system 110 verifies the signature sent by the isolated storage system 140 with the public key and compares the first hash value obtained from it with the third hash value it calculated from the target backup data and the tag information. If the two are the same, the target backup data was neither damaged nor tampered with, that is, not attacked by ransomware, while being sent from the isolated storage system 140 to the service system 110, and signature verification succeeds. If they differ, the target backup data may have been damaged or tampered with, that is, it may have been attacked by ransomware, and signature verification fails.
In some implementations, when the service system 110 compares the first hash value with the third hash value and finds that they differ, that is, the target backup data has been attacked by ransomware, it may raise an alarm and send an alarm notification to tell the user that the target backup data stored in the isolated storage system 140 has been attacked by ransomware. Based on this alarm, the user may back up the service data again for storage in the isolated storage system 140 or pay the ransom to decrypt the target backup data. The process by which the service system 110 verifies the signature received from the isolated storage system 140 is similar to that of the isolated storage system 140 and is not described again here.
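The sign-then-verify flow of steps S401 to S404 and the receiving-side checks of steps S701 to S703 and S1001 to S1003, as an added example in Go using only the standard library; this is not code from the patent or from Huawei. It assumes ECDSA over P-256 and uses SHA-256 in place of the SHA-1 of the figures, since SHA-1 is no longer collision-resistant enough for signatures; the key ID, the tag string and the KeyManagementSystem/SignedBackup names are constructed. With ECDSA the recomputed "second hash" is fed straight into verification rather than being compared to a recovered first hash, so steps S702 and S703 collapse into one call.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// TagPassed is the tag information marking a backup that passed ransomware
// detection (constructed value; the page does not fix the tag format).
const TagPassed = "ransomware-detection:passed"

var (
	ErrUnknownKey = errors.New("signature references an unknown key ID")
	ErrNotTagged  = errors.New("backup lacks the passed-detection tag")
	ErrTampered   = errors.New("signature invalid: data or tag modified in transit")
)

// KeyManagementSystem stands in for the page's key management system 210: it
// holds the ECDSA private key and signs digests on request, so the backup
// detection system never handles the private key itself (steps S402-S404).
type KeyManagementSystem struct {
	KeyID string
	priv  *ecdsa.PrivateKey
}

func NewKeyManagementSystem(keyID string) (*KeyManagementSystem, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &KeyManagementSystem{KeyID: keyID, priv: priv}, nil
}

// PublicKey is provisioned to the isolated storage and service systems.
func (k *KeyManagementSystem) PublicKey() *ecdsa.PublicKey { return &k.priv.PublicKey }

// Sign signs a precomputed digest (step S403).
func (k *KeyManagementSystem) Sign(digest []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, k.priv, digest)
}

// SignedBackup is the triple sent to the isolated storage system (step S304)
// and later handed to the service system for recovery (step S905).
type SignedBackup struct {
	Data      []byte
	Tag       string
	KeyID     string
	Signature []byte
}

// Digest hashes target backup data together with its tag information (steps
// S401, S701, S1001). The data length is hashed first so bytes cannot be shifted
// between data and tag without changing the digest.
func Digest(data []byte, tag string) []byte {
	h := sha256.New()
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(data)))
	h.Write(n[:])
	h.Write(data)
	h.Write([]byte(tag))
	return h.Sum(nil)
}

// SignBackup is the backup detection system side (steps S401-S404): hash
// locally, send only the digest to the KMS, attach the returned signature.
func SignBackup(kms *KeyManagementSystem, data []byte, tag string) (SignedBackup, error) {
	sig, err := kms.Sign(Digest(data, tag))
	if err != nil {
		return SignedBackup{}, err
	}
	return SignedBackup{Data: data, Tag: tag, KeyID: kms.KeyID, Signature: sig}, nil
}

// VerifyBackup is the receiving side (steps S701-S703 in the isolated storage
// system, S1001-S1003 in the service system). pubKeys maps key ID to public key.
// With ECDSA the recomputed "second hash" goes straight into VerifyASN1; the
// signature either matches it or not, so no first hash is recovered separately.
func VerifyBackup(pubKeys map[string]*ecdsa.PublicKey, b SignedBackup) error {
	pub, ok := pubKeys[b.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if b.Tag != TagPassed {
		return ErrNotTagged
	}
	if !ecdsa.VerifyASN1(pub, Digest(b.Data, b.Tag), b.Signature) {
		return ErrTampered
	}
	return nil
}
```

A receiver that gets ErrTampered or ErrNotTagged should refuse to store or restore the copy and raise the alarm described above; ErrUnknownKey usually means the verifier's key list is stale rather than that the data changed.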
The application also provides a ransomware detection device; as shown in fig. 11, the device 1100 comprises:
an obtaining module 1101, configured to obtain backup data;
a processing module 1102, configured to perform ransomware detection on the backup data;
the obtaining module 1101 is further configured to obtain, based on the private key, a signature of the target backup data and of the tag information of the target backup data, where the tag information indicates that the target backup data has passed ransomware detection;
a sending module 1103, configured to send the target backup data, the tag information, and the signature to the isolated storage system, where the isolated storage system verifies the signature with a public key and stores the target backup data after verification succeeds, the public key forming a matched key pair with the private key.
In some possible implementations, the obtaining module 1101 is specifically configured to calculate a first hash value of the target backup data and the tag information.
In some possible implementations, after the obtaining module 1101 calculates the first hash value of the target backup data and the tag information, the sending module 1103 is further configured to send the first hash value to a key management system, which signs the first hash value with the private key and returns the signature to the backup detection system.
In some possible implementations, after the obtaining module 1101 calculates the first hash value of the target backup data and the tag information, the obtaining module 1101 is further configured to obtain the private key from the key management system, and the processing module 1102 is further configured to sign the first hash value with the private key.
In some possible implementations, the isolated storage system uses the signature as follows: it calculates a second hash value from the target backup data and the tag information, and stores the target backup data when the second hash value is the same as the first hash value obtained by verifying the signature with the public key.
In some possible implementations, the private key is generated by the key management system, or the private key is imported into the key management system by the user.
The obtaining module 1101, the processing module 1102, and the sending module 1103 may be implemented in software or in hardware. Illustratively, the implementation of the processing module 1102 is described next; the obtaining module 1101 and the sending module 1103 may be implemented in the same way.
Taking the module as a software functional unit, the processing module 1102 may include code running on a computing instance. The computing instance may be a physical host (computing device), a virtual machine, a container, or the like, and there may be one or more computing instances. For example, the processing module 1102 may include code running on multiple hosts/virtual machines/containers. Those hosts/virtual machines/containers may be located in the same region or in different regions, and in the same availability zone (AZ) or in different AZs, each AZ comprising one data center or multiple geographically close data centers; a region typically comprises multiple AZs.
Likewise, the multiple hosts/virtual machines/containers running the code may be located in the same virtual private cloud (VPC) or spread across multiple VPCs. In general, one VPC lies within one region, and each VPC has a communication gateway for interconnecting VPCs within the same region and across different regions.
Taking the module as a hardware functional unit, the processing module 1102 may include at least one computing device, such as a server. Alternatively, the processing module 1102 may be a device implemented with an application-specific integrated circuit (ASIC) or a programmable logic device (PLD), where the PLD may be a CPLD, an FPGA, a GAL, or any combination of these.
When the processing module 1102 includes multiple computing devices, they may be located in the same region or in different regions, in the same AZ or in different AZs, and in the same VPC or across multiple VPCs. The multiple computing devices may be any combination of servers, ASICs, PLDs, CPLDs, FPGAs, and GALs.
It should be noted that in other embodiments each of the obtaining module 1101, the processing module 1102, and the sending module 1103 may be configured to perform any step of the ransomware detection method; the steps each module is responsible for may be assigned as needed, and together the three modules implement all functions of the data processing apparatus by carrying out the different steps of the ransomware detection method.
The application also provides a ransomware detection device; as shown in fig. 12, the device 1200 comprises:
a receiving module 1201, configured to receive target backup data, tag information of the target backup data, and a signature of the target backup data, where the tag information indicates that the target backup data has passed ransomware detection by a backup detection system, and the signature is obtained by the backup detection system signing the target backup data and the tag information with a private key;
a processing module 1202, configured to verify the signature with a public key, the public key forming a matched key pair with the private key;
if the verification succeeds, the processing module 1202 is further configured to store the target backup data;
the receiving module 1201 is further configured to receive a recovery request from the service system, the recovery request being used to obtain the target backup data;
the processing module 1202 is further configured to send, according to the recovery request, the target backup data, the tag information, and the signature to the service system, where the service system verifies the signature with the public key and performs data recovery from the target backup data after verification succeeds.
In some possible implementations, the processing module 1202 is specifically configured to calculate a first hash value of the target backup data and the tag information.
In some possible implementations, after the processing module 1202 calculates the first hash value of the target backup data and the tag information, the processing module 1202 is further configured to compare the second hash value obtained by verifying the signature with the public key against the first hash value.
In some possible implementations, after the processing module 1202 calculates the first hash value of the target backup data and the tag information, the processing module 1202 is further configured to store the target backup data if the second hash value is the same as the first hash value.
In some possible implementations, the service system uses the signature as follows: it performs data recovery from the target backup data when the second hash value obtained by verifying the signature with the public key is the same as the third hash value it calculates from the target backup data and the tag information.
In some possible implementations, the private key is generated by the key management system, or the private key is imported into the key management system by the user.
The receiving module 1201 and the processing module 1202 may be implemented in software or in hardware. Illustratively, the implementation of the processing module 1202 is described next; the receiving module 1201 may be implemented in the same way.
Taking the module as a software functional unit, the processing module 1202 may include code running on a computing instance. The computing instance may be a physical host (computing device), a virtual machine, a container, or the like, and there may be one or more computing instances. For example, the processing module 1202 may include code running on multiple hosts/virtual machines/containers. Those hosts/virtual machines/containers may be located in the same region or in different regions, and in the same availability zone (AZ) or in different AZs, each AZ comprising one data center or multiple geographically close data centers; a region typically comprises multiple AZs.
Likewise, the multiple hosts/virtual machines/containers running the code may be located in the same virtual private cloud (VPC) or spread across multiple VPCs. In general, one VPC lies within one region, and each VPC has a communication gateway for interconnecting VPCs within the same region and across different regions.
Taking the module as a hardware functional unit, the processing module 1202 may include at least one computing device, such as a server. Alternatively, the processing module 1202 may be a device implemented with an application-specific integrated circuit (ASIC) or a programmable logic device (PLD), where the PLD may be a CPLD, an FPGA, a GAL, or any combination of these.
When the processing module 1202 includes multiple computing devices, they may be located in the same region or in different regions, in the same AZ or in different AZs, and in the same VPC or across multiple VPCs. The multiple computing devices may be any combination of servers, ASICs, PLDs, CPLDs, FPGAs, and GALs.
It should be noted that in other embodiments each of the receiving module 1201 and the processing module 1202 may be configured to perform any step of the ransomware detection method; the steps each module is responsible for may be assigned as needed, and together the two modules implement all functions of the data processing apparatus by carrying out the different steps of the ransomware detection method.
The present application also provides a computing device 100. As shown in fig. 13, the computing device 100 includes a bus 102, a processor 104, a memory 106, and a communication interface 108, which communicate with one another over the bus 102. The computing device 100 may be a server or a terminal device. The present application does not limit the number of processors or memories in the computing device 100.
The bus 102 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. Buses may be divided into address buses, data buses, control buses, and so on. For ease of illustration only one line is drawn in fig. 13, but this does not mean there is only one bus or one type of bus. The bus 102 may include a path for transferring information between the components of the computing device 100 (for example, the memory 106, the processor 104, and the communication interface 108).
The processor 104 may include any one or more of a central processing unit (CPU), a graphics processing unit (GPU), a microprocessor (MP), or a digital signal processor (DSP).
The memory 106 may include volatile memory, such as random access memory (RAM). The memory 106 may also include non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD), or a solid state disk (SSD).
The memory 106 stores executable program code, which the processor 104 executes to implement the functions of the obtaining module 1101, the processing module 1102, and the sending module 1103 and thereby carry out the ransomware detection method. That is, the memory 106 stores instructions for performing the ransomware detection method. Fig. 13 shows, by way of example only, the memory 106 storing program code that implements the functions of the obtaining module 1101, the processing module 1102, and the sending module 1103.
The communication interface 108 uses a transceiver module such as, but not limited to, a network interface card or a transceiver to enable communication between the computing device 100 and other devices or communication networks.
The embodiment of the application also provides a computing device cluster. The cluster of computing devices includes at least one computing device. The computing device may be a server, such as a central server, an edge server, or a local server in a local data center. In some embodiments, the computing device may also be a terminal device such as a desktop, notebook, or smart phone.
As shown in fig. 14, the cluster of computing devices includes at least one computing device 100. The same instructions for performing the ransomware detection method may be stored in the memory 106 of one or more computing devices 100 in the computing device cluster.
In some possible implementations, parts of the instructions for performing the ransomware detection method may also be stored separately in the memory 106 of one or more computing devices 100 in the computing device cluster. In other words, a combination of one or more computing devices 100 may collectively execute the instructions for performing the ransomware detection method.
It should be noted that the memories 106 of different computing devices 100 in the computing device cluster may store different instructions for performing part of the functions of the data processing apparatus. That is, the instructions stored in the memory 106 of the different computing devices 100 may implement the functionality of one or more of the acquisition module 1101, the processing module 1102 and the transmission module 1103, or the functionality of one or more of the reception module 1201 and the processing module 1202.
In some possible implementations, one or more computing devices in a cluster of computing devices may be connected through a network. The network may be a wide area network or a local area network, etc. Fig. 15 shows one possible implementation. As shown in fig. 15, two computing devices 100A and 100B are connected by a network; specifically, each computing device connects to the network through its communication interface. In this implementation, instructions for performing the functions of the acquisition module 1101 are stored in the memory 106 of the computing device 100A, while instructions for performing the functions of the processing module 1102 and the transmitting module 1103 are stored in the memory 106 of the computing device 100B. Fig. 15 shows this arrangement by way of example.
The connection manner between the computing devices shown in fig. 15 may be chosen because the ransomware detection method provided by the present application requires a large amount of computation, so the functions implemented by the processing module 1102 and the sending module 1103 are assigned to the computing device 100B.
It should be appreciated that the functionality of computing device 100A shown in fig. 15 may also be performed by multiple computing devices 100. Likewise, the functionality of computing device 100B may also be performed by multiple computing devices 100.
Embodiments of the present application also provide a computer program product comprising instructions. The computer program product may be software or a program product containing instructions capable of running on a computing device, or stored in any usable medium. The computer program product, when run on at least one computing device, causes the at least one computing device to perform either of the ransomware detection methods described above (the method performed by the backup detection system or the method performed by the isolated storage system).
The embodiment of the application also provides a computer readable storage medium. The computer readable storage medium may be any available medium that a computing device can store, or a data storage device such as a data center containing one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid state disk), etc. The computer-readable storage medium includes instructions that instruct a computing device to perform either of the ransomware detection methods described above (the method performed by the backup detection system or the method performed by the isolated storage system).
It should be noted that the above embodiments are merely intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the above embodiments, those skilled in the art should understand that the technical solution described in the above embodiments may be modified, or some of its technical features may be equivalently replaced, without these modifications or substitutions causing the essence of the corresponding technical solution to depart from the protection scope of the technical solutions of the embodiments of the present invention.

Claims (30)

1. A ransomware detection method, characterized in that the method is applied to a backup detection system, the backup detection system is used for performing ransomware detection on backup data in a backup storage system, and the backup data is a backup of service data, the method comprising:
the backup detection system acquires the backup data;
the backup detection system performs ransomware detection on the backup data;
the backup detection system obtains, based on a private key, a signature of target backup data and tag information of the target backup data, wherein the tag information of the target backup data is used for indicating that the target backup data has passed the ransomware detection;
the backup detection system sends the target backup data, the tag information and the signature to an isolated storage system, wherein the signature is used for the isolated storage system to verify the signature based on a public key and to store the target backup data after verification succeeds, and the public key and the private key form a matched key pair.
2. The method of claim 1, wherein the backup detection system obtains the signature of the target backup data and the tag information of the target backup data based on a private key, comprising:
the backup detection system calculates a first hash value of the target backup data and the tag information.
3. The method of claim 1 or 2, wherein after the backup detection system calculates the first hash value of the target backup data and the tag information, the method further comprises:
The backup detection system sends the first hash value to a key management system, which is configured to sign the first hash value based on the private key and send the signature to the backup detection system.
4. The method of claim 1 or 2, wherein after the backup detection system calculates the first hash value of the target backup data and the tag information, the method further comprises:
The backup detection system acquires the private key from the key management system;
the backup detection system signs the first hash value based on the private key.
5. The method of any of claims 1 to 4, wherein the signature is used for storing the target backup data when a second hash value calculated by the isolated storage system based on the target backup data and the tag information is the same as the first hash value obtained by verifying the signature based on the public key.
6. The method of any one of claims 1 to 5, wherein the private key is generated by the key management system or the private key is imported by a user into the key management system.
7. A ransomware detection method, wherein the method is applied to an isolated storage system, the method comprising:
the isolated storage system receives target backup data, tag information of the target backup data and a signature of the target backup data, wherein the tag information is used for indicating that the target backup data has passed ransomware detection by a backup detection system, and the signature is obtained by the backup detection system signing the target backup data and the tag information based on a private key;
the isolated storage system verifies the signature based on a public key, wherein the public key is a key pair matched with the private key;
If verification is successful, the isolated storage system stores the target backup data;
The isolated storage system receives a recovery request of a service system, wherein the recovery request is used for acquiring the target backup data;
and the isolated storage system sends the target backup data, the tag information and the signature to the service system according to the recovery request, wherein the signature is used for the service system to verify based on the public key and to perform data recovery using the target backup data after the verification succeeds.
8. The method of claim 7, wherein the isolated storage system verifies the signature based on a public key, comprising:
the isolated storage system calculates a first hash value of the target backup data and the tag information.
9. The method of claim 7 or 8, wherein after the isolated storage system calculates the first hash value of the target backup data and the tag information, the method further comprises:
comparing a second hash value, obtained by the isolated storage system verifying the signature based on the public key, with the first hash value.
10. The method of any of claims 7 to 9, wherein the isolated storage system stores the target backup data if verification is successful, comprising:
and if the second hash value is the same as the first hash value, the isolated storage system stores the target backup data.
11. The method of claim 7, wherein the signature is used for data recovery with the target backup data when the second hash value obtained by the service system verifying based on the public key is the same as a third hash value calculated based on the target backup data and the tag information.
12. A method according to any of claims 7 to 10, wherein the private key is generated by the key management system or the private key is imported by a user into the key management system.
13. A ransomware detection apparatus, characterized in that the apparatus is applied to a backup detection system, the backup detection system is used for performing ransomware detection on backup data in a backup storage system, and the backup data is a backup of service data, the apparatus comprising:
an acquisition module, used for acquiring the backup data;
a processing module, used for performing the ransomware detection on the backup data;
the acquisition module is further used for obtaining, based on a private key, a signature of target backup data and tag information of the target backup data, wherein the tag information of the target backup data is used for indicating that the target backup data has passed the ransomware detection;
and a sending module, used for sending the target backup data, the tag information and the signature to an isolated storage system, wherein the signature is used for the isolated storage system to verify the signature based on a public key and to store the target backup data after the verification succeeds, and the public key and the private key form a matched key pair.
14. The apparatus of claim 13, wherein the obtaining module is specifically configured to:
And calculating a first hash value of the target backup data and the label information.
15. The apparatus according to claim 13 or 14, wherein after the obtaining module calculates the first hash value of the target backup data and the tag information, the sending module is further configured to:
the first hash value is sent to a key management system, which is used for signing the first hash value based on the private key and sending the signature to the backup detection system.
16. The apparatus of claim 13 or 14, wherein after the obtaining module calculates the first hash value of the target backup data and the tag information:
the acquisition module is further used for acquiring the private key from the key management system;
the processing module is further configured to sign the first hash value based on the private key.
17. The apparatus of any of claims 13 to 16, wherein the signature is used for storing the target backup data when a second hash value calculated by the isolated storage system based on the target backup data and the tag information is the same as the first hash value obtained by verifying the signature based on the public key.
18. The apparatus of any of claims 13 to 17, wherein the private key is generated by the key management system or is imported by a user into the key management system.
19. A ransomware detection apparatus, wherein the apparatus is applied to an isolated storage system, the apparatus comprising:
a receiving module, used for receiving target backup data, tag information of the target backup data and a signature of the target backup data, wherein the tag information is used for indicating that the target backup data has passed ransomware detection by a backup detection system, and the signature is obtained by the backup detection system signing the target backup data and the tag information based on a private key;
The processing module is used for verifying the signature based on a public key, wherein the public key is a key pair matched with the private key;
If the verification is successful, the processing module is further used for storing the target backup data;
the receiving module is further configured to receive a recovery request of the service system, where the recovery request is used to obtain the target backup data;
The processing module is further configured to send, according to the recovery request, the target backup data, the tag information, and the signature to the service system, where the signature is used for verification by the service system based on the public key and after verification is successful, performing data recovery by using the target backup data.
20. The apparatus according to claim 19, wherein the processing module is specifically configured to:
And calculating a first hash value of the target backup data and the label information.
21. The apparatus of claim 19 or 20, wherein after the processing module calculates the first hash value of the target backup data and the tag information:
And the processing module is further used for comparing a second hash value obtained by verifying the signature based on the public key with the first hash value.
22. The apparatus of any of claims 19 to 21, wherein after the processing module calculates the first hash value of the target backup data and the tag information:
And if the second hash value is the same as the first hash value, the processing module is further configured to store the target backup data.
23. The apparatus of claim 19, wherein the signature is used for data recovery with the target backup data when the second hash value obtained by the service system verifying based on the public key is the same as a third hash value calculated based on the target backup data and the tag information.
24. The apparatus of any of claims 19 to 23, wherein the private key is generated by the key management system or is imported by a user into the key management system.
25. A cluster of computing devices, comprising at least one computing device, each computing device comprising a processor and a memory;
The processor of the at least one computing device is configured to execute instructions stored in the memory of the at least one computing device to cause the cluster of computing devices to perform the method of any one of claims 1 to 6.
26. A cluster of computing devices, comprising at least one computing device, each computing device comprising a processor and a memory;
The processor of the at least one computing device is configured to execute instructions stored in the memory of the at least one computing device to cause the cluster of computing devices to perform the method of any of claims 7 to 12.
27. A computer program product containing instructions that, when executed by a cluster of computing devices, cause the cluster of computing devices to perform the method of any of claims 1 to 6.
28. A computer program product containing instructions that, when executed by a cluster of computing devices, cause the cluster of computing devices to perform the method of any of claims 7 to 12.
29. A computer readable storage medium comprising computer program instructions which, when executed by a cluster of computing devices, perform the method of any of claims 1 to 6.
30. A computer readable storage medium comprising computer program instructions which, when executed by a cluster of computing devices, perform the method of any of claims 7 to 12.
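The signing and verification flow of claims 1 to 12, as an added Go example that is not the patent's own code: the backup detection system hashes the target backup data together with its tag information, a key management system signs that hash, and the isolated storage system (and later the service system, on recovery) accepts the data only after the signature verifies under the public key. Ed25519 is assumed as the signature scheme since the claims name none, so the comparison of the hash committed to by the signature with the recomputed hash (claims 9 and 10) happens inside ed25519.Verify; the TagInfo fields are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// TagInfo: tag information attached by the backup detection system (field names constructed).
type TagInfo struct {
	BackupID string `json:"backup_id"`
	Passed   bool   `json:"passed"` // true: the data passed ransomware detection
}

// SignedBackup travels to the isolated storage system and, on recovery, to the service system.
type SignedBackup struct {
	Data []byte
	Tag  TagInfo
	Sig  []byte
}

// firstHash is the "first hash value" over data || tag (claim 2); the length prefix fixes the boundary.
func firstHash(data []byte, tag TagInfo) []byte {
	tagJSON, _ := json.Marshal(tag) // a struct of string and bool cannot fail to marshal
	h := sha256.New()
	binary.Write(h, binary.BigEndian, uint64(len(data)))
	h.Write(data)
	h.Write(tagJSON)
	return h.Sum(nil)
}

// KMS keeps the private key (claim 3): it receives only the hash and returns the signature.
type KMS struct{ priv ed25519.PrivateKey }
func (k KMS) Sign(hash []byte) []byte { return ed25519.Sign(k.priv, hash) }

// Produce is the backup detection system step; it signs only data whose tag says detection passed.
func Produce(data []byte, tag TagInfo, kms KMS) (SignedBackup, error) {
	if !tag.Passed {
		return SignedBackup{}, errors.New("backup did not pass ransomware detection")
	}
	return SignedBackup{Data: data, Tag: tag, Sig: kms.Sign(firstHash(data, tag))}, nil
}

// Verify is run by the isolated storage system before storing (claims 8-10) and by the
// service system before restoring (claim 11); only the public key is needed.
func Verify(sb SignedBackup, pub ed25519.PublicKey) error {
	if !ed25519.Verify(pub, firstHash(sb.Data, sb.Tag), sb.Sig) {
		return errors.New("signature mismatch: data or tag altered after detection")
	}
	return nil
}

// IsolatedStorage keeps only backups whose signature verified.
type IsolatedStorage struct {
	Pub   ed25519.PublicKey
	Store map[string]SignedBackup
}

// Put rejects anything that fails verification, so tampered or unscanned data never lands.
func (s *IsolatedStorage) Put(sb SignedBackup) error {
	if err := Verify(sb, s.Pub); err != nil {
		return err
	}
	s.Store[sb.Tag.BackupID] = sb
	return nil
}
```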

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2024/078473 WO2024250745A1 (en) 2023-06-08 2024-02-26 Ransomware detection method, distributed system, and computer-readable storage medium

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2023106781193 2023-06-08
CN202310678119 2023-06-08

Publications (1)

Publication Number Publication Date
CN119106419A true CN119106419A (en) 2024-12-10

Family

ID=93714669

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311405723.5A Pending CN119106419A (en) 2023-06-08 2023-10-26 Ransomware detection method, distributed system and computer-readable storage medium

Country Status (2)

Country Link
CN (1) CN119106419A (en)
WO (1) WO2024250745A1 (en)

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050283662A1 (en) * 2004-06-21 2005-12-22 Li Yi Q Secure data backup and recovery
US10742665B2 (en) * 2016-02-01 2020-08-11 NortonLifeLock Inc. Systems and methods for modifying file backups in response to detecting potential ransomware
CN109388945B (en) * 2018-08-21 2022-04-01 中国科学院信息工程研究所 Method and system for preventing ransomware attack based on solid-state storage device
CN109271281B (en) * 2018-08-31 2021-10-22 政和科技股份有限公司 Data backup method and system for preventing data from being tampered
CN113595957B (en) * 2020-04-30 2022-11-08 华为技术有限公司 Network defense method and security detection equipment
CN114297645B (en) * 2021-12-03 2022-09-27 深圳市木浪云科技有限公司 Method, device and system for identifying ransomware family in cloud backup system
CN115130101B (en) * 2022-07-06 2025-11-14 广东电网有限责任公司广州供电局 Blockchain-based data storage methods for ransomware prevention

Also Published As

Publication number Publication date
WO2024250745A1 (en) 2024-12-12

Legal Events

Date Code Title Description
PB01 Publication