
TW202307703A - Method for preventing data kidnapping and related computer program - Google Patents


Info

Publication number
TW202307703A
Authority
TW
Taiwan
Prior art keywords
directory
protected
target
files
character
Prior art date
Application number
TW110128727A
Other languages
Chinese (zh)
Other versions
TWI769038B (en)
Inventor
林長毅
Original Assignee
林長毅
Priority date
Filing date
Publication date
Application filed by 林長毅
Priority to TW110128727A
Application granted
Publication of TWI769038B
Publication of TW202307703A

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

A method for preventing data kidnapping and a related computer program are disclosed. The method includes the steps: (a) setting a protected directory and protected files with a designated extension in the protected directory; (b) creating a target directory in the root directory or user directory where the protected directory is located, wherein the first character of the target directory's name is ranked higher in the Unicode character list than the first character of the names of all directories in that root directory or user directory; (c) creating at least 100 target files with the designated extension in the target directory; (d) cyclically creating an image file of all the protected files in the protected directory at a first frequency and storing it in a designated space; (e) checking at a second frequency whether specific target files in the target directory have been modified or deleted; and (f) if the total number of modified or deleted target files checked in step (e) reaches a specific value, stopping creating the image file and setting the handle values of those protected files to restrict writing.

Description

Method for preventing data hijacking and related computer program

The present invention relates to an information-processing method and a related computer program product, and in particular to a method for preventing data hijacking and a related computer program product.

Information security is essential in today's world of advanced information technology. From personal electronic devices to national-scale public infrastructure, if the software or data a system uses is "hacked", the corresponding service may degrade or even stop. A common attack is to break into a host over the network and use malicious software that, through operating-system vulnerabilities or particular settings, encrypts the data on the storage device (such as a hard disk or SSD) so that the host can no longer operate; this is what is called data hijacking. The attackers who launch such attacks can demand a ransom from the owner of the host, and only after the ransom is paid do they decrypt the data and let the system return to normal.

After breaking into a host, this malicious software encrypts the data on the computer's storage device according to certain rules. Because the host behaves differently from its normal operation while this runs, some cloud anti-hacking systems can monitor for these characteristics and apply countermeasures against the malware to keep information secure. On the other hand, these cloud systems can themselves obtain, or even steal, the user's data, which becomes another security concern. To resolve this contradiction, it is preferable to have a stand-alone application that prevents malware from hijacking data, where the application operates only within the scope the user has allowed. The present invention is such a novel solution.

This paragraph extracts and compiles certain features of the present invention; other features are disclosed in the following paragraphs. It is intended to cover the various modifications and similar arrangements that fall within the spirit and scope of the appended claims.

To meet the above needs, the present invention discloses a method for preventing data hijacking, which comprises the steps of: a) setting, in the file system of a computer, a protected directory and the protected files in that directory that have a designated extension; b) creating a target directory in the root directory or user directory in which the protected directory is located, where the first character of the target directory's name ranks earlier in the Unicode character list than the first character of the name of every directory in that root directory or user directory; c) creating in the target directory at least 100 target files with the designated extension; d) cyclically making an image file of all protected files in the protected directory at a first frequency and storing it in a designated space; e) checking at a second frequency whether the first A and the last B target files in the target directory, in the order in which they are read by file name, have been modified or deleted, where A and B are positive integers; and f) when the total number of checked target files found modified or deleted in step e) reaches C, setting the handles of the protected files to restrict writing, where C is a positive integer not greater than A and not greater than B.

The above method may further comprise, after step d), the steps: d1) checking whether any protected file has been modified or deleted and, if so, listing the modified or deleted protected file in a pending-deletion area of the image file made in the next cycle; and d2) repeating step d) and, before the image file of the cycle after that is made, judging whether the modified or deleted file has been restored to its original state: if not, removing the modified or deleted file from the pending-deletion area and moving it back to its original position; if so, removing the modified or deleted file from the pending-deletion area and making the image file from the current state of all protected files.

If the root directory or user directory contains a distinctively named directory whose name's first character has the same rank in the Unicode character list as the first character of the target directory's name, then from the second character onward the target directory's name uses the symbol ranked first in the Unicode character list, until some character after the second character of the target directory's name ranks earlier in the Unicode character list than the character at the same position in the distinctively named directory.

Preferably, A is 5, B is 5 and C is 3; each target file is no smaller than 64 kB; the designated space is a storage device not attached to the computer or a cloud storage platform; the first frequency is at least once every 10 minutes; and the second frequency is at least once every 100 microseconds.

The present invention also discloses a computer program comprising readable code installed in a computer; when the readable code runs on the computer, the computer's processor executes the above method for preventing data hijacking.

Preferably, when the readable code runs on the computer, the processor displays an operation interface on a screen, and that interface guides the user in setting the protected directory and the protected files.

Because the method is executed by a computer program running on a single stand-alone machine, it does not create a situation in which user data is stolen. In addition, the present invention provides two layers of protection for the protected files, which is a first in the industry.

The present invention is described more specifically with reference to the following embodiments.

Please refer to FIG. 1, a flow chart of a method for preventing data hijacking (hereinafter "the method") according to an embodiment of the present invention. In practice, the method is carried out by installing a computer program on a computer and having the computer execute it. The first step is to set, in the file system of a computer, a protected directory and the protected files in that directory that have a designated extension (S01). For a better understanding, refer to FIG. 2, which shows the application scenario of the method. In FIG. 2, a computer 1 has a hard disk 2, the physical device that stores data. Through the operating system of computer 1 the sectors of the hard disk are managed so that data (files), structured as combinations of 0s and 1s, can be stored and the location of a file can be addressed for reading and writing. According to the present invention, the protected objects are the designated files in the designated protected directory, not every file stored on hard disk 2. When attackers use hijacking, they generally encrypt files with particular extensions so that those files can no longer be read and become useless data. Extensions commonly hijacked include doc, xls, bin, rft, pdf, dbf, jpg, dwg, cdr, psd, cd, mdb, png, lcd, zip, rar, csv and log; these are the kinds of designated extension meant in step S01. The user of the computer program can decide which directory is protected. In FIG. 2, the hard disk of computer 1 is logically divided into a system drive 21 (drive C) and a data drive 22 (drive D); both the system drive 21 and the data drive 22 are "directories" (root directories). Taking data drive 22 as an example, in this embodiment it contains three directories named "document", "!!important" and "figure". The files that need protecting are in the "document" directory, so "document" is the protected directory. Not every file in the protected directory is protected, however: only files with the designated extension are. In this embodiment, the "document" directory holds six files, abc.doc, friend.doc, mydata.log, time1937.log, time245.log and ffnuefne.bin. Once configured, the three files with the extension "log" are the protected files. Note that the embodiment uses only one protected directory and one designated extension for illustration; in practice there may be several protected directories and several designated extensions at the same time.

The second step of the method is to create, in the root directory or user directory in which the protected directory is located, a target directory whose name's first character ranks earlier in the Unicode character list than the first character of the name of every directory in that root directory or user directory (S02). In step S02 the computer program creates in data drive 22 (the root directory containing the "document" directory) a target directory 221 named "!!!". The first character of the name of target directory 221 is "!", which ranks earlier in the Unicode character list than the first character of the existing directory names "document" and "figure". The first character of the "!!important" directory name, however, also happens to be "!". If the "!!important" directory did not exist, the name of target directory 221 created by the program could simply be "!". To deal with the presence of "!!important", that is, when the root directory contains a distinctively named directory (here "!!important") whose first character has the same Unicode rank as the first character of the name of target directory 221, the name of target directory 221 from its second character onward uses the symbol ranked first in the Unicode character list (excluding control codes, spaces and other "non-symbols" that rank even earlier), until some character after the second character ranks earlier in the Unicode character list than the character at the same position in the distinctively named directory. Since the first two characters of "!!important" are both "!", target directory 221 must be extended so that its first three characters are all "!" to satisfy this requirement. The purpose of creating target directory 221 is to create the object that hijacking software attacks first. Generally, when hijacking software encrypts the files on hard disk 2, it follows the read order defined by the operating system, which is decided by the Unicode rank of the first character of each directory name, so the files in the directory ranked earliest are attacked first. Note that the distinctively named directory may itself be the protected directory. Furthermore, according to the present invention, if the protected directory lies under a user directory within a logical drive partitioned by the operating system, the target directory may also be created in that user directory. If two or more users can operate computer 1 under their own accounts, there are two or more user directories, and each of them can be the object of the second step of the method.
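The naming rule of step S02 can be written down as a small function. The following Python is an added example, not code from the patent; it implements the patent's own comparison rule, under which a name ranks before another only when at some position its character has the lower code point (a shared prefix alone does not count, which is why "!!important" forces "!!!" rather than "!"). The function and constant names are this example's. One caveat for anyone relying on the premise behind S02: NTFS does hand back directory entries in sorted order, but ext4 and FAT do not, and a process is free to enumerate in any order it likes, so "visited first" is the patent's assumption rather than a file-system guarantee.

```python
# Added example (not from the patent): pick the target (decoy) directory name of
# step S02 with the patent's own comparison rule, in which a name ranks before
# another only if, at some position, its character has the lower code point.
DECOY_CHAR = "!"  # U+0021: the first printable non-space code point in Unicode


def ranks_before(candidate, other):
    """True if `candidate` beats `other` under the S02 rule: a strictly lower
    code point at some position, with all earlier positions equal. A shared
    prefix with no such position does not count, unlike Python's default `<`."""
    for c, o in zip(candidate, other):
        if c != o:
            return c < o
    return False


def choose_target_dir_name(existing_names):
    """Shortest run of '!' that ranks before every sibling directory name.

    One '!' suffices unless a sibling also starts with '!'; then the name is
    extended one '!' at a time until '!' beats that sibling's character at the
    same position ("!!important" forces "!!!"). Raises ValueError when no such
    name exists (a sibling made only of '!' can never be beaten this way).
    """
    longest = max((len(n) for n in existing_names), default=1)
    for length in range(1, longest + 1):
        candidate = DECOY_CHAR * length
        if all(ranks_before(candidate, name) for name in existing_names):
            return candidate
    raise ValueError("no '!'-prefixed name ranks before every existing directory")


def read_order(names):
    """Directory order the patent assumes an attacker follows: code-point order."""
    return sorted(names)


if __name__ == "__main__":
    siblings = ["document", "!!important", "figure"]   # the FIG. 2 layout
    decoy = choose_target_dir_name(siblings)
    print(decoy, read_order(siblings + [decoy]))
```

`read_order` is there only to make the premise visible: once the decoy exists, it is the first entry in code-point order, with "!!important" second.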

Next, the third step is to create in target directory 221 at least 100 target files with the designated extension (S03). For a better understanding of this step, refer to FIG. 3, which shows the target files in target directory 221. In this embodiment 1000 target files with the extension log are created: !0000001.log, !0000002.log, ..., !0001000.log. The naming of the target files is not restricted, because the operating system determines the order in which they are read during a full read, so which files are read first and which later can be told apart without special naming. In practice, hijacking software may attack the files read first before the others, or it may attack the files read last first. The purpose of creating many target files in this step is to lure the hijacking software into attacking (encrypting) them, so that by monitoring the state of these target files it can be determined whether computer 1 is under attack. When such an attack occurs, the time the software spends encrypting these target files delays the moment it reaches the protected files, leaving time to apply special protection to them. Strategically, this is a "time for space" countermeasure: the storage given to the target files buys time. Because the time needed to encrypt a file grows with its size, the target files should have a minimum size, chosen so that they neither affect the operation of computer 1 nor occupy too much storage. According to the present invention, each target file is preferably no smaller than 64 kB.

The fourth step is to cyclically make an image file of all protected files in the protected directory at a first frequency and store it in a designated space (S04). For a better understanding, refer to FIG. 4, which shows the image file and how it is stored. According to the present invention, the designated space that stores the protected files can be a storage device not attached to computer 1 (such as a network drive or a removable portable SSD) or a cloud storage platform (such as Google Drive) reached over the network. The designated space must not itself be reachable by the hijacking software. In this embodiment the designated space is a cloud storage platform 4 connected to computer 1 through a network 3. The first layer of protection the present invention gives the protected files is to preserve their current state as an image file and, after a period of time (the first frequency), to make another image file of the protected files, restoring from it when necessary. According to the present invention, the first frequency is at least once every 10 minutes, but depending on actual needs it may be once an hour, according to the workload of computer 1 and the likelihood of attack.

Next, the fifth step is to check at a second frequency whether the first A and the last B target files in target directory 221, in the order in which they are read by file name, have been modified or deleted, where A and B are positive integers (S05). This step continuously observes, over very short intervals, whether the target files most likely to be attacked first by hijacking software have been subjected to an encryption attack. In practice the second frequency is at least once every 100 microseconds. This is very fast, so the number of target directories that can be monitored without affecting the performance of computer 1 is limited. In this embodiment A is 5 and B is 5, so each observation checks whether the first 5 and last 5 target files read by file name (those in the dashed boxes in FIG. 3) have been modified or deleted. If these target files are modified or deleted, they may have been attacked by hijacking software. Note that although this step starts after an image file has been made, step S04 continues to run concurrently with this step; they differ only in their start times. This step is also repeated continuously.

The last step of the method is that, when the total number of target files checked in step S05 found modified or deleted reaches C, the handles of the protected files are set to restrict writing and the making of image files is stopped, where C is a positive integer not greater than A and not greater than B (S06). In this embodiment C is 3 (in practice it is not restricted to this value and may vary with A and B). That is, when in one observation the computer program finds that 3 of the first 5 or last 5 target files read by file name have been modified or deleted, it concludes that hijacking software is attacking. At this point, because the hijacking software still has to encrypt the remaining target files in target directory 221, there is still time to protect the protected files on computer 1: through the operating system, the computer program obtains the handles of the protected files and immediately locks them to restrict writing. The hijacking software can then no longer encrypt those protected files. This is the second layer of protection the present invention gives the protected files. The reason for stopping the making of image files is that, if the hijacking software is nevertheless fast enough to encrypt some of the protected files while an image file happens to be in the making, the newest image file could contain some of the hijacked protected files. To prevent this, the decisive measure is to stop making image files. Once all the effects of the attack have been cleaned up, the method is enabled again and the image files continue to be made cyclically.
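Steps S03, S05 and S06 together form a detection loop, shown here as an added example that is not the patent's code. The Python below creates the decoy files, hashes the first A and last B of them by name, counts the watched decoys that are missing or changed, and, once that count reaches C, restricts writing to the protected files. Everything it touches lives in a temporary directory it constructs itself (three protected files and 50 small decoys in the demo). Two assumptions are this example's: POSIX permission bits stand in for the handle-level write restriction the patent describes, and `run_demo` overwrites a few decoys with filler bytes to model a bulk-rewriting process. Note that clearing write bits does not stop a process running under the same account, which is exactly why the patent wants the restriction enforced on the open handles instead.

```python
# Added example (not part of the patent): decoy files (S03), the A-first/B-last
# check (S05) and the write-restriction reaction (S06), on a temporary directory.
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def create_target_files(target_dir, count=1000, ext="log", size=64 * 1024):
    """S03: create `count` decoy files named !0000001.<ext> ... of `size` bytes each."""
    target_dir = Path(target_dir)
    target_dir.mkdir(parents=True, exist_ok=True)
    names = []
    for i in range(1, count + 1):
        path = target_dir / f"!{i:07d}.{ext}"
        path.write_bytes(os.urandom(size))  # constructed, incompressible filler
        names.append(path.name)
    return names


def watched_names(target_dir, ext, a=5, b=5):
    """S05: the first A and last B file names in code-point order (deduplicated)."""
    names = sorted(p.name for p in Path(target_dir).glob(f"*.{ext}"))
    return list(dict.fromkeys(names[:a] + names[-b:]))


def _digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


class DecoyMonitor:
    """Holds a content-hash baseline of the watched decoys and counts tampering."""

    def __init__(self, target_dir, ext="log", a=5, b=5, c=3):
        assert 1 <= c <= min(a, b), "C must be a positive integer <= A and <= B"
        self.dir = Path(target_dir)
        self.c = c
        self.baseline = {n: _digest(self.dir / n) for n in watched_names(self.dir, ext, a, b)}

    def tampered(self):
        """Names of watched decoys that are missing or whose content changed."""
        hit = []
        for name, digest in self.baseline.items():
            path = self.dir / name
            if not path.exists() or _digest(path) != digest:
                hit.append(name)
        return hit

    def attack_detected(self):
        """S06 trigger: at least C watched decoys modified or deleted in one check."""
        return len(self.tampered()) >= self.c


def restrict_writes(protected_dir, ext):
    """S06 reaction. The patent sets the files' handles to deny writing through the OS;
    this portable stand-in (assumption) clears the POSIX write bits instead.
    Returns the paths that were locked."""
    locked = []
    for path in Path(protected_dir).glob(f"*.{ext}"):
        mode = stat.S_IMODE(path.stat().st_mode)
        path.chmod(mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))
        locked.append(path)
    return locked


def run_demo(tamper_count=3, count=50, size=1024):
    """Constructed scenario: set up decoys, overwrite `tamper_count` of the watched
    ones the way a bulk-rewriting process would, and report
    (tampered before, tampered after, triggered, protected files locked)."""
    root = Path(tempfile.mkdtemp(prefix="antihijack-"))
    target = root / "!!!"
    protected = root / "document"
    protected.mkdir()
    for name in ("mydata.log", "time1937.log", "time245.log"):   # FIG. 2 files
        (protected / name).write_bytes(b"protected content\n")
    create_target_files(target, count=count, size=size)
    monitor = DecoyMonitor(target, a=5, b=5, c=3)
    before = len(monitor.tampered())
    for name in list(monitor.baseline)[:tamper_count]:
        (target / name).write_bytes(b"\x00" * 16)   # simulated overwrite of a decoy
    after = len(monitor.tampered())
    triggered = monitor.attack_detected()
    locked = restrict_writes(protected, "log") if triggered else []
    return before, after, triggered, len(locked)


if __name__ == "__main__":
    print(run_demo())  # (0, 3, True, 3)
```

A deployment would call `attack_detected()` from a loop at the second frequency and, on Windows, keep the protected files open with a share mode that denies writers, so the lock is in place before the process that rewrote the decoys reaches the protected directory.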

According to the present invention, if a protected file is accidentally deleted or overwritten by the user, or is lost because a sector of the storage device is damaged, the way the image file is stored can be slightly modified so that the cause can be determined and appropriate handling applied. The method may therefore further comprise two steps after step S04. First, check whether any protected file has been modified or deleted and, if so, list the modified or deleted protected file in a pending-deletion area 4a of the image file made in the next cycle (S041). For the details of this step, refer again to FIG. 4. When the image file of the current cycle is made, the image file containing the three files mydata.log, time1937.log and time245.log is stored in a first storage area 41 (a physical storage area) of cloud storage platform 4. Before the next cycle's image file is made, the computer program learns through the operating system that time1937.log has been modified; the new time1937.log is then pulled into pending-deletion area 4a when the next cycle's image file is made, and the next cycle's image file as a whole is stored in a second storage area 42 (logically, the next cycle's image file overwrites the current one). Then step S04 is repeated and, before the image file of the cycle after that is made, it is judged whether the modified or deleted file has been restored to its original state: if not, the modified or deleted file is removed from pending-deletion area 4a and moved back to its original position; if so, the modified or deleted file is removed from pending-deletion area 4a and the image file is made from the current state of all protected files (S042). In the "no" case, that is, when it is confirmed that time1937.log disappeared or was modified for a reason other than an attack, the new time1937.log file is removed from pending-deletion area 4a and moved back to its original position in the image file made in the cycle after next (if the file disappeared, pending-deletion area 4a is empty and the position of the original time1937.log in that image file is also empty). In the "yes" case, that is, when it is confirmed that the cause of time1937.log disappearing or being modified no longer exists, the computer program deletes the new time1937.log from pending-deletion area 4a and continues making image files of the protected files according to step S04. As shown in FIG. 4, by then the user has added another protected file, time359.log, and the resulting image file as a whole is stored in a third storage area 43 (logically, the image file of the cycle after next overwrites that of the next cycle).
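The two-round handling of S041 and S042 is easy to get wrong, so here it is as an added in-memory model (this example's own code, not the patent's): each image file is a mapping from file name to content, area 4a is a second mapping, and the S06 stop flag suppresses image making. The first round that sees a protected file changed or missing keeps the known-good copy in the image and parks the new state in area 4a; the following round either accepts the parked state into the image (file not restored) or discards it and snapshots the current files (file restored). The FIG. 4 sequence, including the added time359.log, is replayed by `fig4_scenario`.

```python
# Added example (not part of the patent): an in-memory model of the image-file
# cycle of S04 with the pending-deletion area of S041/S042 and the S06 stop rule.


class ImageCycle:
    """Each round snapshots the protected files (name -> bytes) into `image`.

    A file seen changed or missing since the previous round is not written
    into `image` straight away: its new state goes to `pending` (area 4a) and
    the known-good copy stays in `image`. In the round after that:
      * still changed -> the parked state is moved from `pending` into `image`
                         (the change is taken as legitimate, "moved back");
      * restored      -> `pending` is dropped and `image` is rebuilt from the
                         current files.
    `stopped` models S06: no image is made while an attack is being handled.
    """

    def __init__(self):
        self.image = {}     # last completed image file
        self.pending = {}   # area 4a: name -> new bytes, or None if the file vanished
        self.stopped = False
        self.rounds = 0

    def make_image(self, current):
        """Run one S04 round over `current` (name -> bytes of the protected files)."""
        if self.stopped:
            return None
        self.rounds += 1
        new_image = {}
        for name in set(self.image) | set(current):
            now, old = current.get(name), self.image.get(name)
            if name in self.pending:                      # second look at this name (S042)
                if now == old:                            # restored: drop the parked copy
                    del self.pending[name]
                    new_image[name] = now
                else:                                     # not restored: move parked copy back
                    accepted = self.pending.pop(name)
                    if accepted is not None:
                        new_image[name] = accepted
            elif old is not None and now != old:          # first seen changed/missing (S041)
                self.pending[name] = now
                new_image[name] = old                     # keep the known-good copy
            elif now is not None:                         # unchanged or newly added file
                new_image[name] = now
        self.image = new_image
        return dict(new_image)

    def stop(self):
        self.stopped = True

    def resume(self):
        self.stopped = False


def fig4_scenario(restored):
    """Replay FIG. 4 with constructed contents: round 1 baseline, round 2 after
    time1937.log was rewritten, round 3 with time1937.log restored or not and
    time359.log added. Returns (image copy of time1937.log after round 2,
    area 4a after round 2, image after round 3)."""
    cycle = ImageCycle()
    files = {"mydata.log": b"m", "time1937.log": b"t1", "time245.log": b"t2"}
    cycle.make_image(files)
    rewritten = dict(files, **{"time1937.log": b"t1 (rewritten)"})
    round2 = cycle.make_image(rewritten)
    pending = dict(cycle.pending)
    round3_files = dict(files if restored else rewritten, **{"time359.log": b"t3"})
    round3 = cycle.make_image(round3_files)
    return round2["time1937.log"], pending, round3
```

In both branches the image made in round 2 still carries the original time1937.log while area 4a holds the rewritten copy; the decision is only taken in round 3.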

Note that steps S041 and S042 may occur before step S05, between steps S05 and S06, or even after step S06; there is no fixed point at which they occur.

The computer program described above comprises readable code installed in computer 1; when the readable code runs on computer 1, the processor of computer 1 executes the method for preventing data hijacking described above. Preferably, when the readable code runs on computer 1, the processor of computer 1 also displays an operation interface on a screen (not shown), and that interface guides the user in setting the protected directory and the protected files.

Although the present invention has been disclosed above by way of embodiments, they are not intended to limit it; a person of ordinary skill in the art may make minor changes and refinements without departing from the spirit and scope of the present invention, so the scope of protection of the present invention is that defined by the appended claims.

1: computer; 2: hard disk; 21: system drive; 22: data drive; 221: target directory; 3: network; 4: cloud storage platform; 4a: pending-deletion area; 41: first storage area; 42: second storage area; 43: third storage area; S01~S06: steps

FIG. 1 is a flow chart of a method for preventing data hijacking according to an embodiment of the present invention.

FIG. 2 shows an application scenario of the method for preventing data hijacking.

FIG. 3 shows the target files in a target directory.

FIG. 4 shows the image file and how it is stored.


Claims (10)

1. A method for preventing data hijacking, comprising the steps of:
a) in the file system of a computer, setting a protected directory and, within the protected directory, protected files having a designated extension;
b) creating, in the root directory or user directory in which the protected directory resides, a target directory whose name's first character ranks earlier in the Unicode character list than the first character of the name of every other directory in that root directory or user directory;
c) creating, in the target directory, at least 100 target files having the designated extension;
d) cyclically making image files of all protected files in the protected directory at a first frequency and storing them in a designated space;
e) checking, at a second frequency, whether the first A and the last B target files in the target directory, taken in file-name order, have been modified or deleted, where A and B are positive integers; and
f) when the total number of target files checked in step e) that have been modified or deleted reaches C, setting the handles of the protected files to restrict writing and stopping the making of image files, where C is a positive integer not greater than A and not greater than B.

2. The method for preventing data hijacking of claim 1, further comprising, after step d), the steps of:
d1) checking whether any protected file has been modified or deleted and, if so, listing the modified or deleted protected file in a pending-deletion area of the image file made in the next cycle; and
d2) repeating step d) and, before the image file of the cycle after that is made, judging whether the modified or deleted target file has been restored to its original state: if not, removing the modified or deleted target file from the pending-deletion area and moving it back to its original location; if so, removing the modified or deleted target file from the pending-deletion area and making the image file according to the current state of all protected files at that time.

3. The method for preventing data hijacking of claim 1, wherein, if a directory with a distinctive name exists in the root directory or user directory and the first character of its name has the same rank in the Unicode character list as the first character of the target directory's name, then from the second character of the target directory's name onward the earliest-ranked symbol in the Unicode character list is used, until some character after the second character of the target directory's name ranks earlier in the Unicode character list than the character in the same position of the distinctive-name directory's name.

4. The method for preventing data hijacking of claim 1, wherein A is 5, B is 5 and C is 3.

5. The method for preventing data hijacking of claim 1, wherein the size of each target file is not less than 64 kB.

6. The method for preventing data hijacking of claim 1, wherein the designated space is a storage device not attached to the computer or a cloud storage platform.

7. The method for preventing data hijacking of claim 1, wherein the first frequency is at least once every 10 minutes.

8. The method for preventing data hijacking of claim 1, wherein the second frequency is at least once every 100 microseconds.

9. A computer program comprising readable code and installed in a computer, wherein, when the readable code runs in the computer, the processor of the computer executes the method for preventing data hijacking of any one of claims 1 to 8.

10. The method for preventing data hijacking of claim 9, wherein, when the readable code runs in the computer, the processor of the computer displays an operation interface on a screen, the operation interface guiding the user to set the protected directory and the protected files.
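The claims above describe a decoy-directory tripwire: a directory named to sort before its siblings, filled with at least 100 bait files carrying the protected extension, sampled at the first A and last B names, with writes to the real files restricted once C of the sampled baits change. The Python below is an added illustration of that mechanism and is not code from the patent or its applicant. It implements the name selection of claims 1(b) and 3 including the tie case, the decoy population of claims 1(c) and 5, the A/B sampling of claims 1(e) and 4, and the threshold response of claim 1(f). Assumptions not taken from the page: `!` (U+0021) is used as the earliest usable symbol since the page names no specific character; clearing the file's write bits with `os.chmod` stands in for "setting the handle values to restrict writing"; the timed loops are replaced by a single call per check; and the names `choose_decoy_name`, `create_decoys`, `count_tampered`, `check_and_respond` and `run_demo` are my own. The `run_demo` scenario is constructed in a temporary directory and overwrites or removes three decoys itself to exercise the check.

```python
# Added illustration of the claims above; not the patent's own code.
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Assumption: names are limited to printable ASCII accepted by common file
# systems, so "!" (U+0021) is the earliest-sorting symbol available.
FLOOR_CHAR = "!"


def choose_decoy_name(sibling_names, label="decoy"):
    """Return FLOOR_CHAR * k + label for the smallest k such that the name
    sorts before every sibling directory name (claims 1(b) and 3).
    A sibling such as "!!" is a prefix of every "!!..." candidate and can
    never be beaten, so ValueError is raised instead of looping forever."""
    longest = max((len(s) for s in sibling_names), default=0)
    for k in range(1, longest + 2):
        candidate = FLOOR_CHAR * k + label
        if all(candidate < s for s in sibling_names):
            return candidate
    raise ValueError("no name sorts before every sibling directory")


def _filler(index, size):
    # Deterministic, incompressible content for decoy number `index`.
    block = hashlib.sha256(f"decoy-{index}".encode()).digest()
    return (block * (size // len(block) + 1))[:size]


def create_decoys(decoy_dir, extension=".docx", count=100, size=64 * 1024):
    """Populate the decoy directory (claims 1(c) and 5) and return the
    baseline {path: sha256} that later checks compare against."""
    decoy_dir = Path(decoy_dir)
    decoy_dir.mkdir(parents=True, exist_ok=True)
    baseline = {}
    width = len(str(count - 1))  # zero-pad so name order equals index order
    for i in range(count):
        path = decoy_dir / f"decoy_{i:0{width}d}{extension}"
        data = _filler(i, size)
        path.write_bytes(data)
        baseline[path] = hashlib.sha256(data).hexdigest()
    return baseline


def count_tampered(baseline, a=5, b=5):
    """Count modified or deleted files among the first `a` and last `b`
    decoys by file name (claim 1(e); claim 4 uses A = B = 5)."""
    ordered = sorted(baseline)
    sample = dict.fromkeys(ordered[:a] + ordered[-b:])  # dedupe if a + b > n
    tampered = 0
    for path in sample:
        if not path.exists():
            tampered += 1
        elif hashlib.sha256(path.read_bytes()).hexdigest() != baseline[path]:
            tampered += 1
    return tampered


def restrict_writing(protected_files):
    """Claim 1(f) response. Assumption: clearing the write bits stands in
    for the patent's 'setting the handle values to restrict writing'."""
    for path in protected_files:
        mode = Path(path).stat().st_mode
        os.chmod(path, mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


def check_and_respond(baseline, protected_files, a=5, b=5, c=3):
    """One pass of the second-frequency loop (claims 1(e) and 1(f)).
    Returns True once C tampered decoys are seen; the caller then also
    stops the imaging loop of claim 1(d)."""
    if count_tampered(baseline, a, b) >= c:
        restrict_writing(protected_files)
        return True
    return False


def run_demo():
    """Constructed scenario in a temp dir: a clean pass, then three of the
    first five decoys are overwritten or removed, which trips the alarm."""
    root = Path(tempfile.mkdtemp())
    protected = root / "Documents"
    protected.mkdir()
    target = protected / "report.docx"
    target.write_bytes(b"constructed protected content")
    name = choose_decoy_name([p.name for p in root.iterdir() if p.is_dir()])
    baseline = create_decoys(root / name)
    clean = check_and_respond(baseline, [target])
    first = sorted(baseline)[:3]  # constructed tampering to exercise the check
    first[0].write_bytes(b"x")
    first[1].write_bytes(b"y")
    first[2].unlink()
    tripped = check_and_respond(baseline, [target])
    locked = not (target.stat().st_mode & stat.S_IWUSR)
    return {"decoy_dir": name, "clean": clean, "tripped": tripped, "locked": locked}


if __name__ == "__main__":
    print(run_demo())
```

Two points worth noting from the implementation. First, string ordering means a shorter name that is a prefix of the candidate always sorts before it, so claim 3's "keep using the earliest symbol" rule has a hard limit: a sibling made only of that symbol cannot be outranked, and the function reports that rather than guessing. Second, hashing only A + B files per pass, rather than all 100, is what makes a check cheap enough to repeat at the second frequency of claim 8; the baseline digests are computed once at creation and never rewritten during a check.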

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW110128727A TWI769038B (en) 2021-08-04 2021-08-04 Method for preventing data kidnapping and related computer program

Publications (2)

Publication Number Publication Date
TWI769038B TWI769038B (en) 2022-06-21
TW202307703A true TW202307703A (en) 2023-02-16

Family

ID=83104186

Country Status (1)

Country Link
TW (1) TWI769038B (en)

Also Published As

Publication number Publication date
TWI769038B (en) 2022-06-21
