
TWI769038B - Method for preventing data kidnapping and related computer program - Google Patents


Info

Publication number
TWI769038B
Authority
TW
Taiwan
Prior art keywords
directory
protected
file
files
target
Prior art date
Application number
TW110128727A
Other languages
Chinese (zh)
Other versions
TW202307703A (en)
Inventor
林長毅
Original Assignee
林長毅
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 林長毅
Priority to TW110128727A
Application granted
Publication of TWI769038B
Publication of TW202307703A

Landscapes

  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

A method for preventing data kidnapping and a related computer program are disclosed. The method comprises the steps of: a) setting a protected directory and protected files with a specified extension in the protected directory; b) creating a target directory in the root directory or user directory where the protected directory is located, wherein the first character of the target directory's name is ranked before the first character of the names of all directories in that root or user directory in the Unicode character list; c) creating at least 100 target files with the specified extension in the target directory; d) cyclically making image files of all protected files in the protected directory at a first frequency and storing them in a designated space; e) checking at a second frequency whether specific target files in the target directory have been modified or deleted; and f) if the total number of modified or deleted target files found in step e) reaches a specific value, stopping the making of image files and setting the handles of the protected files to restrict writing.

Description

Method for preventing data kidnapping and related computer program

The present invention relates to an information processing method and related computer program product, and in particular to a method for preventing data kidnapping and a related computer program product.

In today's world of advanced information technology, information security is extremely important. From electronic products used by individuals up to national-level public works, if the software or data they rely on is "hacked", the corresponding services may degrade or even come to a halt. A common hacking technique is to intrude into a computer host over the network and use malicious software to encrypt the data on its storage device (such as a hard disk or SSD) through vulnerabilities or special settings of the operating system, rendering the host inoperable; this is what is called data kidnapping (that is, ransomware). The hackers who launch such network attacks can then demand a ransom from the owner of the host and only decrypt the data and restore the system to normal once the ransom has been paid.

After such malicious software has intruded into a host, it encrypts the data on the computer's storage device according to certain rules. Because the host exhibits characteristics during this process that differ from its normal operation, some cloud-based anti-hacking systems can monitor these characteristics and apply corresponding protective measures against the malicious software to ensure information security. On the other hand, these cloud-based systems may themselves obtain, or even steal, the user's data, which becomes yet another information security concern. To resolve this contradiction, it is preferable to have a stand-alone application that prevents data kidnapping by malicious software and operates only within the scope the user permits. The present invention is such a novel solution.

This paragraph extracts and compiles certain features of the present invention. Other features will be disclosed in subsequent paragraphs. It is intended to cover various modifications and similar arrangements within the spirit and scope of the appended claims.

In order to meet the aforementioned need, the present invention discloses a method for preventing data kidnapping, comprising the steps of: a) setting, in the file system of a computer, a protected directory and protected files in that directory having a specified file extension; b) creating, in the root directory or user directory in which the protected directory is located, a target directory whose name's first character is ranked before the first character of the names of all directories in that root or user directory in the Unicode character list; c) creating in the target directory at least 100 target files having the specified extension; d) cyclically making image files of all protected files in the protected directory at a first frequency and storing them in a designated space; e) checking, at a second frequency, whether the first A and the last B target files in the target directory, ordered by file name as read, have been modified or deleted, where A and B are positive integers; and f) if the total number of target files checked in step e) that have been modified or deleted reaches C, setting the handles of the protected files to restrict writing, where C is a positive integer not greater than A and not greater than B.

The aforementioned method for preventing data kidnapping may further comprise, after step d), the steps of: d1) checking whether any protected file has been modified or deleted and, if so, listing the modified or deleted protected file in a to-be-deleted area in the image file made in the next round of the cycle; and d2) repeating step d) and, before the image file of the round after next is made, determining whether that modified or deleted file has been restored to its original state: if not, deleting it from the to-be-deleted area and moving it back to its original position; if so, deleting it from the to-be-deleted area and making the image file according to the current state of all protected files at that time.

If, in the root or user directory concerned, there exists a distinctively named directory whose name's first character has the same rank in the Unicode character list as the first character of the target directory's name, then from the second character of the target directory's name onward the symbol ranked first in the Unicode character list is used, until some character after the second character of the target directory's name ranks before the character at the same position of the distinctively named directory's name in the Unicode character list.

Preferably, A is 5, B is 5 and C is 3; the size of each target file is not less than 64 kB; the designated space is a storage device not attached to the computer or a cloud storage platform; the first frequency is at least once every 10 minutes; and the second frequency is at least once every 100 microseconds.

The present invention also discloses a computer program comprising readable code installed in a computer; when the readable code runs on the computer, the computer's processor performs the aforementioned method for preventing data kidnapping.

Preferably, when the readable code runs on the computer, the computer's processor displays an operation interface on a screen, and that interface guides the user in setting the protected directory and the protected files.

Because the method for preventing data kidnapping is performed by a computer program running on a stand-alone machine, it cannot lead to the theft of user data. In addition, the present invention provides two layers of protection for the protected files, which is a first in the industry.

1: Computer

2: Hard disk

21: System drive

22: File drive

221: Target directory

3: Network

4: Cloud storage platform

4a: To-be-deleted area

41: First storage area

42: Second storage area

43: Third storage area

S01~S06: Steps

FIG. 1 is a flowchart of a method for preventing data kidnapping according to an embodiment of the present invention.

FIG. 2 illustrates an application scenario of the method for preventing data kidnapping.

FIG. 3 shows the target files in a target directory.

FIG. 4 shows the form of the image files and how they are stored.

The present invention will be described more specifically with reference to the following embodiments.

Please refer to FIG. 1, a flowchart of a method for preventing data kidnapping (hereinafter "the method") according to an embodiment of the present invention. In practice, the method is carried out by a computer program installed in a computer and executed by that computer. The first step of the method is to set, in the file system of a computer, a protected directory and protected files in that directory having a specified file extension (S01). For a better understanding, please refer to FIG. 2, which illustrates an application scenario of the method. In FIG. 2, a computer 1 has a hard disk 2, which is the physical device that stores data. Through the operating system of computer 1, the sectors of the hard disk are managed so that data (files) consisting of combinations of 0s and 1s can be stored and their locations addressed for reading and writing. According to the present invention, the protected objects are the specified files in the specified protected directory, not all of the files stored on hard disk 2. In terms of how hackers intrude, a kidnapping attack generally encrypts files with particular extensions so that they can no longer be read and become useless data. Extensions commonly targeted include doc, xls, bin, rft, pdf, dbf, jpg, dwg, cdr, psd, cd, mdb, png, lcd, zip, rar, csv and log; these are examples of the specified extension of step S01. The user of the computer program can set which directory is protected. In FIG. 2, the hard disk of computer 1 is logically divided into a system drive 21 (drive C) and a file drive 22 (drive D); each of them is a "directory" (a root directory). Taking file drive 22 as an example, in this embodiment it contains three directories named "document", "!!important" and "figure". The files that need protection are located in the "document" directory, which is therefore the protected directory. However, not all files in the protected directory are protected; only files with the specified extension are. In this embodiment the "document" directory contains six files: abc.doc, friend.doc, mydata.log, time1937.log, time245.log and ffnuefne.bin. By configuration, the three files with the extension "log" are the protected files. Note that the embodiment is described using a single protected directory and a single specified extension, but in practice there may be several protected directories and several specified extensions at the same time.

The second step of the method is to create, in the root directory or user directory in which the protected directory is located, a target directory whose name's first character is ranked before the first character of the names of all directories in that root or user directory in the Unicode character list (S02). In this step, the computer program creates a target directory 221 named "!!!" in file drive 22 (the root directory containing the "document" directory). The first character of the name of target directory 221 is "!", which ranks before the first character of the existing directory names "document" and "figure" in the Unicode character list. However, the first character of the "!!important" directory name also happens to be "!". If no "!!important" directory existed, the name of the target directory 221 created by the program could simply be "!". To deal with the "!!important" directory, that is, when the root directory contains a distinctively named directory (the "!!important" directory) whose first character has the same Unicode rank as the first character of target directory 221, the name of target directory 221 uses, from its second character onward, the symbol ranked first in the Unicode character list (excluding control codes, spaces and other "non-symbols" that rank even earlier), until some character after the second character of the name of target directory 221 ranks before the character at the same position in the distinctively named directory. Because the first two characters of the "!!important" directory name are both "!", the name of target directory 221 has to be extended so that its third character is also "!" in order to satisfy this requirement. The purpose of creating target directory 221 is to create the object that a hacker's kidnapping software attacks first. Generally, when kidnapping software encrypts the files on hard disk 2, it proceeds in the read order defined by the operating system, that is, the order determined by the Unicode rank of the first character of each directory name; files in directories that rank earlier are attacked first. Note that the distinctively named directory may itself be a protected directory. Furthermore, according to the present invention, if the protected directory lies under a user directory within a logical drive partitioned by the operating system, the target directory may also be created in that user directory. If two or more users can operate computer 1 under their own accounts, there will be two or more user directories, each of which can be an object of the second step of the method.

Next, the third step of the method is to create at least 100 target files with the specified extension in target directory 221 (S03). For a better understanding of this step, please refer to FIG. 3, which shows the target files in target directory 221. In this embodiment, 1000 target files with the extension log are created: !0000001.log, !0000002.log, ..., !0001000.log. The naming of the target files is not restricted, since the operating system determines the order in which they are read when the directory is read in full; which files are read earlier and which later can be told apart even without special naming. In practice, kidnapping software may attack the files read earlier first, or it may attack the files read later first. It should be explained that the purpose of creating so many target files in this step is to lure kidnapping software into attacking them (encrypting them), so that by monitoring the state of these target files it can be determined whether computer 1 is under attack. When an attack occurs, the time taken to encrypt these target files postpones the moment at which the kidnapping software reaches the protected files, which leaves time to apply special protection to them. Strategically, this is a way of trading time for space. Since the time needed to encrypt a file is positively correlated with its size, the target files preferably have a minimum size, as long as this neither affects the operation of computer 1 nor occupies too much storage space. According to the present invention, each target file is preferably not smaller than 64 kB.
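Steps S02 and S03 as an added Python example, not code from the patent or from any implementation by the applicant. It assumes '!' as the first-ranked symbol (the patent only says the symbol ranked first in the Unicode list, excluding control codes and spaces, and uses "!!!" in the embodiment), the !0000001.log naming of FIG. 3, random file contents, and a temporary directory standing in for file drive 22; all function and constant names are the example's own.

```python
import os
import tempfile

# First-ranked symbol for the target directory name. Assumption: the patent only
# says "the symbol ranked first in the Unicode character list, excluding control
# codes and spaces"; '!' (U+0021) is that symbol in ASCII and matches the "!!!"
# directory of the embodiment.
DECOY_SYMBOL = "!"
MIN_DECOY_COUNT = 100          # step S03: at least 100 target files
MIN_DECOY_SIZE = 64 * 1024     # preferred: each target file not smaller than 64 kB


def decoy_dir_name(existing_names, symbol=DECOY_SYMBOL):
    """Step S02 naming rule: the shortest run of `symbol` such that no existing
    directory name ties with it character for character ("!!important" in the
    root of FIG. 2 therefore forces "!!!")."""
    candidate = symbol
    while any(name.startswith(candidate) for name in existing_names):
        candidate += symbol
    return candidate


def create_decoy_files(target_dir, count=MIN_DECOY_COUNT, ext="log", size=MIN_DECOY_SIZE):
    """Step S03: create `count` target files named as in FIG. 3 (!0000001.log ...).
    Random bytes keep each decoy from looking like an obviously empty placeholder."""
    if count < MIN_DECOY_COUNT or size < MIN_DECOY_SIZE:
        raise ValueError("need at least 100 target files of at least 64 kB each")
    os.makedirs(target_dir, exist_ok=True)
    paths = []
    for i in range(1, count + 1):
        path = os.path.join(target_dir, f"{DECOY_SYMBOL}{i:07d}.{ext}")
        with open(path, "wb") as fh:
            fh.write(os.urandom(size))
        paths.append(path)
    return paths


def setup_decoy_directory(root, count=MIN_DECOY_COUNT):
    """Steps S02 and S03 against a real root or user directory."""
    existing = [d for d in os.listdir(root) if os.path.isdir(os.path.join(root, d))]
    name = decoy_dir_name(existing)
    return name, create_decoy_files(os.path.join(root, name), count=count)


def demo_setup():
    """Rebuild the file drive 22 layout of FIG. 2 in a temporary directory
    (constructed sample) and report what was created."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("document", "!!important", "figure"):
            os.mkdir(os.path.join(root, d))
        name, paths = setup_decoy_directory(root)
        first_listed = sorted(os.listdir(root))[0]   # decoy dir must sort first
        return name, first_listed, len(paths), min(os.path.getsize(p) for p in paths)


if __name__ == "__main__":
    print(demo_setup())   # ('!!!', '!!!', 100, 65536)
```

A plain lexicographic sort would already place "!" ahead of "!!important", but the patent's rule compares names position by position, so the example follows the patent and extends to "!!!". The scheme rests on the assumption that the encryptor walks directories in sorted order; the description itself notes that later-read files may be attacked first, which is why the monitor of step S05 watches both ends of the target list.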

The fourth step of the method is to cyclically make image files of all protected files in the protected directory at a first frequency and store them in a designated space (S04). For a better understanding of this step, please refer to FIG. 4, which shows the form of the image files and how they are stored. According to the present invention, the designated space for storing the protected files may be a storage device not attached to computer 1 (for example a network drive or a removable portable solid-state drive) or a cloud storage platform (for example Google Drive) reached over the network. The designated space must be one that the kidnapping software cannot attack. In this embodiment, the designated space is cloud storage platform 4, connected to computer 1 through network 3. The first layer of protection the present invention gives the protected files is to preserve their current state as an image file and, after a period of time (the first frequency), to make a new image file of the protected files, from which they can be restored if necessary. According to the present invention, the first frequency is at least once every 10 minutes, but depending on actual needs it may also be once per hour, as determined by the workload of computer 1 and the likelihood of attack.

Next, the fifth step of the method is to check, at a second frequency, whether the first A and the last B target files in the target directory, ordered by file name as read, have been modified or deleted, where A and B are positive integers (S05). This step continuously observes, at very short intervals, whether the target files most likely to be attacked first by kidnapping software are being encrypted. In practice, the second frequency is at least once every 100 microseconds. This is a very high rate, so the number of target directories that can be monitored without affecting the performance of computer 1 is limited. In this embodiment, A is 5 and B is 5, that is, each observation checks whether the first five and the last five target files by file name (those in the dashed boxes in FIG. 3) have been modified or deleted. If any of these target files have been modified or deleted, they may have been attacked by kidnapping software. Note that although this step starts after the image file has been made, step S04 continues to run concurrently with this step; only their start times differ. This step is likewise repeated continuously.

The last step of the method is, when the total number of target files checked in step S05 that have been modified or deleted reaches C, to set the handles of the protected files to restrict writing and to stop making image files, where C is a positive integer not greater than A and not greater than B (S06). In this embodiment, C is 3 (in practice it is not limited to this value and may vary with A and B). That is, once the computer program finds in one observation that three of the first five or last five target files by name have been modified or deleted, it concludes that kidnapping software is attacking. At this moment, because the kidnapping software still has to encrypt the remaining target files in target directory 221, there is still time to protect the protected files on computer 1: the computer program obtains the handles of the protected files through the operating system and quickly locks them so that writing is restricted. Afterwards, the kidnapping software can no longer encrypt these protected files. This is the second layer of protection the present invention gives the protected files. The purpose of stopping image-file creation is that if the kidnapping software attacks so fast that some protected files are encrypted while an image file happens to be in the making, the latest image file could contain some of the kidnapped protected files. To prevent this, the decisive measure is to stop making image files. Once all the effects of the attack have been cleaned up, the method is re-enabled and image files are again made cyclically.
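Steps S05 and S06 as an added example, not the patent's own code: a monitor fingerprints the first A and last B decoy files by name, counts on each observation how many have been modified or deleted, and when the count reaches C clears the write permission of the protected files and flags image-making to stop. Clearing the write bits with os.chmod is an assumed stand-in for "setting the handle to restrict writing", which the patent leaves to the operating system; the decoy count, file names and contents of the demo are constructed.

```python
import hashlib
import os
import stat
import tempfile
import time


def fingerprint(path):
    """SHA-256 of a decoy file's contents, or None once it has been deleted."""
    try:
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()
    except FileNotFoundError:
        return None


class DecoyMonitor:
    """Steps S05/S06: watch the first A and last B target files by name and,
    once C of them are modified or deleted in one observation, lock the
    protected files against writing and flag image-making to stop."""

    def __init__(self, target_dir, protected_files, a=5, b=5, c=3):
        if not 1 <= c <= min(a, b):
            raise ValueError("C must be a positive integer not greater than A or B")
        names = sorted(os.listdir(target_dir))      # read order by file name
        self.watched = [os.path.join(target_dir, n) for n in names[:a] + names[-b:]]
        self.protected = list(protected_files)
        self.c = c
        self.baseline = {p: fingerprint(p) for p in self.watched}
        self.snapshots_enabled = True   # step S04 keeps imaging while True
        self.triggered = False

    def check(self):
        """One observation at the second frequency; returns the hit count."""
        hits = sum(1 for p in self.watched if fingerprint(p) != self.baseline[p])
        if hits >= self.c and not self.triggered:
            self.respond()
        return hits

    def respond(self):
        """Step S06. Clearing the write bits stands in for 'setting the handle
        to restrict writing' (assumption: the patent leaves the mechanism to the
        operating system); on Windows os.chmod sets the read-only attribute."""
        self.snapshots_enabled = False
        self.triggered = True
        for p in self.protected:
            mode = stat.S_IMODE(os.stat(p).st_mode)
            os.chmod(p, mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))

    def run(self, interval_s=100e-6, max_checks=None):
        """Poll until triggered (100 µs default interval, as the patent prefers)."""
        n = 0
        while not self.triggered and (max_checks is None or n < max_checks):
            self.check()
            time.sleep(interval_s)
            n += 1
        return self.triggered


def demo_detection():
    """Constructed scenario: 20 decoys and the three protected .log files of
    FIG. 2; then the first three decoys are overwritten as an encryptor would."""
    with tempfile.TemporaryDirectory() as root:
        decoys = os.path.join(root, "!!!")
        os.mkdir(decoys)
        for i in range(1, 21):
            with open(os.path.join(decoys, f"!{i:07d}.log"), "wb") as fh:
                fh.write(os.urandom(1024))
        protected = []
        for name in ("mydata.log", "time1937.log", "time245.log"):
            p = os.path.join(root, name)
            with open(p, "wb") as fh:
                fh.write(b"constructed protected content\n")
            protected.append(p)
        mon = DecoyMonitor(decoys, protected)
        before = mon.check()                 # nothing touched yet -> 0
        for i in (1, 2, 3):                  # simulated encryption of 3 decoys
            with open(os.path.join(decoys, f"!{i:07d}.log"), "wb") as fh:
                fh.write(os.urandom(1024))
        after = mon.check()                  # 3 >= C -> respond()
        still_writable = any(os.stat(p).st_mode & stat.S_IWUSR for p in protected)
        for p in protected:                  # give write back so the temp dir cleans up
            os.chmod(p, 0o600)
        return before, after, mon.snapshots_enabled, still_writable


if __name__ == "__main__":
    print(demo_detection())   # (0, 3, False, False)
```

Hashing whole files on every tick is chosen here for an unambiguous "modified" verdict; at the 100 µs cadence the patent prefers, a deployment would compare cheaper metadata such as size and mtime, accepting that a same-size rewrite on a filesystem with coarse timestamps can slip past. A permission bit is also only a stand-in for a held handle: a process running with the same privileges can reset it, so the response is a delay, not a guarantee, and the image files of step S04 remain the recovery path.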

According to the present invention, if a protected file is accidentally deleted or overwritten by the user, or lost because of damaged sectors on the storage device, the way the image files are stored can be slightly modified so that the cause can be determined and appropriate action taken. The method may therefore further include two steps after step S04. First, check whether any protected file has been modified or deleted and, if so, list the modified or deleted protected file in a to-be-deleted area 4a in the image file made in the next round (S041). For details of this step, please refer again to FIG. 4. When the image file of the current round is made, an image file containing the three files mydata.log, time1937.log and time245.log is stored in first storage area 41 (a physical storage area) of cloud storage platform 4. Before the next round's image file is made, the computer program discovers through the operating system that time1937.log has been modified; the new time1937.log is then pulled into to-be-deleted area 4a when the next round's image file is made, and that image file is stored as a whole in second storage area 42 (logically, the next round's image file overwrites the current round's). Next, step S04 is repeated and, before the image file of the round after next is made, it is determined whether the modified or deleted file has been restored to its original state: if not, the modified or deleted file is deleted from to-be-deleted area 4a and moved back to its original position; if so, the modified or deleted file is deleted from to-be-deleted area 4a and the image file is made according to the current state of all protected files (S042). In the "no" case, that is, when it is confirmed that time1937.log disappeared or was modified for reasons other than a hacker attack, the new time1937.log is removed from to-be-deleted area 4a and moved back to its original position in the image file made in the round after next (if the file had disappeared, to-be-deleted area 4a is empty and the position of the original time1937.log in that image file is also empty). In the "yes" case, that is, when the cause of time1937.log disappearing or being modified no longer exists, the computer program deletes the new time1937.log from to-be-deleted area 4a and continues making image files of the protected files according to step S04. As shown in FIG. 4, the user has at this point added a further protected file time359.log, and the resulting image file is stored as a whole in third storage area 43 (logically, the image file of the round after next overwrites that of the next round).

Note that steps S041 and S042 may occur before step S05, between steps S05 and S06, or even after step S06; there is no fixed point at which they occur.
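Steps S04, S041 and S042 as an added example that is not the patent's code: each round copies the protected files into an image directory; a protected file first found modified or deleted stays in the image at its previous version while the new version is parked in a to-be-deleted area for one round, after which the pending copy is discarded and the image follows whatever state the file then has (restored content, the accepted change, or an empty slot). A local directory stands in for cloud storage platform 4 and the "image file" is a plain directory copy, both assumptions; the scenario follows FIG. 4 with constructed file contents.

```python
import os
import shutil
import tempfile


class ImageRotation:
    """Step S04 with the S041/S042 bookkeeping (see the class docstring's
    caller, demo_rotation, for the FIG. 4 sequence)."""

    def __init__(self, protected_dir, ext, dest):
        self.src = protected_dir
        self.ext = "." + ext
        self.image_dir = os.path.join(dest, "image")       # storage area 41/42/43
        self.pending_dir = os.path.join(dest, "pending")   # to-be-deleted area 4a
        os.makedirs(self.image_dir, exist_ok=True)
        os.makedirs(self.pending_dir, exist_ok=True)
        self.imaged = {}     # name -> bytes held in the current image
        self.pending = {}    # name -> bytes the image held when the change was seen
        self.decisions = []  # (name, "restored" | "accepted") audit trail
        self.enabled = True  # step S06 clears this to stop imaging

    def _read_protected(self):
        files = {}
        for name in sorted(os.listdir(self.src)):
            if name.endswith(self.ext):
                with open(os.path.join(self.src, name), "rb") as fh:
                    files[name] = fh.read()
        return files

    @staticmethod
    def _write(directory, files):
        shutil.rmtree(directory)            # logically, each round overwrites the last
        os.makedirs(directory)
        for name, data in files.items():
            with open(os.path.join(directory, name), "wb") as fh:
                fh.write(data)

    def make_image(self):
        """One round. Returns (names in the image, names in the pending area)."""
        if not self.enabled:
            return sorted(self.imaged), sorted(self.pending)
        current = self._read_protected()
        image = {}
        for name in set(self.imaged) | set(current):
            old, now = self.imaged.get(name), current.get(name)
            if name in self.pending:
                # S042: one round later the pending copy is dropped either way;
                # the image then follows the current state (restored content,
                # the accepted change, or an empty slot if still deleted).
                original = self.pending.pop(name)
                self.decisions.append((name, "restored" if now == original else "accepted"))
                if now is not None:
                    image[name] = now
            elif old is not None and now != old:
                # S041: first seen modified/deleted; keep the previous version
                # in the image and park the new one in the to-be-deleted area.
                self.pending[name] = old
                image[name] = old
            elif now is not None:
                image[name] = now
        self.imaged = image
        self._write(self.image_dir, image)
        self._write(self.pending_dir, {n: current[n] for n in self.pending if n in current})
        return sorted(image), sorted(self.pending)


def demo_rotation():
    """FIG. 4 with constructed contents: three .log files are imaged,
    time1937.log is modified, and one round later the user has also added
    time359.log while the modification persists."""
    with tempfile.TemporaryDirectory() as root:
        src, dest = os.path.join(root, "document"), os.path.join(root, "cloud")
        os.mkdir(src)

        def put(name, data):
            with open(os.path.join(src, name), "wb") as fh:
                fh.write(data)

        def imaged(name):
            with open(os.path.join(dest, "image", name), "rb") as fh:
                return fh.read()

        put("abc.doc", b"not a protected extension")
        put("mydata.log", b"m1")
        put("time1937.log", b"t1937 v1")
        put("time245.log", b"t245")
        rot = ImageRotation(src, "log", dest)
        round1 = rot.make_image()
        put("time1937.log", b"t1937 v2")      # changed before the next round
        round2 = rot.make_image()
        kept_old = imaged("time1937.log") == b"t1937 v1"
        put("time359.log", b"t359")           # user adds a file; change persists
        round3 = rot.make_image()
        accepted_new = imaged("time1937.log") == b"t1937 v2"
        return round1, round2, round3, kept_old, accepted_new, rot.decisions


if __name__ == "__main__":
    print(demo_rotation())
```

The one-round grace period is what keeps a single accidental overwrite from immediately replacing the only good copy in the image, and because step S06 clears `enabled` as soon as the decoys trip, a pending copy written by an encryptor is never promoted into the image.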

The aforementioned computer program comprises readable code installed in computer 1; when the readable code runs on computer 1, the processor of computer 1 performs the method for preventing data kidnapping described above. Preferably, when the readable code runs on computer 1, the processor of computer 1 also displays an operation interface on a screen (not shown) that guides the user in setting the protected directory and the protected files.

Although the present invention has been disclosed by way of the embodiments above, they are not intended to limit it. Anyone with ordinary skill in the art may make minor changes and refinements without departing from the spirit and scope of the present invention; the scope of protection of the present invention is therefore defined by the appended claims.


Claims (10)

1. A method for preventing data kidnapping, carried out by installing a computer program in a computer and having the computer execute the program, comprising the steps of: a) setting, in the file system of the computer, a protected directory and the protected files in that directory having a designated extension; b) creating, in the root directory or user directory in which the protected directory is located, a target directory whose name's first character ranks earlier in the Unicode character list than the first character of the name of every directory in that root directory or user directory; c) creating in the target directory at least 100 target files having the designated extension; d) cyclically making image files of all protected files in the protected directory at a first frequency and storing them in a designated space; e) checking, at a second frequency, whether the target files in the target directory that are read as the first A and the last B by file name have been modified or deleted, where A and B are positive integers; and f) when the total number of target files checked in step e) that have been modified or deleted reaches C, setting the handles of the protected files to restrict writing and stopping the making of image files, where C is a positive integer not greater than A and not greater than B.

2. The method for preventing data kidnapping of claim 1, further comprising, after step d): d1) checking whether any protected file has been modified or deleted and, if so, listing that modified or deleted protected file in a pending-deletion area in the image file made in the next cycle; and d2) repeating step d) and, before the image file of the cycle after next is made, determining whether the modified or deleted target file has been restored to its original state: if not, deleting the modified or deleted target file from the pending-deletion area and moving it back to its original location; if so, deleting the modified or deleted target file from the pending-deletion area and making an image file according to the state of all protected files at that time.

3. The method for preventing data kidnapping of claim 1, wherein if there exists, in the root directory or user directory, a distinctively named directory whose name's first character has the same rank in the Unicode character list as the first character of the target directory's name, then from the second character of the target directory's name onward the symbol ranked first in the Unicode character list is used, until some character after the second character of the target directory's name ranks earlier in the Unicode character list than the character at the same position of that distinctively named directory's name.

4. The method for preventing data kidnapping of claim 1, wherein A is 5, B is 5, and C is 3.

5. The method for preventing data kidnapping of claim 1, wherein the size of each target file is not less than 64 kB.

6. The method for preventing data kidnapping of claim 1, wherein the designated space is a storage device not attached to the computer or a cloud storage platform.

7. The method for preventing data kidnapping of claim 1, wherein the first frequency is at least once every 10 minutes.

8. The method for preventing data kidnapping of claim 1, wherein the second frequency is at least once every 100 microseconds.

9. A computer program comprising readable code, installed in a computer, wherein when the readable code runs in the computer, the processor of the computer performs the method for preventing data kidnapping of any one of claims 1 to 8.

10. The computer program of claim 9, wherein when the readable code runs in the computer, the processor of the computer displays an operation interface on a screen, the operation interface guiding the user to set the protected directory and the protected files.
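The decoy-directory tripwire of claims 1 (steps b, c, e and f), 3, 4 and 5, as an added Python example that is not the patent's own code. It assumes that "ranked earlier in the Unicode character list" means plain code-point order (Python's string order), that "!" is the first-ranked symbol usable in a directory name, and it reports step f) as a boolean rather than touching file handles.

```python
import hashlib
import os
import tempfile
FIRST_SYMBOL = "!"  # assumption: lowest-ranked character usable in a name

def canary_dir_name(siblings):
    # Claims 1b and 3: sort before every sibling; on a shared first character
    # keep appending the first-ranked symbol until the name sorts first
    name = FIRST_SYMBOL
    for _ in range(len(siblings) + 1):
        if all(name < other for other in siblings):
            return name
        name += FIRST_SYMBOL
    raise ValueError("no name sorts before every sibling directory")

def create_canaries(target_dir, extension, count=100, size=64 * 1024):
    # Step c) and claim 5: >= 100 decoys of >= 64 kB; returns {path: sha256}
    os.makedirs(target_dir, exist_ok=True)
    baseline = {}
    for i in range(count):
        path = os.path.join(target_dir, "decoy_%03d%s" % (i, extension))
        data = os.urandom(size)
        with open(path, "wb") as f:
            f.write(data)
        baseline[path] = hashlib.sha256(data).hexdigest()
    return baseline

def count_tampered(baseline, a=5, b=5):
    # Step e) and claim 4: only the first A and last B names are read
    names = sorted(baseline)
    tampered = 0
    for path in names[:a] + names[-b:]:
        try:
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
        except FileNotFoundError:
            digest = None  # a deleted decoy counts as tampered
        tampered += digest != baseline[path]
    return tampered

def demo(c=3):
    # Constructed run: a protected "Documents" tree beside a decoy directory
    # that sorts first; the first three decoys are then overwritten in order
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Documents"))
    target = os.path.join(root, canary_dir_name(os.listdir(root)))
    baseline = create_canaries(target, ".docx")
    for path in sorted(baseline)[:3]:
        with open(path, "wb") as f:
            f.write(b"ENCRYPTED")
    tampered = count_tampered(baseline)
    return tampered, tampered >= c  # step f): stop imaging and lock files
```

In the constructed run the three overwritten decoys fall inside the first A=5 watched names, so the count reaches C=3 and the lock-down condition of step f) is met.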

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW110128727A TWI769038B (en) 2021-08-04 2021-08-04 Method for preventing data kidnapping and related computer program

Publications (2)

Publication Number Publication Date
TWI769038B true TWI769038B (en) 2022-06-21
TW202307703A TW202307703A (en) 2023-02-16

Family

ID=83104186

Country Status (1)

Country Link
TW (1) TWI769038B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102902928A (en) * 2012-09-21 2013-01-30 杭州迪普科技有限公司 Method and device for webpage integrity assurance
US20160381034A1 (en) * 2015-06-29 2016-12-29 International Business Machines Corporation Managing data privacy and information safety
TWI607338B (en) * 2016-07-19 2017-12-01 資富電子股份有限公司 Storage device, data protection method therefor, and data protection system
CN107871089A (en) * 2017-12-04 2018-04-03 杭州安恒信息技术有限公司 File protection method and device
TW201945969A (en) * 2018-04-28 2019-12-01 香港商阿里巴巴集團服務有限公司 File processing method and system, and data processing method
US11057438B1 (en) * 2011-02-10 2021-07-06 Architecture Technology Corporation Configurable investigative tool
