
TWI913596B - Internet ransomware virus vaccine protection system and operation method thereof - Google Patents


Info

Publication number: TWI913596B
Authority: TW (Taiwan)
Prior art keywords: ransomware, virus, unit, tag, protection system
Application number: TW112140627A
Other languages: Chinese (zh)
Other versions: TW202518294A (en)
Inventors: 王平, 林孝忠, 陳佳鴻, 林郁翔
Original Assignee: 崑山科技大學

Application filed by 崑山科技大學
Priority to TW112140627A
Publication of TW202518294A
Application granted
Publication of TWI913596B


Abstract

An internet ransomware virus vaccine protection system and an operation method thereof are disclosed. The internet ransomware virus vaccine protection system includes a transmission unit, a mark collection and analysis unit, a feature screening and marking unit, a mark database, a mark implantation unit, a virus detection unit and a virus infection control unit. The internet ransomware virus vaccine protection system protects computer host files or operating systems from ransomware attacks, thereby protecting computer files or operating systems from hackers' encryption and ransomware threats. The ransomware virus vaccine is a preventive measure designed to protect the infected computer host systems from ransomware attacks.

Description

Internet ransomware virus vaccine protection system and operation method thereof

The present invention relates to a ransomware vaccine protection system and its operation method, and in particular to a ransomware vaccine protection system and operation method that can effectively prevent ransomware from infecting a host and protect the host's data files.

Ransomware is a destructive network threat to the data security of individual users and organizations. It is malware that encrypts the victim's files or system and then demands a ransom in exchange for the decryption key. When a user inadvertently downloads ransomware and the host's files are encrypted, those files can no longer be restored to their earlier normal state. This is a blind spot in existing ransomware security mechanisms and remains a technical problem to be solved.

In recent years ransomware attacks and their variants have grown rapidly, threatening every kind of user from individuals to large enterprises. To counter this threat, security experts and researchers have been developing digital antidotes and vaccines that help infected users recover their data and reduce the impact of ransomware attacks.

A ransomware vaccine guards in advance against the virus encrypting and deleting files, whereas a ransomware antidote is a remedy applied after an attack has occurred: it generates a decryption key to decrypt the infected files and restore the host's data. Digital antidotes concentrate on research into key-generation methods, aiming at a tool that produces decryption keys compatible with a specific ransomware variant in order to break the encryption and attempt to recover the encrypted data files. They cannot guarantee 100% recovery of encrypted files, are suited to remediation after an outbreak, and cannot serve as prevention beforehand. Moreover, once an outbreak has encrypted folders and files and deleted the originals, the risk of losing important company data rises. Even when a company performs backups, these usually cover only shared operational data (such as the data on a NAS backup host) and cannot back up each client workstation completely and in time. A ransomware outbreak typically means host downtime, operating system reinstallation and data salvage, which seriously disrupts business operations. How to develop a vaccine that proactively detects and guards in advance against many forms of ransomware outbreak is therefore one of the directions the information security community is pursuing.

In 2016 the security company Bitdefender successively developed "digital vaccines" against the CryptoWall, CTB-Locker, Locky and TeslaCrypt ransomware, which hide inside the system and delete file copies to make data recovery harder. In 2021 the company released the Raccine digital vaccine to stop ransomware families that abuse vssadmin.exe on Windows from deleting those copies. Raccine applies a DNS registry patch that terminates the trojan's vssadmin.exe calling process and so halts file encryption. Digital vaccines are becoming a new tool against ransomware and specific variants.

In 2022 the German security company G Data CyberDefense released the STOP/DJVU digital vaccine to resist this common ransomware family. It is designed to trick the ransomware into believing that the target host has already been attacked (so there is no need to attack again) and, once a host is infected, to stop it from encrypting files and dropping ransom notes. According to G Data CyberDefense malware analysts Karsten Hahn and John Parol, the digital vaccine works by placing a harmless part of the malware into the vaccinated system (a marker) and uses reverse engineering to keep the ransomware from infecting the system and encrypting files.

零壹科技 (ZeroOne Technology) distributes the foreign TrustONE ransomware-vaccine solution, which inoculates the file data of production hosts against ransomware. TrustONE's stealth defence mechanism uses the concept of a "protected zone", giving the important files on production hosts vaccine-like protection: the folders holding the important system files that hackers and ransomware most like to attack are designated "stealth defence protected zones", so the ransomware cannot see the zone and its attack fails, preventing important files from being encrypted or stolen.

In view of this, most existing digital vaccines provide protection after an outbreak rather than detecting and acting before the virus executes, so system files still risk damage or loss. The inventors of the present invention therefore conceived and designed a ransomware vaccine protection system and operation method that remedies the shortcomings of the prior art and improves its industrial applicability.

In view of the problems of the prior art described above, the object of the present invention is to provide a ransomware vaccine protection system and its operation method as a means and basis for overcoming those shortcomings. One object of the present invention is to provide a system and method that protects against ransomware: when ransomware is inadvertently downloaded, the vaccine protection can induce it to stop its attack.

According to one object of the present invention, a ransomware vaccine protection system is proposed. It comprises a transmission unit, a mark collection and analysis unit, a feature screening and marking unit, a mark database, a mark implantation unit, a virus detection unit and a virus infection control unit. The mark collection and analysis unit collects intrusion evidence of ransomware through the transmission unit and checks whether the evidence carries newly discovered virus features. The feature screening and marking unit, connected to the mark collection and analysis unit, screens and marks the virus features to form newly discovered marks. The mark database receives the newly discovered marks through the transmission unit and stores a plurality of mark data. The mark implantation unit accesses the plurality of mark data from the mark database. The virus detection unit has the plurality of mark data implanted by the mark implantation unit and, by comparing against them, determines whether a file transmitted over the network carries ransomware and analyzes the ransomware type. The virus infection control unit is connected to the virus detection unit; when it receives a notification that ransomware has been determined, it stops the connection transmitting the file and the opening or execution of the file.

Preferably, the virus features may include keywords in the binary file header, names of called subroutines, keywords in comments, or external link URL entries.

Preferably, the feature screening and marking unit may update and maintain the mark database according to the newly discovered marks.

Preferably, when a notification that ransomware has been determined is received, the virus infection control unit may send an alert notification.

According to one object of the present invention, an operation method of a ransomware vaccine protection system is proposed, comprising the following steps: providing a ransomware vaccine protection system that comprises a transmission unit, a mark collection and analysis unit, a feature screening and marking unit, a mark database, a mark implantation unit, a virus detection unit and a virus infection control unit; the mark collection and analysis unit collects intrusion evidence of ransomware through the transmission unit and checks whether the evidence carries newly discovered virus features; the feature screening and marking unit screens and marks the virus features to form newly discovered marks; the mark database receives the newly discovered marks through the transmission unit and stores a plurality of mark data; the mark implantation unit accesses the plurality of mark data from the mark database and implants them into the virus detection unit; the virus detection unit compares against the plurality of mark data to determine whether a file transmitted over the network carries ransomware and analyzes the ransomware type; the virus infection control unit determines whether a notification of ransomware has been received, and if so stops the connection transmitting the file and the opening or execution of the file, otherwise normal network transmission continues.

Preferably, the virus features may include keywords in the binary file header, names of called subroutines, keywords in comments, or external link URL entries.

Preferably, the feature screening and marking unit may update and maintain the mark database according to the newly discovered marks.

Preferably, when a notification that ransomware has been determined is received, the virus infection control unit may send an alert notification.

Based on the foregoing, the ransomware vaccine protection system and operation method of the present invention may have one or more of the following advantages:

(1) The ransomware vaccine protection system and its operation method serve as a preventive measure that protects infected computer host systems against ransomware attacks. The principle is to develop, through vaccine engineering, a mark-recognition-based ransomware vaccine and to implant the vaccine, containing marks (virus features), into the protected host in advance. The vaccine monitors system activity as a resident process; once a downloaded network packet or file is found to carry a ransomware signature, the vaccine tool takes measures to stop the malware from encrypting files and spreading further, and alerts other users within the enterprise that a host on the network has come under a potential ransomware attack so that measures can be taken to remove the malware. The disclosure thus prevents users' data files from being encrypted by hackers and held for ransom, effectively improving the security of data files.

(2) The ransomware vaccine protection system and its operation method operate proactively, performing virus detection and notification for the protected host without undertaking decryption or system recovery. A protected host that installs the vaccine system therefore needs neither a large antivirus engine nor heavy computation to decrypt files encrypted by hackers, so its demand on system performance is low. The difference from existing ransomware antidotes is that the ransomware vaccine pre-loads virus marks into the vaccine as a function that guards against an outbreak in advance: an antibody detection program filters downloaded information for virus marks, and when downloaded information is found to contain a mark, the antivirus engine program is notified to stop that program from running, preventing data from being encrypted and deleted in time. In addition, a mark-based digital vaccine can also be applied to detecting variant computer viruses, including those using code obfuscation, packing, polymorphism and metamorphism.

(3) The ransomware vaccine protection system and its operation method may combine machine learning algorithms with virus pattern recognition to protect users' important files proactively before a threat occurs. Unlike traditional decryption and system recovery methods, this keeps the virus from encrypting user data at all: the disclosure protects important files proactively in advance rather than remedying afterwards by decrypting files and recovering the information system. Furthermore, the vaccine's deep learning can detect minute feature changes, so it can handle the identification of continuously produced virus variants; the deep algorithm is self-learning and self-adjusting and can cope with detecting constantly evolving variants.

To facilitate understanding of the technical features, content and advantages of the present invention and the effects it achieves, the invention is described in detail below with reference to the accompanying drawings and in the form of embodiments. The drawings are intended only for illustration and to assist the description and do not necessarily show the true proportions or precise configuration of the invention as implemented; the proportions and arrangement of the drawings should therefore not be used to interpret or limit the scope of the invention in actual practice. This is stated at the outset.

Please refer to Figure 1, a schematic diagram of the ransomware vaccine protection system according to an embodiment of the present invention. As shown, the ransomware vaccine protection system 100 comprises a mark collection and analysis unit 1, a feature screening and marking unit 2, a mark implantation unit 3, a transmission unit 4, a mark database 5, a virus detection unit 6 and a virus infection control unit 7.

The mark collection and analysis unit 1 collects and analyzes the various feature patterns that a ransomware intrusion may exhibit, to serve as marks identifying a specific virus; through the transmission unit 4 it collects intrusion evidence of ransomware and checks whether the evidence carries newly discovered virus features. Such feature patterns include, for example, keywords in the binary file header, names of called subroutines, keywords in comments, or external link URLs. The feature screening and marking unit 2 is connected to the mark collection and analysis unit 1 and screens and marks the virus features to form newly discovered marks. It can screen out feature sets with little contribution, reducing the number of comparisons performed by the virus detection unit 6 and speeding up virus identification. When the feature screening and marking unit 2 has finished screening and marking the virus features, it writes the association between virus signature and family into the mark database 5, which stores a plurality of mark data.

The mark implantation unit 3 accesses the plurality of mark data in the mark database 5 through the transmission unit 4 and implants them into the virus detection unit 6 of the system. Newly discovered virus marks, once transmitted to the mark database 5, are stored there, and the mark database 5 is updated and maintained so that the stored mark data are always the latest version. After receiving the plurality of mark data from the mark database 5 through the transmission unit 4, the virus detection unit 6 compares these virus marks against the data of network connections; when a connection or download is found to contain these specific virus marks, it determines that a ransomware infection is under way and analyzes the type of ransomware. It then notifies the virus infection control unit 7, which blocks the download and execution of the ransomware according to the antibody's predetermined function, for example by stopping the connection transmitting the file and the opening or execution of the file.

The virus pattern of ransomware is in essence an executable malicious program, usually containing specific operation codes and algorithms used to propagate, infect and carry out malicious operations. Antivirus companies typically collect virus samples and apply various reverse engineering techniques to analyze the virus's behaviour, features and patterns; the results are used to build a unique signature or virus pattern feature for that virus, which the scanning program then uses as the basis for recognizing it, making scanning and detection easier. The vaccine works on a principle similar to an influenza vaccine: it uses a small number of virus features or markers to inform the virus scanning system. The mark collection and analysis unit 1 can acquire samples in many ways, including extracting them from infected systems, obtaining them from online threat intelligence sources, or obtaining intrusion evidence of these viruses through partners. Automated tools are then applied to extract the virus patterns of the ransomware samples; these tools analyze samples quickly and extract feature sets, speeding up virus feature analysis. Commonly used automated virus feature analysis tools include YARA, Cuckoo Sandbox and VirusTotal.

The feature screening and marking unit 2 can appropriately screen out feature sets with little contribution, reducing the number of comparisons the vaccine system must make and speeding up virus identification. Which feature screening method is appropriate depends on the nature of the problem and the characteristics of the data. To select a suitable feature set for identifying virus families, the correlation between ransomware features and the target class, and the correlation among the features themselves, must be analyzed. Once the sample features have been screened, feature marking can begin, establishing the association between virus signatures and families so that the scanning system can later detect the virus features.

The virus detection unit 6 may be a deep-learning-based vaccine system capable of detecting and identifying ransomware features. Deep learning algorithms can play a key role in ransomware pattern recognition, offering a more accurate way to identify ransomware features and marks; deep learning is adopted because it can recognize minute feature differences and thereby improves the accuracy of virus identification. The virus detection unit 6 learns, through a deep learning model, to recognize the association between marks and virus families, and uses it to detect mark change information indicating that the user's file system is being altered by ransomware. If specific mark information is detected, it notifies the virus infection control unit 7 that a ransomware infection event has occurred, and under the control of the virus infection control unit 7 the continued download, opening or execution of that file is stopped.

Please refer to Figure 2, a flowchart of the operation method of the ransomware vaccine protection system according to an embodiment of the present invention. As shown, the operation method of the ransomware vaccine protection system comprises the following steps (S100 to S700).

Step S100: provide a ransomware vaccine protection system comprising a transmission unit, a mark collection and analysis unit, a feature screening and marking unit, a mark database, a mark implantation unit, a virus detection unit and a virus infection control unit. For the configuration of the ransomware vaccine protection system 100, refer to the foregoing embodiment; the same content is not repeated here.

Step S200: the mark collection and analysis unit collects intrusion evidence of ransomware through the transmission unit and checks whether the evidence carries newly discovered virus features. The mark collection and analysis unit performs the ransomware feature analysis offline, collecting harmless partial features of the virus program as candidate feature marks for identifying the virus, for example keywords in the binary file header, names of called subroutines, keywords in comments, or external link URLs.

Step S300: the feature screening and marking unit screens and marks the virus features to form newly discovered marks. The candidate marks collected from the virus program undergo correlation analysis; mark sets with little contribution are screened out, leaving a mark set sufficient to identify the virus family.

Step S400: the mark database receives the newly discovered marks through the transmission unit and stores a plurality of mark data. The feature screening and marking unit transmits the collected marks to the mark database through the transmission unit; the mark database can store mark data for many viruses.

Step S500: the mark implantation unit accesses the plurality of mark data from the mark database and implants them into the virus detection unit. The mark implantation unit obtains the mark data from the mark database through the transmission unit and implants them into the virus detection unit of the system.

Step S600: the virus detection unit compares against the plurality of mark data to determine whether a file transmitted over the network carries ransomware and analyzes the ransomware type. The virus detection unit of the system checks the connection data for specific marks matching the mark data, determines whether ransomware is present, and notifies the virus infection control unit through the transmission unit.

Step S700: the virus infection control unit determines whether a notification of ransomware has been received; if so, it stops the connection transmitting the file and the opening or execution of the file, otherwise normal network transmission continues. When a virus infection is confirmed, the virus infection control unit blocks the download and execution of the ransomware according to the antibody's predetermined function; if there is no infection, normal network transmission on the computer is maintained.
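As an added illustration of steps S200 to S700 (example code written for this page, not the patent's own implementation), the following Python models the mark pipeline end to end: constructed marks in the four categories the text lists are stored in a mark database, screened for discriminating power (a pattern shared by several families contributes little), implanted into a detector that scans the bytes of a transmitted file, and turned into a block/allow decision by a controller. Every family name, mark value and payload is constructed for illustration, and the requirement of at least two matched marks before blocking is an assumption of this example, not something the patent specifies.

```python
"""Mark-based ransomware vaccine pipeline (constructed example, not the
patent's code): collect marks -> screen -> store -> implant -> scan -> decide."""
from dataclasses import dataclass

# Mark categories follow the patent's list of virus features.
MARK_CATEGORIES = ("header", "subroutine", "comment", "url")


@dataclass(frozen=True)
class Mark:
    """One mark: a byte pattern tied to the family it was collected from."""
    family: str
    category: str
    pattern: bytes


class MarkDatabase:
    """S400: stores mark data per family; add() doubles as the update step."""

    def __init__(self):
        self._marks = {}

    def add(self, mark):
        if mark.category not in MARK_CATEGORIES:
            raise ValueError(f"unknown mark category {mark.category!r}")
        bucket = self._marks.setdefault(mark.family, set())
        if mark in bucket:
            return False          # already known: no database update needed
        bucket.add(mark)
        return True

    def all_marks(self):
        return [m for bucket in self._marks.values() for m in bucket]


def screen_marks(marks, max_families=1):
    """S300: drop patterns seen in more than max_families families; they
    contribute little to telling families apart (screening rule assumed here)."""
    families_by_pattern = {}
    for m in marks:
        families_by_pattern.setdefault(m.pattern, set()).add(m.family)
    return [m for m in marks if len(families_by_pattern[m.pattern]) <= max_families]


class VirusDetector:
    """S500/S600: holds the implanted marks and scans transmitted bytes."""

    def __init__(self):
        self._implanted = []

    def implant(self, marks):
        self._implanted = list(marks)

    def scan(self, payload):
        """Return matched marks grouped by family; an empty dict means clean."""
        hits = {}
        for m in self._implanted:
            if m.pattern in payload:
                hits.setdefault(m.family, []).append(m)
        return hits


def control_transfer(hits, min_marks=2):
    """S700: block when some family reaches min_marks matches, else allow.
    The two-mark threshold is an assumption of this example."""
    confirmed = sorted(fam for fam, ms in hits.items() if len(ms) >= min_marks)
    if not confirmed:
        return {"action": "allow", "families": [], "alert": None}
    return {
        "action": "block",
        "families": confirmed,
        "alert": "ransomware marks matched: " + ", ".join(confirmed) + "; transfer stopped",
    }


def build_database():
    """S200: constructed intrusion evidence for two hypothetical families."""
    db = MarkDatabase()
    evidence = [
        Mark("FamA", "header", b"VACCINE-TEST-A"),
        Mark("FamA", "subroutine", b"EncryptAllDocs"),
        Mark("FamA", "url", b"http://fama.example.invalid/key"),
        Mark("FamB", "comment", b"; dropper v2 test"),
        Mark("FamB", "subroutine", b"WipeShadowTest"),
        # a helper name seen in both families: screened out before implantation
        Mark("FamA", "subroutine", b"CommonHelper"),
        Mark("FamB", "subroutine", b"CommonHelper"),
    ]
    for m in evidence:
        db.add(m)
    return db


def run_pipeline(payload, db=None):
    """S500-S700 for one transmitted file: implant screened marks, scan, decide."""
    db = db if db is not None else build_database()
    detector = VirusDetector()
    detector.implant(screen_marks(db.all_marks()))
    return control_transfer(detector.scan(payload))


if __name__ == "__main__":
    # Constructed payloads: a FamA-like binary, a clean document, a lone weak mark.
    for sample in (b"MZ\x90\x00 VACCINE-TEST-A call EncryptAllDocs CommonHelper",
                   b"plain office document text CommonHelper",
                   b"; dropper v2 test only"):
        print(run_pipeline(sample))
```

Run against the constructed payloads, the FamA-like file is blocked, the clean document is allowed, and the file carrying a single FamB mark is also allowed; that last case is the trade-off any mark threshold makes between false positives and missed variants, and the threshold is the parameter a deployment would tune against its own sample set.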

Please refer to Figure 3, a schematic diagram of the virus infection control unit according to an embodiment of the present invention. As shown, after receiving the detection result from the virus detection unit 6, if, as in step S701, ransomware is detected, the virus infection control unit 7 proceeds to step S702: stop the connection transmitting the file and the opening or execution of the file. At the same time, having found a ransomware infection event, the virus infection control unit 7 generates an alert message 8 through the transmission unit 4 and sends the notification to the user 9 of the ransomware protection system by SMS, e-mail or similar means, asking the user 9 to read the notification and carry out follow-up handling.

On the other hand, the virus infection control unit 7 can also forward the detected ransomware to the feature screening and marking unit 2, which generates newly discovered marks from the newly found virus features and performs update and maintenance of the database 10, that is, update and maintenance of the mark database 5. After the confirmed virus pattern has been injected into the system, the individual operating units of the present case are installed on the host system, and the compatibility of the vaccine protection system with the operating system and security software is ensured so that the vaccine protection system can recognize ransomware. A digital vaccine must regularly update the virus feature repository of the vaccine system with the extracted features and marks to remain effective; this is a continual process, because virus features and behaviour keep evolving. Note that digital vaccines are usually built from the features of known viruses, so they may not fully prevent attacks by unknown viruses and can only defend against variants.

The design goal of the vaccine protection system is to use a feature set of appropriate size to feed the deep learning algorithm that identifies different ransomware families, since different families may have different features and variants and accurate identification requires sufficiently rich mark-identification feature information. Appropriate feature selection and marking therefore help ensure that the vaccine protection system correctly identifies different ransomware families. A variant differs little in its features from its original family. To address variant identification, the disclosure uses a feature screening method based on correlation analysis: the correlation of each feature with the virus family is computed first, then the correlations among the features, so that the selected feature set is diverse and highly correlated with the target class. This method finds features highly correlated with the target class while reducing redundant features and accounting for the correlation among the features.

For system validation, a machine learning model can be trained repeatedly to evaluate whether the different candidate feature sets reach the required classification accuracy, removing the features that contribute least to model performance, so as to confirm that the selected feature subset carries enough information to identify the different ransomware families.
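As an added illustration of the correlation-based feature screening described above and of the validation step that drops the least-contributing features (example code written here, not the patent's own implementation): the feature names, the per-sample counts for three families and the nearest-centroid classifier standing in for the deep learning model are all constructed assumptions.

```python
# Added example: correlation screening (relevance vs. redundancy) followed by
# backward elimination on a toy model. All names and numbers are constructed.
from statistics import mean, pstdev

FEATURES = ["hdr_kw", "hdr_kw_dup", "ext_urls", "api_names", "noise"]
# Constructed per-sample feature counts for three hypothetical families.
SAMPLES = [[3, 6, 0, 1, 1], [3, 6, 0, 1, 2],   # family A
           [0, 0, 2, 1, 1], [0, 0, 2, 1, 2],   # family B
           [0, 0, 0, 4, 1], [0, 0, 0, 4, 2]]   # family C
LABELS = ["A", "A", "B", "B", "C", "C"]

def pearson(xs, ys):
    mx, my, sx, sy = mean(xs), mean(ys), pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (len(xs) * sx * sy)

def relevance(col, labels):
    """Strongest |corr| between a feature and any family's one-vs-rest indicator."""
    return max(abs(pearson(col, [float(l == f) for l in labels])) for f in set(labels))

def screen(samples, labels, names, min_rel=0.5, max_red=0.9):
    """Keep features strongly tied to a family that are not near-duplicates of each other."""
    cols = {n: [s[i] for s in samples] for i, n in enumerate(names)}
    rel = {n: round(relevance(cols[n], labels), 9) for n in names}
    kept = []
    for n in sorted(names, key=lambda n: rel[n], reverse=True):
        if rel[n] >= min_rel and all(abs(pearson(cols[n], cols[k])) <= max_red for k in kept):
            kept.append(n)
    return kept

def loo_accuracy(samples, labels, idx):
    """Leave-one-out accuracy of a nearest-centroid classifier on feature columns idx."""
    hits = 0
    for i, (s, lab) in enumerate(zip(samples, labels)):
        rest = [(t, m) for j, (t, m) in enumerate(zip(samples, labels)) if j != i]
        cent = {f: [mean(t[k] for t, m in rest if m == f) for k in idx] for f in sorted(set(labels))}
        pred = min(cent, key=lambda f: sum((s[k] - c) ** 2 for k, c in zip(idx, cent[f])))
        hits += pred == lab
    return hits / len(samples)

def prune(samples, labels, names, kept):
    """Drop features one at a time as long as every family is still separated."""
    idx = [names.index(n) for n in kept]
    base = loo_accuracy(samples, labels, idx)
    while len(idx) > 1:
        drop = max(idx, key=lambda k: loo_accuracy(samples, labels, [j for j in idx if j != k]))
        if loo_accuracy(samples, labels, [j for j in idx if j != drop]) < base:
            break
        idx.remove(drop)
    return [names[k] for k in idx]
```

Running `prune(SAMPLES, LABELS, FEATURES, screen(SAMPLES, LABELS, FEATURES))` on the constructed data first discards the duplicated and uncorrelated columns, then removes one more feature that the toy model does not need to separate the three families.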

In summary, the network ransomware vaccine protection system and its operating method according to the present invention have at least the following advantages:

Active protection: the vaccine protection system and its operating method use a deep learning algorithm together with ransomware signature identification to protect users' important files before a threat takes effect. Unlike conventional decryption and host system recovery approaches, this prevents the virus from encrypting user data in the first place.

Efficiency and accuracy: the deep learning algorithm can identify subtle feature differences, improving the accuracy of ransomware identification. Combining automated tools with virus analysis tools makes it possible to identify new threats quickly.

Real-time monitoring: by monitoring system activity as a resident process, the vaccine protection system and its operating method can detect and block potential ransomware attacks in time, helping to prevent data loss and system damage.

Adaptability: the deep learning algorithm is self-adjusting and can cope with continuously evolving virus variants.

Enhanced data security: the vaccine protection system and its operating method effectively improve the security of users' important files, ensuring they are not encrypted and locked by ransomware, thereby protecting users' data and privacy.

The above description is illustrative only and not restrictive. Any equivalent modification or alteration that does not depart from the spirit and scope of the present invention shall be included within the scope of the appended claims.

1: tag collection and analysis unit; 2: feature screening and marking unit; 3: tag implantation unit; 4: transmission unit; 5: tag database; 6: virus detection unit; 7: virus infection control unit; 8: warning message; 9: user; 10: update-and-maintenance database; 100: network ransomware vaccine protection system; S100~S700, S701, S702: steps

To make the technical features, content, advantages and achievable effects of the present invention more apparent, the invention is described in detail below with reference to the accompanying drawings, in the form of embodiments: Figure 1 is a schematic diagram of the network ransomware vaccine protection system according to an embodiment of the present invention. Figure 2 is a flowchart of the operating method of the network ransomware vaccine protection system according to an embodiment of the present invention. Figure 3 is a schematic diagram of the virus infection control unit according to an embodiment of the present invention.

1: tag collection and analysis unit; 2: feature screening and marking unit; 3: tag implantation unit; 4: transmission unit; 5: tag database; 6: virus detection unit; 7: virus infection control unit; 100: network ransomware vaccine protection system

Claims (8)

1. A network ransomware vaccine protection system, comprising: a transmission unit; a tag collection and analysis unit that collects, through the transmission unit, intrusion evidence of network ransomware and checks whether the intrusion evidence carries a newly discovered virus feature; a feature screening and marking unit connected to the tag collection and analysis unit, which selects a feature set for identifying virus families and analyzes the correlation of the newly discovered virus feature with the virus family and with the feature set, so as to screen and mark the virus feature and form a newly discovered tag; a tag database that receives the newly discovered tag through the transmission unit and stores a plurality of tag data including the newly discovered tag; a tag implantation unit that retrieves the plurality of tag data from the tag database; a virus detection unit into which the plurality of tag data are implanted through the tag implantation unit, and which determines, by comparison against the plurality of tag data, whether a file transmitted over the network contains network ransomware and analyzes the type of network ransomware; and a virus infection control unit connected to the virus detection unit, which, upon receiving a notification that network ransomware has been detected, stops the connection transmitting the file and the opening or execution of the file; wherein the feature screening and marking unit further filters out tag sets of low contribution and retains a tag set sufficient to identify the virus family, so as to reduce the number of computations performed by the virus detection unit and thereby speed up virus identification.

2. The network ransomware vaccine protection system of claim 1, wherein the virus feature comprises a keyword in a binary file header, the name of a called subroutine, a keyword in a comment, or an external link URL entry.

3. The network ransomware vaccine protection system of claim 1, wherein the feature screening and marking unit updates and maintains the tag database according to the newly discovered tag.

4. The network ransomware vaccine protection system of claim 1, wherein, upon receiving a notification that network ransomware has been detected, the virus infection control unit sends a warning notification.

5. An operating method for a network ransomware vaccine protection system, comprising the following steps: providing a network ransomware vaccine protection system that comprises a transmission unit, a tag collection and analysis unit, a feature screening and marking unit, a tag database, a tag implantation unit, a virus detection unit and a virus infection control unit; the tag collection and analysis unit collecting, through the transmission unit, intrusion evidence of network ransomware and checking whether the intrusion evidence carries a newly discovered virus feature; the feature screening and marking unit selecting a feature set for identifying virus families, analyzing the correlation of the newly discovered virus feature with the virus family and with the feature set, and screening and marking the virus feature to form a newly discovered tag; the tag database receiving the newly discovered tag through the transmission unit and storing a plurality of tag data including the newly discovered tag; the tag implantation unit retrieving the plurality of tag data from the tag database and implanting the plurality of tag data into the virus detection unit; the virus detection unit determining, by comparison against the plurality of tag data, whether a file transmitted over the network contains network ransomware and analyzing the type of network ransomware; and the virus infection control unit determining whether a notification that network ransomware has been detected is received, and if so, stopping the connection transmitting the file and the opening or execution of the file, or otherwise continuing normal network connection and transmission; wherein the feature screening and marking unit further filters out tag sets of low contribution and retains a tag set sufficient to identify the virus family, so as to reduce the number of computations performed by the virus detection unit and thereby speed up virus identification.

6. The operating method for a network ransomware vaccine protection system of claim 5, wherein the virus feature comprises a keyword in a binary file header, the name of a called subroutine, a keyword in a comment, or an external link URL entry.

7. The operating method for a network ransomware vaccine protection system of claim 5, wherein the feature screening and marking unit updates and maintains the tag database according to the newly discovered tag.

8. The operating method for a network ransomware vaccine protection system of claim 5, wherein, upon receiving a notification that network ransomware has been detected, the virus infection control unit sends a warning notification.
TW112140627A 2023-10-24 Internet ransomware virus vaccine protection system and operation method thereof TWI913596B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW112140627A TWI913596B (en) 2023-10-24 Internet ransomware virus vaccine protection system and operation method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW112140627A TWI913596B (en) 2023-10-24 Internet ransomware virus vaccine protection system and operation method thereof

Publications (2)

Publication Number Publication Date
TW202518294A TW202518294A (en) 2025-05-01
TWI913596B true TWI913596B (en) 2026-02-01


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106557689A (en) 2015-09-25 2017-04-05 纬创资通股份有限公司 malicious program code analysis method and system, data processing device and electronic device
CN114730339A (en) 2019-11-11 2022-07-08 微软技术许可有限责任公司 Detecting unknown malicious content in a computer system
CN116865986A (en) 2022-03-28 2023-10-10 深信服科技股份有限公司 Virus detection method, CEP engine, electronic device and storage medium


Similar Documents

Publication Publication Date Title
US11675904B1 (en) Systems and methods for protecting against malware attacks using signature-less endpoint protection
Tahir A study on malware and malware detection techniques
US7434261B2 (en) System and method of identifying the source of an attack on a computer network
JP6894003B2 (en) Defense against APT attacks
US7260725B2 (en) Virus detection system
CN105024976B (en) A kind of advanced constant threat attack recognition method and device
Moussaileb et al. Ransomware network traffic analysis for pre-encryption alert
KR20040101490A (en) Detecting and countering malicious code in enterprise networks
CN113364799A (en) Method and system for processing network threat behaviors
EP3352110B1 (en) System and method for detecting and classifying malware
CN116860489A (en) System and method for threat risk scoring of security threats
JP2012064208A (en) Network virus prevention method and system
JP2019185183A (en) Communication device protection management server and communication device protection system
US20150222648A1 (en) Apparatus for analyzing the attack feature dna and method thereof
Bajpai et al. Know thy ransomware response: a detailed framework for devising effective ransomware response strategies
US20060015939A1 (en) Method and system to protect a file system from viral infections
KR100500589B1 (en) An apparatus and method for worm protection using pattern matching method based on a hardware system
RU2770570C2 (en) System and method for determining process associated with malware encrypting computer system files
Neugschwandtner et al. Forecast: skimming off the malware cream
CN117220936A (en) An industrial control security audit system that supports unknown threat detection
CN106561026A (en) Method and system for diagnosing invasion based on user account operation behavior
CN113449302A (en) Method for detecting malicious software
TWI913596B (en) Internet ransomware virus vaccine protection system and operation method thereof
CN116723048A (en) A communication system and method within a local area network
Alsharabi et al. Analysis of ransomware using reverse engineering techniques to develop effective countermeasures