CN108616510A - A digital-immunity-based evasive ransomware detection technique - Google Patents

A digital-immunity-based evasive ransomware detection technique

Info

Publication number
CN108616510A
Authority
CN
China
Prior art keywords
virus
reclusion
extorted
vaccine
digital
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810281216.8A
Other languages
Chinese (zh)
Inventor
张瑜
孙葭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to CN201810281216.8A priority Critical patent/CN108616510A/en
Publication of CN108616510A publication Critical patent/CN108616510A/en
Pending legal-status Critical Current

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Storage Device Security (AREA)

Abstract

To address the security dilemma that traditional detection methods cannot effectively cope with evasive ransomware, the present invention borrows the principle of the biological immune system and proposes a digital-immunity-based evasive ransomware detection technique. By injecting digital vaccines and monitoring the digital vaccines in real time, it intelligently detects evasive ransomware. First, digital vaccines are injected, that is, a certain number of trap folders and files are set up for the ransomware to trigger. Second, the digital vaccines are monitored in real time, simultaneously at the application layer and the kernel layer. Kernel-layer real-time monitoring mainly watches the ransomware's tampering with system kernel data, to prevent it from evading detection and hiding itself. Application-layer real-time monitoring focuses on the ransomware's file system tampering, to prevent it from encrypting user files and then extorting ransom. The present invention can quickly and efficiently detect evasive ransomware, ensuring that it is hard for it to escape and that it has no place to hide.

Description

A digital-immunity-based evasive ransomware detection technique
One, Technical field
The present invention relates to the field of cyberspace security, and in particular to a digital-immunity-based evasive ransomware detection technique.
Two, Background technology
In recent years, with the accelerated development and deep integration of network technology and the digital economy, cybercrime has become increasingly active and profit-driven, causing serious economic losses and becoming a new kind of network security threat. According to the latest report of the Center for Strategic and International Studies [1], cybercrime in 2017 caused nearly 600,000,000,000 dollars of losses to the global economy, 0.8% of global GDP; online extortion and technical-support fraud have become the most active cybercrime activities between users and enterprises and the ones with the most serious impact. According to a McAfee Labs research report [2], cybercrime in 2017 caused China economic losses of more than 13,800,000,000 dollars.
The profit motive of cybercrime drives attackers to continually reform their attack theory and innovate their attack patterns, doing their utmost to hold the technical advantage in the attack-defence game. Ransomware attacks (Ransomware Attacks) are a new kind of malicious network attack that emerged and developed rapidly in this context, with great harmfulness and destructive power [3-5]. According to the latest ransomware survey report [6] published by the well-known American security firm Carbon Black, more and more cybercriminals are obtaining "golden eggs" through ransomware attacks. According to a current research report [7] by the American Malwarebytes Labs, ransomware attacks grew tenfold in 2017 and have become the tool of choice for cybercriminals, and future ransomware attack techniques will show a more hidden and more complex development trend.
A ransomware attack is a malicious network attack that hijacks the user's data resources (encrypting user files, locking the user's screen to deny access, and so on) and coerces the user into paying a ransom as the condition for restoring them. Among all existing ransomware attack patterns, evasive ransomware attacks are the most threatening. A so-called evasive ransomware attack [8,9] uses evasion techniques to avoid or obstruct detection and forensics by security systems, by disguising or modifying attack traces, and then quietly hijacks data resources (encrypting files, denying access, locking the screen, etc.) to extort ransom; it is a new kind of malicious network attack that maintains long-term concealment.
Evasive ransomware evades the security system in the following ways: 1. residing in the system registry, 2. hooking system service calls, 3. tampering with system kernel data. Its threat is mainly embodied in: 1. persistent existence and long-term concealment, which makes it hard for traditional security defence techniques to detect effectively; 2. hijacking data and extorting ransom, which causes the user both data loss and economic loss. In short, evasive ransomware attacks invisibly and comes and goes without a trace; its attack power is very great and the consequences are grievous. According to the latest survey by Carbon Black [6], 53% of malicious network attacks are evasive attacks. Therefore we have reason to believe that evasive ransomware attacks are widely used by cybercriminals, and that this will become a network security nightmare that enterprises and individuals can neither get rid of nor guard against.
At present China has become a severely afflicted area for evasive ransomware attacks [2]; everyone is a target and nobody can escape by luck. Frequent and grievous evasive ransomware attacks have made research on ransomware detection technology overdue. In particular, the WannaCry, NotPetya and Bad Rabbit ransomware attacks that occurred in 2017 used hidden attack means, had severe consequences, spread globally and caused extremely grievous losses. Since ransomware attacks have become the new normal of malicious network attacks and sweep all before them, and since the use of evasion techniques makes them even harder for traditional security techniques to detect and guard against, the threat to cyberspace security is undoubtedly made worse. Therefore, in view of the harmfulness, severity and development trend of evasive ransomware attacks, researching and developing detection and defence techniques against evasive ransomware is the trend of the times and a necessity. This is undoubtedly an effective way to contain the stealthification of ransomware, prevent evasive network attacks and strike at cybercrime.
Three, Summary of the invention
To address the security dilemma that traditional detection methods cannot effectively cope with evasive ransomware, a digital-immunity-based evasive ransomware detection technique is proposed. By injecting digital vaccines, monitoring the digital vaccines in real time, and monitoring abnormal behaviours such as file encryption and extortion in real time, the technique detects and defends against evasive ransomware and unknown ransomware.
(1) Technical problem
At present, traditional ransomware detection techniques can be summarized into 2 major classes: 1. static defence, 2. dynamic defence.
In static defence techniques there are mainly 2 methods: 1. the signature method, 2. the honeypot method. The signature method judges by searching files or memory for ransomware signatures. Its logical flow is: analyse known ransomware samples → extract their signatures and store them in a database → scan the file to be detected → judge by whether a signature matches.
Currently, most commercial security products use the signature method for ransomware detection. The advantage of this method is that it can accurately detect known ransomware; its disadvantage is that fileless ransomware usually hides its static file or dynamic process in the file system or memory by residing in the system registry, hooking system service calls or tampering with system kernel data, so the signature method cannot detect it at all. Therefore, for fileless ransomware attacks, whose operating mechanism is not yet fully understood and from which no corresponding signature can be extracted, this method is hard to apply successfully.
If the signature method tries to locate the attacker by following up a clue, the honeypot method turns the attacker's own devices against him. The honeypot method perceives the attacker's attack by monitoring an artificially set trap. Its logical flow is: reverse-analyse the ransomware → lay bait files and set traps → monitor the bait and perceive the ransomware attack. The advantage of this method is that, knowing what the attack does, it can quickly detect a ransomware attack. Its deficiency is that it does not know why, so it cannot locate the attack source.
In dynamic defence techniques, traditional defence techniques mostly monitor process behaviour in real time. Such methods judge by monitoring abnormal behaviour of the file system or of memory processes [17-19]. Because dynamic behaviour analysis judges anomalies from process behaviour, it has the technical advantages of a low false-alarm rate and of quickly and effectively coping with unknown ransomware attacks. However, dynamic behaviour analysis is a completely black-box means: it only pays attention to the result of process behaviour and ignores analysis of its inherent mechanisms, such as the interaction between the system kernel and the file system. Such methods have deficiencies in locating and killing the threat. Because they treat the ransomware attack process as a black box and ignore analysis of the ransomware's attack mechanism and interaction behaviour, it is hard to accurately locate its hiding place and to precisely kill the evasive ransomware process, so that the evasive ransomware attack revives and stages a comeback.
To address the deficiencies of traditional ransomware detection techniques, we propose a digital-immunity-based evasive ransomware detection technique. The mechanism of the biological immune system confirms that inoculating the body with an antigenic vaccine (Vaccine) produces specific active immunity: when the organism contacts the same pathogen again, its immune system follows its original memory and manufactures more protective substances to prevent injury by the pathogen, thereby resisting the occurrence or prevalence of infectious disease. Borrowing the principle of the biological immune system, we inject digital vaccines (a certain number of trap folders and files) and monitor the behaviour of the digital vaccines and of other processes simultaneously at the application layer and the kernel layer, so as to intelligently detect evasive ransomware. Specifically, once a digital vaccine is operated on by a related process, that process is terminated immediately and an alarm is raised; likewise, when frequent file read/write behaviour by another process is observed, that process is terminated immediately and an alarm is raised.
(2) Technical solution
The technical scheme of the present invention is shown in Figure 1 (see the description of the drawings).
Injecting the digital vaccine
A vaccine (Vaccine) is an antigenic preparation which, inoculated into the body, produces specific active immunity and can resist the occurrence or prevalence of infectious disease. Vaccines are made from pathogenic microorganisms (such as bacteria, Rickettsia and viruses) and their metabolic products by artificial attenuation, inactivation or transgenic methods, and retain the pathogen's property of stimulating the body's immune system. After the organism contacts this pathogen that no longer has the power to injure, the immune system produces certain protective substances, such as immune hormones, active physiological substances and specific antibodies; when the organism contacts this pathogen again, its immune system follows its original memory and manufactures more protective substances to prevent injury by the pathogen.
Injecting digital vaccines means creating a certain number of bait folders and files in the directories that evasive ransomware frequently accesses. When evasive ransomware or unknown ransomware reads or writes these digital vaccines, an immune response similar to the organism's is triggered, gaining a time advantage to terminate the extortion behaviour in time.
Monitoring the digital vaccine in real time
The present invention adopts dual real-time monitoring of the digital vaccines, i.e. the injected digital vaccines are monitored in real time at the kernel layer and the application layer simultaneously, because the behaviour of evasive ransomware generally comprises 2 classes: system kernel data tampering and file system tampering. Kernel-layer real-time monitoring mainly watches the ransomware's tampering with system kernel data (system hooking, DKOM behaviour, etc.), to prevent it from evading detection and hiding itself. Application-layer real-time monitoring focuses on the ransomware's file system tampering (reading and writing the registry, searching for files, encrypting files, etc.), to prevent it from encrypting user files and then extorting ransom. This dual monitoring ensures that as soon as fileless ransomware traverses folders and files, both the application layer and the kernel layer perceive the operation in real time. Furthermore, the reason for monitoring at the application layer and the kernel layer simultaneously is to avoid the case where evasive ransomware hooks or filters out the related API functions: even if application-layer monitoring is evaded, kernel-layer real-time monitoring remains, so that fileless ransomware has no place to hide.
Windows is an operating system with two privilege levels based on a layered architecture: application programs run in the user layer at CPU privilege ring 3 (Ring 3), and kernel programs run in the kernel layer at CPU privilege ring 0 (Ring 0). The link between user-layer programs and kernel-layer programs is the system API (Application Programming Interface). This interface is provided by the dynamic link library named "NTDLL.DLL": every user-layer API call is carried out through the corresponding API entry in this DLL, but the DLL only provides the interface for jumping from the user layer to the kernel layer and is not the final executing body. After an API call has been converted into the related API function in NTDLL, the system looks up the address of that API in a table called the SSDT (System Service Descriptor Table) and then really calls it; the API executed at that point is the real native API, a function located in the system's real kernel program NTOSKRNL.EXE. This process is system service dispatch. Therefore the SSDT is the important terminal in Windows that connects the Ring 3 Win32 API with the Ring 0 kernel Native API.
Since the SSDT contains a huge address reference table and other important information, such as the base address of the allocation index and the number of service functions, modifying the function addresses in this table can hook common Windows API functions and thereby filter and monitor the related system actions.
(3) Advantageous effects
Because the injected digital vaccine and dual monitoring of the digital vaccine are used, relative to traditional ransomware detection schemes the present invention has the following advantages:
1. Simplifying the defence system and improving detection performance.
Using the injected digital vaccine method, by creating bait folders and files in the important directories of the Windows system and setting traps, the invention simplifies the design of the ransomware detection and defence system. When the ransomware starts traversing folders and as-yet-unencrypted files, a trap is triggered and perceived at once, improving detection performance.
2. Timely and effective detection of ransomware behaviour.
The digital vaccines are monitored in real time at the application layer; any attempt to change a digital vaccine triggers a trap and is thereby perceived and detected in time. When the ransomware attempts to encrypt a digital vaccine it is captured and perceived at the first moment, gaining time to stop the subsequent encryption and extortion behaviour.
3. Effective detection of evasive ransomware.
The digital vaccines are monitored in real time at the kernel layer, and any unknown evasive ransomware that attempts to hide its own behaviour can be effectively detected through the cross-view detection method between the kernel layer and the application layer, making it hard for it to evade.
Four, Description of the drawings
Fig. 1 is the evasive ransomware detection scheme of the present patent. Injecting the digital vaccines comprises: creating bait folders and creating bait files of different types. Kernel-layer monitoring of the digital vaccines comprises: monitoring and preserving the MFT and VSS, hooking the kernel SSDT table, and a kernel filter driver monitoring the bait files and other abnormal file-system behaviour. Application-layer monitoring of the digital vaccines comprises: monitoring the bait files with the ReadDirectoryChangesW function.
Five, Specific implementation mode
As shown in Figure 1, the specific implementation of the invention is as follows:
1. Injecting the digital vaccine
(1) Creating bait folders in the relevant locations of the Windows system
Because the important files of a Windows system are distributed in locations such as the disk root, the Users directory, the Users\Administrator\Documents directory, the Downloads directory, the Temp directory and the %AppData% directory, evasive ransomware is very likely to perform encryption operations on the folders and files in those directories. Therefore bait folders must be created in those locations and traps planted there, waiting for the ransomware to trigger them.
To perceive the ransomware's encryption behaviour in time, when laying the traps a series of bait folders such as A%, B%, C%, X%, Y%, Z% is created. In this way, whichever sort algorithm the ransomware uses to read folders, a bait folder is guaranteed to be operated on first and hence to trigger a trap first, seizing the initiative for the subsequent real-time monitoring.
(2) Creating a variety of bait files of different types
Because users' important data is mostly stored in file types such as .txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .jpg and .bmp, data in those formats all fall within the ransomware's search range when it traverses and encrypts files. This suggests that bait files in those formats, named A%, B%, C%, X%, Y%, Z% respectively, should be created so that the ransomware triggers a bait file first when traversing and encrypting files.
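As an added example (not code from the patent), the following Python script plants the bait folders and files described in steps (1) and (2) under a directory and checks the ordering claim behind the A%...Z% naming: an ascending lexical walk meets A% first and a descending walk meets Z% first. The folder/file stems and extensions are the ones the patent lists; the filler content and the "Documents", "Pictures" and "work" user folders are constructed for the demonstration.

```python
"""Added example (not the patent's code): planting decoy folders and files
("digital vaccines") and checking that a lexical traversal in either
direction reaches a decoy before any user folder."""
import os
import tempfile

# Stems from both ends of the alphabet (from the patent): an ascending walk
# meets A% first, a descending walk meets Z% first.
DECOY_STEMS = ["A%", "B%", "C%", "X%", "Y%", "Z%"]
# Document types the patent names as typical user data.
DECOY_EXTENSIONS = [".txt", ".doc", ".docx", ".xls", ".xlsx",
                    ".ppt", ".pptx", ".pdf", ".jpg", ".bmp"]
# Constructed filler so a decoy is not a conspicuous zero-byte file.
FILLER = b"decoy document - do not edit\n" * 32


def decoy_layout(root):
    """(folder, file) pairs that plant_decoys() creates under root."""
    pairs = []
    for stem in DECOY_STEMS:
        folder = os.path.join(root, stem)
        for ext in DECOY_EXTENSIONS:
            pairs.append((folder, os.path.join(folder, stem + ext)))
    return pairs


def plant_decoys(root):
    """Create every decoy folder and file; return the created file paths."""
    created = []
    for folder, path in decoy_layout(root):
        os.makedirs(folder, exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(FILLER)
        created.append(path)
    return created


def is_decoy_name(name):
    """True when a folder or file name has one of the decoy stems."""
    stem, _ext = os.path.splitext(name)
    return stem in DECOY_STEMS


def traversal_ends(root):
    """First entry of an ascending and of a descending lexical walk of root.
    NTFS enumerates names case-insensitively, so compare case-folded names."""
    names = sorted(os.listdir(root), key=str.casefold)
    return names[0], names[-1]


def build_demo(root=None):
    """Plant decoys next to a few constructed user folders and report what a
    walker in either direction would meet first."""
    root = root or tempfile.mkdtemp(prefix="vaccine-demo-")
    for user_dir in ("Documents", "Pictures", "work"):   # constructed
        os.makedirs(os.path.join(root, user_dir), exist_ok=True)
    created = plant_decoys(root)
    first, last = traversal_ends(root)
    return {"root": root, "created": created,
            "first_ascending": first, "first_descending": last}


if __name__ == "__main__":
    print(build_demo())
```

The check only covers names that begin with a letter: a user folder starting with a digit, a space or a punctuation character below "%" sorts ahead of A% in ASCII order, so when deploying decoys it is worth listing the target directory first and confirming that the bait lands at both ends of the actual enumeration order.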
2. Monitoring the digital vaccine in real time
(1) Monitoring the digital vaccine in real time at the application layer
The digital vaccines are monitored in real time at the application layer using the Windows API function ReadDirectoryChangesW. First the CreateFile function is used to obtain a handle to the directory to be monitored; then ReadDirectoryChangesW is called in a loop, passing it the directory handle together with the start address and length of a caller-allocated buffer for storing directory change notifications. When a file in the directory changes, the function stores the change notification in the specified memory region, and the name of the changed file, its containing directory and the change notification are then processed. In short, ReadDirectoryChangesW ensures quick perception of state changes of the bait folders and files.
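The following Python script is an added example, not the patent's code: it runs the application-layer rules described above (alert on any change to a digital vaccine, and alert on a process that reads/writes files at high frequency, as stated in the summary) over a constructed stream of directory-change notifications shaped like the FILE_ACTION_* records that ReadDirectoryChangesW reports. The process id attached to each event is an assumption, since ReadDirectoryChangesW notifications do not identify the writing process (that attribution would come from the kernel filter driver); the sample events, pids and thresholds are constructed.

```python
"""Added example (not the patent's code): the application-layer monitoring
logic run over a constructed stream of directory-change notifications.

Each event is (timestamp, pid, action, relative_path). The action codes are
the FILE_ACTION_* values ReadDirectoryChangesW reports; the pid is an
assumption, because ReadDirectoryChangesW notifications do not identify the
process that made the change."""
from collections import defaultdict, deque

# FILE_ACTION_* constants from the Windows SDK (winnt.h).
FILE_ACTION_ADDED = 1
FILE_ACTION_REMOVED = 2
FILE_ACTION_MODIFIED = 3
FILE_ACTION_RENAMED_OLD_NAME = 4
FILE_ACTION_RENAMED_NEW_NAME = 5
ACTION_NAMES = {1: "added", 2: "removed", 3: "modified",
                4: "renamed_from", 5: "renamed_to"}

# Decoy stems used for the bait folders and files (from the patent).
DECOY_STEMS = {"A%", "B%", "C%", "X%", "Y%", "Z%"}


def is_decoy(relpath):
    """True when any path component is a decoy folder or a decoy file stem."""
    for part in relpath.replace("\\", "/").split("/"):
        if part.rsplit(".", 1)[0] in DECOY_STEMS:
            return True
    return False


class DecoyMonitor:
    """Rule 1: any change notification touching a digital vaccine is an alert."""

    def handle(self, ts, pid, action, relpath):
        if is_decoy(relpath):
            return {"rule": "decoy", "ts": ts, "pid": pid,
                    "action": ACTION_NAMES.get(action, str(action)),
                    "path": relpath}
        return None


class WriteRateDetector:
    """Rule 2: a process that modifies, renames or removes more than `limit`
    files within a sliding window of `window` seconds is flagged once."""

    def __init__(self, limit=5, window=2.0):
        self.limit, self.window = limit, window
        self.recent = defaultdict(deque)   # pid -> timestamps inside window
        self.flagged = set()

    def handle(self, ts, pid, action, relpath):
        if action == FILE_ACTION_ADDED:    # creating files alone is not tampering
            return None
        q = self.recent[pid]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.limit and pid not in self.flagged:
            self.flagged.add(pid)
            return {"rule": "write-rate", "ts": ts, "pid": pid,
                    "count": len(q), "window": self.window}
        return None


def run_detection(events, limit=5, window=2.0):
    """Feed events through both rules and return the alerts in order. In the
    patent's scheme each alert would terminate the offending process."""
    rules = [DecoyMonitor(), WriteRateDetector(limit, window)]
    alerts = []
    for ts, pid, action, relpath in sorted(events):
        for rule in rules:
            alert = rule.handle(ts, pid, action, relpath)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample stream: pid 1200 is a word processor saving one file;
# pid 4321 walks the tree in order, hits the A% decoy first and then
# rewrites user files in quick succession.
SAMPLE_EVENTS = [
    (0.1, 4321, FILE_ACTION_MODIFIED, "A%/A%.docx"),
    (0.5, 1200, FILE_ACTION_MODIFIED, "Documents/report.docx"),
] + [
    (1.0 + i / 10, 4321, FILE_ACTION_MODIFIED, f"Documents/file{i}.xlsx")
    for i in range(7)
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

On the sample stream the decoy rule fires on the very first event, before any user file has been touched, which is the time advantage the patent argues for; the rate rule fires later and only once per process. A real deployment would size `limit` and `window` against the normal save rate of installed applications (backup agents and compilers write many files quickly) and would whitelist them, otherwise rule 2 produces false alarms.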
(2) Monitoring the digital vaccine in real time at the kernel layer
Kernel-layer real-time monitoring mainly uses 2 methods: 1. hooking the SSDT (System Service Descriptor Table), 2. capturing IRPs (I/O Request Packets) with a filter driver. Hooking the SSDT prevents evasive ransomware from tampering with the ReadDirectoryChangesW API function and other file-operation functions; a filter driver capturing IRPs receives the I/O requests for all files in kernel mode, ensuring that access to the digital vaccines and other abnormal file-system behaviour is captured in time. In short, kernel-layer real-time monitoring can identify encryption behaviour and evasion behaviour at the same time, ensuring timely and effective discovery of evasive ransomware.
(3) Monitoring and preserving the MFT and VSS
The MFT (Master File Table) is the index file that maps the storage objects on disk in the NTFS file system. The MFT contains at least one mapping entry for every file on the disk (including the MFT itself), holding data such as the file name, size, timestamps, security attributes and file location. Hence monitoring and protecting the MFT can perceive encryption and extortion behaviour, and is vital for subsequent file recovery.
VSS (Volume Shadow Copy Service) is the snapshot service in Windows based on COW (Copy-On-Write) technology. VSS ensures the authenticity of backups and the simplicity of recovery through communication among three important entities: Requestor, Writer and Provider. Most ransomware deletes the VSS shadow copies so that the victim cannot restore the affected files. Therefore, from the perspective of detection and defence, monitoring and protecting the MFT and VSS from the kernel layer can perceive encryption and extortion behaviour and also helps subsequent file repair.
Bibliography:
1. The Center for Strategic and International Studies with McAfee. Economic Impact of Cybercrime: No Slowing Down [R]. https://www.a51.nl/sites/default/files/pdf/economic-impact-cybercrime.pdf, 2018.
2. McAfee Labs. Chinese Cybercriminals Develop Lucrative Hacking Services. https://securingtomorrow.mcafee.com/mcafee-labs/chinese-cybercriminals-develop-lucrative-hacking-services/, 2018.
3. Alexandre Gazet. Comparative Analysis of Various Ransomware Virii [J]. Journal in Computer Virology, 2010, 6(1): 77-90.
4. Akashdeep Bhardwaj, Subrahmanyam, Vinay Avasthi, et al. Ransomware: A Rising Threat of New Age Digital Extortion [J]. Computer Science, 2015, 9(14): 10-43.
5. Amin Kharraz, William Robertson, David Balzarotti, et al. Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks [J]. Lecture Notes in Computer Science, 2016, 9148: 3-24.
6. Carbon Black. The Ransomware Economy [R]. https://www.carbonblack.com/wp-content/uploads/2017/10/Carbon-Black-Ransomware-Economy-Report-101117.pdf, 2018.
7. Malwarebytes Labs. Cybercrime Tactics and Techniques: 2017 State of Malware [R]. https://www.malwarebytes.com/pdf/white-papers/CTNT-Q4-17.pdf, 2018.
8. Steve Mansfield-Devine. Fileless Attacks: Compromising Targets without Malware [J]. Network Security, 2017, 4: 7-11.
9. Greg Hoglund, James Butler. Rootkits: Subverting the Windows Kernel [M]. Addison-Wesley Professional, 2006.
10. Gandhi Krunal, Patel Viral. Survey on Ransomware: A New Era of Cyber Attack [J]. International Journal of Computer Applications, 2017, 168: 38-41.
11. Bander Ali Saleh Al-Rimy, Mohd Aizaini Maarof, Syed Zainudeen Mohd Shaid. Ransomware Threat Success Factors, Taxonomy, and Countermeasures: A Survey and Research Directions [J]. Computers & Security, 2018, 74: 144-166.
12. Brewer R. Ransomware Attacks: Detection, Prevention and Cure [J]. Network Security, 2016, (9): 5-9.
13. Kevin Savage, Peter Coogan, Hon Lau. The Evolution of Ransomware. http://www.symantec.com/content/en/us/enterprise/media/securityresponse/whitepapers/the-evolution-of-ransomware.pdf, 2015.
14. Aws Naser Jaber, Hasan Shakir. Ransomware: Pros and Cons Review [C]. The International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 2017, 26-32.
15. Chris Moore. Detecting Ransomware with Honeypot Techniques [C]. IEEE Cybersecurity and Cyberforensics Conference, 2016, 77-81.
16. Sajad Homayoun, Ali Dehghantanha, Marzieh Ahmadzadeh, et al. Know Abnormal, Find Evil: Frequent Pattern Mining for Ransomware Threat Hunting and Intelligence [J]. IEEE Transactions on Emerging Topics in Computing, 2017, (99): 1-10.
17. Daniele Sgandurra, Luis Muñoz-González, Rabih Mohsen, et al. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and Use for Detection [J], 2016, 1-12.
18. Jesper B. S. Christensen, Niels Beuschau. Ransomware Detection and Mitigation Tool [D]. Technical University of Denmark, 2017.
19. Amin Kharraz, Sajjad Arshad, Collin Mulliner, et al. UNVEIL: A Large-scale, Automated Approach to Detecting Ransomware [C]. IEEE International Conference on Software Analysis, Evolution and Reengineering, 2017, 1-15.

Claims (4)

1. A digital-immunity-based evasive ransomware detection technique, comprising injecting digital vaccines, monitoring the digital vaccines in real time at the application layer, and monitoring the digital vaccines in real time at the kernel layer, characterised in that: by injecting digital vaccines, traps are set, and the digital vaccines are monitored simultaneously at the application layer and the kernel layer, ensuring that hidden evasive ransomware can be detected in a timely and effective manner and protecting user equipment and data security.
2. The digital-immunity-based evasive ransomware detection technique according to claim 1, characterised in that: in the locations of the Windows system that evasive ransomware frequently accesses, such as the disk root, the Users directory, the Users\Administrator\Documents directory, the Downloads directory, the Temp directory and the %AppData% directory, a series of bait folders such as A%, B%, C%, D%, W%, X%, Y%, Z% is created respectively.
3. The digital-immunity-based evasive ransomware detection technique according to claim 1, characterised in that: in the above bait folders, bait files (digital vaccines) are created respectively with A%, B%, C%, D%, W%, X%, Y%, Z% as the file name and with .TXT, .DOC, .DOCX, .XLS, .XLSX, .PPT, .PPTX, .PDF, .JPG, .BMP, .MP4, .AVI, .WMV, .MPEG, .MOV, .MKV, .FLV, .F4V, .M4V, .RMVB, .RM, .3GP, .DAT, .TS, .MTS, .VOB etc. as the file extension.
4. The digital-immunity-based evasive ransomware detection technique according to claim 1, characterised in that: at the application layer the digital vaccines are monitored in real time through the ReadDirectoryChangesW function, while at the same time, at the kernel layer, the digital vaccines are monitored in real time by means such as hooking the SSDT (System Service Descriptor Table) and capturing IRPs (I/O Request Packets) with a filter driver.
CN201810281216.8A 2018-03-24 2018-03-24 A digital-immunity-based evasive ransomware detection technique Pending CN108616510A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810281216.8A CN108616510A (en) 2018-03-24 2018-03-24 It is a kind of that virus detection techniques are extorted based on digital immune reclusion

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810281216.8A CN108616510A (en) 2018-03-24 2018-03-24 It is a kind of that virus detection techniques are extorted based on digital immune reclusion

Publications (1)

Publication Number Publication Date
CN108616510A true CN108616510A (en) 2018-10-02

Family

ID=63659466

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810281216.8A Pending CN108616510A (en) 2018-03-24 2018-03-24 It is a kind of that virus detection techniques are extorted based on digital immune reclusion

Country Status (1)

Country Link
CN (1) CN108616510A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101018200A (en) * 2006-02-10 2007-08-15 3Com Corporation Bi-planar network architecture
CN102662741A (en) * 2012-04-05 2012-09-12 华为技术有限公司 Method, device and system for realizing virtual desktop

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李江涛: "Design and Implementation of a Behavior-Based Virus Detection ***", China Excellent Master's Theses Collection (《中国优秀硕士论文辑》) *

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110555306A (en) * 2019-09-02 2019-12-10 慧盾信息安全科技(苏州)股份有限公司 System and method for automatically controlling process access server data authority
CN110555306B (en) * 2019-09-02 2024-02-06 慧盾信息安全科技(苏州)股份有限公司 System and method for automatically controlling access authority of process to server data
CN114175575A (en) * 2020-07-02 2022-03-11 华为技术有限公司 Apparatus and method for generating, using and optimizing honeypots
CN114175575B (en) * 2020-07-02 2023-04-18 华为技术有限公司 Apparatus and method for generating, using and optimizing honeypots
CN111625828A (en) * 2020-07-29 2020-09-04 杭州海康威视数字技术股份有限公司 Ransomware defense method and device and electronic equipment
CN112818346A (en) * 2020-08-17 2021-05-18 北京辰信领创信息技术有限公司 Method for trapping ransomware by file
CN112560040A (en) * 2020-12-25 2021-03-26 安芯网盾(北京)科技有限公司 General detection method and device for computer infectious virus
CN114036517A (en) * 2021-11-02 2022-02-11 安天科技集团股份有限公司 Virus identification method and device, electronic equipment and storage medium
WO2023124041A1 (en) * 2021-12-31 2023-07-06 华为云计算技术有限公司 Ransomware detection method and related system

Similar Documents

Publication Publication Date Title
Oz et al. A survey on ransomware: Evolution, taxonomy, and defense solutions
JP7046111B2 (en) Automatic detection during malware runtime
CN108616510A (en) It is a kind of that virus detection techniques are extorted based on digital immune reclusion
Kao et al. The dynamic analysis of WannaCry ransomware
Kharraz et al. Redemption: Real-time protection against ransomware at end-hosts
Kharraz et al. UNVEIL: A Large-Scale, automated approach to detecting ransomware
Scaife et al. Cryptolock (and drop it): stopping ransomware attacks on user data
US11531753B2 (en) Preventing ransomware from encrypting files on a target machine
US11232201B2 (en) Cloud based just in time memory analysis for malware detection
WO2017053745A1 (en) Malware detection via data transformation monitoring
WO2018099206A1 (en) Apt detection method, system, and device
Patyal et al. Multi-layered defense architecture against ransomware
Grégio et al. Toward a taxonomy of malware behaviors
Bijitha et al. A survey on ransomware detection techniques
Keong Ng et al. VoterChoice: A ransomware detection honeypot with multiple voting framework
JP5326063B1 (en) Malicious shellcode detection apparatus and method using debug events
Kardile Crypto ransomware analysis and detection using process monitor
Deng et al. Lexical analysis for the webshell attacks
Lemmou et al. A behavioural in‐depth analysis of ransomware infection
Han et al. On the effectiveness of behavior-based ransomware detection
Kunwar et al. Framework to detect malicious codes embedded with JPEG images over social networking sites
Rashmitha et al. Malware analysis and detection using reverse Engineering
JP2010182020A (en) Illegality detector and program
Mansor et al. Crytojacking Classification based on Machine Learning Algorithm
Kharraz Techniques and Solutions for Addressing Ransomware Attacks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20181002