CN108616510A - A stealthy ransomware detection technique based on digital immunity - Google Patents
- Publication number
- CN108616510A (application number CN201810281216.8A)
- Authority
- CN
- China
- Prior art keywords
- virus
- stealthy
- ransomware
- vaccine
- digital
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1491—Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Virology (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Computing Systems (AREA)
- Signal Processing (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Networks & Wireless Communication (AREA)
- Storage Device Security (AREA)
Abstract
To address the security dilemma that traditional detection methods are ineffective against stealthy ransomware, the present invention draws on the principles of the biological immune system and proposes a stealthy ransomware detection technique based on digital immunity. By injecting digital vaccines and monitoring them in real time, it detects stealthy ransomware intelligently. First, digital vaccines are injected, i.e. a certain number of trap folders and files are created so that ransomware will trigger them. Second, the digital vaccines are monitored in real time, simultaneously at the application layer and at the kernel layer. Kernel-layer real-time monitoring focuses on the ransomware's tampering with system kernel data, to prevent it from evading detection and concealing itself. Application-layer real-time monitoring focuses on the ransomware's tampering with the file system, to prevent it from encrypting user files and then demanding ransom. The invention can detect stealthy ransomware quickly and efficiently, ensuring that it is hard for it to escape and that it has nowhere to hide.
Description
I. Technical field
The present invention relates to the field of cyberspace security technology, and in particular to a stealthy ransomware detection technique based on digital immunity.
II. Background
In recent years, with the accelerated development and deep integration of network technology and the digital economy, cybercrime has become increasingly active and profit-driven, causing serious economic losses and becoming a new type of cybersecurity threat. According to the latest report from the Center for Strategic and International Studies [1], cybercrime in 2017 caused nearly 600 billion dollars of losses to the global economy, 0.8% of global GDP; online extortion, technical-support fraud and the like have become the most active and most damaging cybercrime activities among users and enterprises. According to another report, by McAfee Labs in the United States [2], cybercrime in 2017 caused China economic losses of more than 13.8 billion dollars.
The profit motive of cybercrime drives attackers to keep reforming their attack theory and innovating their attack patterns, striving to hold the technical advantage in the attack-defence game. Ransomware attacks are a new type of malicious network attack that emerged and developed rapidly in this context, and they are extremely harmful and destructive [3-5]. According to the latest ransomware survey report published by the well-known American security company Carbon Black [6], more and more cybercriminals are using ransomware attacks to obtain their "golden eggs". According to another recent research report from Malwarebytes Labs in the United States [7], ransomware attacks increased tenfold in 2017 and have become the tool of choice for cybercrime, and future ransomware attack techniques will trend towards greater stealth and complexity.
A ransomware attack is a malicious network attack that hijacks a user's data resources (encrypting user files, locking the user's screen, denying user access and so on) and coerces the user into paying a ransom as the condition for release. Among all ransomware attack patterns, stealthy ransomware attacks are the most threatening. A so-called stealthy ransomware attack [8,9] uses stealth techniques, disguising or modifying attack traces to evade or obstruct detection and forensics by security systems, then silently hijacks data resources (encrypting files, denying access, locking the screen and so on) and extorts ransom money; it is a new type of malicious network attack that remains hidden for a long time.
The ways in which stealthy ransomware evades security systems are: (1) residing in the system registry, (2) hooking system service calls, (3) tampering with system kernel data. Its threat is mainly embodied in: (1) persistence and long-term concealment, which makes it hard for traditional security defence techniques to detect effectively; (2) hijacking data and extorting ransom, which causes users both data loss and economic loss. In short, stealthy ransomware attacks invisibly, comes and goes without a trace, has great attack power and leaves severe consequences. According to the latest survey by Carbon Black [6], 53% of malicious network attacks are stealthy attacks. Therefore we have reason to believe that stealthy ransomware attacks are widely used by cybercriminals and will become a cybersecurity nightmare that enterprises and individuals cannot shake off and cannot defend against.
At present, China has become a severely afflicted area for stealthy ransomware attacks [2]; everyone is a target and nobody can escape by luck. Frequent and devastating stealthy ransomware attacks have made research on ransomware attack detection techniques urgent. In particular, the WannaCry, NotPetya and Bad Rabbit ransomware attacks of 2017 used concealed attack methods, had severe consequences, spread globally and caused extremely heavy losses. Since ransomware attacks have become the new normal of malicious network attacks and sweep all before them, and since the addition of stealth techniques makes them even harder for traditional security techniques to detect and prevent, the threat to cyberspace security is undoubtedly worse. Therefore, from the perspective of the harmfulness, severity and development trend of stealthy ransomware attacks, researching and developing detection and defence techniques against them is the trend of the times and an urgent necessity. It is undoubtedly an effective way to contain the move of ransomware towards stealth, to prevent stealthy network attacks and to combat cybercrime.
III. Summary of the invention
To address the security dilemma that traditional detection methods are ineffective against stealthy ransomware, a stealthy ransomware detection technique based on digital immunity is proposed. By injecting digital vaccines, monitoring the digital vaccines in real time, and monitoring in real time abnormal behaviours such as file encryption and extortion, the technique detects and defends against stealthy ransomware and unknown ransomware.
(1) Technical problem
At present, traditional ransomware detection techniques can be summarised into two major classes: (1) static defence, (2) dynamic defence.
In static defence there are mainly two methods: (1) the signature method, (2) the honeypot method. The signature method judges by searching files or memory for ransomware signatures. Its logic flow is: analyse a known ransomware sample → extract its signature and store it in a database → scan the file to be detected → judge by whether the signature matches.
At present, most commercial security products use the signature method for ransomware detection. The advantage of this method is that it can accurately detect known ransomware. Its disadvantage is that fileless ransomware usually resides in the system registry, hooks system service dispatch or tampers with system kernel data, hiding its static file or dynamic process in the file system or in memory, so the signature method cannot detect it at all. Because the operating mechanism of fileless ransomware attacks is not yet fully understood, the corresponding signatures cannot be extracted, and this method struggles to cope with them.
If the signature method follows up a clue to locate the target, the honeypot method turns the attacker's own trick against them. The honeypot method perceives the attacker's attack by monitoring artificially placed traps. Its logic flow is: reverse-analyse the ransomware → place bait files and set traps → monitor the bait and perceive the ransomware attack. The advantage of this method is that it knows what is happening, so it can quickly detect ransomware attacks; its deficiency is that it does not know why, so it cannot locate the attack source.
In dynamic defence, traditional defence techniques mostly monitor the dynamic behaviour of processes in real time. Such methods judge by monitoring abnormal behaviour of the file system or of memory processes [17-19]. Since dynamic behaviour analysis judges whether a process is abnormal from its behaviour, it has the technical advantages of a low false-alarm rate and being able to cope quickly and effectively with unknown ransomware attacks. However, dynamic behaviour analysis is a completely black-box technique: it attends only to the result of process behaviour and ignores analysis of the inner mechanism, such as the interaction between the process, the system kernel and the file system. Such methods are therefore deficient in localisation and killing. Because they treat the ransomware attack process as a black box and ignore analysis of the attack mechanism and interaction behaviour, it is hard to locate precisely where the ransomware hides, the stealthy ransomware process cannot be killed precisely, and the stealthy ransomware attack revives and stages a comeback.
To address the deficiencies of traditional ransomware detection techniques, we propose a stealthy ransomware detection technique based on digital immunity. The mechanism of the biological immune system confirms that inoculating the body with an antigenic vaccine produces specific active immunity: when the organism encounters the pathogen again, its immune system follows its original memory and manufactures more protective substances to resist the pathogen's harm, thereby resisting the occurrence or spread of infectious disease. Drawing on this principle, the invention injects digital vaccines (a certain number of trap folders and files) and monitors the behaviour of the digital vaccines and of other processes simultaneously at the application layer and the kernel layer, so as to detect stealthy ransomware intelligently. Specifically, as soon as a digital vaccine is operated on by a process, that process is terminated immediately and an alert is raised; likewise, if another process is observed performing frequent file read/write operations, that process is terminated immediately and an alert is raised.
(2) Technical solution
The technical solution of the present invention is shown in Figure 1 (see the drawings).
Injecting digital vaccines
A vaccine is a preparation that has antigenicity and, when inoculated into the body, produces specific active immunity and can resist the occurrence or spread of infectious disease. Vaccines are made from pathogenic microorganisms (such as bacteria, Rickettsia and viruses) and their metabolic products by artificial attenuation, inactivation or methods such as genetic engineering, and retain the pathogen's property of stimulating the organism's immune system. After the organism encounters this harmless form of the pathogen, the immune system produces certain protective substances, such as immune hormones, active physiological substances and specific antibodies; when the organism encounters the pathogen again, its immune system follows its original memory and manufactures more protective substances to resist the pathogen's harm.
Injecting digital vaccines means creating a certain number of bait folders and files in the directories that stealthy ransomware frequently accesses. When stealthy or unknown ransomware reads or writes these digital vaccines, it triggers an immune response similar to that of an organism, gaining the time advantage needed to terminate the ransom behaviour promptly.
Monitoring digital vaccines in real time
The invention adopts dual real-time monitoring of digital vaccines, i.e. the injected digital vaccines are monitored in real time at the kernel layer and the application layer simultaneously. The behaviour of stealthy ransomware generally comprises two classes: tampering with system kernel data and tampering with the file system. Kernel-layer real-time monitoring mainly watches for the ransomware's tampering with kernel data (system hooking, DKOM and so on), to prevent it from evading detection and hiding itself. Application-layer real-time monitoring focuses on the ransomware's tampering with the file system (reading and writing the registry, searching for files, encrypting files and so on), to prevent it from encrypting user files and then demanding ransom. This dual monitoring ensures that as soon as fileless ransomware traverses folders and files, both the application layer and the kernel layer perceive the operation in real time. Furthermore, the reason for monitoring at both layers simultaneously is to counter the stealthy ransomware hooking or filtering out the relevant API functions: even if it evades application-layer monitoring, kernel-layer real-time monitoring remains, so fileless ransomware has nowhere to hide.
Windows is a layered operating system with two privilege levels: application programs run in user mode at CPU privilege ring 3, and kernel programs run in kernel mode at ring 0. The link between user-mode and kernel-mode programs is the system API (Application Programming Interface). This interface is provided by the dynamic link library NTDLL.DLL: all user-mode API calls are realised through the corresponding API entry points in this DLL, but it only provides the interface for jumping from user mode to kernel mode and is not the final executing body. After an API call is converted into the corresponding API function in NTDLL, the system looks up the address of this API in a table called the SSDT (System Service Descriptor Table) and then actually calls it; the API executed at this point is the real native API, located in the function in the real kernel program NTOSKRNL.EXE. This process is system service dispatch. The SSDT is therefore the important junction in Windows connecting the ring 3 Win32 API with the ring 0 kernel native API.
Since the SSDT contains a large address reference table and other important information, such as the base address of the allocation index and the number of service functions, modifying the function addresses in this table can hook common Windows API functions, thereby filtering and monitoring the related system actions.
(3) Advantageous effects
Because it injects digital vaccines and monitors them at two layers, the invention has the following advantages over traditional ransomware detection schemes:
1. Simplified defence system, improved detection performance.
With the injected digital vaccine approach, bait folders and files are created in the important directories of the Windows system and traps are set; this simplifies the design of the ransomware detection and defence system. When the ransomware begins to traverse files and has not yet encrypted any, the trap is triggered and perceived at once, which improves detection performance.
2. Timely and effective detection of ransomware behaviour.
The digital vaccines are monitored in real time at the application layer; any attempt to modify a digital vaccine triggers the trap and is perceived and detected promptly. When ransomware tries to encrypt a digital vaccine it is captured and perceived at the first moment, gaining time to stop the subsequent encryption and extortion.
3. Effective detection of stealthy ransomware.
The digital vaccines are monitored in real time at the kernel layer; any unknown stealthy ransomware that attempts to hide its own behaviour can be detected effectively through cross-view detection between the kernel layer and the application layer, making it hard for it to remain hidden.
IV. Brief description of the drawings
Fig. 1 is the stealthy ransomware detection scheme of the present patent. Injecting digital vaccines comprises creating bait folders and creating bait files of different types; kernel-layer monitoring of the digital vaccines comprises monitoring and preserving the MFT and VSS, hooking the kernel SSDT table, and a kernel filter driver monitoring the bait files and other abnormal file-system behaviour; application-layer monitoring of the digital vaccines comprises monitoring the bait files with the ReadDirectoryChangesW function.
V. Detailed description
As shown in Figure 1, the specific implementation of the invention is as follows:
1. Injecting digital vaccines
(1) Create bait folders at the relevant locations in the Windows system
Since the important files of a Windows system are distributed in locations such as the disk root, the Users directory, the Users\Administrator\Documents directory, the downloads directory, the Temp directory and the %AppData% directory, stealthy ransomware is highly likely to encrypt the folders and files in these directories. Bait folders must therefore be created in these locations and traps planted, waiting for the ransomware to trigger them.
To perceive the ransomware's encryption behaviour in time, a series of bait folders such as A%, B%, C%, X%, Y%, Z% is created when laying the traps. In this way, whatever sort order the ransomware uses to read the folders, a bait folder is operated on first and so triggers the trap first, gaining the initiative for the subsequent real-time monitoring.
(2) Create bait files of various types
Since users' important data is mostly saved in file types such as .txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .jpg and .bmp, and all of these formats fall within the search range of ransomware traversing and encrypting files, bait files of the above formats, named A%, B%, C%, X%, Y%, Z% and so on, should be created, so that the ransomware hits a bait file first during file traversal and encryption.
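The injection step above, as an added illustration that is not the patent's own code: it plants the A%..Z% bait folders and the bait file types the page lists, records a hash manifest for later monitoring, and checks the page's ordering argument (a decoy is met first whether a directory is walked ascending or descending) for a given listing. It assumes the caller supplies the root directory (demo() uses a temporary directory rather than the Windows paths the page names) and uses constructed filler as bait content.

```python
"""Plant 'digital vaccine' decoys and check that they bracket a directory listing.

Added illustration for the patent's injection step; it is not the patent's own
code. Assumptions: decoys go under whatever root the caller passes (a temp
directory in demo(), not the Windows paths the page lists), and the bait
content is constructed filler.
"""
import hashlib
import os
import tempfile

BAIT_STEMS = ["A%", "B%", "C%", "X%", "Y%", "Z%"]           # names from the page
BAIT_SUFFIXES = [".txt", ".doc", ".docx", ".xls", ".xlsx",
                 ".ppt", ".pptx", ".pdf", ".jpg", ".bmp"]    # types from the page


def decoy_names():
    """Every bait stem combined with every bait suffix (6 x 10 = 60 names)."""
    return [stem + suffix for stem in BAIT_STEMS for suffix in BAIT_SUFFIXES]


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def plant_decoys(root, folder_stems=BAIT_STEMS):
    """Create one bait folder per stem under *root*, fill it with bait files and
    return a manifest {path: sha256} for a monitor to compare against later."""
    manifest = {}
    for stem in folder_stems:
        folder = os.path.join(root, stem)
        os.makedirs(folder, exist_ok=True)
        for name in decoy_names():
            path = os.path.join(folder, name)
            # Constructed filler: a decoy that reads as an ordinary document is
            # less likely to be skipped by an encryptor that ignores empty files.
            with open(path, "wb") as f:
                f.write(b"Quarterly notes for " + name.encode() + b"\n" * 32)
            manifest[path] = sha256_of(path)
    return manifest


def decoys_bracket_listing(entries, decoys):
    """Check the page's ordering argument for one directory listing.

    The listing is sorted case-insensitively, an approximation of the order a
    Windows enumeration returns. Returns (first_is_decoy, last_is_decoy): a
    traversal in ascending order meets entries[0] first, one in descending
    order meets entries[-1] first, so the trap fires first in either direction
    only if both flags are True. Names starting with characters that collate
    before 'A' (e.g. '$' or digits) or after 'Z' (e.g. '~') break the bracket,
    which is exactly the check a deployer should run per directory."""
    ordered = sorted(entries, key=str.casefold)
    decoy_set = {d.casefold() for d in decoys}
    return (ordered[0].casefold() in decoy_set,
            ordered[-1].casefold() in decoy_set)


def demo():
    """Plant decoys in a fresh temp directory and return the manifest."""
    return plant_decoys(tempfile.mkdtemp(prefix="vaccine_"))
```

The bracket check is the part worth running per target directory before trusting the traps: a folder such as $RECYCLE.BIN collates before A%, so on the disk root an ascending traversal reaches it before any decoy, and the deployer then knows to add a decoy that sorts earlier or to rely on the kernel-layer monitor for that directory.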
2. Monitoring digital vaccines in real time
(1) Application-layer real-time monitoring of digital vaccines
Application-layer real-time monitoring of the digital vaccines uses the Windows API function ReadDirectoryChangesW. First, CreateFile is used to obtain a handle to the directory to be monitored; then, in a loop, ReadDirectoryChangesW is called and passed the directory handle, the address of a buffer allocated by the caller to hold the directory change notifications, and the length of that buffer. When a file in the directory changes, the function stores the directory change notification in the specified buffer, and the name of the changed file, the directory containing it and the change notification are processed. In short, ReadDirectoryChangesW ensures that state changes of the bait folders and files are sensed quickly.
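The application-layer monitor described above, together with the process-termination triggers from section III (a decoy is touched, or one process performs frequent file writes), as an added illustration that is not the patent's own code. It stands in for the ReadDirectoryChangesW notification loop with portable polling against a baseline hash manifest, so it runs on any platform; the burst threshold and window are assumed tuning values, not figures from the page, and the scenario in demo() is constructed.

```python
"""Application-layer decoy monitor: flag tampered decoys and write bursts.

Added illustration for the patent's application-layer monitoring step and the
process-termination trigger in section III; it is not the patent's own code.
It stands in for the ReadDirectoryChangesW loop the page describes with
portable polling against a baseline manifest, so it runs on any platform;
the burst threshold and window are assumed values, not taken from the page.
"""
import hashlib
import os
import tempfile
from collections import deque


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def baseline(paths):
    """Hash each decoy in its injected, pristine state."""
    return {p: sha256_of(p) for p in paths}


def check_decoys(manifest):
    """Compare the decoys with their baseline.

    Returns a list of (path, verdict) with verdict 'modified' (content
    changed in place), 'renamed' (the decoy is gone but a sibling whose name
    starts with the decoy's name appeared, e.g. an added suffix) or 'deleted'.
    Any finding means the trap fired: a legitimate user has no reason to touch
    these files."""
    findings = []
    for path, digest in manifest.items():
        if os.path.exists(path):
            if sha256_of(path) != digest:
                findings.append((path, "modified"))
            continue
        folder, name = os.path.split(path)
        siblings = os.listdir(folder) if os.path.isdir(folder) else []
        renamed = any(s != name and s.startswith(name) for s in siblings)
        findings.append((path, "renamed" if renamed else "deleted"))
    return findings


class WriteBurstDetector:
    """The page's second trigger: one process issuing frequent file writes.

    Keeps a sliding window of write timestamps per pid; record() returns True
    when the pid reaches *threshold* writes within *window_s* seconds, the
    point at which the page terminates the process and alerts."""

    def __init__(self, threshold=50, window_s=5.0):   # assumed tuning values
        self.threshold = threshold
        self.window_s = window_s
        self.events = {}                                # pid -> deque of times

    def record(self, pid, ts):
        q = self.events.setdefault(pid, deque())
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        return len(q) >= self.threshold


def demo():
    """Constructed scenario: plant two decoys, simulate an encryptor that
    overwrites one in place and renames the other with a new suffix, and return
    the sorted verdicts."""
    root = tempfile.mkdtemp(prefix="vaccine_")
    paths = [os.path.join(root, n) for n in ("A%.txt", "Z%.docx")]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"decoy content\n")
    manifest = baseline(paths)
    with open(paths[0], "wb") as f:
        f.write(os.urandom(64))                 # in-place overwrite
    os.rename(paths[1], paths[1] + ".locked")   # rename with an added suffix
    return sorted(verdict for _, verdict in check_decoys(manifest))
```

On Windows the polling in check_decoys would be replaced by the ReadDirectoryChangesW loop the page describes (or a wrapper such as .NET's FileSystemWatcher), which delivers the changed file name without rehashing; the verdict logic and the burst detector stay the same. The burst detector deliberately keys on the process, not the file, because a real encryptor touches user files as well as decoys and the page's response is to stop the process.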
(2) Kernel-layer real-time monitoring of digital vaccines
Kernel-layer real-time monitoring mainly uses two methods: (1) hooking the SSDT (System Service Descriptor Table), (2) a filter driver capturing IRPs (I/O Request Packets). Hooking the SSDT prevents stealthy ransomware from tampering with the ReadDirectoryChangesW API function and other file-operation functions; a filter driver capturing IRPs receives the I/O requests for all files in kernel mode, ensuring that operations on the digital vaccines and other abnormal file-system behaviour are captured in time. In short, kernel-layer real-time monitoring can identify both encryption behaviour and stealth behaviour, ensuring that stealthy ransomware is discovered promptly and effectively.
(3) Monitor and preserve the MFT and VSS
The MFT (Master File Table) is the index file in NTFS that maps the storage objects on the disk. The MFT holds at least one entry for every file on the disk (including the MFT itself), containing data such as the file name, size, timestamps, security attributes and file location. Monitoring and protecting the MFT file therefore lets encryption and ransom behaviour be perceived, and is vital for subsequent file recovery.
VSS (Volume Shadow Copy Service) is the snapshot service in Windows based on copy-on-write (COW) technology. VSS ensures the authenticity of backups and of recovery through communication between three important entities: Requestor, Writer and Provider. Most ransomware deletes the VSS snapshots so that the victim cannot recover the affected files. From the perspective of detection and defence, therefore, monitoring and protecting the MFT and VSS from the kernel layer lets encryption and ransom behaviour be perceived and also helps subsequent file repair.
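The patent watches VSS from the kernel layer; the following added illustration, which is not the patent's own code, shows the user-mode approximation a detection engineer can deploy without a driver: scanning process-creation events for the two best-known shadow-copy deletion commands and collapsing the hits to the process that should be terminated and alerted on, as the page prescribes. The log lines are constructed in a simplified "timestamp|pid|parent image|command line" form, not a real Windows event layout, and the benign "vssadmin list shadows" line is included so the rule can be checked for false positives.

```python
"""Flag shadow-copy deletion attempts in process-creation logs.

Added illustration, not the patent's own code. The page notes that most
ransomware deletes VSS snapshots so victims cannot recover; this user-mode
stand-in for the kernel-layer VSS monitor flags the well-known ways of doing
so from process-creation events. The log format is constructed:
'timestamp|pid|parent_image|command_line'.
"""
import re

# Public, widely signatured deletion commands; matched case-insensitively.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
]

# Constructed sample events (the date is the patent's filing date, nothing more).
SAMPLE_LOG = """\
2018-03-24T10:00:01|4120|C:\\Windows\\explorer.exe|"C:\\Program Files\\Editor\\editor.exe" notes.docx
2018-03-24T10:00:07|5308|C:\\Users\\Public\\update.exe|cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
2018-03-24T10:00:08|5308|C:\\Users\\Public\\update.exe|wmic shadowcopy delete
2018-03-24T10:05:00|612|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\vssadmin.exe list shadows
"""


def parse_line(line):
    """Split one constructed event into its fields; the command line may itself
    contain '|' so only the first three separators are consumed."""
    ts, pid, parent, cmd = line.split("|", 3)
    return {"ts": ts, "pid": int(pid), "parent": parent, "cmd": cmd}


def find_shadow_deletions(log_text):
    """Return the parsed events whose command line matches a deletion pattern.
    Listing shadows is routine administration and must not match."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if any(p.search(event["cmd"]) for p in SHADOW_DELETE_PATTERNS):
            hits.append(event)
    return hits


def pids_to_terminate(events):
    """The page's response is to terminate the offending process and alert;
    collapse the hits to distinct pids so each process is acted on once."""
    return sorted({e["pid"] for e in events})
```

A process that attempts to delete shadow copies right after touching a decoy is the strongest combined signal this page describes; in practice the two detectors would feed one alert pipeline keyed on the pid.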
References:
1. The Center for Strategic and International Studies with McAfee. Economic Impact of Cybercrime: No Slowing Down [R]. https://www.a51.nl/sites/default/files/pdf/economic-impact-cybercrime.pdf, 2018.
2. McAfee Labs. Chinese Cybercriminals Develop Lucrative Hacking Services. https://securingtomorrow.mcafee.com/mcafee-labs/chinese-cybercriminals-develop-lucrative-hacking-services/, 2018.
3. Alexandre Gazet. Comparative Analysis of Various Ransomware Virii [J]. Journal in Computer Virology, 2010, 6(1): 77-90.
4. Akashdeep Bhardwaj, Subrahmanyam, Vinay Avasthi, et al. Ransomware: A Rising Threat of New Age Digital Extortion [J]. Computer Science, 2015, 9(14): 10-43.
5. Amin Kharraz, William Robertson, Davide Balzarotti, et al. Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks [J]. Lecture Notes in Computer Science, 2016, 9148: 3-24.
6. Carbon Black. The Ransomware Economy [R]. https://www.carbonblack.com/wp-content/uploads/2017/10/Carbon-Black-Ransomware-Economy-Report-101117.pdf, 2018.
7. Malwarebytes Labs. Cybercrime Tactics and Techniques: 2017 State of Malware [R]. https://www.malwarebytes.com/pdf/white-papers/CTNT-Q4-17.pdf, 2018.
8. Steve Mansfield-Devine. Fileless Attacks: Compromising Targets without Malware [J]. Network Security, 2017, 4: 7-11.
9. Greg Hoglund, James Butler. Rootkits: Subverting the Windows Kernel [M]. Addison-Wesley Professional, 2006.
10. Gandhi Krunal, Patel Viral. Survey on Ransomware: A New Era of Cyber Attack [J]. International Journal of Computer Applications, 2017, 168: 38-41.
11. Bander Ali Saleh Al-Rimy, Mohd Aizaini Maarof, Syed Zainudeen Mohd Shaid. Ransomware Threat Success Factors, Taxonomy, and Countermeasures: A Survey and Research Directions [J]. Computers & Security, 2018, 74: 144-166.
12. Brewer R. Ransomware Attacks: Detection, Prevention and Cure [J]. Network Security, 2016, (9): 5-9.
13. Kevin Savage, Peter Coogan, Hon Lau. The Evolution of Ransomware. http://www.symantec.com/content/en/us/enterprise/media/securityresponse/whitepapers/the-evolution-of-ransomware.pdf, 2015.
14. Aws Naser Jaber, Hasan Shakir. Ransomware: Pros and Cons Review [C]. The International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 2017: 26-32.
15. Chris Moore. Detecting Ransomware with Honeypot Techniques [C]. IEEE Cybersecurity and Cyberforensics Conference, 2016: 77-81.
16. Sajad Homayoun, Ali Dehghantanha, Marzieh Ahmadzadeh, et al. Know Abnormal, Find Evil: Frequent Pattern Mining for Ransomware Threat Hunting and Intelligence [J]. IEEE Transactions on Emerging Topics in Computing, 2017, (99): 1-10.
17. Daniele Sgandurra, Luis Muñoz-González, Rabih Mohsen, et al. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and Use for Detection [J], 2016: 1-12.
18. Jesper B. S. Christensen, Niels Beuschau. Ransomware Detection and Mitigation Tool [D]. Technical University of Denmark, 2017.
19. Amin Kharraz, Sajjad Arshad, Collin Mulliner, et al. UNVEIL: A Large-scale, Automated Approach to Detecting Ransomware [C]. IEEE International Conference on Software Analysis, Evolution and Reengineering, 2017: 1-15.
Claims (4)
1. A stealthy ransomware detection technique based on digital immunity, comprising injecting digital vaccines, application-layer real-time monitoring of the digital vaccines and kernel-layer real-time monitoring of the digital vaccines, characterised in that: by injecting digital vaccines, traps are set, and the digital vaccines are monitored simultaneously at the application layer and the kernel layer, ensuring that hidden, stealthy ransomware is detected promptly and effectively and that user devices and data are protected.
2. The stealthy ransomware detection technique based on digital immunity according to claim 1, characterised in that: in the locations of the Windows system that stealthy ransomware frequently accesses, such as the disk root, the Users directory, the Users\Administrator\Documents directory, the downloads directory, the Temp directory and the %AppData% directory, a series of bait folders such as A%, B%, C%, D%, W%, X%, Y%, Z% is created respectively.
3. The stealthy ransomware detection technique based on digital immunity according to claim 1, characterised in that: in the above bait folders, bait files (digital vaccines) named A%, B%, C%, D%, W%, X%, Y%, Z% respectively are created with file suffixes such as .TXT, .DOC, .DOCX, .XLS, .XLSX, .PPT, .PPTX, .PDF, .JPG, .BMP, .MP4, .AVI, .WMV, .MPEG, .MOV, .MKV, .FLV, .F4V, .M4V, .RMVB, .RM, .3GP, .DAT, .TS, .MTS and .VOB.
4. The stealthy ransomware detection technique based on digital immunity according to claim 1, characterised in that: at the application layer the digital vaccines are monitored in real time through the ReadDirectoryChangesW function, and at the same time, at the kernel layer, the digital vaccines are monitored in real time using a filter driver, by means such as hooking the SSDT (System Service Descriptor Table) and capturing IRPs (I/O Request Packets).
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810281216.8A CN108616510A (en) | 2018-03-24 | 2018-03-24 | It is a kind of that virus detection techniques are extorted based on digital immune reclusion |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108616510A true CN108616510A (en) | 2018-10-02 |
Family
ID=63659466
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810281216.8A Pending CN108616510A (en) | 2018-03-24 | 2018-03-24 | It is a kind of that virus detection techniques are extorted based on digital immune reclusion |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108616510A (en) |
- 2018-03-24 CN CN201810281216.8A patent/CN108616510A/en active Pending
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101018200A (en) * | 2006-02-10 | 2007-08-15 | 3柯姆公司 | Bi-planar network architecture |
CN102662741A (en) * | 2012-04-05 | 2012-09-12 | 华为技术有限公司 | Method, device and system for realizing virtual desktop |
Non-Patent Citations (1)
Title |
---|
李江涛: "Design and Implementation of a Behaviour-Based Virus Detection ***" (《基于行为的病毒检测***的设计与实现》), Selected Excellent Chinese Master's Theses (《中国优秀硕士论文辑》) * |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110555306A (en) * | 2019-09-02 | 2019-12-10 | 慧盾信息安全科技(苏州)股份有限公司 | system and method for automatically controlling process access server data authority |
CN110555306B (en) * | 2019-09-02 | 2024-02-06 | 慧盾信息安全科技(苏州)股份有限公司 | System and method for automatically controlling access authority of process to server data |
CN114175575A (en) * | 2020-07-02 | 2022-03-11 | 华为技术有限公司 | Apparatus and method for generating, using and optimizing honeypots |
CN114175575B (en) * | 2020-07-02 | 2023-04-18 | 华为技术有限公司 | Apparatus and method for generating, using and optimizing honeypots |
CN111625828A (en) * | 2020-07-29 | 2020-09-04 | 杭州海康威视数字技术股份有限公司 | Lesovirus defense method and device and electronic equipment |
CN112818346A (en) * | 2020-08-17 | 2021-05-18 | 北京辰信领创信息技术有限公司 | Method for trapping Lerso virus by file |
CN112560040A (en) * | 2020-12-25 | 2021-03-26 | 安芯网盾(北京)科技有限公司 | General detection method and device for computer infectious virus |
CN114036517A (en) * | 2021-11-02 | 2022-02-11 | 安天科技集团股份有限公司 | Virus identification method and device, electronic equipment and storage medium |
WO2023124041A1 (en) * | 2021-12-31 | 2023-07-06 | 华为云计算技术有限公司 | Ransomware detection method and related system |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Oz et al. | A survey on ransomware: Evolution, taxonomy, and defense solutions | |
JP7046111B2 (en) | Automatic detection during malware runtime | |
CN108616510A (en) | It is a kind of that virus detection techniques are extorted based on digital immune reclusion | |
Kao et al. | The dynamic analysis of WannaCry ransomware | |
Kharraz et al. | Redemption: Real-time protection against ransomware at end-hosts | |
Kharaz et al. | {UNVEIL}: A {Large-Scale}, automated approach to detecting ransomware | |
Scaife et al. | Cryptolock (and drop it): stopping ransomware attacks on user data | |
US11531753B2 (en) | Preventing ransomware from encrypting files on a target machine | |
US11232201B2 (en) | Cloud based just in time memory analysis for malware detection | |
WO2017053745A1 (en) | Malware detection via data transformation monitoring | |
WO2018099206A1 (en) | Apt detection method, system, and device | |
Patyal et al. | Multi-layered defense architecture against ransomware | |
Grégio et al. | Toward a taxonomy of malware behaviors | |
Bijitha et al. | A survey on ransomware detection techniques | |
Keong Ng et al. | VoterChoice: A ransomware detection honeypot with multiple voting framework | |
JP5326063B1 (en) | Malicious shellcode detection apparatus and method using debug events | |
Kardile | Crypto ransomware analysis and detection using process monitor | |
Deng et al. | Lexical analysis for the webshell attacks | |
Lemmou et al. | A behavioural in‐depth analysis of ransomware infection | |
Han et al. | On the effectiveness of behavior-based ransomware detection | |
Kunwar et al. | Framework to detect malicious codes embedded with JPEG images over social networking sites | |
Rashmitha et al. | Malware analysis and detection using reverse Engineering | |
JP2010182020A (en) | Illegality detector and program | |
Mansor et al. | Crytojacking Classification based on Machine Learning Algorithm | |
Kharraz | Techniques and Solutions for Addressing Ransomware Attacks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | |
Application publication date: 2018-10-02