TW201814577A - Method and system for preventing malicious alteration of data in computer system - Google Patents

Method and system for preventing malicious alteration of data in computer system Download PDF

Info

Publication number
TW201814577A
TW201814577A TW106134309A TW106134309A TW201814577A TW 201814577 A TW201814577 A TW 201814577A TW 106134309 A TW106134309 A TW 106134309A TW 106134309 A TW106134309 A TW 106134309A TW 201814577 A TW201814577 A TW 201814577A
Authority
TW
Taiwan
Prior art keywords
file
computer device
data
malicious
files
Prior art date
Application number
TW106134309A
Other languages
Chinese (zh)
Inventor
翟本喬
Original Assignee
網擎資訊軟體股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US15/286,593 external-priority patent/US20170206353A1/en
Application filed by 網擎資訊軟體股份有限公司 filed Critical 網擎資訊軟體股份有限公司
Publication of TW201814577A publication Critical patent/TW201814577A/en

Links

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The present disclosure includes a detection method for files infected by malware, especially ransomware, and an anti-malware system implemented with the method during file transmission, especially for backup or synchronization. Applying the detection method in the present disclosure before file transmission may prevent infection spreading by replace uninfected files with infected files. In one embodiment, the method includes: creating files as"baits"for being accessed by ransomware; and detecting whether files being to be transmitted due to updates including the"baits". The present disclosure also includes file recovery method while finding malware infection by the detection method of in the present disclosure.

Description

用於防止計算機系統中數據惡意更改的方法和系統    Method and system for preventing malicious change of data in computer system   

本發明屬於雲端儲存服務的資訊安全機制。更具體地說,係用於保護數據(例如檔案)避免遭受惡意軟體危害,特別是在用戶端計算機設備和雲端儲存之間的備份和還原(或同步)期間的惡意軟體所造成的惡意更改的儲存環境。此外,本發明會用至少一個實例來說明上述基於雲端儲存環境的混合雲檔案系統中,如何保護數據免受惡意更改。 The invention belongs to the information security mechanism of a cloud storage service. More specifically, it is used to protect data (such as files) from malicious software, especially malicious changes caused by malware during backup and restore (or synchronization) between client computer devices and cloud storage. Storage environment. In addition, the present invention will use at least one example to explain how to protect data from malicious changes in the hybrid cloud file system based on the cloud storage environment.

資訊安全,特別是防止電腦病毒、蠕蟲、木馬或惡意軟體(例如勒索軟體(Ransomware))的危害,通常的做法是通過掃描檢測和定期備份,並透過還原程式恢復受到惡意軟體攻擊而更改的檔案數據。常見的安全防護軟體可能會將掃描工作程式和檔案儲存在設備中,以識別是否有惡意軟體的攻擊及運作。即使發現惡意軟體已經運作,這些相關的檔案或數據也可能已經被更改或刪除。對於惡意軟體更改檔案及數據的危害,一般的安全防護軟體通常只會定期儲存相對應的副本(或整個系統的快照),一旦識別到惡意軟體已經更改數據或檔案數據(例如由勒索軟體引起的檔案加密或刪除),就可以因應用戶的要求用這個備份進行還原。 Information security, especially to prevent the harm of computer viruses, worms, Trojans or malicious software (such as Ransomware), usually through scanning and detection and regular backup, and through recovery programs to recover from malware attacks and changes Archive data. Common security software may store scan jobs and files on the device to identify malware attacks and operations. Even if the malware is found to be functioning, these related files or data may have been altered or deleted. For the harm of changing files and data by malware, general security protection software usually only saves the corresponding copy (or a snapshot of the entire system) on a regular basis. Once it is identified that the malware has changed the data or the file data (such as caused by ransomware File encryption or deletion), you can use this backup to restore at the user's request.

一般而言,掃描的機制可以經由識別惡意軟體更改數據或數據的模式,並維護已知模式的數據庫來實現。通常,惡意數據更改的模式會因為它的更新頻率而受到限制。對應驗證最新版本的惡意軟體通常無法立即被儲存到模式數據庫。因此,掃描機制通常無法因應最新惡意軟體相對應的惡意更改而表現不佳,特別是勒索軟體之類的惡意軟體,可以快速且簡單地將檔案加密並更新。 In general, the scanning mechanism can be implemented by identifying malware changing data or data patterns and maintaining a database of known patterns. Normally, the pattern of malicious data changes is limited by how often it is updated. Correspondence to verifying the latest version of malware is usually not immediately stored in the pattern database. As a result, scanning mechanisms often fail to perform well with malicious changes corresponding to the latest malware, especially malware such as ransomware, which can quickly and simply encrypt and update files.

由於雲端儲存服務的快速流行,運用備份和還原的機制也可以是惡意數據更改的解決方案之一。然而,上述解決方案的限制取決於儲存副本可以使用的資源。如果超過資源可使用範圍,那些被惡意更改的數據可能就無法還原。此外,當將多個儲存資源合併在一起的情況下,由於檔案會在多個儲存資源之間進行同步,反而導致惡意數據經由同步程式而在多個儲存資源之間傳播。換句話說,一旦儲存資源中的檔案被惡意更改。通過同步,其他儲存資源中的檔案也可能會被惡意更改。例如,相較於勒索軟體的惡意更改可能包括檔案加密和檔案名稱或檔案位置的更改,勒索軟體惡意軟體通常會要求電腦系統的用戶支付費用以取得密碼,作為解密檔案或其他解決方案,好讓檔案可以還原。因為勒索軟體的出現,傳統提供掃描機制和備份機制的軟體沒有辦法在備份和還原的機制做得很好。 Due to the rapid popularity of cloud storage services, the use of backup and restore mechanisms can also be one of the solutions for malicious data changes. However, the limitations of the above solution depend on the resources available to the storage copy. If the resources are beyond the available range, maliciously changed data may not be restored. In addition, when multiple storage resources are merged together, because files are synchronized between multiple storage resources, malicious data is transmitted between multiple storage resources via a synchronization program. In other words, once the files in the storage resource are maliciously changed. Through synchronization, files in other storage resources may also be maliciously changed. For example, compared to malicious changes in ransomware, which may include file encryption and changes in file names or file locations, ransomware malware often requires users of computer systems to pay for passwords as a decryption file or other solution, so that Files can be restored. Because of the emergence of ransomware, traditional software that provides scanning mechanisms and backup mechanisms cannot do a good job of backup and restore mechanisms.

為了用於防止上述包括電腦病毒、蠕蟲、特洛伊木馬和勒索軟體在內的惡意軟體的數據在不同設備之間作備份或同步傳播,本發明提 供了具有安全驗制的檔案管理和系統整合的解決方案。本發明還可以通過用在不同設備中未被惡意更改的保留副本或版本來替換對應於該惡意更改的檔案來提供檔案還原的實作方法。本發明也可以提供將檔案管理和用戶端設備之間的同步,以混合雲端的儲存環境。 In order to prevent the data of the above-mentioned malware including computer viruses, worms, Trojan horses, and ransomware from being backed up or transmitted synchronously between different devices, the present invention provides file management and system integration with security verification. solution. The present invention can also provide an implementation method of archive restoration by replacing the archive corresponding to the malicious change with a reserved copy or version that has not been maliciously changed in different devices. The invention can also provide synchronization between the file management and the client device to mix the cloud storage environment.

100‧‧‧用戶端設備 100‧‧‧user terminal equipment

100a-d‧‧‧用戶端設備 100a-d‧‧‧user terminal equipment

110‧‧‧本地儲存媒體 110‧‧‧ local storage media

110a‧‧‧智能電話 110a‧‧‧smartphone

110b‧‧‧筆記型電腦 110b‧‧‧ Notebook

110c‧‧‧可穿戴設備 110c‧‧‧ Wearable

110d‧‧‧網路攝影機 110d‧‧‧webcam

140‧‧‧用戶行為分析模組 140‧‧‧User Behavior Analysis Module

200‧‧‧雲端儲存伺服器集群 200‧‧‧ cloud storage server cluster

210‧‧‧儲存節點 210‧‧‧Storage Node

230‧‧‧重複數據刪除伺服器 230‧‧‧ Deduplication Server

240‧‧‧用戶行為分析伺服器 240‧‧‧User Behavior Analysis Server

300‧‧‧網路 300‧‧‧Internet

400‧‧‧反惡意軟體系統 400‧‧‧Anti-Malware System

410‧‧‧誘餌檔管理模組 410‧‧‧Bait File Management Module

420‧‧‧惡意軟體檢測模組 420‧‧‧ Malware Detection Module

421‧‧‧模式識別器 421‧‧‧ pattern recognizer

422‧‧‧訊息接收器 422‧‧‧Message Receiver

430‧‧‧同步管理模組 430‧‧‧Synchronous Management Module

431‧‧‧備份管理組件 431‧‧‧Backup management component

210a-c‧‧‧儲存節點 210a-c‧‧‧Storage node

220‧‧‧管理伺服器 220‧‧‧Management Server

500‧‧‧操作系統 500‧‧‧ operating system

510‧‧‧混合雲檔案系統 510‧‧‧ Hybrid Cloud File System

520‧‧‧檔案系統管理模組 520‧‧‧File System Management Module

530‧‧‧高速快取管理系統 530‧‧‧High-speed cache management system

540‧‧‧同步管理模組 540‧‧‧Synchronous Management Module

541‧‧‧預取管理組件 541‧‧‧Prefetch Management Module

543‧‧‧重複數據刪除組件 543‧‧‧ Deduplication component

545‧‧‧上傳管理組件 545‧‧‧ upload management component

547‧‧‧取出管理組件 547‧‧‧Remove management component

549‧‧‧刪除管理組件 549‧‧‧ Delete management component

432‧‧‧還原管理組件 432‧‧‧Restore management component

433‧‧‧停止管理組件 433‧‧‧Stop management component

541‧‧‧預取管理組件 541‧‧‧Prefetch Management Module

550‧‧‧儲存裝置 550‧‧‧Storage device

550a-c‧‧‧儲存裝置 550a-c‧‧‧Storage device

570‧‧‧高速快取設備 570‧‧‧High-speed cache device

600‧‧‧電子設備 600‧‧‧Electronic equipment

610‧‧‧儲存媒體 610‧‧‧Storage media

630‧‧‧處理器 630‧‧‧Processor

650‧‧‧記憶體 650‧‧‧Memory

670‧‧‧通訊模組 670‧‧‧Communication Module

S101~S630‧‧‧步驟 S101 ~ S630‧‧‧step

請參考圖式,以下將詳細說明本發明各面向的內容。按照一般的標準做法,為了清楚說明,圖式並不會依其比例,而會為了特別強調某個功能的特徵.而放大或縮小。 With reference to the drawings, the aspects of the present invention will be described in detail below. In accordance with general standard practice, for clarity, the drawings are not scaled, but are enlarged or reduced to emphasize the characteristics of a function.

圖1顯示根據本發明的實施例,所呈現的雲端儲存系統和具有檔案管理系統的用戶端設備。 FIG. 1 shows a cloud storage system and a client device with a file management system according to an embodiment of the present invention.

圖2是根據本發明的實施例,在該用戶端設備和基於雲端儲存系統之間的驗證和檔案傳輸過程的流程圖。 2 is a flowchart of a verification and file transfer process between the client device and a cloud-based storage system according to an embodiment of the present invention.

圖3A和3B是分別呈現了根據本發明的實施例所對應上述用戶端設備和該基於雲端儲存系統的驗證和檔案發送處理的流程圖。 3A and 3B are flowcharts respectively showing the above-mentioned client device corresponding to the embodiment of the present invention and the cloud storage system-based verification and file sending process.

圖4A和4B是呈現根據本發明的一些實施例,所分別創建對應於該用戶端設備和該基於雲端儲存系統的誘餌的驗證過程的流程圖。 4A and 4B are flowcharts showing a verification process created corresponding to the client device and the cloud storage system-based decoy, respectively, according to some embodiments of the present invention.

圖5是呈現根據本發明的一些實施例的典型的反惡意軟體(或惡毒軟體)系統的示意圖。 FIG. 5 is a schematic diagram showing a typical anti-malware (or malware) system according to some embodiments of the present invention.

圖6呈現根據本發明的一些實施例的分別具有反惡意軟體系統的典型的雲端儲存系統和用戶端設備。 FIG. 6 presents a typical cloud storage system and a client device with anti-malware systems, respectively, according to some embodiments of the invention.

圖7A呈現根據本發明的一些實施例的典型的混合雲端儲存 系統。 Figure 7A presents a typical hybrid cloud storage system according to some embodiments of the invention.

圖7B是呈現與用戶端設備和雲端儲存系統的雲端儲存集群相關聯的典型操作系統的示意圖。 FIG. 7B is a schematic diagram showing a typical operating system associated with a cloud storage cluster of a client device and a cloud storage system.

圖7C是呈現根據圖7B中的描述,在用戶端設備100進行典型操作系統的示意圖。 FIG. 7C is a schematic diagram showing a typical operating system performed on the client device 100 according to the description in FIG. 7B.

圖7D是呈現根據本發明的一些實施例的雲端儲存系統的典型的網路架構的示意圖。 FIG. 7D is a schematic diagram showing a typical network architecture of a cloud storage system according to some embodiments of the present invention.

圖7E是呈現根據圖7C中的描述,實施例典型反惡意軟體系統的示意圖。 FIG. 7E is a schematic diagram showing a typical anti-malware system according to the embodiment described in FIG. 7C.

圖8是參照圖6到圖7D的一些實施例的典型電子設備的功能框。 FIG. 8 is a functional block diagram of a typical electronic device with reference to some embodiments of FIGS. 6 to 7D.

為了一致性目的和易於理解,在典型的圖中具有相似數字的特徵被識別(儘管在某些情況下未呈現)。然而,不同實施例中的特徵在其它方面可能不同,因此不應該局限於圖中所描述的部份。 For consistency purposes and ease of understanding, features with similar numbers are identified in typical figures (though not shown in some cases). However, the features in different embodiments may differ in other respects, and therefore should not be limited to the parts described in the figures.

圖1顯示根據本發明的實施例的典型雲端儲存系統。典型雲端儲存系統包括用戶端設備100能夠通過網路300在雲端儲存伺服器集群200中發送或接收不同類型的檔案。如圖1所示,用戶端設備100可以對應於具有用於檔案儲存的一個或多個檔案夾的檔案系統和用於同步檔案和檔案目錄(分別在圖1中描繪為“Document”和“Folde”)的“Sync Folder”的檔案夾。)到雲端儲存伺服器集群200。在用戶端裝置100中執行的軟體程式可以週期性地檢查“Sync Folde”中的檔案的更改,並且將更改的更改訊息或 檔案傳送到雲端儲存伺服器集群200,以使雲端儲存伺服器集群200在其中進行相應的檔案更改。在本發明的實施例中,可以在同步檔案夾中創建沒有實質內容的假檔案。這些假檔案可能包含元數據(metadata),吸引惡意軟體的惡意更改,尤其是勒索軟體。在上述原因方面,假檔案在圖1中被描繪為“誘餌”。例如,誘餌可以具有與檔案和圖像相同的檔案擴展名,例如“.txt”、“.csv”、“.jpg”等。在本發明的實施例中,可以產生誘餌並將其混合一組檔案儲存在檔案系統目錄中的同一檔案夾中。在實施例上,誘餌可以具有檔案名稱,檔案建立日期,以及其他檔案被排序和執行的遵循規則等。另一方面,誘餌可能具有不被用戶讀取的特徵,以防止將用戶讀取誘餌檔而誤認為是惡意軟體而將其刪除或更改。例如,誘餌的檔案名可以應用用戶被標識為假檔案的規則,例如“ab4687h”。雖然誘餌是圖像檔案,但是作為假的指示可以被包括在用於檔案系統呈現給用戶以進行識別的圖像中,例如“這是假檔案”的圖像。通過監控與誘餌檔相對應的數據更改,可以實施例知道惡意數據更改,特別是勒索軟體的數據更改的驗證。假設電腦系統的用戶不能讀取和編輯誘餌,而誘餌檔的數據更改可能僅由惡意軟體所引起,且沒有通知用戶及沒有使用用戶的權限。為了檢測儲存設備的“每個角落”中的惡意數據變化,可以有系統地創建多個甚至大量的誘檔餌,並分佈在不同的檔案夾(檔案系統中的路徑)中,特別是具有一組檔案的檔案夾。在本發明的一實施例中,為了檢測諸如檔案加密的檔案加密的惡意數據更改,檔案加密將檔案更改為僅具有相同檔案名和檔案元數據的一部分的另一檔案類型,可以通過監控新的檔案生成和識別具有相同檔案名(或至少一部分檔案元數據)的來自該新創建檔案的誘餌檔。在一實施例中,藉由 產生和維護誘餌檔的數據庫,以便與電腦系統中的數據更改進行比較,以監測誘餌檔的狀態並識別誘餌檔的變化。誘餌檔的監控可以通過定期掃描包括誘餌的檔案夾來實現。然而,為了節省系統資源,可以通過對電腦系統的儲存媒介的過程或指令的監控來代替掃描。經由捕獲諸如檔案創建,檔案更新和檔案刪除之類的指令,並將其與上述的誘餌數據庫進行比較,以識別誘餌檔是否被更改數據。誘餌檔的數據更改可能會作為惡意數據更改的信號發揮作用,因為誘餌的更改被假定為僅由軟體引起,特別是可疑的惡意軟體。 FIG. 1 shows a typical cloud storage system according to an embodiment of the present invention. A typical cloud storage system includes that the client device 100 can send or receive different types of files in the cloud storage server cluster 200 through the network 300. As shown in FIG. 1, the client device 100 may correspond to a file system having one or more folders for file storage and for synchronizing files and file directories (depicted as “Document” and “Folde respectively in FIG. 1 ")" Folder of "Sync Folder". ) To the cloud storage server cluster 200. The software program executed in the client device 100 may periodically check the file changes in the “Sync Folde” and send the changed change message or file to the cloud storage server cluster 200 so that the cloud storage server cluster 200 Make the appropriate file changes there. In the embodiment of the present invention, a fake file without substantial content can be created in the synchronization file folder. These fake files may contain metadata that attracts malicious changes from malware, especially ransomware. For these reasons, the fake file is depicted as "bait" in FIG. For example, the bait may have the same file extension as the files and images, such as ".txt", ".csv", ".jpg", and so on. In an embodiment of the present invention, a bait can be generated and mixed with a set of files and stored in the same folder in a file system directory. In an embodiment, the bait may have a file name, a file creation date, and other rules that the files are sorted and executed according to. On the other hand, the decoy may have a feature that is not readable by the user to prevent the user from reading the decoy file and mistakenly thinking it as malicious software to delete or change it. For example, the file name of the decoy may apply the rules that the user is identified as a fake file, such as "ab4687h". Although the bait is an image archive, an indication as a fake may be included in an image for the archive system to present to the user for identification, such as an image of "this is a fake archive". By monitoring data changes corresponding to decoy files, embodiments can be aware of malicious data changes, especially verification of data changes by ransomware. It is assumed that the users of the computer system cannot read and edit the decoy, and the data change of the decoy file may be caused only by malware, and the user is not notified and has no permission to use the user. In order to detect malicious data changes in "every corner" of the storage device, multiple or even large numbers of bait can be systematically created and distributed in different folders (paths in the file system), especially with a Folder for group files. In an embodiment of the present invention, in order to detect malicious data changes such as archive encryption, archive encryption, archive encryption changes an archive to another archive type that has only the same archive name and a part of archive metadata, and can monitor new archives Generate and identify decoy files from the newly created archive with the same archive name (or at least a portion of the archive metadata). In one embodiment, a database of decoy files is generated and maintained for comparison with data changes in a computer system to monitor the status of the decoy files and identify changes in the decoy files. The bait file can be monitored by periodically scanning the file folder containing the bait. However, in order to save system resources, scanning or monitoring of the process or instructions of the storage medium of the computer system can be used instead. Instructions such as archive creation, archive update, and archive deletion are captured and compared with the above-mentioned decoy database to identify whether the decoy file has been changed. The data change of the decoy file may serve as a signal of malicious data change, because the change of the decoy is assumed to be caused solely by software, especially suspicious malware.

用戶端設備100可以是個人電腦、筆記型電腦、個人數據助理、手機、車用電腦、遊戲機、智慧型手機或能夠運行軟體應用並能夠運行軟體應用的其他可以存取網路的電子設備。網路300可以是任何類型的數據網路,包括網際網路、蜂巢式網路、區域網路、廣域網路、或其它任何形式的網路、或其組合,或經由網路的通信可以進行有線和無線部署。雲端儲存伺服器集群200可以是任何物理和虛擬架構中的一個或多個伺服器。在一實施例中,雲端儲存伺服器集群200可以被實施在單個地理位置,其中一個或多個伺服器中可以進行相關溝通及連接。在實施例中,雲端儲存伺服器集群200可以利用一個或多個電腦網路進行有線或無線通信網路的連接。在實施例中,雲端儲存伺服器集群200可以是建立於不同的地理位置中的電腦設備所提供的軟體定義資源池上的一個或多個虛擬機。在實施例中,雲端儲存伺服器群集200的一部分可以選擇性地採用前述物理和虛擬部署。 The client device 100 may be a personal computer, a notebook computer, a personal data assistant, a mobile phone, a car computer, a game console, a smart phone, or other electronic devices capable of running a software application and capable of accessing a network. The network 300 may be any type of data network, including the Internet, a cellular network, a local area network, a wide area network, or any other form of network, or a combination thereof, or communication via the network may be wired And wireless deployment. The cloud storage server cluster 200 may be one or more servers in any physical and virtual architecture. In one embodiment, the cloud storage server cluster 200 may be implemented in a single geographic location, and one or more servers may perform related communication and connection. In an embodiment, the cloud storage server cluster 200 may use one or more computer networks to connect to a wired or wireless communication network. In an embodiment, the cloud storage server cluster 200 may be one or more virtual machines on a software-defined resource pool provided by computer equipment established in different geographical locations. In an embodiment, a portion of the cloud storage server cluster 200 may selectively employ the aforementioned physical and virtual deployments.

根據本發明的一些實施例,圖2描述了圖1中的用戶端設備 100和雲端儲存伺服器群集200之間的檔案傳輸的典型的驗證過程。而參考圖2,在步驟S101中,用戶端裝置100中執行的上述軟體程式可以通過識別對應的模式來週期性地檢查數據的惡意更改,並且確定數據是否被惡意地竄改,特別是將檔案傳送(或同步)到雲端儲存伺服器集群200。這些模式可以包括上述的誘餌檔的數據更改或導致大量檔案在短時間內被同步的重要的數據更改。在本發明的一個實施例中,模式識別可以與定期檔案同步同時進行。在每次開始檔案同步之前,用戶端設備100可以檢查要同步(或備份)的兩個檢查檔案的檔案更新以及惡意數據更改模式,包括檔案更新頻率和對應於誘餌檔的數據更改。在步驟S110中,如果用戶端設備100發現惡意數據更改的模式,則用戶端設備100可以暫停或停止檔案同步,並且在本發明的一個實施例中,用戶端設備100可以向用戶提供惡意數據更改警告訊息。在一些實施例中,也可以向雲端儲存伺服器集群200提供警告消息。本發明的實施例中,可以套用上述惡意數據更改模式的多個檢測裝置。在通過第一段檢測裝置發現惡意數據更改的模式開始發生時,可以將同步暫停一段時間。在這段時間內,用戶端設備100可以通過檢測其它裝置來發現是否有惡意數據更改動作。如果通過上述的檢測過程確認惡意數據更改,則用戶端設備100可以停止檔案同步。另一方面,如果在這段停止期間尚無法識別上述惡意數據更改的情況,則用戶端設備100可以繼續檔案同步。例如,用戶端設備100可以在發現面臨大規模檔案的頻繁數據更改時,會暫停檔案同步及傳輸一段時間,如果發現誘餌檔正在更新並發送傳送的請求,則用戶端設備100可以進一步停止檔案傳輸。否則,用戶端設備100可以在上述週期之後進一步繼續檔案傳輸。上述示例不限 於本發明中的檢測裝置,例如,用戶端設備100也可以啟動監控任何惡意軟體(特別是勒索軟體)與其中正在執行的更改誘餌檔數據的指令,以確認是否有惡意數據更改的行為。在本發明實施例中,用戶端設備100還可以向用戶端設備100中,安裝和操作的防惡意軟體提供上述警告消息,以用於惡意軟體警報和相應的檔案還原。在本發明的實施例中,用戶端設備100還可以向雲端儲存伺服器集群200進一步提供上述警告消息和對應於惡意數據更改的檔案的範圍,用於接收相應的備份檔案不被惡意地更改為檔案還原。在步驟S102中,如果用戶端裝置100沒有發現惡意檔案更改,則用戶端裝置100可以通過將檔案更新資訊和更新檔案發送到雲端儲存伺服器集群200來開始檔案同步,並且在一些實例中,基於檔案更新來檢查哪個可以與步驟S101同時進行。在步驟S201中,於本發明實施例中,上述軟體過程也可以在雲端儲存伺服器集群200中執行,用於將儲存接收到的檔案的雲端儲存伺服器集群200更新或更新之前檢查惡意數據更改模式檔案作相對應的位置的同步。這些模式還可以包括在一段時間內對應於大量檔案(待儲存以用於同步)的誘餌檔的數據更改或頻繁數據更改。在步驟S202中,如果雲端儲存伺服器群集200沒有發現惡意數據更改,則雲端儲存伺服器集群200可以通過將儲存設備接收到的檔案或替換檔案來開始檔案同步,並且在本發明的一個實施例中,基於與步驟S201同時進行的檔案更新檢查。在步驟S210中,如果雲端儲存伺服器群集200發現惡意數據更改,則雲端儲存伺服器群集200可以通過刪除所接收的檔案來暫停或停止檔案同步,並且在本發明的實施例中,用戶端設備100還可以提供向用戶端設備100發送惡意數據更改的警告訊息。如前所述,發現由第一檢測裝 置發現的惡意數據更改,可以暫停同步一段時間,在此期間,雲端儲存伺服器集群200可以通過其他檢測裝置來確認惡意數據更改。如果惡意數據更改被確認,雲端儲存伺服器集群200可能會停止檔案同步。另一方面,如果無法通過上述其他檢測裝置確認惡意數據更改,則雲端儲存伺服器集群200可以繼續檔案同步。例如,雲端儲存伺服器集群200可以停止檔案同步,並且僅在一段時間內持續接收檔案同步請求,同時在一段時間內發現相對於大規模檔案的頻繁數據更改。如果任何誘餌檔被更改並請求同步,雲端儲存伺服器集群200可能會停止檔案同步。否則,雲端儲存伺服器集群200可以在上述週期之後進一步繼續檔案傳輸。在步驟S120中,在本發明實施例中,用戶端設備100還可以向用戶端設備100的用戶或其中安裝和操作的反惡意軟體提供惡意數據更改的警告訊息,用於惡意軟體刪除或檔案恢復。 According to some embodiments of the present invention, FIG. 2 illustrates a typical verification process for file transfer between the client device 100 and the cloud storage server cluster 200 in FIG. 1. Referring to FIG. 2, in step S101, the software program executed in the client device 100 can periodically check for malicious changes in data by identifying corresponding patterns, and determine whether the data has been tampered with maliciously, especially by transmitting files. (Or sync) to the cloud storage server cluster 200. These modes can include data changes to the decoy files described above or important data changes that cause a large number of files to be synchronized in a short period of time. In one embodiment of the present invention, pattern recognition can be performed simultaneously with periodic file synchronization. Before starting the file synchronization each time, the client device 100 can check the file update and malicious data change mode of the two check files to be synchronized (or backed up), including the file update frequency and the data change corresponding to the decoy file. In step S110, if the client device 100 finds a pattern of malicious data change, the client device 100 may suspend or stop file synchronization, and in one embodiment of the present invention, the client device 100 may provide the user with malicious data changes. Warning message. In some embodiments, a warning message may also be provided to the cloud storage server cluster 200. In the embodiment of the present invention, a plurality of detection devices of the aforementioned malicious data modification mode may be applied. When the pattern of malicious data changes detected by the first detection device starts to occur, the synchronization may be suspended for a period of time. During this time, the client device 100 can detect whether there is a malicious data modification action by detecting other devices. If malicious data changes are confirmed through the above detection process, the client device 100 may stop file synchronization. On the other hand, if the situation of the malicious data change cannot be identified during this stop period, the client device 100 can continue to synchronize the files. For example, the client device 100 may suspend file synchronization and transmission for a period of time when it finds frequent data changes in large-scale files. If it is found that the decoy file is being updated and sending a transmission request, the client device 100 may further stop the file transmission. . Otherwise, the client device 100 may further continue the file transmission after the above period. The above examples are not limited to the detection device in the present invention. For example, the client device 100 may also start monitoring any malicious software (especially ransomware) and the instructions that are being executed to change the data of the decoy file to confirm whether any malicious data has been changed. behavior. In the embodiment of the present invention, the client device 100 may further provide the above-mentioned warning message to the anti-malware software installed and operated in the client device 100, for use in malware alert and corresponding file restoration. In the embodiment of the present invention, the client device 100 may further provide the above-mentioned warning message and the range of the archive corresponding to the malicious data change to the cloud storage server cluster 200 for receiving the corresponding backup archive that is not maliciously changed to File restoration. In step S102, if the client device 100 does not find a malicious file change, the client device 100 can start file synchronization by sending file update information and update files to the cloud storage server cluster 200, and in some examples, based on The file is updated to check which can be performed simultaneously with step S101. In step S201, in the embodiment of the present invention, the software process described above may also be executed in the cloud storage server cluster 200, and used to update the cloud storage server cluster 200 storing the received files before updating or checking for malicious data changes. The pattern files are synchronized at the corresponding positions. These modes may also include data changes or frequent data changes of the decoy file corresponding to a large number of files (to be stored for synchronization) over a period of time. In step S202, if the cloud storage server cluster 200 does not find malicious data changes, the cloud storage server cluster 200 may start file synchronization by replacing or receiving files received by the storage device, and in an embodiment of the present invention In the process, the file update check is performed simultaneously with step S201. In step S210, if the cloud storage server cluster 200 finds a malicious data change, the cloud storage server cluster 200 may suspend or stop file synchronization by deleting the received file, and in the embodiment of the present invention, the client device 100 may also provide a warning message that sends malicious data changes to the client device 100. As described above, when malicious data changes discovered by the first detection device are discovered, synchronization can be suspended for a period of time, during which the cloud storage server cluster 200 can confirm the malicious data changes through other detection devices. If malicious data changes are confirmed, the cloud storage server cluster 200 may stop file synchronization. On the other hand, if the malicious data change cannot be confirmed by the other detection devices, the cloud storage server cluster 200 can continue to synchronize files. For example, the cloud storage server cluster 200 can stop file synchronization and continuously receive file synchronization requests for only a period of time, while discovering frequent data changes relative to large-scale files over a period of time. If any decoy files are changed and synchronization is requested, the cloud storage server cluster 200 may stop file synchronization. Otherwise, the cloud storage server cluster 200 may further continue the file transmission after the above period. In step S120, in the embodiment of the present invention, the client device 100 may also provide a warning message of malicious data changes to the user of the client device 100 or anti-malware installed and operated therein, for use in malware removal or file recovery. .

圖3A呈現了圖1中的用戶端設備100的檔案傳輸的典型驗證過程。根據本發明的一些實施例。參考如圖3A所示,在步驟S310中,在用戶端設備100中執行的上述軟體過程可以週期性地將當前檔案資訊與前一檔案同步之前的檔案資訊進行比較,以確認數據是否有不一致來確定是否有惡意檔案更改,這也決定了與雲端儲存伺服器集群200的檔案同步情況。在一些實施例中,也可以通過檢查數據更改指令的頻率和對應的檔案規模來檢測惡意數據更改。在步驟S320中,用戶端設備100還可以檢查誘餌檔的檔案狀態以確定惡意數據更改。在本發明實施例中,可以簡單地通過在更新的檔案列表中,識別要傳送到雲端儲存伺服器集群200的上述誘餌檔來完成檢查。在本發明的實施例中,如果用戶端設備100發現惡意 數據在步驟S330中,用戶端設備100可以停止檔案同步過程並停止將檔案傳送到雲端儲存伺服器集群200,用戶端設備100還可以請求來自雲端儲存伺服器集群200的備份檔案來替換惡意修改檔案進行檔案還原。還原檔案的範圍可以通過掃描來識別惡意更改的檔案或簡單地根據識別惡意數據更改的時間在特定時間段內更新的所有檔案來確定。在本發明的實施例中,如果用戶端設備100找不到惡意數據更改,則在步驟S340中,用戶端設備100可以繼續將檔案傳送到雲端儲存伺服器集群200。本發明不限於步驟S310和S320以及步驟S310和S320之間,如果沒有發現惡意數據更改,則可以存在用於指示步驟S310和S320的下一步驟,步驟S315,並且在發現數據的惡意更改時進入步驟S330。同樣的,如果沒有發現惡意數據更改,則可能存在從步驟S310和S320的下一步引導到步驟S340的步驟S325,並且在發現惡意數據更改時進入步驟S330。在本發明的實施例中,由第一檢測裝置發現有數據被異動是可以暫停同步一段時間。在這段時間則會不斷執行步驟S310和步驟S320的惡意數據更改的檢查。例如,當發現惡意數據更改時,用戶端設備100可以通過其他步驟來確定檔案同步過程來確認是否有惡意數據的更改。一旦確認惡意數據更改,用戶端設備100可以停止檔案同步並請求檔案還原;反之,用戶端設備100可以在步驟S340中繼續檔案同步。 FIG. 3A presents a typical verification process of the file transfer of the client device 100 in FIG. 1. According to some embodiments of the invention. Referring to FIG. 3A, in step S310, the software process executed in the client device 100 may periodically compare the current file information with the file information before the previous file synchronization to confirm whether the data is inconsistent. It is determined whether there are malicious file changes, which also determines the file synchronization with the cloud storage server cluster 200. In some embodiments, malicious data changes can also be detected by checking the frequency of data change instructions and the corresponding file size. In step S320, the client device 100 may also check the file status of the decoy file to determine malicious data changes. In the embodiment of the present invention, the inspection can be completed simply by identifying the above-mentioned bait file to be transmitted to the cloud storage server cluster 200 in the updated file list. In the embodiment of the present invention, if the client device 100 finds malicious data in step S330, the client device 100 may stop the file synchronization process and stop transmitting files to the cloud storage server cluster 200. The client device 100 may also request Backup files from the cloud storage server cluster 200 are used to replace maliciously modified files for file restoration. The scope of the restored archives can be determined by scanning to identify maliciously altered archives or simply by updating all archives within a specific time period based on the time at which malicious data changes were identified. In the embodiment of the present invention, if the client device 100 cannot find malicious data changes, in step S340, the client device 100 may continue to transmit the file to the cloud storage server cluster 200. The present invention is not limited to steps S310 and S320 and between steps S310 and S320. If no malicious data change is found, there may be a next step for indicating steps S310 and S320, step S315, and enter when a malicious change of data is found Step S330. Similarly, if no malicious data change is found, there may be step S325 leading from the next step of steps S310 and S320 to step S340, and when the malicious data change is found, it proceeds to step S330. In the embodiment of the present invention, if the first detection device finds that the data is changed, the synchronization may be suspended for a period of time. During this period, the check of malicious data changes in step S310 and step S320 is continuously performed. For example, when malicious data changes are found, the client device 100 may determine the archive synchronization process to determine whether there are changes in the malicious data through other steps. Once the malicious data is confirmed to be changed, the client device 100 may stop the file synchronization and request the file restoration; otherwise, the client device 100 may continue the file synchronization in step S340.

圖3B呈現圖1中的雲端儲存伺服器集群200的檔案接收和儲存的典型的驗證過程。根據本發明的一些實施例。參考如圖3B所示,在步驟S410中,雲端儲存伺服器集群200可以週期性地從用戶端設備100接收檔案或檔案更新,並維護或更新所接收的檔案的相應副本,以便與用戶 端設備100進行檔案同步。雲端儲存伺服器集群200可以進一步保留要在用戶端設備100(被同步的檔案)中被更新或刪除的相應檔案被替換或刪除的副本。在本發明的一個實施例中,在步驟S415中,也可以在雲端儲存伺服器集群200中執行上述軟體過程,並且週期性地檢查在特定時間段內是否要同步的檔案或檔案更新(表示為“檔案更新頻率”)達到通過數據不一致性確定惡意數據更改的上限值。如果上述檔案更新頻率不符合上限值,意味著沒有惡意數據更改,則軟體程式可能會繼續監控檔案更新頻率。在本發明的另一實施例中,還可以通過檢查接收到的檔案更新(對應於用戶端設備100中更新的檔案)是否包括在用戶端設備100中生成的誘餌檔來確定是否有惡意數據更改,一旦上述誘餌檔發現更新,雲端儲存伺服器集群200可以確定與誘餌檔相鄰接收的檔案更新是可疑的惡意更改。因此可以確定檔案還原的範圍。在本發明的一個實施例中,如果符合檔案更新頻率上限值,表示惡意數據更改確有發生,則在步驟S420中,雲端儲存伺服器集群200可以停止檔案同步,以防止惡意更改的檔案在設備之間傳播。在本發明的一個實施例中,雲端儲存伺服器集群200可以進一步確定懷疑被惡意更改(通過惡意軟體)的檔案並檢索相應的保留副本以替換上述惡意更改的檔案以進行檔案還原。在本發明的一個實施例中,雲端儲存伺服器集群200可以向用戶端設備100發送惡意數據更改的確認訊息,以發起包括用戶端設備100中的惡意軟體刪除或檔案還原的反惡意軟體過程。在本發明的一個實施例,用戶端設備100還可以從雲端儲存伺服器集群200請求檔案還原,並且雲端儲存伺服器集群200還可以將上述保留副本發送回用戶端設備100,以同步返回以替換被保留副本惡意更改的檔案。在用戶 端設備100(或雲端儲存伺服器集群200)向用戶提供警告訊息之後,還可以由用戶端設備100(或雲端儲存伺服器集群200)的用戶發起上述檔案還原。在本發明的一個實施例中,由第一檢測裝置發現可能有惡意更改數據的情況時,同步會暫時停止,並且持續僅一段時間。在發現惡意數據更改的同時,雲端儲存伺服器集群200可以通過其他方式停止檔案同步過程一段時間以進行確認,例如,等待從數據更改觸發的用戶端設備100接收惡意數據更改的警告訊息的上述誘餌檔。一旦確認惡意數據更改,雲端儲存伺服器集群200可以停止檔案同步並將檔案同步回到用戶端設備100;反之,雲端儲存伺服器集群200可以在步驟S410中繼續檔案同步。 FIG. 3B presents a typical verification process for receiving and storing files in the cloud storage server cluster 200 in FIG. 1. According to some embodiments of the invention. Referring to FIG. 3B, in step S410, the cloud storage server cluster 200 may periodically receive files or file updates from the client device 100, and maintain or update corresponding copies of the received files to communicate with the client device 100 for file synchronization. The cloud storage server cluster 200 may further retain a copy of the corresponding file to be updated or deleted in the client device 100 (synchronized file). In one embodiment of the present invention, in step S415, the software process described above may also be executed in the cloud storage server cluster 200, and the files or file updates (represented as "Archive Update Frequency") reaches the upper limit for determining malicious data changes through data inconsistencies. If the above file update frequency does not meet the upper limit, which means that there are no malicious data changes, the software program may continue to monitor the file update frequency. In another embodiment of the present invention, it is also possible to determine whether there are malicious data changes by checking whether the received file update (corresponding to the updated file in the client device 100) includes a decoy file generated in the client device 100 Once the bait file is found to be updated, the cloud storage server cluster 200 may determine that the file update received adjacent to the bait file is a suspicious malicious change. Therefore, the scope of file restoration can be determined. In an embodiment of the present invention, if the upper limit of the file update frequency is met, indicating that malicious data changes do occur, in step S420, the cloud storage server cluster 200 may stop file synchronization to prevent maliciously changed files from being Spread between devices. In one embodiment of the present invention, the cloud storage server cluster 200 may further determine files suspected of being maliciously changed (by malware) and retrieve corresponding reserved copies to replace the maliciously changed files for file restoration. In one embodiment of the present invention, the cloud storage server cluster 200 may send a confirmation message of malicious data change to the client device 100 to initiate an anti-malware process including malware deletion or file restoration in the client device 100. In an embodiment of the present invention, the client device 100 may also request file restoration from the cloud storage server cluster 200, and the cloud storage server cluster 200 may also send the above-mentioned reserved copy back to the client device 100 for synchronous return to replace A maliciously altered archive of retained copies. After the client device 100 (or the cloud storage server cluster 200) provides the user with a warning message, the user of the client device 100 (or the cloud storage server cluster 200) may also initiate the foregoing file restoration. In an embodiment of the present invention, when the first detection device finds that there may be malicious changes to the data, the synchronization is temporarily stopped and lasts only for a period of time. When malicious data changes are found, the cloud storage server cluster 200 may stop the file synchronization process for a period of time for confirmation, for example, waiting for receiving the malicious data change warning message from the client device 100 triggered by the data change. files. Once the malicious data is confirmed to be changed, the cloud storage server cluster 200 may stop the file synchronization and synchronize the files back to the client device 100; otherwise, the cloud storage server cluster 200 may continue the file synchronization in step S410.

圖4A呈現了圖1中的用戶端設備100的檔案傳輸的典型驗證過程。根據本發明的一些實施例。參考圖4A所示,在步驟S510中,用戶端設備100可以創建作為上述誘餌檔的檔案,並且將誘餌檔儲存到檔案夾中作為由勒索軟體進行的惡意數據更改的指標,甚至具有較高優先級的指標將被勒索軟體(或其他類型的惡意軟體)。在本發明的一個實施例中,可以產生誘餌檔並將其混合到父檔案夾中的一組檔案和子檔案夾中,以便被勒索軟體視為同一批檔案而進行感染動作。在本發明的一個實施例中,誘餌檔會具有以更高優先級排列的勒索軟體處理的特徵,諸如以字母順序首先排序的檔案名稱,或以時間遞減順序排列的檔案更新日期。在本發明的一個實施例中,誘餌檔也可以具有被識別為誘餌檔的特徵,以避免用戶意外地讀取或更改檔案名稱,以被識別為無意義,並且被識別為“誘餌檔”。例如,用戶端設備100可以創建包括“這是一個誘餌檔”的圖像,以在檔案系統讀取圖像時提供預覽,以避免用戶更改檔案。在步驟S520中,用戶端設 備100可以週期性地檢查誘餌檔的檔案狀態以識別勒索軟體對數據的惡意更改。在本發明的一個實施例中,用戶端設備100可以將更新的檔案發送到雲端儲存伺服器集群200以進行備份。用戶端設備100可以檢查包括用於識別誘餌的惡意更改的誘餌的檔案的更新是否被假設不被用戶更改。在本發明的一個實施例中,用戶端設備100還可以檢查包括具有相同檔案名的檔案或檔案元數據的至少一部分的檔案的更新是否是用於識別勒索軟體的惡意加密的誘餌,這通常導致檔案為加密成另一種檔案類型,只有相同的檔案名和檔案元數據的一部分。雖然誘餌的數據被更改,但它可能意味著同一檔案夾中的檔案或相關檔案夾中的誘餌檔也被勒索軟體惡意地更改(例如加密或刪除)。在本發明的一個實施例中,在步驟S525中,用戶端設備100在檢測到由勒索軟體進行的數據的惡意更改之後,可以停止檔案傳輸(或檔案備份),以防止數據擴散到雲端儲存伺服器集群200的惡意更改在步驟S530中,從用戶端設備100替換惡意更改的檔案的雲端儲存伺服器群集200中的檔案.在本發明的一個實施例中,用戶端設備100還可以啟動監控對應於正在其中執行的誘餌的數據更改的指令的過程,以確認惡意數據更改。在本發明的一個實施例中,當識別到誘餌檔被異動而發現懷疑惡意數據更改的情況下,會停止同步一段時間。在此期間,用戶端設備100可以檢查是否更改了第二個或者更多的誘餌檔來確認通常是惡意地更改大規模檔案的勒索軟體的惡意的數據更改。如果在該期間沒有其他誘餌更改,則用戶端設備100可能由於沒有惡意數據更改的確認而繼續檔案備份傳輸。在本發明的一個實施例中,也在步驟S530中,用戶端設備100還可以從雲端儲存伺服器集群200請求還原惡意更改的檔案(例如由勒索軟 體加密的檔案)。用戶端設備100可以確定可疑惡意更改並請求還原的檔案的範圍。用戶端設備100還可以從雲端儲存伺服器集群200接收相應的檔案,並且替換可疑的被接收檔案惡意更改的檔案。在本發明的一個實施例中,用戶端設備100可以提供用於引導和用戶介面的訊息,以在上述檔案還原的每個步驟中進行確認。如果在步驟S525中沒有檢測到勒索軟體數據的惡意更改,則在步驟S540中,用戶端設備100可以繼續向雲端儲存伺服器集群200發送檔案以進行檔案備份。 FIG. 4A illustrates a typical verification process of the file transfer of the client device 100 in FIG. 1. According to some embodiments of the invention. Referring to FIG. 4A, in step S510, the client device 100 can create a file as the above-mentioned decoy file, and store the decoy file in the folder as an indicator of malicious data modification by the ransomware, even with higher priority. Level indicators will be ransomware (or other types of malware). In one embodiment of the present invention, a bait file can be generated and mixed into a group of files and child folders in a parent folder, so as to be infected by the ransomware as the same batch of files. In one embodiment of the invention, the decoy file will have features of higher-priority ransomware processing, such as file names sorted first in alphabetical order, or file update dates sorted in descending order. In one embodiment of the present invention, the decoy file may also have the feature of being identified as a decoy file to prevent the user from accidentally reading or changing the file name to be recognized as meaningless and identified as a "bait file". For example, the client device 100 may create an image including "This is a decoy file" to provide a preview when the image is read by the file system to prevent the user from changing the file. In step S520, the client device 100 may periodically check the file status of the decoy file to identify malicious changes to the data by the ransomware. In one embodiment of the present invention, the client device 100 may send the updated file to the cloud storage server cluster 200 for backup. The client device 100 may check whether an update of an archive including a maliciously altered decoy used to identify the decoy is assumed not to be altered by the user. In an embodiment of the present invention, the client device 100 may also check whether the update of the archive including the archive or at least a part of the archive metadata with the same filename is a bait for identifying malicious encryption of the ransomware, which usually results in The file is encrypted into another file type with only the same file name and part of the file metadata. Although the data of the bait is changed, it may mean that files in the same folder or bait files in related folders have also been maliciously changed (eg, encrypted or deleted) by ransomware. In an embodiment of the present invention, in step S525, after detecting the malicious change of the data by the ransomware, the client device 100 may stop the file transmission (or file backup) to prevent the data from spreading to the cloud storage server. Malicious changes to the server cluster 200 In step S530, the files in the cloud storage server cluster 200 of the maliciously changed files are replaced from the client device 100. In one embodiment of the present invention, the client device 100 may also start monitoring the corresponding The process of decoy data change instructions being executed to confirm malicious data changes. In one embodiment of the present invention, when it is identified that the decoy file is changed and it is found that suspected malicious data is changed, synchronization will be stopped for a period of time. In the meantime, the client device 100 can check whether the second or more decoy files have been changed to confirm malicious data changes by ransomware that usually maliciously changes large-scale files. If there are no other decoy changes during this period, the client device 100 may continue the archive backup transmission due to no confirmation of malicious data changes. In an embodiment of the present invention, also in step S530, the client device 100 may also request to restore a maliciously changed file (for example, a file encrypted by ransomware) from the cloud storage server cluster 200. The client device 100 may determine the range of the suspicious malicious change and request a restore. The client device 100 may also receive the corresponding files from the cloud storage server cluster 200 and replace the suspiciously changed files of the received files. In one embodiment of the present invention, the client device 100 may provide information for guiding and user interface for confirmation in each step of the above file restoration. If the malicious change of the ransomware data is not detected in step S525, in step S540, the client device 100 may continue to send files to the cloud storage server cluster 200 for file backup.

圖4B呈現了根據本發明的一些實施例的圖1中的雲端儲存伺服器集群200的檔案傳輸的典型驗證過程。參考如圖4B所示,在步驟S610中,雲端儲存伺服器群集200可以從用戶端設備100接收用於備份的檔案。雲端儲存伺服器集群200還可以在用戶端設備100中保留對應於其被更新或刪除的待替換或刪除的檔案的副本。在本發明的一個實施例中,雖然沒有從用戶端設備100接收請求,但雲端儲存伺服器集群200可以繼續接收用於更新的檔案(重複步驟S610)。在本發明的一個實施例中,如果雲端儲存伺服器集群200從用戶端設備100接收到檔案還原請求(根據圖4A中的步驟S530),指示用戶端設備100中的檔案被勒索軟體惡意地更改,則雲端儲存伺服器集群200可以停止檔案接收,從用戶端設備100檢索對應於檔案還原請求的上述保留副本,並且替換可能在雲端儲存伺服器集群200中被惡意更改的同步檔案。在本發明的一個實施例中,上述可疑惡意更改的檔案可以由用戶端設備100確定並發送到雲端儲存伺服器集群200。在本發明的另一個實施例中,上述可疑惡意更改的檔案可以由雲端儲存伺服器集群200來確定,作為可疑惡意更改的檔案的範圍,雲端儲存伺服器集 群200確定檔案夾的範圍(檔案的位置)以及與用戶端設備100相鄰的檔案還原請求的發送時間的範圍。在本發明的一個實施例中,在步驟S630中,雲端儲存伺服器集群200可以進一步發送上述保留檔案,以替換由用戶端設備100中的勒索軟體惡意更改的檔案。 FIG. 4B presents a typical verification process for file transfer of the cloud storage server cluster 200 in FIG. 1 according to some embodiments of the present invention. Referring to FIG. 4B, in step S610, the cloud storage server cluster 200 may receive a file for backup from the client device 100. The cloud storage server cluster 200 may also retain a copy of the file to be replaced or deleted corresponding to the updated or deleted file in the client device 100. In an embodiment of the present invention, although the request is not received from the client device 100, the cloud storage server cluster 200 may continue to receive the file for updating (repeat step S610). In an embodiment of the present invention, if the cloud storage server cluster 200 receives a file restoration request from the client device 100 (in accordance with step S530 in FIG. 4A), it indicates that the files in the client device 100 have been maliciously changed by ransomware. Then, the cloud storage server cluster 200 may stop receiving files, retrieve the above-mentioned reserved copy corresponding to the file restoration request from the client device 100, and replace the synchronized files that may be maliciously changed in the cloud storage server cluster 200. In one embodiment of the present invention, the suspicious malicious change file may be determined by the client device 100 and sent to the cloud storage server cluster 200. In another embodiment of the present invention, the suspicious maliciously changed files may be determined by the cloud storage server cluster 200. As the range of the suspicious maliciously changed files, the cloud storage server cluster 200 determines the range of the folders (the file's Location) and the time range for sending the archive restore request adjacent to the client device 100. In an embodiment of the present invention, in step S630, the cloud storage server cluster 200 may further send the above-mentioned reserved file to replace the file maliciously changed by the ransomware in the client device 100.

圖5呈現根據本發明的一些實施例的在用戶端設備100或雲端儲存伺服器群集200內實現的典型反惡意軟體(或特定於反篡改軟體)系統。在本發明的一個實施例中,在用戶端設備100中,可以提供能夠管理與雲端儲存伺服器集群200的檔案同步的典型反惡意軟體系統400,檢測惡意數據更改和管理誘餌檔作為對惡意數據的支援改造。反惡意軟體系統400可以包括用於在用戶端設備100中創建誘餌檔的誘餌檔管理模組410,用於檢測惡意軟體感染的惡意軟體檢測模組420以及用於停止備份過程並在發現惡意軟體感染時請求檔案還原的同步管理模組430。在本發明的一個實施例中,誘餌檔管理模組410可以創建誘餌檔作為由惡意軟體(或特定的勒索軟體)惡意數據更改的指示符,並且維護用於由惡意軟體檢測模組420進行的惡意數據更改的誘餌檔列表的比較檔案或數據更改說明與列表。惡意軟體檢測模組420可以包括用於維護諸如前述數據更改頻率(或同步的兩側之間的數據不一致)和誘餌檔更改的惡意數據更改的模式清單的模式識別器421。例如,在本發明的一個實施例中,模式識別器421可以檢查檔案更新(或與檔案更新相對應的指令),以查找是否存在任何更新的誘餌檔,指示在用反病毒軟體實現的計算系統中惡意數據更改的發生,惡意軟體系統400。惡意軟體檢測模組420還可以包括訊息接收機421,用於從諸如雲端儲存伺服器集群200的其他設備接收惡意數據更改的訊息。例 如,根據圖3中的步驟S430,如圖3B所示,雲端儲存伺服器集群200可以在識別惡意數據更改的模式(例如從用戶端設備100接收的檔案中的高更新頻率或誘餌檔的數據更改)中向用戶端設備100發送惡意數據更改訊息。用戶端設備100中的惡意軟體系統400可以確認來自雲端儲存伺服器集群200發送的前述訊息的惡意數據更改。在本發明的一個實施例中,同步管理模組430可以包括用於管理的備份管理組件431檔案傳輸到雲端儲存伺服器集群200,特別是用於將檔案更新維護為用於模式識別器421確定惡意數據更改的數據集之一;停止管理組件433,用於暫停檔案傳輸(特別是用於檔案備份),同時模式識別器421識別惡意數據更改,以及還原管理組件432從雲端儲存伺服器集群200尋求檔案還原,並根據前面段落的實施例,將從雲端儲存伺服器集群200接收到的相應的檔案替換為惡意更改的檔案。 FIG. 5 presents a typical anti-malware (or anti-tampering software) system implemented within a client device 100 or a cloud storage server cluster 200 according to some embodiments of the invention. In an embodiment of the present invention, in the client device 100, a typical anti-malware system 400 capable of managing synchronization with the files of the cloud storage server cluster 200 can be provided, detecting malicious data changes and managing decoy files as malicious data. Support transformation. The anti-malware system 400 may include a bait file management module 410 for creating a bait file in the client device 100, a malware detection module 420 for detecting a malware infection, and a software for stopping the backup process and detecting malware. Synchronous management module 430 requesting file restoration when infected. In one embodiment of the present invention, the decoy file management module 410 may create a decoy file as an indicator of malicious data changed by malware (or specific ransomware), and maintain the information for use by the malware detection module 420 Comparison of a list of decoy files for malicious data changes or data change instructions and lists. The malware detection module 420 may include a pattern recognizer 421 for maintaining a pattern list of malicious data changes such as the aforementioned data change frequency (or data inconsistency between the two sides of the synchronization) and decoy file changes. For example, in one embodiment of the present invention, the pattern recognizer 421 may check the file update (or the instruction corresponding to the file update) to find whether there are any updated decoy files, indicating that the computing system is implemented with anti-virus software. Malicious data changes occur in the malware system 400. The malware detection module 420 may further include a message receiver 421 for receiving a message of malicious data changes from other devices such as the cloud storage server cluster 200. For example, according to step S430 in FIG. 3, as shown in FIG. 3B, the cloud storage server cluster 200 may identify patterns of malicious data changes (such as a high update frequency in a file received from the client device 100 or data of a decoy file). Change) to send a malicious data change message to the client device 100. The malware system 400 in the client device 100 can confirm the malicious data change from the aforementioned message sent by the cloud storage server cluster 200. In one embodiment of the present invention, the synchronization management module 430 may include a backup management component 431 for management, and the files are transmitted to the cloud storage server cluster 200, and are particularly used for maintaining and updating the files for the pattern identifier 421 to determine. One of the data sets for malicious data change; stop management component 433 for pausing file transfer (especially for file backup), while pattern recognizer 421 identifies malicious data changes, and restore management component 432 from cloud storage server cluster 200 A file restoration is sought, and according to the embodiment of the previous paragraph, the corresponding file received from the cloud storage server cluster 200 is replaced with a maliciously changed file.

圖6呈現了根據本發明的一些實施例的在用戶端設備100和雲端儲存伺服器群集200內實現的典型反惡意軟體(或特定於反篡改軟體)系統。在本發明的一個實施例中,在雲端儲存伺服器集群200中,可以提供典型的反惡意軟體系統400,其能夠管理來自用戶端設備100的檔案同步,並檢測用戶端設備100中的數據的惡意更改。雲端儲存伺服器集群200內的典型的反惡意軟體系統中的誘餌檔管理模組410還可以維護在本發明的一個實施例中在用戶端設備100中生成並從用戶端設備100接收的誘餌檔列表。惡意軟體檢測模組420的模式識別器421可以通過各種檢測手段識別從用戶端裝置100接收到的檔案的惡意數據更改,包括根據實施例將用戶端裝置100中的檔案更新映射到誘餌檔列表或監控檔案更新頻率在 前面的段落。在本發明的一個實施例中,惡意軟體檢測模組420的訊息接收器422可以從用戶端設備100接收用戶端設備100中的惡意數據更改的檔案還原請求。檔案同步模組430的備份管理組件431還可以管理用戶端設備100的檔案接收,其還可以是模式識別器421的數據集之一,用於確定來自用戶端設備100的上述檔案中的惡意數據更改。停止檔案同步模組430的管理部件433也可以在模式識別器421發現惡意數據更改的同時停止檔案接收。檔案同步模組430的還原管理組件432可以保留與從用戶端設備100接收到的檔案更新相對應的待刪除和更新的檔案的副本。還原管理組件432可以根據檔案還原請求進一步從副本中檢索檔案從用戶端設備100接收到,並根據檔案還原請求,用檢索到的副本替換在雲端儲存伺服器集群200中被惡意更改的檔案。在一些實施例中,還原管理組件432可以將檢索到的副本作為對檔案還原請求的響應來發送到用戶端設備100,以替換在用戶端設備100中惡意更改的檔案。參考圖6,反惡意軟體系統可以在用戶端設備100和雲端儲存伺服器群集200中實現,用於根據前面段落中所示的實施例來管理同步和檢測惡意數據更改。因此,反惡意軟體系統400可能不限於在特定類型的設備中實現。根據本發明的一些實施例,包括要備份的檔案或用於接收用於備份的檔案的設備可以與典型的反惡意軟體系統400一起實施。 FIG. 6 presents a typical anti-malware (or anti-tampering software) system implemented within a client device 100 and a cloud storage server cluster 200 according to some embodiments of the invention. In one embodiment of the present invention, in the cloud storage server cluster 200, a typical anti-malware system 400 can be provided, which can manage file synchronization from the client device 100 and detect the data in the client device 100. Malicious changes. The decoy file management module 410 in a typical anti-malware system in the cloud storage server cluster 200 can also maintain a decoy file generated in the client device 100 and received from the client device 100 in one embodiment of the present invention. List. The pattern recognizer 421 of the malware detection module 420 can identify malicious data changes of files received from the client device 100 through various detection methods, including mapping file updates in the client device 100 to a list of bait files or The monitoring file update frequency is in the previous paragraph. In an embodiment of the present invention, the message receiver 422 of the malware detection module 420 may receive a file restoration request for malicious data changes in the client device 100 from the client device 100. The backup management component 431 of the file synchronization module 430 can also manage the file reception of the client device 100, which can also be one of the data sets of the pattern recognizer 421, which is used to determine malicious data from the above files from the user device 100 change. The management component 433 of the stop file synchronization module 430 may also stop receiving files when the pattern recognizer 421 detects malicious data changes. The restoration management component 432 of the file synchronization module 430 may retain a copy of the file to be deleted and updated corresponding to the file update received from the client device 100. The restoration management component 432 may further retrieve the archive from the copy according to the archive restoration request and receive it from the client device 100, and replace the maliciously changed archive in the cloud storage server cluster 200 with the retrieved copy according to the archive restoration request. In some embodiments, the restoration management component 432 may send the retrieved copy as a response to the archive restoration request to the client device 100 to replace the maliciously changed archive in the client device 100. Referring to FIG. 6, an anti-malware system may be implemented in the client device 100 and the cloud storage server cluster 200 to manage synchronization and detect malicious data changes according to the embodiment shown in the previous paragraph. Therefore, the anti-malware system 400 may not be limited to being implemented in a specific type of device. According to some embodiments of the present invention, a device including an archive to be backed up or a device for receiving an archive for backup may be implemented with a typical anti-malware system 400.

圖7A至7E呈現了根據本發明的實施例的混合雲檔案系統中的反惡意軟體系統400。參考如圖7A所示,用戶端設備100可以對應於具有被描繪為“Disk(C:)”,“Disk(D:)”和“Disk(E:)”)中的一個或多個儲存裝置的檔案系統。每個儲存裝置可以對應於不同的儲存媒體。例 如,用戶端設備100可以包括呈現為“SSD”圖示的本地儲存媒體110,其儲存位置呈現在戶端設備100的右側。本地儲存媒體110的部分可以被分配給具有32GB大小的儲存裝置“Disk(C:)”。儲存裝置“Disk(E:)”可以對應於諸如具有USB埠的電腦週邊儲存設備的外部儲存媒體。具有明顯更大尺寸的儲存裝置“Disk(D:)”可對應於分配給雲端儲存伺服器集群200中的用戶端設備100的儲存裝置。儲存在雲端儲存伺服器集群200中的分配的儲存裝置中的內容可以是呈現為儲存在用戶端設備100的操作系統中的儲存裝置“Disk(D:)”中。儲存和讀取儲存裝置“Disk(D:)”中的檔案的數據的手動操作可能與儲存裝置“Disk(C:)”和“Disk(E:)”中的檔案相同。因此,用戶端裝置100的用戶甚至可能不注意儲存在儲存裝置“Disk(D:)”中的內容的物理位置。此外,通過在雲端計算技術和雲端儲存服務模型的現有技術中調整雲端儲存伺服器集群200中的分配的儲存量,可以靈活地佈置儲存裝置“Disk(D:)”的大小。根據本發明的雲端儲存系統可以使得用戶端設備100中的用戶體驗顯著地大於其物理提供的內部組件。在一些實施例中,本地儲存媒體110的一部分可以被分配為用於儲存裝置“Disk(D:)”的高速快取磁區。在這種情況下,儲存在雲端儲存伺服器集群200中的一部分數據內容可以被複製並儲存在高速快取磁區中以加速數據讀取。用戶端設備110以及雲端儲存伺服器集群200通常可以包括提供用於該設備的一般管理和操作的可執行程式指令的操作系統(例如,用戶端設備100,雲端儲存伺服器群集200的伺服器)。此外,本地儲存媒體110可以是非暫時電腦可讀媒體,其儲存指令,該指令在由該設備的處理器執行時允許該設備執行其預期功能。每個設備的合適的操作系統可以 根據設備的類型和性質而不同。例如,用戶端設備100可以是在市售的Windows操作系統上運行的個人電腦;用戶端設備100還可以是在Android操作系統上運行的蜂巢式電話;而雲端儲存伺服器集群200可以在基於Linux的操作系統上操作。用於操作系統和伺服器的一般功能的合適實施方式可以是已知的或可商購的,並且由本領域普通技術人員容易地實施,特別是根據本文的公開內容。 7A to 7E present an anti-malware system 400 in a hybrid cloud file system according to an embodiment of the present invention. Referring to FIG. 7A, the client device 100 may correspond to having one or more storage devices depicted as "Disk (C :)", "Disk (D :)", and "Disk (E :)"). File system. Each storage device may correspond to a different storage medium. For example, the client device 100 may include a local storage medium 110 presented as an “SSD” icon, and its storage location is presented on the right side of the client device 100. A portion of the local storage medium 110 may be allocated to a storage device “Disk (C :)” having a size of 32 GB. The storage device "Disk (E :)" may correspond to an external storage medium such as a computer peripheral storage device having a USB port. The storage device “Disk (D :)” having a significantly larger size may correspond to a storage device allocated to the client device 100 in the cloud storage server cluster 200. The content stored in the allocated storage device in the cloud storage server cluster 200 may be a storage device “Disk (D :)” presented as stored in the operating system of the client device 100. The manual operation of storing and reading the data of the files in the storage device "Disk (D :)" may be the same as the files in the storage devices "Disk (C :)" and "Disk (E :)". Therefore, the user of the client device 100 may not even notice the physical location of the content stored in the storage device “Disk (D :)”. In addition, by adjusting the allocated storage amount in the cloud storage server cluster 200 in the existing technologies of the cloud computing technology and the cloud storage service model, the size of the storage device “Disk (D :)” can be flexibly arranged. The cloud storage system according to the present invention can make the user experience in the client device 100 significantly larger than the internal components it physically provides. In some embodiments, a portion of the local storage medium 110 may be allocated as a high-speed cache sector for the storage device "Disk (D :)". In this case, a part of the data content stored in the cloud storage server cluster 200 can be copied and stored in the high-speed cache magnetic region to speed up data reading. The client device 110 and the cloud storage server cluster 200 may generally include an operating system that provides executable program instructions for general management and operation of the device (eg, the client device 100, the server of the cloud storage server cluster 200) . In addition, the local storage medium 110 may be a non-transitory computer-readable medium that stores instructions that, when executed by a processor of the device, allow the device to perform its intended function. The appropriate operating system for each device can vary depending on the type and nature of the device. For example, the client device 100 may be a personal computer running on a commercially available Windows operating system; the client device 100 may also be a cellular phone running on an Android operating system; and the cloud storage server cluster 200 may be based on Linux Operating system. Suitable implementations for the general functions of the operating system and server may be known or commercially available and easily implemented by one of ordinary skill in the art, particularly in light of the disclosure herein.

圖7B呈現了根據本發明的一些實施例的與用戶端設備100和雲端儲存系統的雲端儲存集群200相關聯的典型的操作系統。在用戶端設備100中,可以提供典型的操作系統500,其能夠管理用戶端設備100的硬體資源並提供用於運行應用(例如,在移動設備上運行的移動應用)的服務。在一些實施例中,操作系統400和應用軟體可以儲存在諸如本地儲存媒體110的用戶端設備100的本地儲存媒體中。在一些實施例中,操作系統500還可以儲存在雲端儲存伺服器集群200在啟動階段提供下載到用戶端設備100中並由用戶端設備100執行。應用軟體也可以儲存在雲端儲存伺服器集群200中,提供啟動後的下載。在一些實施例中,儲存在用戶端設備100中的應用可以包括用於一般生產力和資訊檢索的應用,包括電子郵件、日曆、連絡人和天氣資訊,或者包括其他類別的應用,諸如遊戲、GPS和其他基於位置服務、銀行、訂單追蹤,購票或本領域普通技術人員所設想的任何其他類別。在一些實施例中,儲存在用戶端設備100中的應用可以提供與操作系統500有關的功能。例如,用戶行為分析模組140,用於收集由操作系統400執行的數據讀取操作的數據讀取模式並發送到雲端儲存伺服器集群200進行各種分析。雲端儲存伺服器集群200可以包括一 個或多個儲存節點210a,210b和210c。每個儲存節點210可以包含一個或多個處理器和儲存設備。儲存設備可以包括可用於儲存數據內容的光碟儲存設備、RAM、ROM、EEPROM、閃存、相變儲存設備、磁帶盒、磁帶、磁碟儲存設備或任何其他電腦儲存媒體。 FIG. 7B presents a typical operating system associated with a client device 100 and a cloud storage cluster 200 of a cloud storage system according to some embodiments of the invention. In the client device 100, a typical operating system 500 may be provided, which can manage hardware resources of the client device 100 and provide services for running applications (for example, mobile applications running on mobile devices). In some embodiments, the operating system 400 and application software may be stored in a local storage medium of the client device 100 such as the local storage medium 110. In some embodiments, the operating system 500 may also be stored in the cloud storage server cluster 200 and provided for download to the client device 100 and executed by the client device 100 during the startup phase. The application software may also be stored in the cloud storage server cluster 200 to provide downloading after startup. In some embodiments, the applications stored in the client device 100 may include applications for general productivity and information retrieval, including email, calendar, contacts, and weather information, or include other categories of applications such as gaming, GPS And others based on location services, banking, order tracking, ticket purchases, or any other category contemplated by one of ordinary skill in the art. In some embodiments, the application stored in the client device 100 may provide functions related to the operating system 500. For example, the user behavior analysis module 140 is configured to collect a data reading mode of a data reading operation performed by the operating system 400 and send the data reading mode to the cloud storage server cluster 200 for various analyses. The cloud storage server cluster 200 may include one or more storage nodes 210a, 210b, and 210c. Each storage node 210 may include one or more processors and storage devices. Storage devices may include optical disk storage devices, RAM, ROM, EEPROM, flash memory, phase change storage devices, tape cartridges, magnetic tapes, magnetic disk storage devices, or any other computer storage media that can be used to store data content.

參考圖1。再次地,圖7B還可以提供用戶端設備100的典型操作系統500,其包括混合雲檔案系統510和描繪為550a,550b和550c的一個或多個儲存裝置。可以經由網路300由雲端儲存伺服器集群200中的授權儲存裝置來定義和提供儲存裝置550c。在一些實施例中,可以對應於本地儲存媒體110分配高速快取設備570。在一些實施例中,如圖2所示,高速快取設備570可以是虛擬地定義在對應於本地儲存媒體110的儲存裝置550中的數據儲存空間。如圖7B所示,高速快取設備570還可以是虛擬地定義並對應於儲存裝置550的獨立數據儲存空間。高速快取設備570可以被定義為向混合雲檔案系統和儲存裝置550提供與儲存設備管理系統中的頁面檔案在概念上相似的緩衝區域。儲存在儲存裝置550c中的數據內容可以被上傳到雲端儲存伺服器集群200,並且數據內容的副本可以儲存在高速快取設備570中,以通過直接讀取高速快取設備570中的副本來加速讀取。高速快取設備570與雲端儲存伺服器群集200中的儲存裝置相比是非常有限的。因此,可以應用空間釋放機制。也就是說,高速快取設備570中的數據內容可以被允許被覆蓋並被其他數據內容替換。在一些實施例方法中,可以在高速快取設備570中提供儲存鎖定機制。也就是說,鎖定的數據可以被保留並且不會被覆蓋在高速快取設備570中,同時解鎖的數據不被保留並被允許被覆蓋。高速快取設備570中的數據內容可以被分配為 被鎖定以加速讀取。通常,動詞“pin”可用於描述鎖定的操作。固定數據內容可以總是保存在高速快取設備570中以加速讀取,並且不被允許被覆蓋。類似地,另一個術語“unpin”可以用於描述解鎖的操作。固定的數據內容可能被取消固定,以通過允許覆蓋來釋放空間。在一些實施例中,高速快取設備570可以被多個儲存裝置共用。例如,可以定義共用高速快取設備570並將其分配給儲存裝置550a、550b和550c。可以允許儲存裝置550a、550b和550c中的數據內容臨時儲存在高速快取設備570中以加速數據讀取。上述“pin”/“unpin”機制也可以應用於高速快取設備570。在一些實施例方法中,本地儲存媒體110中的空間可以被分配給高速快取設備570。類似地,在一些實施例中,多個空間包括本地儲存媒體110的本地儲存媒體也可以被分配用於高速快取設備570。在一些實施例中,當為用戶端設備100創建多於一個雲端儲存卷時(其物理儲存容量對應於雲),也可以為多個新創建的雲端儲存卷分配單個本地高速快取設備570。 Refer to Figure 1. Again, FIG. 7B may also provide a typical operating system 500 of the client device 100, which includes a hybrid cloud file system 510 and one or more storage devices depicted as 550a, 550b, and 550c. The storage device 550c may be defined and provided by an authorized storage device in the cloud storage server cluster 200 via the network 300. In some embodiments, a high-speed cache device 570 may be assigned corresponding to the local storage medium 110. In some embodiments, as shown in FIG. 2, the high-speed cache device 570 may be a data storage space virtually defined in the storage device 550 corresponding to the local storage medium 110. As shown in FIG. 7B, the high-speed cache device 570 may also be an independent data storage space that is virtually defined and corresponds to the storage device 550. The high-speed cache device 570 may be defined as providing the hybrid cloud file system and the storage device 550 with a buffer area similar in concept to a page file in the storage device management system. The data content stored in the storage device 550c can be uploaded to the cloud storage server cluster 200, and a copy of the data content can be stored in the high-speed cache device 570 to accelerate by directly reading the copy in the high-speed cache device 570 Read. The high-speed cache device 570 is very limited compared to the storage devices in the cloud storage server cluster 200. Therefore, a space release mechanism can be applied. That is, the data content in the high-speed cache device 570 may be allowed to be overwritten and replaced with other data content. In some embodiment methods, a storage lock mechanism may be provided in the high-speed cache device 570. That is, the locked data can be retained and not overwritten in the high-speed cache device 570, while the unlocked data is not retained and allowed to be overwritten. The data content in the high-speed cache device 570 may be allocated as locked to speed up reading. In general, the verb "pin" can be used to describe the operation of a lock. The fixed data content can always be saved in the high-speed cache device 570 to speed up reading, and is not allowed to be overwritten. Similarly, another term "unpin" can be used to describe the operation of unlocking. Fixed data content may be unpinned to free up space by allowing overwriting. In some embodiments, the high-speed cache device 570 may be shared by multiple storage devices. For example, a common high-speed cache device 570 may be defined and allocated to the storage devices 550a, 550b, and 550c. The data content in the storage devices 550a, 550b, and 550c may be allowed to be temporarily stored in the high-speed cache device 570 to speed up data reading. The above-mentioned "pin" / "unpin" mechanism can also be applied to the high-speed cache device 570. In some embodiment methods, space in the local storage medium 110 may be allocated to the high-speed cache device 570. Similarly, in some embodiments, the local storage media in which the plurality of spaces include the local storage media 110 may also be allocated for the high-speed cache device 570. In some embodiments, when more than one cloud storage volume is created for the client device 100 (its physical storage capacity corresponds to the cloud), a single local high-speed cache device 570 may also be allocated for multiple newly created cloud storage volumes.

混合雲檔案系統510可以包括用於管理儲存裝置550中的數據內容的檔案系統管理模組520和用於管理用戶端設備100和雲端儲存伺服器集群200之間的數據同步的同步管理模組540。檔案系統管理模組520可以從用戶介面接收用於數據操作的命令,並相應地更新目錄資訊。同步管理模組540可以根據包括數據儲存、數據獲取、數據更新和數據刪除的命令操縱儲存在雲端儲存伺服器集群200中的數據。同步管理模組540可以根據命令生成數據操作請求,並發送到雲端儲存伺服器集群200以進行相應的執行。在一些實施例中,應用程式可以讀取數據或向數據寫入數據,就好像檔案被儲存在儲存裝置550中一樣。檔案系統管理模組520可以在 執行應用程式期間接收讀取或寫入請求,並且同步管理模組540以從雲端伺服器250檢索檔案的內容數據以符合讀或寫請求。例如,檔案系統管理模組520可以從儲存裝置550c中的特定位置接收用於處理檔案的命令。同步管理模組540可以發送用於下載檔案的請求並從雲端儲存伺服器集群200接收檔案以進行數據處理。如果在數據處理期間發生任何更新,則檔案系統管理模組520可以進一步接收用於將更新的檔案儲存到儲存裝置550c中的特定目的地(或數據路徑)中的命令。同步管理模組540還可以將檔案的上傳請求發送到雲端儲存伺服器集群200,以儲存在雲端儲存伺服器集群200中的分配的儲存裝置中。檔案系統管理模組520可以進一步將儲存在目的地中的數據進行記錄並相應地更新對應於儲存裝置550c的目錄信息。 The hybrid cloud file system 510 may include a file system management module 520 for managing data content in the storage device 550 and a synchronization management module 540 for managing data synchronization between the client device 100 and the cloud storage server cluster 200 . The file system management module 520 can receive commands for data operations from the user interface and update the directory information accordingly. The synchronization management module 540 can manipulate data stored in the cloud storage server cluster 200 according to commands including data storage, data acquisition, data update, and data deletion. The synchronization management module 540 can generate a data operation request according to a command and send it to the cloud storage server cluster 200 for corresponding execution. In some embodiments, the application can read or write data as if the files were stored in the storage device 550. The file system management module 520 may receive a read or write request during the execution of the application program, and synchronize the management module 540 to retrieve the content data of the file from the cloud server 250 to meet the read or write request. For example, the file system management module 520 may receive a command for processing files from a specific location in the storage device 550c. The synchronization management module 540 may send a request for downloading a file and receive the file from the cloud storage server cluster 200 for data processing. If any update occurs during data processing, the file system management module 520 may further receive a command to store the updated file to a specific destination (or data path) in the storage device 550c. The synchronization management module 540 may also send a file upload request to the cloud storage server cluster 200 to be stored in an allocated storage device in the cloud storage server cluster 200. The file system management module 520 can further record the data stored in the destination and update the directory information corresponding to the storage device 550c accordingly.

在一些實施例中,用於管理高速快取設備570中的數據內容的高速快取管理模組530也可以被包括在混合雲檔案系統510中。檔案系統管理模組520可以從用戶介面接收用於數據操作的命令,以及相應地更新目錄資訊。高速快取管理可以在數據上傳到雲端儲存伺服器集群之前,將數據提取或儲存在高速快取設備570中用於加速數據讀取或作為本地緩衝器。例如,檔案系統管理模組520可以從儲存裝置550c中的特定位置接收用於處理檔案的命令。高速快取管理模組530可以在高速快取設備570中為檔案分配空間,並且同步管理模組540可以從雲端儲存伺服器集群200獲取檔案。如果在數據處理期間發生任何更新,則高速快取管理模組530可以更新高速快取設備570中的檔案。同步管理模組540還可以將檔案的上傳請求發送到雲端儲存伺服器集群200,並且檔案系統管理模組520可以進一步相應地更新目錄資訊。在一些實施例中,高速快取管理模組530還 可以配置要被固定或取消固定用於空間管理的數據內容。高速快取管理模組530可以通過允許覆蓋未被取消的數據內容來釋放高速快取設備570中的未固定數據內容的儲存。 In some embodiments, a high-speed cache management module 530 for managing data content in the high-speed cache device 570 may also be included in the hybrid cloud file system 510. The file system management module 520 can receive commands for data operations from the user interface and update directory information accordingly. The high-speed cache management may extract or store the data in the high-speed cache device 570 for speeding up data reading or serving as a local buffer before the data is uploaded to the cloud storage server cluster. For example, the file system management module 520 may receive a command for processing files from a specific location in the storage device 550c. The high-speed cache management module 530 may allocate space for files in the high-speed cache device 570, and the synchronization management module 540 may obtain files from the cloud storage server cluster 200. If any updates occur during data processing, the high-speed cache management module 530 may update the files in the high-speed cache device 570. The synchronization management module 540 can also send a file upload request to the cloud storage server cluster 200, and the file system management module 520 can further update the directory information accordingly. In some embodiments, the high-speed cache management module 530 may also configure data content to be pinned or unpinned for space management. The high-speed cache management module 530 may release the storage of the unfixed data content in the high-speed cache device 570 by allowing overwriting of the data content that is not cancelled.

圖7C還呈現圖7B根據本發明的一些典型操作系統。同步管理模組540還可以包括預取管理組件541,用於在用戶發起之前確定提取數據內容的預取計劃,用於檢查用於數據壓縮的重複數據內容的重複數據刪除組件543,用於上傳數據的上傳管理組件545內容根據上傳策略到雲端儲存伺服器集群200,根據用戶命令或預取計劃從雲端儲存伺服器集群200下載所請求的數據內容的取出管理組件547和用於從數據內容中刪除數據內容的刪除管理組件549本地儲存媒體110和雲端儲存伺服器集群200。 Figure 7C also presents some typical operating systems of Figure 7B according to the present invention. The synchronization management module 540 may further include a prefetch management component 541 for determining a prefetch plan for extracting data content before the user initiates, a deduplication component 543 for checking deduplicated content for data compression, and uploading The content of the data upload management component 545 is transmitted to the cloud storage server cluster 200 according to the upload policy, and the requested data content is downloaded from the cloud storage server cluster 200 according to a user command or a prefetch plan. The deletion management component 549 for deleting data content includes a local storage medium 110 and a cloud storage server cluster 200.

如圖7C所示,預取管理組件541可以確定識別具有被應用程式讀取的高概率的特定數據內容的預取計劃。根據本發明的一些實施例的預取操作是在由用戶動作發起之前從雲端儲存伺服器集群200下載數據檔案。因為在雲端儲存環境中,檔案的數據內容通常儲存在雲端儲存伺服器集群200中,檔案讀取可能需要更長的時間。為了緩解這種情況,用戶端設備100的預取管理組件541可以具有識別用戶可能被讀取的檔案的數據內容的能力,並且可以相應地預取數據內容並將其儲存在本地定義高速快取設備570。預取計劃可以用於基於儲存對象的使用模式來識別可能使用的儲存對象。此外,可以針對與相同或不同用戶相關聯的多個設備生成不同的預取計劃。高速快取管理模組530可以根據預取計劃進一步發起將某些數據內容快取到本地儲存媒體110中。在一些實施例中,電子檔案的元數據(例如,描述、參數、優先級、日期、時間和與數據內容有關的其他 相關資訊)可以儲存在儲存裝置550中,而檔案的內容可以儲存在雲端儲存伺服器集群200。檔案系統管理模組520可以將檔案呈現給用戶端設備的應用和用戶,就像內容數據在本地儲存一樣。另一方面,預取管理組件541可以負責從雲端儲存伺服器集群200檢索內容數據作為高速快取數據,以基於數據內容的元數據,讀取模式和其他因素來加速數據讀取。在一些實施例中,圖7B中的用戶行為分析模組140可以收集用於預取管理組件541的上述讀取模式,以相應地確定和更新預取計劃。 As shown in FIG. 7C, the prefetch management component 541 can determine a prefetch plan that identifies specific data content with a high probability of being read by the application. The prefetch operation according to some embodiments of the present invention is to download a data file from the cloud storage server cluster 200 before being initiated by a user action. Because in a cloud storage environment, the data content of the files is usually stored in the cloud storage server cluster 200, the file reading may take longer. To alleviate this situation, the prefetch management component 541 of the client device 100 may have the ability to identify the data content of the archives that the user may be reading, and may prefetch the data content accordingly and store it locally in a high-speed cache Equipment 570. The prefetch plan can be used to identify possible storage objects based on their usage patterns. In addition, different prefetch plans can be generated for multiple devices associated with the same or different users. The high-speed cache management module 530 may further initiate caching of certain data content to the local storage medium 110 according to a prefetch plan. In some embodiments, metadata (e.g., description, parameters, priority, date, time, and other relevant information related to the data content) of the electronic file may be stored in the storage device 550, and the content of the file may be stored in the cloud Storage server cluster 200. The file system management module 520 can present files to applications and users of the client device, just as content data is stored locally. On the other hand, the prefetch management component 541 may be responsible for retrieving content data from the cloud storage server cluster 200 as high-speed cache data to accelerate data reading based on the metadata of the data content, reading mode, and other factors. In some embodiments, the user behavior analysis module 140 in FIG. 7B may collect the above-mentioned reading modes for the prefetch management component 541 to determine and update the prefetch plan accordingly.

再次參考圖7C,重複數據刪除組件543可以確定要儲存在雲端儲存伺服器集群200中的數據內容是否與已經儲存在雲端儲存伺服器集群200中的另一個數據內容重複。根據本發明的一些實施例的重複數據刪除操作當儲存的數據內容與雲端儲存伺服器集群200中的另一數據內容重複時,公開是儲存指向已儲存在雲端儲存伺服器集群200中的上述重複數據內容的指針而不是數據內容本身。重複數據刪除的目的是為了最小化儲存具有重複部分的數據內容所需的總儲存空間。代替儲存所有重複部分,儲存複製部分的一個副本和用於識別和檢索副本的指針可以顯著地節省總空間。重複數據刪除操作通常可以通過兩個簡化步驟來表達:查找數據內容衝突(與另一個重複的數據內容),並儲存用於衝突數據內容和指針(例如副本的地址)的副本以及標識(例如元數據的檔案)用於其他相關的數據內容。散列通常用於查找數據內容衝突。散列可以是字串(例如,數據內容)到表示原始字串的較短的固定長度值或鍵的變換。在一些實施例中,使用散列來索引和檢索雲端儲存伺服器集群200中的數據內容。使用較短散列索引來查找數據內容通常更快。在一些實施例中,使用散列函 數來創建對應於數據內容的所表示值的索引版本。散列函數可以利用諸如分割餘數法、折疊、基數變換、數位重排或MD2、MD4、MD5、SH等加密方案或非加密方案。例如,在一個實施例中,檔案可以被劃分為固定大小(例如2MB byte)的數據塊作為數據內容,而可以相應於數據內容分別生成具有較小大小(例如,256KB)的散列數據。 Referring again to FIG. 7C, the deduplication component 543 may determine whether the data content to be stored in the cloud storage server cluster 200 is duplicated with another data content already stored in the cloud storage server cluster 200. The deduplication operation according to some embodiments of the present invention When the stored data content overlaps with another data content in the cloud storage server cluster 200, it is disclosed that the storage points to the above-mentioned repetition already stored in the cloud storage server cluster 200 A pointer to the data content, not the data content itself. The purpose of deduplication is to minimize the total storage space required to store data content with duplicate parts. Instead of storing all duplicate parts, storing a copy of the duplicate part and pointers for identifying and retrieving the copy can significantly save total space. Deduplication operations can usually be expressed in two simplified steps: finding data content conflicts (with another duplicate data content), and storing copies of conflicting data content and pointers (such as the address of the copy) and identifiers (such as meta Data archives) are used for other related data content. Hashing is often used to find data content conflicts. A hash can be a transformation of a string (eg, data content) into a shorter fixed-length value or key representing the original string. In some embodiments, a hash is used to index and retrieve data content in the cloud storage server cluster 200. Finding data content using a shorter hash index is usually faster. In some embodiments, a hash function is used to create an indexed version corresponding to the represented value of the data content. The hash function can use encryption schemes such as division remainder method, folding, radix transformation, digital rearrangement, or MD2, MD4, MD5, SH, or non-encryption schemes. For example, in one embodiment, the archive may be divided into data blocks of a fixed size (for example, 2 MB byte) as data content, and hash data having a smaller size (for example, 256 KB) may be generated corresponding to the data content.

在一些實施例中,典型的重複數據刪除組件543可以被配置為生成與要上傳到雲端儲存伺服器集群200的對應數據內容(例如,檔案的模塊或區塊)相關聯的散列。重複數據刪除組件543可以在上傳數據內容之前將分散發送到雲端儲存伺服器集群200,以檢查數據衝突。如果沒有發生數據衝突,則用戶端設備100可以將數據內容上傳到雲端儲存伺服器集群200。如果發生數據衝突,則不需要將重複的數據內容上傳到雲端儲存伺服器集群200。雲端儲存伺服器集群200可以儲存指標及數據內容的標籤,而不是儲存數據內容本身。在一些實施例方法中,重複數據刪除策略可以由重複數據刪除組件543來維護。重複數據刪除策略可以定義一個或多個規則來規定用戶端設備100是否執行重複數據刪除操作。例如,一些用戶端設備可能缺少必要的計算能力生成要上傳的數據內容的雜湊值。在這種情況下,重複數據刪除部件543可以直接將數據內容上傳到雲端儲存伺服器群集200,以便將散列生成和衝突檢查任務委託給雲端儲存伺服器群集200(例如,伺服器端雜湊值生成)。重複數據刪除策略中也可能涉及其他因素,例如用戶端設備100的頻寛可用性。在一些實施例中,根據本發明的多個用戶端設備可以讀取雲端儲存伺服器群集200,可以分別為用戶端設備儲存數據內容。在一些實施例中,可以在用於重複數據刪除操作的所 分配的儲存裝置之間保留非重複數據內容的副本。可以將各個用戶端設備中的數據內容的元數據上傳到雲端儲存伺服器集群200,作為用於識別屬於相應數據內容的衝突數據內容的參考。在一些實施例中,可以儲存從衝突數據內容的元數據生成的標籤和用於讀取獨立儲存的衝突數據內容的副本的指針,以替換其他衝突的數據內容。因此,可以提供用於不同用戶端設備(例如,用戶端設備100)的不同儲存裝置(例如儲存裝置550c)的全域重複數據刪除操作。 In some embodiments, a typical deduplication component 543 may be configured to generate a hash associated with corresponding data content (eg, a module or block of an archive) to be uploaded to the cloud storage server cluster 200. The deduplication component 543 may send the scattered data to the cloud storage server cluster 200 before uploading the data content to check for data conflicts. If no data conflict occurs, the client device 100 can upload the data content to the cloud storage server cluster 200. If a data conflict occurs, there is no need to upload duplicate data content to the cloud storage server cluster 200. The cloud storage server cluster 200 may store indicators and tags of data content, instead of storing the data content itself. In some embodiments, the deduplication policy may be maintained by the deduplication component 543. The deduplication policy may define one or more rules to specify whether the client device 100 performs a deduplication operation. For example, some client devices may lack the necessary computing power to generate a hash value of the data content to be uploaded. In this case, the deduplication component 543 can directly upload the data content to the cloud storage server cluster 200 in order to delegate hash generation and conflict checking tasks to the cloud storage server cluster 200 (for example, a server-side hash value) generate). Other factors may also be involved in the deduplication strategy, such as the frequency availability of the client device 100. In some embodiments, multiple client devices according to the present invention may read the cloud storage server cluster 200, and may separately store data content for the client devices. In some embodiments, a copy of the non-duplicated data content may be maintained between the allocated storage devices used for the deduplication operation. The metadata of the data content in each client device may be uploaded to the cloud storage server cluster 200 as a reference for identifying conflicting data content belonging to the corresponding data content. In some embodiments, tags generated from metadata of conflicting data content and pointers for reading copies of conflicting data content that are stored separately can be stored to replace other conflicting data content. Therefore, a global deduplication operation can be provided for different storage devices (for example, the storage device 550c) for different client devices (for example, the client device 100).

上傳管理組件545可以發送要儲存在雲端儲存伺服器集群200中的數據內容。上傳管理組件545還可以維護包含確定是否或何時將數據內容上傳到雲端儲存伺服器集群200的規則的上傳策略上傳策略還可以與諸如用戶端設備100可用的頻寛,用戶端設備100的電池電量和可用的高速快取設備570等幾個因素相關聯。例如,上傳管理組件545可以將數據內容上傳到雲端儲存伺服器集群200,而可用於用戶端設備100讀取互聯網的頻寛符合特定級別。僅當用戶端設備100的電池電量超過特定電力時,上傳管理組件545還可以將數據內容上傳到雲端儲存伺服器集群200。此外,如果高速快取設備570的可用空間處於特定級別,則上傳管理組件545可以將數據內容上傳到雲端儲存伺服器集群200。在本發明的一個實施例中,在檔案上傳期間,由於資訊安全性原因,可以啟動惡意數據更改的檢測。在本發明的另一實施例中,可以禁用檢測,因為檔案刪除不是由勒索軟體啟動,而是混合雲檔案系統510。 The upload management component 545 may send data content to be stored in the cloud storage server cluster 200. The upload management component 545 may also maintain an upload policy that includes rules to determine whether or when to upload data content to the cloud storage server cluster 200. The upload policy may also be compatible with frequencies such as the client device 100 and the battery power of the client device 100 Associated with several factors such as the available high-speed cache device 570. For example, the upload management component 545 may upload the data content to the cloud storage server cluster 200, and the frequency with which the client device 100 can read the Internet conforms to a specific level. The upload management component 545 can also upload the data content to the cloud storage server cluster 200 only when the battery power of the client device 100 exceeds a specific power. In addition, if the available space of the high-speed cache device 570 is at a certain level, the upload management component 545 may upload the data content to the cloud storage server cluster 200. In one embodiment of the present invention, during file upload, detection of malicious data changes may be initiated due to information security reasons. In another embodiment of the present invention, detection can be disabled because file deletion is not initiated by ransomware, but hybrid cloud file system 510.

取出管理組件547可以從雲端儲存伺服器集群200下載要處理或預取的數據內容。在一些實施例中,下載的數據內容可以臨時保存在 用戶端設備100的儲存設備中或儲存在高速快取設備570。取出管理組件547可以根據來自用戶的下載請求從雲端儲存伺服器集群200請求數據內容。取出管理組件547還可以請求由預取管理組件541維護的預取計劃的數據內容。 The fetch management component 547 can download data content to be processed or pre-fetched from the cloud storage server cluster 200. In some embodiments, the downloaded data content may be temporarily stored in the storage device of the client device 100 or stored in the high-speed cache device 570. The fetch management component 547 may request data content from the cloud storage server cluster 200 according to a download request from a user. The fetch management component 547 may also request the data content of the prefetch plan maintained by the prefetch management component 541.

圖7D呈現根據本發明的一些實施例的雲端儲存系統的典型的網路架構。雖然為了說明的目的而將典型的環境呈現為基於網際網路的環境,但是習知技術者應當理解可以適當地使用不同的網路環境來實現各種實施例。典型的環境包括能夠通過網路300發送或接收不同類型的數據內容的多個用戶端設備110a-d。用戶端設備可以包括能夠運行移動應用和通過移動應用讀取檔案的智能電話110a,能夠通過其中實現的檔案系統讀取和處理檔案的筆記型電腦110b,具有用於收集數據的傳感器和用於僅處理收集的數據的有限資源的可穿戴設備110c,收集大尺寸視頻數據的網路攝影機110d,並且通常不具有本地儲存視頻數據等。 FIG. 7D presents a typical network architecture of a cloud storage system according to some embodiments of the present invention. Although the typical environment is presented as an Internet-based environment for the purpose of illustration, those skilled in the art will understand that various network environments may be used appropriately to implement various embodiments. A typical environment includes multiple client devices 110a-d capable of sending or receiving different types of data content over the network 300. The client device may include a smartphone 110a capable of running and reading archives through the mobile application, a notebook computer 110b capable of reading and processing archives through an archive system implemented therein, having sensors for collecting data and for A wearable device 110c that handles limited resources of the collected data, a webcam 110d that collects large-sized video data, and does not usually have a local storage of video data and the like.

雲端儲存伺服器群集200(圖7C中未呈現)可以包括具有用於儲存數據的儲存設備的一個或多個儲存節點210a-c。每個儲存節點210中的儲存裝置可以被聚合併分配給每個用戶端設備100,並可以通過實現更多的儲存節點來擴展總儲存容量。管理伺服器220可以為每個用戶端設備100a-d分配由儲存節點210提供的儲存裝置。在一些實施例中,管理伺服器220可以通過與其相關聯的邏輯來操作,以從用戶端設備100a-d接收指令,並響應於此獲得,更新或以其他方式處理數據。例如,用戶可以提交對某種類型的數據內容的請求。管理伺服器220可以讀取用戶資訊以驗證用戶的身份,並授予讀取儲存在儲存節點210中的數據內容的權限。然後 可以即時有效地將數據內容返回給用戶的用戶端設備,如果數據內容在本地託管在用戶端設備上。 A cloud storage server cluster 200 (not shown in FIG. 7C) may include one or more storage nodes 210a-c having storage devices for storing data. The storage devices in each storage node 210 can be aggregated and allocated to each user-end device 100, and the total storage capacity can be expanded by implementing more storage nodes. The management server 220 may allocate a storage device provided by the storage node 210 to each client device 100a-d. In some embodiments, the management server 220 may operate through logic associated with it to receive instructions from the client devices 100a-d and obtain, update, or otherwise process data in response thereto. For example, a user can submit a request for some type of data content. The management server 220 can read the user information to verify the identity of the user, and grant the permission to read the data content stored in the storage node 210. The data content can then be returned to the user's client device immediately and effectively if the data content is hosted locally on the client device.

可以在儲存節點210和用戶端設備100a-d之間佈置重複數據刪除伺服器230。在相關聯的儲存硬體設備成本高昂且網路頻寛資源稀缺的雲端儲存系統中,重複數據刪除伺服器230的實施可以協作地提供有助於有效利用現有儲存容量並減少雲中的頻寛需求的重複數據刪除能力的系統。重複數據刪除伺服器230可以與圖7C所示的用戶端設備100a-d的重複數據刪除組件443協作。作為示例,在雲端儲存系統中添加重複數據刪除機制能夠減少所需的儲存容量,因為只儲存唯一的數據或檔案。除了儲存空間節省的好處之外,可以減少設備獲取成本、功耗、設備冷卻要求和網路頻寛要求。 A deduplication server 230 may be arranged between the storage node 210 and the client devices 100a-d. In cloud storage systems where associated storage hardware equipment is costly and network resources are scarce, the implementation of the deduplication server 230 can collaboratively provide help to effectively use existing storage capacity and reduce frequency in the cloud Systems that require deduplication capabilities. The deduplication server 230 may cooperate with the deduplication component 443 of the client devices 100a-d shown in FIG. 7C. As an example, adding a deduplication mechanism to a cloud storage system can reduce the required storage capacity because only unique data or files are stored. In addition to the benefits of storage space savings, you can reduce equipment acquisition costs, power consumption, equipment cooling requirements, and network frequency requirements.

在一些實施例中,用戶行為分析伺服器240可以包含在雲端儲存伺服器集群200中。用戶行為分析伺服器240可以與用戶端設備100a中的操作系統500的用戶行為分析模組140協作,d收集和分析檔案讀取行為。在本發明的一個實施例中,可以通過將分析提供給預取管理組件541來應用分析來改進預取計劃。在一個實施例中,分析還可以用於通過提供惡意數據更改來增加或優化惡意數據更改模式對圖5所示的上述反惡意軟體系統400的模式識別器421的分析。例如,用戶端設備100a-d和儲存節點210a-c中的每一個可以包含上述反惡意軟體系統400。儘管在用戶端設備100a-d之一和儲存節點210a-c,反惡意軟體系統400可以將與惡意數據更改相對應的數據讀取操作的歷史傳送給用戶行為分析伺服器240,以便從歷史中更新惡意軟體的惡意數據更改模式。用戶行為分析伺服器240可以 將更新的惡意數據更改模式提供給每個用戶端設備100a-d和儲存節點210a-c,作為其中結合在其中的每個防惡意軟體系統400的模式識別器421的新基礎惡意數據更改。因此,一旦在多個設備之一中發現惡意數據更改,相關讀取歷史可以被傳送到用戶行為分析伺服器240,以識別惡意數據更改的相關模式(“新模式”)。然後,用戶行為分析伺服器240可以向多個設備提供惡意數據更改的新模式,以使併入其中的反惡意軟體系統400識別具有新模式的惡意數據更改。因此,用戶行為分析伺服器240可以基於與反惡意軟體系統400併入的設備中的惡意數據更改對應的數據讀取歷史來更新惡意數據更改模式,並且可以將更新的模式提供給與反惡意軟體系統400,在設備中發現的任何惡意數據更改可能對其他具有相應數據讀取歷史的設備作出貢獻。 In some embodiments, the user behavior analysis server 240 may be included in the cloud storage server cluster 200. The user behavior analysis server 240 may cooperate with the user behavior analysis module 140 of the operating system 500 in the client device 100a to collect and analyze the file reading behavior. In one embodiment of the invention, the prefetch plan can be improved by applying the analysis to the prefetch management component 541 to apply the analysis. In one embodiment, the analysis can also be used to increase or optimize the pattern of malicious data change by providing malicious data changes. The analysis of the pattern recognizer 421 of the anti-malware system 400 shown in FIG. 5 described above. For example, each of the client devices 100a-d and the storage nodes 210a-c may include the anti-malware system 400 described above. Although at one of the client devices 100a-d and the storage nodes 210a-c, the anti-malware system 400 may transmit a history of data read operations corresponding to malicious data changes to the user behavior analysis server 240 to retrieve from the history Update the malware's malicious data change mode. The user behavior analysis server 240 may provide the updated malicious data change mode to each client device 100a-d and the storage node 210a-c as a pattern recognizer 421 of each anti-malware system 400 incorporated therein. New basic malicious data changes. Therefore, once a malicious data change is found in one of the multiple devices, the relevant read history may be transmitted to the user behavior analysis server 240 to identify the relevant pattern of the malicious data change ("new mode"). The user behavior analysis server 240 may then provide multiple devices with a new pattern of malicious data changes to cause the incorporated anti-malware system 400 to identify malicious data changes with the new pattern. Therefore, the user behavior analysis server 240 may update the malicious data change mode based on the data reading history corresponding to the malicious data change in the device incorporated by the anti-malware system 400, and may provide the updated mode to the anti-malware software. System 400. Any malicious data changes found in the device may contribute to other devices with corresponding data reading history.

在一些實施例中,額外的伺服器可以被包括在雲端儲存伺服器集群200中。例如,系統環境可以包括web伺服器(未呈現),用於回應從用戶設備接收請求並向其提供內容。雲端儲存伺服器集群200還可以包括應用伺服器(未呈現),其包括適當的硬體和軟體,用於根據需要與儲存在其中的數據進行集成,以執行用戶端設備的一個或多個應用的各個方面,以及處理數據讀取和應用程式的業務邏輯。數據請求和響應的處理以及一個或多個用戶端設備(例如,用戶端設備110)和雲端儲存伺服器群集200之間的內容傳送可以由Web伺服器來處理。 In some embodiments, additional servers may be included in the cloud storage server cluster 200. For example, the system environment may include a web server (not presented) for responding to receiving requests from user devices and providing content to them. The cloud storage server cluster 200 may also include an application server (not shown), which includes appropriate hardware and software for integrating with the data stored therein as needed to execute one or more applications of the client device Aspects, as well as the business logic that handles data reading and applications. The processing of data requests and responses and the transfer of content between one or more client devices (eg, the client device 110) and the cloud storage server cluster 200 may be handled by a web server.

圖7E呈現根據本發明的一些實施例的在包括混合雲檔案系統510的用戶端設備100內實現的典型反惡意軟體系統。在本發明的一個實施例中,可以提供典型的的反惡意軟體(特別是勒索軟體)系統400,其 能夠檢測惡意軟體的惡意數據更改(例如勒索軟體的檔案加密)和管理誘餌檔以檢測惡意數據更改。例如,當反惡意軟體系統400查找由勒索軟體加密的高速快取設備570中的檔案時,混合雲檔案系統510可以將檔案上傳停止到雲端儲存伺服器集群200。在本發明的一個實施例中,混合雲檔案系統510可以進一步請求並提取物理儲存在雲端儲存伺服器集群200中的相應數據內容以替換高速快取設備570中的加密檔案。在本發明的另一實施例中混合雲檔案系統510可能只能從雲端儲存伺服器集群200獲取“固定檔案”,並且由於數據內容被物理儲存在雲端儲存伺服器集群200中,並且刪除了高速快取設備570中的其他“未固定檔案”,並且拷貝儲存在高速快取設備570中的數據內容僅用於快速讀取。在本發明的一個實施例中,對於物理儲存在雲端儲存伺服器集群200中的數據內容並且僅包括用於重複數據刪除的用戶端設備100中的散列值,雲端儲存伺服器集群200可以從與可疑檔案相對應的數據內容生成散列值被勒索軟體加密,並將雜湊值發送到用戶端設備100進行還原。參考圖在圖7D中,典型反惡意軟體系統400可以包括用於在高速快取設備570中創建上述誘餌檔的誘餌檔管理模組410,並且通過勒索軟體維護用於檢測檔案加密(或其他惡意數據更改)的誘餌檔列表。典型反惡意軟體系統400可以進一步包括惡意軟體檢測模組420,用於通過監控誘餌檔的檔案狀態或與誘餌檔對應的數據更改指令來在本發明的一個實施例中通過勒索軟體檢測檔案加密。一旦發現由勒索軟體加密的誘餌檔,則惡意軟體檢測模組420可以確認混合雲檔案系統510的同步管理模組540停止檔案上傳,並進一步獲取物理儲存在雲端儲存伺服器集群200中的檔案,透過快取管理模組530來獲取的檔案替換儲存在高 速快取設備570中的檔案。在本發明的一個實施例中,惡意軟體檢測模組420還可以接收基於來自用戶行為分析伺服器240的其他設備中的惡意數據更改生成的模式,並更新其維護的惡意數據更改模式。在一些實施例中,惡意軟體檢測模組420還可以向用戶行為分析伺服器240提供與所識別的惡意數據更改相對應的監控歷史,以生成新模式。 FIG. 7E presents a typical anti-malware system implemented within a client device 100 including a hybrid cloud file system 510 according to some embodiments of the invention. In one embodiment of the present invention, a typical anti-malware (especially ransomware) system 400 can be provided, which can detect malicious data changes of the malware (such as file encryption of ransomware) and manage bait files to detect malicious Data changes. For example, when the anti-malware system 400 looks for files in the high-speed cache device 570 encrypted by ransomware, the hybrid cloud file system 510 may stop file upload to the cloud storage server cluster 200. In one embodiment of the present invention, the hybrid cloud file system 510 may further request and extract the corresponding data content physically stored in the cloud storage server cluster 200 to replace the encrypted file in the high-speed cache device 570. In another embodiment of the present invention, the hybrid cloud file system 510 may only obtain "fixed files" from the cloud storage server cluster 200, and because the data content is physically stored in the cloud storage server cluster 200, and high-speed data is deleted Other "unfixed files" in the cache device 570, and copying the data content stored in the high-speed cache device 570 is only used for fast reading. In one embodiment of the present invention, for the data content physically stored in the cloud storage server cluster 200 and including only the hash value in the client device 100 for deduplication, the cloud storage server cluster 200 may be changed from The generated hash value of the data content corresponding to the suspicious file is encrypted by the ransomware, and the hash value is sent to the client device 100 for restoration. Referring to Figure 7D, a typical anti-malware system 400 may include a decoy file management module 410 for creating the above-mentioned decoy file in the high-speed cache device 570, and maintained by ransomware for detecting file encryption (or other malicious software) Data change) decoy list. The typical anti-malware system 400 may further include a malware detection module 420 for detecting file encryption by ransomware in one embodiment of the present invention by monitoring the file status of the decoy file or data change instructions corresponding to the decoy file. Once a bait file encrypted by ransomware is found, the malware detection module 420 can confirm that the synchronization management module 540 of the hybrid cloud file system 510 stops file upload and further obtains the files physically stored in the cloud storage server cluster 200. The files obtained through the cache management module 530 replace the files stored in the high-speed cache device 570. In one embodiment of the present invention, the malware detection module 420 may also receive patterns generated based on malicious data changes in other devices from the user behavior analysis server 240 and update the malicious data change patterns maintained by it. In some embodiments, the malware detection module 420 may also provide the user behavior analysis server 240 with a monitoring history corresponding to the identified malicious data changes to generate a new pattern.

圖8呈現根據本發明的一些實施例的用典型反惡意軟體系統400實現的典型電子設備600。在本發明的一個實施例中,電子設備600可以是用戶端設備100的圖示。如先前段落所述,電子設備600可以包括用於儲存檔案的本地儲存媒體610,並且在一些實施例中,提供快取另外,電子設備600通常可以包括用於執行反惡意軟體系統400(和本發明的一些實施例中的操作系統500)的指令的處理器630,連接到處理器的記憶體650用於臨時保持要由處理器630處理的檔案,用於讀取網路300以用於向或從雲端儲存伺服器集群200上傳或下載檔案的通信模組670。處理器630可以在儲存媒體610中產生誘餌檔並且通過以下方式檢測勒索軟體感染,通過確認通訊模組670檢查包含在要上傳到雲端儲存伺服器集群200的檔案中的誘餌檔。一旦發現了勒索軟體感染,處理器630可以進一步確定可疑的被勒索軟體加密的檔案的範圍,並通過通訊模組670從雲端儲存伺服器集群200請求相應的副本。通訊模組670可以從雲接收檔案儲存伺服器集群200用於處理器630用可接收的檔案替換可疑的在儲存媒體610中被加密的檔案。 FIG. 8 presents a typical electronic device 600 implemented with a typical anti-malware system 400 according to some embodiments of the invention. In one embodiment of the present invention, the electronic device 600 may be an illustration of the client device 100. As described in the previous paragraph, the electronic device 600 may include a local storage medium 610 for storing archives, and in some embodiments, a cache is provided. In addition, the electronic device 600 may generally include an anti-malware system 400 (and The processor 630 of the instruction of the operating system 500) in some embodiments of the invention is connected to the processor's memory 650 for temporarily holding files to be processed by the processor 630 for reading the network 300 for Or a communication module 670 for uploading or downloading files from the cloud storage server cluster 200. The processor 630 may generate a bait file in the storage medium 610 and detect the ransomware infection in the following manner, and check the bait file included in the file to be uploaded to the cloud storage server cluster 200 by confirming the communication module 670. Once a ransomware infection is found, the processor 630 may further determine the range of the suspicious encrypted file by the ransomware and request a corresponding copy from the cloud storage server cluster 200 through the communication module 670. The communication module 670 may receive the file storage server cluster 200 from the cloud for the processor 630 to replace the suspiciously encrypted file in the storage medium 610 with the receivable file.

在圖8中,在本發明的另一個實施例中,電子設備600可以是雲端儲存伺服器集群200中的圖示。電子設備600可以包括用於儲存從 用戶端設備100接收的檔案的儲存媒體610。此外,電子設備600通常可以包括用於執行反惡意軟體系統(和本發明的一些實施例中的操作系統500)的指令的處理器630,連接到處理器的記憶體650,用於暫時保存要處理的檔案通過處理器630,通訊模組670用於讀取網路300以從用戶端設備100接收或發送檔案。處理器630可以維護由用戶端設備100創建的誘餌檔列表,並通過檢查誘餌檔來檢測勒索軟體感染包括在通過本發明的一個實施例中通過通訊模組670從用戶端設備100接收的檔案。在本發明的一個實施例中,電子設備600根據從用戶端設備100接收到的檔案更新來同步其檔案的至少一部分。處理器630可以進一步保留由於檔案而被更新或刪除的檔案的副本一旦找到檔案被勒索軟體加密(感染)的檔案,收到的更新被收到。一旦發現勒索軟體感染,處理器630可以進一步確定可疑地被勒索軟體加密的檔案的範圍,並將可疑檔案替換為儲存媒體610中的相應的保留副本。在本發明的一個實施例中,電子設備600可以通過通訊模組670從用戶端設備100接收檔案還原請求,並通過通訊模組670將上述保留的副本發送回用戶端設備100。 In FIG. 8, in another embodiment of the present invention, the electronic device 600 may be an illustration in a cloud storage server cluster 200. The electronic device 600 may include a storage medium 610 for storing archives received from the client device 100. In addition, the electronic device 600 may generally include a processor 630 for executing instructions of an anti-malware system (and the operating system 500 in some embodiments of the present invention), and a memory 650 connected to the processor for temporarily storing The processed files pass through the processor 630 and the communication module 670 is used to read the network 300 to receive or send files from the client device 100. The processor 630 may maintain a list of decoy files created by the client device 100 and detect the ransomware infection by checking the decoy files, including files received from the client device 100 through the communication module 670 in an embodiment of the present invention. In one embodiment of the present invention, the electronic device 600 synchronizes at least a part of its file according to the file update received from the client device 100. The processor 630 may further retain a copy of the file that has been updated or deleted due to the file. Once a file that is encrypted (infected) by the ransomware is found, the received update is received. Once a ransomware infection is found, the processor 630 may further determine the range of the file that was suspiciously encrypted by the ransomware and replace the suspicious file with a corresponding reserve copy in the storage medium 610. In one embodiment of the present invention, the electronic device 600 may receive the file restoration request from the client device 100 through the communication module 670, and send the reserved copy to the client device 100 through the communication module 670.

上述圖8中的本地儲存媒體610可以是嵌入在電子設備600中的電腦可讀記錄媒體,並且還可以包括ROM、RAM、EPROM、EEPROM、硬碟、固態硬碟、軟碟、CD-ROM、DVD-ROM或其他形式的電子,電磁或光記錄媒體。在一些實施例中,本地儲存媒體610可以進一步是能夠讀取上述電腦可讀記錄媒體的一個或多個介面。處理器630可以是用於在記憶體650中執行程式指令的處理器或控制器,並且還可以包括具有嵌入式程式指令的嵌入式系統或專用集成電路(ASIC)。通訊模組670可以是有線 網路介面或採用一種或多種定制協議或遵循現有或事實上的標準的無線收發器,諸如乙太網、IEEE 802.11或IEEE 802.15系列、無線USB或電信標準,例如GSM、CDMAone、CDMA2000、WCDMA、TD-SCDMA、WiMAX、3GPP-LTE、TD-LTE和LTE-Advanced。 The above-mentioned local storage medium 610 in FIG. 8 may be a computer-readable recording medium embedded in the electronic device 600, and may further include ROM, RAM, EPROM, EEPROM, hard disk, solid-state hard disk, floppy disk, CD-ROM, DVD-ROM or other forms of electronic, electromagnetic or optical recording media. In some embodiments, the local storage medium 610 may further be one or more interfaces capable of reading the computer-readable recording medium. The processor 630 may be a processor or a controller for executing program instructions in the memory 650, and may further include an embedded system or an application specific integrated circuit (ASIC) with embedded program instructions. The communication module 670 may be a wired network interface or a wireless transceiver using one or more custom protocols or following existing or de facto standards, such as Ethernet, IEEE 802.11 or IEEE 802.15 series, wireless USB or telecommunications standards, such as GSM , CDMAone, CDMA2000, WCDMA, TD-SCDMA, WiMAX, 3GPP-LTE, TD-LTE and LTE-Advanced.

上述概述了若干實施例的特徵,使得本領域技術人員可以更好地理解本發明的各個面向。本領域技術人員應當理解,其可容易地將本發明內容用作設計或修改用於執行本文介紹的實施例的相同目的或實現相同優點的其它過程和結構的基礎。本領域技術人員還應該意識到,這種相同的結構不脫離本發明的精神和範圍,並且在不脫離本發明的精神和範圍的情況下,它們可以在此進行各種更改、替換和更改。 The foregoing outlines features of several embodiments so that those skilled in the art may better understand the aspects of the present invention. Those skilled in the art will understand that they can readily use the present disclosure as a basis for designing or modifying other processes and structures for carrying out the same purposes or achieving the same advantages of the embodiments described herein. Those skilled in the art should also realize that such identical structures do not depart from the spirit and scope of the present invention, and that they can make various changes, substitutions and alterations herein without departing from the spirit and scope of the present invention.

Claims (84)

一種機器實現的方法,用於檢測可通信地連接到第二電腦裝置的第一電腦裝置中的數據的惡意更改,其中第一電腦裝置將檔案更新資訊和更新的檔案傳送到第二電腦裝置,方法包括:將第一電腦裝置的檔案夾中的多個檔案及多個檔案夾產生對應的一個或多個誘餌檔;在該第一電腦裝置處檢查用於識別與該誘餌檔相對應的數據更改的誘餌檔的檔案狀態;以及如果識別出與誘餌檔相對應的數據更改:在第一電腦裝置處停止將檔案更新資訊和更新的檔案從第一電腦裝置傳輸到第二電腦裝置;以及在第一電腦裝置處產生對應於數據的惡意更改的訊息。     A machine-implemented method for detecting malicious changes to data in a first computer device communicably connected to a second computer device, wherein the first computer device transmits file update information and updated files to the second computer device, The method includes: generating a plurality of files and a plurality of folders in a folder of a first computer device to generate corresponding one or more decoy files; checking at the first computer device to identify data corresponding to the decoy file The file status of the changed decoy file; and if a data change corresponding to the decoy file is identified: stopping the transfer of file update information and updated files from the first computer device to the second computer device at the first computer device; and at A message corresponding to a malicious alteration of the data is generated at the first computer device.     如請求項1所述的機器實現方法,進一步包括:在第一電腦裝置處檢查是否符合與檔案更新資訊相對應的至少一個準則;以及在第一電腦裝置處停止將檔案更新資訊和更新的檔案從第一電腦裝置傳輸到第二電腦裝置,只有當至少一個準則被單獨地符合時,識別與誘餌檔相對應的數據更改。     The method according to claim 1, further comprising: checking at the first computer device whether at least one criterion corresponding to the file update information is met; and stopping the file update information and the updated file at the first computer device. The transfer from the first computer device to the second computer device identifies a data change corresponding to the bait file only when at least one criterion is individually met.     如請求項2所述的機器實現方法,進一步包括:如果符合該至少一個準則,則在該第一電腦裝置處停止將檔案更新資訊和更新的檔案從該第一電腦裝置傳輸到該第二電腦裝置一段時間;以及 在第一電腦裝置處重新啟動檔案更新資訊和從第一電腦裝置更新的檔案到第二電腦裝置的傳輸;若:在該期間,在該第一電腦裝置中不符合該至少一個準則;則於該期間不會識別出與誘餌檔相對應的數據更改。     The method for implementing a machine according to claim 2, further comprising: if the at least one criterion is met, stopping transmitting the file update information and the updated file from the first computer device to the second computer at the first computer device Install the device for a period of time; and restart the file update information at the first computer device and the transfer of files updated from the first computer device to the second computer device; if: during this period, the at least one first computer device does not meet the at least A criterion; no data changes corresponding to the bait stall will be identified during this period.     如請求項2所述的機器實現方法,其中該至少一個準則包括檔案更新頻率的上限值。     The machine-implemented method according to claim 2, wherein the at least one criterion includes an upper limit value of an archive update frequency.     如請求項1所述的機器實現方法,進一步包括:在第一電腦裝置處識別與基於識別的誘餌檔相對應的數據更改對應於數據的惡意更改的檔案的範圍;在第一電腦裝置請求對應於來自第二電腦裝置的檔案的範圍的副本;以及在該第一電腦裝置處接收來自該第二電腦裝置的該副本,並且替換與該副本的惡意數據更改相對應的檔案的範圍。     The method for implementing a machine according to claim 1, further comprising: identifying, at the first computer device, a range of a file corresponding to a data change corresponding to a malicious change of the data based on the identified decoy file; and requesting the corresponding at the first computer device A copy of the range of the file from the second computer device; and receiving the copy of the second computer device at the first computer device and replacing the range of the file corresponding to the malicious data change of the copy.     如請求項1所述的機器實現方法,其中對應於該誘餌檔的數據更改包括該誘餌檔的加密或刪除。     The method according to claim 1, wherein the data change corresponding to the decoy file includes encryption or deletion of the decoy file.     如請求項2所述的機器實現方法,其中可通信地連接到該第二電腦裝置的第三電腦裝置和包括該第一電腦裝置的電腦裝置組生成從該電腦裝置組收集的數據讀取歷史中的數據的惡意更改模式,並且該方法進一步包括:在與從第一電腦裝置到第三電腦裝置的誘餌檔對應的數據更改相關聯的時間段期間發送數據讀取歷史,以產生數據的惡意更改模式;在該第一電腦裝置處接收來自該第三電腦裝置的數據的惡意更改的一種 或多種模式;以及在該第一電腦裝置處更新該至少一個準則以包括該模式的識別。     The machine implementation method according to claim 2, wherein a third computer device communicably connected to the second computer device and a computer device group including the first computer device generate a data reading history collected from the computer device group And a method for maliciously altering data in the data, and the method further includes transmitting a data read history during a time period associated with the data change corresponding to the decoy file from the first computer device to the third computer device to generate malicious data Changing a mode; receiving one or more modes of malicious alteration of data from the third computer device at the first computer device; and updating the at least one criterion at the first computer device to include identification of the mode.     一種機器實現的方法,用於檢測可通信地連接到第二電腦裝置的第一電腦裝置中的數據的惡意更改,其中該第一電腦裝置被配置為獲得該第二電腦裝置中的授權雲端儲存裝置的認證,定義混合雲將要被物理儲存在授權雲端儲存裝置中的混合雲端儲存裝置中的檔案的與授權雲端儲存磁區相對應的第一電腦裝置中的儲存裝置定義在第一電腦裝置中具有分配的儲存容量的高速快取設備,用於保留副本該混合雲端儲存裝置中的檔案的一部分用於處理檔案並將該混合雲端儲存裝置中的檔案的更新同步到該授權雲端儲存裝置,並且該方法包括:在發送檔案更新資訊之前,基於檔案更新資訊,在第一電腦裝置處檢查混合雲端儲存裝置中的數據的一個或多個惡意更改模式,以及用於第二設備的更新檔案,以根據授權雲端儲存裝置操縱檔案到檔案更新資訊和更新檔案;如果識別出數據的惡意更改的至少一種模式,則在第一電腦裝置處停止將檔案更新資訊和更新的檔案從第一電腦裝置傳輸到第二電腦裝置;以及在第一電腦裝置處提供對應於數據的惡意更改的訊息。     A machine-implemented method for detecting malicious alteration of data in a first computer device communicably connected to a second computer device, wherein the first computer device is configured to obtain authorized cloud storage in the second computer device Device authentication, which defines that the hybrid cloud will be physically stored in the hybrid cloud storage device in the authorized cloud storage device. The storage device in the first computer device corresponding to the authorized cloud storage volume is defined in the first computer device. A high-speed cache device with allocated storage capacity for retaining a copy of a portion of the files in the hybrid cloud storage device for processing the files and synchronizing updates of the files in the hybrid cloud storage device to the authorized cloud storage device, and The method includes: before sending the file update information, based on the file update information, checking one or more malicious change modes of the data in the hybrid cloud storage device at the first computer device, and updating the file for the second device to Manipulate files to file update information and update files based on authorized cloud storage devices If at least one pattern of malicious alteration of the data is identified, transmitting the file update information and the updated file from the first computer device to the second computer device at the first computer device; and providing the first computer device corresponding to Message of malicious change of data.     如請求項8所述的機器實現方法,進一步包括:在第一電腦裝置處,基於數據的惡意更改的至少一種模式,從第二電腦裝置請求儲存在授權雲端儲存裝置中的一個或多個檔案;在該第一電腦裝置處接收來自該第二電腦裝置的該一個或多個檔案;以 及基於數據的惡意更改的至少一種模式來替換高速快取設備中的一個或多個保留副本與一個或多個檔案。     The method for implementing a machine according to claim 8, further comprising: at the first computer device, requesting one or more files stored in the authorized cloud storage device from the second computer device based on at least one mode of malicious modification of data Receiving the one or more files from the second computer device at the first computer device; and replacing at least one mode of malicious alteration of data based on one or more reserved copies and one or more of the cache device Multiple files.     如請求項8所述的機器實現方法,其中該一個或多個數據的惡意更改模式包括高速快取設備中的檔案更新頻率的上限值。     The method for implementing a machine according to claim 8, wherein the malicious change mode of the one or more data includes an upper limit value of a file update frequency in the high-speed cache device.     如請求項8所述的機器實現方法,進一步包括:如果在特定期間的傳輸停止期間沒有識別出一個或多個惡意數據變化模式,則在第一電腦裝置處重新啟動檔案更新資訊的傳輸和更新的檔案。     The method for implementing a machine according to claim 8, further comprising: if one or more malicious data change patterns are not recognized during the transmission stop of the specific period, restarting the transmission and update of the file update information at the first computer device File.     如請求項8所述的機器實現方法,進一步包括:在第一電腦裝置處產生一個或多個檔案作為高速快取設備中的誘餌檔;以及其中數據的惡意更改的一種或多種模式包括與高速快取設備中的誘餌檔相對應的數據更改。     The method for implementing a machine according to claim 8, further comprising: generating one or more files at the first computer device as a decoy file in the high-speed cache device; and wherein one or more modes of malicious modification of the data include high-speed Changes to the data corresponding to the decoy file in the cache device.     如請求項12所述的機器實現方法,其中對應於該誘餌檔的數據更改包括該誘餌檔的加密或刪除。     The method according to claim 12, wherein the data change corresponding to the decoy file includes encryption or deletion of the decoy file.     如請求項8所述的機器實現方法,其中可通信地連接到該第二電腦裝置的第三電腦裝置和包括該第一電腦裝置的一組電腦裝置生成來自從該電腦組中收集的數據讀取歷史中的數據的惡意更改的更新模式裝置,該方法進一步包括:在與從該第一電腦裝置到該第三電腦裝置的該數據的惡意更改的該至少一種模式的識別相關聯的時間段期間傳輸數據讀取歷史,用於產生數 據的惡意更改模式;在該第一電腦裝置處接收來自該第三電腦裝置的數據的惡意更改的一個或多個更新模式;以及在第一電腦裝置處修改從第三電腦裝置到第一電腦裝置中數據的惡意更改的一種或多種模式的更新模式。     The machine implementation method of claim 8, wherein a third computer device communicably connected to the second computer device and a group of computer devices including the first computer device generate data read from data collected from the computer group An update mode device for taking maliciously changed data in history, the method further comprising: at a time period associated with the identification of the at least one mode of the malicious change of the data from the first computer device to the third computer device Transmitting a data read history during the generation of a malicious change mode of the data; receiving one or more update modes of the malicious change of data from the third computer device at the first computer device; and at the first computer device An update mode that modifies one or more modes of malicious change of data from the third computer device to the first computer device.     一種儲存用於檢測第一電腦裝置中的數據的惡意更改的程式的非暫時機器可讀媒體,包括能夠將檔案更新資訊和更新檔案傳送到第二電腦裝置的通信模組,該程式可由至少一個處理單元的第一電腦裝置,該程式包括的指令集用於:在第一電腦裝置中生成一個或多個檔案作為包含其中的檔案和檔案夾的檔案夾中的誘餌檔;檢查誘餌檔的檔案狀態,以識別與誘餌檔相對應的數據更改;和如果識別出與誘餌檔相對應的數據更改:停止從第一電腦裝置向第二電腦裝置傳輸檔案更新資訊和更新的檔案;以及生成對應於數據惡意更改的訊息。     A non-transitory machine-readable medium storing a program for detecting malicious changes in data in a first computer device, which includes a communication module capable of transmitting file update information and update files to a second computer device, and the program may be composed of at least one The first computer device of the processing unit, the program includes a set of instructions for: generating one or more files in the first computer device as bait files in the folder containing the files and folders therein; checking the files of the bait file Status to identify data changes corresponding to the decoy file; and if data changes corresponding to the decoy file are identified: stop transmitting file update information and updated files from the first computer device to the second computer device; and generate a file corresponding to Maliciously changed data.     如請求項15所述的非暫時機器可讀媒體,其中該程式的一組指令還包括:檢查是否符合與檔案更新資訊相對應的至少一個準則;以及只有通過識別與誘餌檔相對應的數據更改單獨地符合至少一個準則,才停止將檔案更新資訊和更新的檔案從第一電腦裝置傳輸到第二電腦裝置。     The non-transitory machine-readable medium of claim 15, wherein the program's set of instructions further includes: checking for compliance with at least one criterion corresponding to the file update information; and only by identifying data changes corresponding to the decoy file Separately meeting at least one criterion before transferring file update information and updated files from the first computer device to the second computer device.     如請求項16所述的非暫時機器可讀媒體,其中該程式還包括一組指令:如果符合該至少一個準則,停止將檔案更新資訊和更新的檔案從第一電腦裝置傳輸到第二電腦裝置一段時間;以及如果以下情況,則將檔案更新資訊和更新檔案從第一電腦裝置傳輸到第二電腦裝置;在該期間,在該第一電腦裝置中不符合該至少一個準則;則在該期間不會識別出與誘餌檔相對應的數據更改。     The non-transitory machine-readable medium according to claim 16, wherein the program further includes a set of instructions: if the at least one criterion is met, stop transmitting the file update information and the updated file from the first computer device to the second computer device A period of time; and transferring file update information and update files from the first computer device to the second computer device if: during that period, the at least one criterion is not met in the first computer device; during that period No data changes corresponding to the decoy file will be recognized.     如請求項16所述的非暫時機器可讀媒體,其中該至少一個準則包括檔案更新頻率的上限值。     The non-transitory machine-readable medium of claim 16, wherein the at least one criterion includes an upper limit value of an archive update frequency.     如請求項15所述的非暫時機器可讀媒體,其中該程式還包括一組指令:根據識別出的誘餌檔的數據更改,識別對應於數據惡意更改的檔案範圍;從該第二電腦裝置請求與該檔案的範圍相對應的副本;以及從第二電腦裝置接收副本,並替換與副本的數據惡意更改對應的檔案的範圍。     The non-transitory machine-readable medium according to claim 15, wherein the program further includes a set of instructions: identifying a file range corresponding to the malicious change of the data according to the data change of the identified decoy file; requesting from the second computer device A copy corresponding to the range of the file; and receiving a copy from the second computer device and replacing the range of the file corresponding to the malicious change of the copy's data.     如請求項15所述的非暫時機器可讀媒體,其中與該誘餌檔相對應的數據更改包括該誘餌檔的加密或刪除。     The non-transitory machine-readable medium of claim 15, wherein the data change corresponding to the decoy file includes encryption or deletion of the decoy file.     如請求項15所述的非暫時機器可讀媒體,其中可通信地連接到該第二電腦裝置的第三電腦裝置和包括該第一電腦裝置的電腦裝置組生成從該第一電腦裝置收集的數據讀取歷史中的數據的惡意更改模式一組電腦裝置,且該程式進一步包括一組指令: 在與從該第一電腦裝置到該第三電腦裝置的該誘餌檔相對應的數據更改相關聯的時間段期間發送數據讀取歷史,以產生數據的惡意更改模式;從該第三電腦裝置接收一個或多個惡意更改數據的模式;以及更新該至少一個準則以包括該模式的識別。     The non-transitory machine-readable medium of claim 15, wherein a third computer device communicably connected to the second computer device and a computer device group including the first computer device generate the collected data from the first computer device A malicious change pattern of data in the data reading history. A set of computer devices, and the program further includes a set of instructions: associated with a data change corresponding to the decoy file from the first computer device to the third computer device. Sending a data read history during a period of time to generate a maliciously altered pattern of data; receiving a pattern of one or more maliciously altered data from the third computer device; and updating the at least one criterion to include identification of the pattern.     一種非暫時機器可讀媒體,其儲存用於檢測包括能夠可通信地連接到第二電腦裝置的通信模組的第一電腦裝置中的檔案的惡意軟體感染的程式,該程式可由該第一電腦裝置的至少一個處理單元,該程式包括一組指令:獲取第二電腦裝置中的授權雲端儲存裝置的認證,在該第一電腦裝置中對應於該混合雲端儲存裝置中的檔案的授權雲端儲存裝置來定義要物理儲存在該授權雲端儲存裝置中的混合雲端儲存裝置;在該第一電腦裝置中定義具有分配的儲存容量的高速快取設備,用於保留該混合雲端儲存裝置中部分檔案的副本以處理檔案;將混合雲端儲存裝置中的檔案更新同步到授權的雲端儲存裝置;根據檔案的更新,基於在對第二設備進行同步處理授權雲端儲存裝置中的檔案的同步之前,基於檔案更新來檢查混合雲端儲存裝置中數據的惡意更改的一種或多種模式;如果識別出數據的惡意更改的至少一種模式,則停止檔案更新的同步;以及提供對應於數據惡意更改的訊息。     A non-transitory machine-readable medium storing a program for detecting a malware infection including a file in a first computer device that can be communicatively connected to a communication module of a second computer device, the program being executable by the first computer At least one processing unit of the device, the program includes a set of instructions: obtaining an authentication of an authorized cloud storage device in a second computer device, and an authorized cloud storage device in the first computer device corresponding to a file in the hybrid cloud storage device To define a hybrid cloud storage device to be physically stored in the authorized cloud storage device; a high-speed cache device with allocated storage capacity is defined in the first computer device to retain a copy of some files in the hybrid cloud storage device To process files; synchronize file updates in hybrid cloud storage devices to authorized cloud storage devices; based on the file updates, based on file updates before synchronizing the synchronization of the second device's authorized cloud storage devices with files, Check for one or more malicious changes to data in the hybrid cloud storage device Mode; if at least one identified data pattern malicious changes, update the file synchronization is stopped; and provide information corresponding to the data of malicious changes.     如請求項22所述的非暫時機器可讀媒體,其中該程式還包括一組指令:基於該至少一種數據的惡意更改模式,從該第二電腦裝置請求儲存在授權雲端儲存裝置中的一個或多個檔案;從該第二電腦裝置接收該一個或多個檔案;以及基於數據的惡意更改的至少一種模式來替換高速快取設備中的一個或多個保留副本與一個或多個檔案。     The non-transitory machine-readable medium according to claim 22, wherein the program further comprises a set of instructions: requesting one or more of the authorized cloud storage devices from the second computer device based on the malicious change mode of the at least one data or A plurality of files; receiving the one or more files from the second computer device; and replacing at least one mode of malicious changes to the data to replace one or more reserved copies and one or more files in the cache device.     如請求項22所述的非暫時機器可讀媒體,其中該一個或多個數據的惡意更改模式包括該高速快取設備中的檔案更新頻率的上限值。     The non-transitory machine-readable medium according to claim 22, wherein the malicious change mode of the one or more data includes an upper limit value of an archive update frequency in the high-speed cache device.     如請求項22所述的非暫時機器可讀媒體,其中該程式還包括一組指令:如果在特定期間的傳輸停止期間沒有識別到一個或多個惡意數據變化模式,則重新啟動檔案更新的同步。     The non-transitory machine-readable medium of claim 22, wherein the program further includes a set of instructions: if one or more malicious data change patterns are not identified during a specific period of transmission stop, restart the synchronization of the file update .     如請求項22所述的非暫時機器可讀媒體,其中該程式還包括一組指令:在高速快取設備中生成一個或多個檔案作為誘餌檔;以及其中數據的惡意更改的一種或多種模式包括與高速快取設備中的誘餌檔相對應的數據更改。     The non-transitory machine-readable medium of claim 22, wherein the program further comprises a set of instructions: generating one or more files as a decoy file in a high-speed cache device; and one or more modes of malicious alteration of data therein Includes data changes corresponding to decoy files in high-speed cache devices.     如請求項26所述的非暫時機器可讀媒體,其中對應於該誘餌檔的數據更改包括該誘餌檔的加密或刪除。     The non-transitory machine-readable medium of claim 26, wherein the data change corresponding to the decoy file includes encryption or deletion of the decoy file.     如請求項22所述的非暫時機器可讀媒體,其中可通信地連接到該第二電腦裝置的第三電腦裝置和包括該第一電腦裝置的一組電腦裝置 生成從該第一電腦裝置收集的數據讀取歷史中的數據的惡意更改模式一組電腦裝置,且該程式還包括一組指令:在與從該第一電腦裝置到該第三電腦裝置的該數據的惡意更改的該至少一種模式的識別相關聯的時間段期間傳輸數據讀取歷史,用於產生數據的惡意更改模式;從第三電腦裝置接收一個或多個更新的數據惡意更改模式;以及將該更新的模式從該第三電腦裝置修改為該第一電腦裝置中該數據的一個或多個惡意更改模式。     The non-transitory machine-readable medium of claim 22, wherein a third computer device communicably connected to the second computer device and a group of computer devices including the first computer device generate a collection from the first computer device A malicious change mode of data in the data reading history of a group of computer devices, and the program further includes a set of instructions: the at least one of the malicious changes to the data from the first computer device to the third computer device Transmitting a data read history during a period of time associated with the identification of the pattern to generate a maliciously altered pattern of data; receiving one or more updated data maliciously altered patterns from a third computer device; and removing the updated pattern from the first The three computer devices are modified to one or more malicious modification modes of the data in the first computer device.     一種電腦裝置,包括:一能夠將包括一個或多個檔案的檔案作為誘餌檔儲存的儲存媒體;一能夠可通信地連接到一遠程設備的通信元件;記憶體;以及一處理器,其耦合到該記憶體並且被配置為執行儲存在該記憶體中的指令,以使該處理器:當儲存媒體中的檔案被更新時,根據檔案更新資訊和更新檔案,將檔案更新資訊和更新檔案發送到該遠程設備,用於該遠程設備操縱其中的檔案;在將檔案更新資訊和更新的檔案發送到該遠程設備之前,檢查用於識別與誘餌檔相對應的數據更改的誘餌檔的檔案狀態;以及如果識別出與誘餌檔相對應的數據更改:停止將檔案更新資訊和更新的檔案從電腦裝置傳輸到該遠程設備;以及生成對應於數據惡意更改的訊息。     A computer device includes: a storage medium capable of storing a file including one or more files as a decoy file; a communication element communicably connected to a remote device; a memory; and a processor coupled to The memory is also configured to execute instructions stored in the memory, so that the processor: when the file in the storage medium is updated, sends the file update information and the update file to the file according to the file update information and the update file. The remote device for the remote device to manipulate the files therein; before sending the file update information and the updated file to the remote device, checking the file status of the decoy file for identifying data changes corresponding to the decoy file; and If a data change corresponding to the decoy file is identified: stop transmitting file update information and updated files from the computer device to the remote device; and generate a message corresponding to the malicious change of the data.     如請求項29所述的電腦裝置,其中儲存在該記憶體中以使該處理器檢查該誘餌檔的檔案狀態的指令包括使該處理器產生作為該誘餌檔的檔案並將所生成的誘餌檔儲存在該儲存媒體中的指令。     The computer device of claim 29, wherein the instructions stored in the memory to cause the processor to check the file status of the bait file include causing the processor to generate a file as the bait file and to generate the bait file Commands stored in the storage medium.     如請求項29所述的電腦裝置,其中儲存在該記憶體中以使該處理器停止傳輸的指令包括使該處理器進行的指令:檢查是否符合與檔案更新資訊對應的至少一個準則;以及只有當至少一個準則被單獨地符合與識別對應於誘餌檔的數據更改,通過該通信元件將檔案更新資訊和更新後的檔案傳送到該遠程設備。     The computer device of claim 29, wherein the instructions stored in the memory to stop the processor from transmitting include instructions to cause the processor to: check whether at least one criterion corresponding to the file update information is met; and When at least one criterion is individually met and identified, the data corresponding to the decoy file is changed, and the file update information and the updated file are transmitted to the remote device through the communication element.     如請求項29所述的電腦裝置,其中儲存在該記憶體中以使該處理器停止傳輸的指令包括使該處理器進行的指令:一旦要發送到該遠程設備的檔案符合該至少一個準則,則通過該通信元件停止一段時間對該遠程設備的傳輸;以及通過該通信元件重新啟動到該遠程設備的傳輸,條件包括:在特定時間段內沒有符合至少一個準則;則沒有誘餌檔或沒有與要發送到該遠程設備的檔案中識別的至少一個誘餌檔具有相同檔案名的檔案。     The computer device of claim 29, wherein the instructions stored in the memory to stop the processor from transmitting include instructions to cause the processor to: once the file to be sent to the remote device meets the at least one criterion, Then stop transmitting to the remote device for a period of time through the communication element; and restart transmission to the remote device through the communication element, the conditions include: failing to meet at least one criterion within a certain period of time; At least one decoy file identified in the file to be sent to the remote device has a file with the same file name.     如請求項31所述的電腦裝置,其中該至少一個準則包括檔案更新頻率的上限值。     The computer device according to claim 31, wherein the at least one criterion includes an upper limit value of a file update frequency.     如請求項29所述的電腦裝置,其中儲存在該記憶體中以使該處理器停止傳輸的指令包括使該處理器進行的指令:根據識別出的誘餌檔的數據更改,識別對應於數據惡意更改的檔案範圍;從該遠程設備請求與檔案範圍對應的副本;以及 從該遠程設備接收副本,並用該副本替換對應於數據惡意更改的檔案的範圍。     The computer device of claim 29, wherein the instructions stored in the memory to stop the processor from transmitting include instructions to cause the processor to perform: identifying data corresponding to malicious data based on the data change of the identified decoy file A changed archive range; requesting a copy corresponding to the archive range from the remote device; and receiving a copy from the remote device and replacing the range of the archive corresponding to the malicious change of data with the copy.     如請求項29所述的電腦裝置,其中與該誘餌檔相對應的數據更改包括該誘餌檔的加密或刪除。     The computer device of claim 29, wherein the data change corresponding to the decoy file includes encryption or deletion of the decoy file.     如請求項31所述的電腦裝置,其中可通信地連接到該遠程設備的伺服器和包括該電腦裝置的邊緣節點組生成從該邊緣節點組收集的數據讀取歷史中的數據的惡意更改模式,以及該指令儲存在該記憶體中以使該處理器停止傳輸包括使該處理器進行的指令:在與該誘餌檔相對應的數據更改相關聯的期間將數據讀取歷史傳輸到該伺服器,以產生數據的惡意更改模式;從該伺服器接收一個或多個惡意數據更改模式;以及更新至少一個準則以包括模式的識別。     The computer device according to claim 31, wherein the server communicably connected to the remote device and the edge node group including the computer device generate a malicious change pattern of data in the data reading history collected from the edge node group And the instruction stored in the memory to cause the processor to stop transmitting includes an instruction to cause the processor to: transmit a data read history to the server during periods associated with data changes corresponding to the decoy file To generate a malicious change pattern of the data; receive one or more malicious data change patterns from the server; and update at least one criterion to include the identification of the pattern.     一種電腦裝置,包括:一能夠儲存檔案的儲存媒體;一能夠可通信地連接到一雲端儲存伺服器的通信元件;記憶體;以及一處理器,其耦合到該記憶體並且被配置為執行儲存在該記憶體中的指令,以使該處理器:由該通信元件獲取該雲端儲存伺服器中的授權雲端儲存裝置的認證和相應的裝置信息;基於該裝置信息來定義與該授權雲端儲存裝置相對應的混合雲端儲存裝置,並且其中該混合雲端儲存裝置具有檔案目錄; 經由該記憶體從儲存媒體接收一個或多個檔案,並且其中該一個或多個檔案將被儲存在該混合雲端儲存裝置的檔案目錄中;基於該一個或多個檔案檢查該混合雲端儲存裝置中的數據的惡意更改的一種或多種模式;以及如果沒有識別出數據的惡意更改模式,則由通信元件將一個或多個檔案上傳到雲端儲存伺服器中的授權雲端儲存裝置;以及如果識別出數據的惡意更改模式中的至少一種模式,則由該通信元件停止上傳到該雲端儲存伺服器並且提供對應於數據的惡意更改的訊息。     A computer device includes: a storage medium capable of storing files; a communication element communicably connected to a cloud storage server; a memory; and a processor coupled to the memory and configured to perform storage The instructions in the memory enable the processor to: obtain, by the communication element, the authentication of the authorized cloud storage device and corresponding device information in the cloud storage server; and define and associate the authorized cloud storage device with the device information A corresponding hybrid cloud storage device, and wherein the hybrid cloud storage device has a file directory; receiving one or more files from the storage medium via the memory, and wherein the one or more files are to be stored in the hybrid cloud storage device One or more patterns of malicious changes to the data in the hybrid cloud storage device based on the one or more files; and one or more patterns of malicious changes to the data are not identified by the communication element based on the one or more files Upload the file to an authorized cloud storage device in the cloud storage server; and If at least one of the maliciously altered patterns of data is identified, the communication element stops uploading to the cloud storage server and provides a message corresponding to the maliciously altered data.     如請求項37所述的電腦裝置,其中儲存在該記憶體中以使該處理器停止上傳檔案的指令包括使該處理器:如果識別出數據的惡意更改的至少一種模式:由該通信元件請求該雲端儲存伺服器,根據該混合雲端儲存裝置的檔案目錄,儲存在該儲存媒體中的檔案對應的該授權雲端儲存裝置中的檔案;由該通信元件接收來自該雲端儲存伺服器的檔案;以及使用從該儲存伺服器接收的檔案替換該儲存媒體中的檔案。     The computer device of claim 37, wherein the instructions stored in the memory to stop the processor from uploading the file include causing the processor to: if at least one mode of malicious alteration of data is identified: requested by the communication element The cloud storage server, according to the file directory of the hybrid cloud storage device, the file in the authorized cloud storage device corresponding to the file stored in the storage medium; the communication element receives the file from the cloud storage server; and Replace files in the storage medium with files received from the storage server.     如請求項37所述的電腦裝置,其中該一種或多種數據惡意更改模式包括該高速快取設備中的檔案更新頻率的上限值。     The computer device according to claim 37, wherein the one or more data malicious change modes include an upper limit value of a file update frequency in the high-speed cache device.     如請求項37所述的電腦裝置,其中儲存在該記憶體中以使該處理器停止上傳的指令包括使處理器:如果在特定時段的上傳停止期間沒有識別出數據的惡意更改模式,則將該通信元件的一個或多個檔案上傳到該雲端儲存伺服器中的該授權 雲端儲存裝置。     The computer device of claim 37, wherein the instructions stored in the memory to stop the processor from uploading include causing the processor to: if a maliciously altered pattern of data is not identified during a certain period of upload stoppage, One or more files of the communication element are uploaded to the authorized cloud storage device in the cloud storage server.     如請求項37所述的電腦裝置,其中儲存在該記憶體中以使該處理器檢查數據的惡意更改的指令包括:在該混合雲端儲存裝置的檔案目錄中生成一個或多個檔案作為誘餌檔,完全地儲存在該儲存媒體中;以及其中該一種或多種數據惡意更改模式包括對應於該儲存媒體中的該誘餌檔的數據更改。     The computer device of claim 37, wherein the instructions stored in the memory to cause the processor to check for malicious changes to the data include: generating one or more files in the file directory of the hybrid cloud storage device as bait files , Completely stored in the storage medium; and wherein the one or more data malicious change modes include data changes corresponding to the decoy file in the storage medium.     如請求項41所述的電腦裝置,其中與該誘餌檔相對應的數據更改包括該誘餌檔的加密或刪除。     The computer device of claim 41, wherein the data change corresponding to the decoy file includes encryption or deletion of the decoy file.     如請求項37所述的電腦裝置,其中可通信地連接到該遠程設備的一伺服器和包括該電腦裝置的邊緣節點組生成從該邊緣節點組收集的數據讀取歷史中的數據的惡意更改模式,以及該指令儲存在該記憶體中以使該處理器停止上傳,其中包括使該處理器進行的指令:在與該至少一種數據惡意更改模式的識別相關聯的期間,通過該通信元件發送該混合雲端儲存裝置的檔案目錄的數據讀取歷史,以向該伺服器生成更新的惡意更改模式數據;通過該通信元件接收來自該伺服器的該一種或多種數據惡意更改模式;以及從該伺服器,在該儲存媒體中,將更新的模式修改為該一種或多種數據惡意更改模式。     The computer device according to claim 37, wherein a server communicably connected to the remote device and the edge node group including the computer device generate malicious changes to data in the data reading history collected from the edge node group The mode, and the instruction stored in the memory to stop the processor from uploading, including an instruction to cause the processor to: send through the communication element during a period associated with the identification of the at least one data maliciously altered mode The data reading history of the file directory of the hybrid cloud storage device to generate updated malicious change mode data to the server; receiving the one or more data malicious change modes from the server through the communication element; and from the server A device, in the storage medium, modifying the updated mode to the one or more data malicious change modes.     一種用於檢測可通信地連接到一第一電腦裝置的一第二電腦裝置中數據的惡意更改的機器實現方法,其中作為誘餌檔的一個或多個檔案 被儲存在該第一電腦裝置中,並且其中該第二電腦裝置接收檔案更新資訊並更新檔案且操縱其中儲存的檔案,該方法包括:在該第二電腦裝置處檢查對應於該第一電腦裝置中數據的惡意更改的至少一個準則,其中該至少一個準則包括該第一電腦裝置中的該誘餌檔的數據更改;以及如果符合與第一電腦裝置中數據的惡意更改相對應的該至少一個準則,則在該第二電腦裝置停止對應於檔案更新資訊和從該第一電腦裝置接收的更新檔案的檔案操作。     A machine-implemented method for detecting malicious alteration of data in a second computer device communicably connected to a first computer device, wherein one or more files as bait files are stored in the first computer device, And the second computer device receives the file update information and updates the file and manipulates the file stored therein, the method includes: checking at the second computer device at least one criterion corresponding to a malicious change of data in the first computer device, The at least one criterion includes a data change of the decoy file in the first computer device; and if the at least one criterion corresponding to a malicious change of the data in the first computer device is met, the correspondence is stopped on the second computer device File operations on file update information and update files received from the first computer device.     如請求項44所述的機器實現方法,其中與該誘餌檔相對應的該數據更改包括該誘餌檔的加密或刪除。     The machine-implemented method of claim 44, wherein the data change corresponding to the decoy file includes encryption or deletion of the decoy file.     如請求項44所述的機器實現方法,其中該至少一個準則包括從該第一電腦裝置接收對應於該誘餌檔的數據更改的訊息。     The machine-implemented method of claim 44, wherein the at least one criterion includes receiving a message from the first computer device corresponding to a data change of the decoy file.     如請求項44所述的機器實現方法,其中該至少一個準則包括根據檔案更新資訊和從該第一電腦裝置接收到的更新檔案識別誘餌檔的數據更改。     The machine-implemented method of claim 44, wherein the at least one criterion includes identifying a data change of the decoy file based on the file update information and the update file received from the first computer device.     如請求項44所述的機器實現方法,其中該至少一個準則包括檔案更新頻率的上限值,並且其中該檔案更新頻率基於該檔案更新資訊和從該第一電腦裝置接收的更新檔案來計算。     The method according to claim 44, wherein the at least one criterion includes an upper limit value of a file update frequency, and wherein the file update frequency is calculated based on the file update information and an update file received from the first computer device.     如請求項44所述的機器實現方法,進一步包括:在檔案操作停止期間,如果在符合該至少一個準則的情況下,則在該第二電腦裝置處重新啟動與該檔案更新資訊和該更新檔案相對應的檔案操作。     The method for implementing a machine according to claim 44, further comprising: during the suspension of the file operation, if the at least one criterion is met, restarting the file update information and the update file with the second computer device. Corresponding file operations.     如請求項44所述的機器實現方法,其中如果符合對應於該第一電腦裝置中數據的惡意更改的該至少一個準則,則該方法進一步包括:在該第二電腦裝置處確定該第二電腦裝置中對應於該第一電腦裝置中數據的惡意更改的檔案的範圍;以及在該第二電腦裝置處檢索檔案的範圍並傳送到該第一電腦裝置。     The machine-implemented method of claim 44, wherein if the at least one criterion corresponding to a malicious change of data in the first computer device is met, the method further comprises: determining the second computer at the second computer device A range of files in the device corresponding to the maliciously altered data in the first computer device; and a range of files retrieved at the second computer device and transmitted to the first computer device.     如請求項44所述的機器實現方法,進一步包括:根據該檔案更新資訊和來自該第一電腦裝置的更新檔案,在該第二電腦裝置處保留對應於該第二電腦裝置中的檔案操縱的更改檔案的副本;以及如果符合與該第一電腦裝置中數據的惡意更改相對應的該至少一個準則:在該第二電腦裝置處確定與該第一電腦裝置中數據的惡意更改對應的該第二電腦裝置中惡意更改的檔案的範圍;在該第二電腦裝置處檢索對應於該第二電腦裝置中惡意更改的檔案的範圍的副本;以及在該第二電腦裝置處,用檢索到的副本替換惡意更改的檔案的範圍。     The method for implementing a machine according to claim 44, further comprising: maintaining, at the second computer device, a file corresponding to the file manipulation in the second computer device according to the file update information and the update file from the first computer device. A copy of the change file; and if the at least one criterion corresponding to a malicious change of data in the first computer device is met: determining at the second computer device that the first computer device corresponds to the malicious change of data in the first computer device A range of maliciously altered files in the second computer device; retrieving a copy of the range of maliciously altered files in the second computer device at the second computer device; and using the retrieved copy at the second computer device Replace the range of maliciously altered archives.     如請求項44所述的機器實現方法,其中該第二電腦裝置與一第三電腦裝置可通信地連接,該第三電腦裝置相應地發送用於該第二電腦裝置的檔案更新資訊和更新檔案:如果符合對應於該第一電腦裝置中數據的惡意更改的該至少一個準則,則在與該第二電腦裝置的數據更改相關聯的期間,在該第二電腦裝置處接收數據讀取歷史; 在該第二電腦裝置處產生的至少一種數據的惡意更改模式;以及基於檔案更新資訊和從該第三電腦裝置接收到的更新檔案來識別該數據的惡意更改的該至少一種模式,在該第二電腦裝置停止對應於檔案更新資訊和更新檔案的檔案操作該第三電腦裝置。     The method according to claim 44, wherein the second computer device is communicably connected to a third computer device, and the third computer device sends the file update information and the update file for the second computer device accordingly. If the at least one criterion corresponding to a malicious change of data in the first computer device is met, receiving a data read history at the second computer device during a period associated with the data change of the second computer device; A malicious change mode of at least one type of data generated at the second computer device; and the at least one mode for identifying a malicious change of the data based on file update information and an update file received from the third computer device, in the first The second computer device stops operating the third computer device corresponding to the file update information and the file of the updated file.     一種非暫時機器可讀媒體,其儲存用於檢測一第二電腦裝置中數據的惡意更改的一程式,該程式包括能夠從儲存有一個或多個檔案誘餌檔的一第一電腦裝置接收檔案更新資訊和更新檔案的一通信元件,以及一處理元件,其能夠根據所接收的檔案更新資訊和來自該第一電腦裝置的更新檔案操作儲存在該第二電腦裝置中的檔案,該程式可由第二電腦裝置的該處理元件執行,該程式包括指令集用於:在該第二電腦裝置處檢查對應於該第一電腦裝置中數據的惡意更改的至少一個準則,其中該至少一個準則包括該第一電腦裝置中的該誘餌檔的數據更改;以及如果符合與該第一電腦裝置中數據的惡意更改相對應的該至少一個準則,則在該第二電腦裝置停止對應於檔案更新資訊和從該第一電腦裝置接收的更新檔案的檔案操作。     A non-transitory machine-readable medium storing a program for detecting malicious changes to data in a second computer device, the program including receiving a file update from a first computer device storing one or more file decoy files A communication element for information and update files, and a processing element capable of operating a file stored in the second computer device according to the received file update information and the update file from the first computer device, and the program can be executed by the second The processing element of the computer device executes, and the program includes an instruction set for checking at the second computer device at least one criterion corresponding to a malicious change of data in the first computer device, wherein the at least one criterion includes the first The data change of the decoy file in the computer device; and if the at least one criterion corresponding to the malicious change of the data in the first computer device is met, the second computer device stops corresponding to the file update information and the information from the first File operations to update files received by a computer device.     如請求項53所述的非暫時機器可讀媒體,其中與該誘餌檔相對應的數據更改包括該誘餌檔的加密或刪除。     The non-transitory machine-readable medium of claim 53, wherein the data change corresponding to the decoy file includes encryption or deletion of the decoy file.     如請求項53所述的非暫時機器可讀媒體,其中該至少一個準則包括從該第一電腦裝置接收對應於該誘餌檔的數據更改的訊息。     The non-transitory machine-readable medium of claim 53, wherein the at least one criterion includes receiving a message from the first computer device that a data change corresponds to the decoy file.     如請求項53所述的非暫時機器可讀媒體,其中該至少一個準則包括根據該檔案更新資訊和從該第一電腦裝置接收到的更新檔案識別該 誘餌檔的數據更改。     The non-transitory machine-readable medium of claim 53, wherein the at least one criterion includes a data change identifying the decoy file based on the file update information and an update file received from the first computer device.     如請求項53所述的非暫時機器可讀媒體,其中該至少一個準則包括檔案更新頻率的上限值,並且其中該檔案更新頻率基於該檔案更新資訊和從該第一電腦裝置接收之更新檔案計算。     The non-transitory machine-readable medium of claim 53, wherein the at least one criterion includes an upper limit value of a file update frequency, and wherein the file update frequency is based on the file update information and an update file received from the first computer device Calculation.     如請求項53所述的非暫時機器可讀媒體,其中該程式進一步包括一組指令:在檔案操作停止期間,如果在符合該至少一個準則的情況下,則在該第二電腦裝置處重新啟動與該檔案更新資訊和該更新檔案相對應的該檔案操作。     The non-transitory machine-readable medium of claim 53, wherein the program further includes a set of instructions: during the suspension of the file operation, restarting at the second computer device if the at least one criterion is met The file operation corresponding to the file update information and the update file.     如請求項53所述的非暫時機器可讀媒體,其中該程式進一步包括一組指令:如果符合與該第一電腦裝置中數據的惡意更改相對應的該至少一個準則:在該第二電腦裝置處確定該第二電腦裝置中對應於該第一電腦裝置中數據的惡意更改的檔案的範圍;以及在該第二電腦裝置處檢索檔案的範圍並傳送到該第一電腦裝置。     The non-transitory machine-readable medium of claim 53, wherein the program further includes a set of instructions: if the at least one criterion corresponding to a malicious change of data in the first computer device is met: on the second computer device Determining the range of the file in the second computer device corresponding to the maliciously changed data in the first computer device; and retrieving the range of the file at the second computer device and transmitting it to the first computer device.     如請求項53所述的非暫時機器可讀媒體,其中該程式還包括一組指令,用於:根據該檔案更新資訊和來自該第一電腦裝置的更新檔案,在該第二電腦裝置處保留對應於該第二電腦裝置中的檔案操縱的更改檔案的副本;以及如果符合與該第一電腦裝置中數據的惡意更改相對應的該至少一個準 則:在該第二電腦裝置處確定與該第一電腦裝置中數據的惡意更改對應的該第二電腦裝置中惡意更改的檔案的範圍;在該第二電腦裝置處檢索對應於該第二電腦裝置中惡意更改的檔案的範圍的副本;以及在該第二電腦裝置處,用檢索到的副本替換惡意更改的檔案的範圍。     The non-transitory machine-readable medium according to claim 53, wherein the program further comprises a set of instructions for: maintaining the update information from the file and the update file from the first computer device at the second computer device A copy of a change file corresponding to a file manipulation in the second computer device; and if the at least one criterion corresponding to a malicious change of data in the first computer device is met: determining at the second computer device that the A malicious change of data in a computer device corresponding to the range of the maliciously changed file in the second computer device; retrieving a copy of the range of the file corresponding to the maliciously changed file in the second computer device at the second computer device; and At the second computer device, the range of the maliciously altered file is replaced with the retrieved copy.     如請求項53所述的非暫時機器可讀媒體,其中該第二電腦裝置與一第三電腦裝置可通信地連接,該第三電腦裝置相應地傳送檔案更新資訊和該第二電腦裝置的更新檔案來操縱其中儲存的檔案,並且其中該程式還包括一組指令:如果符合與該第一電腦裝置中的數據惡意更改相對應的該至少一個準則:在與該第一電腦裝置的該誘餌檔的數據更改相關聯的期間,在該第二電腦裝置處接收數據讀取歷史;以及在該第二電腦裝置處產生數據的惡意更改的至少一種模式;以及基於該檔案更新資訊和從該第三電腦裝置接收到的更新檔案,在該第二電腦裝置處檢查該數據的惡意更改的該至少一種模式;以及如果識別出數據的惡意更改的該至少一種模式,則在該第二電腦裝置處停止與檔案更新資訊相對應的檔案操作和從該第三電腦裝置接收到的更新檔案。     The non-transitory machine-readable medium according to claim 53, wherein the second computer device is communicably connected to a third computer device, and the third computer device transmits file update information and updates of the second computer device accordingly. Files to manipulate files stored therein, and wherein the program further includes a set of instructions: if the at least one criterion corresponding to a malicious change of data in the first computer device is met: in the decoy file corresponding to the first computer device Receiving at least one mode of data reading history at the second computer device during the period associated with the data change of the second computer device; and at least one mode of maliciously changing the data at the second computer device; The update file received by the computer device, checking the at least one mode of malicious change of the data at the second computer device; and stopping the second computer device if the at least one mode of malicious change of the data is identified A file operation corresponding to the file update information and an update file received from the third computer device.     一種裝置,包括:能夠儲存檔案的一儲存媒體; 能夠可通信地連接到一第一電腦裝置的一通信元件;記憶體;以及一處理器,其耦合到該記憶體並且被配置為執行儲存在該記憶體中的指令,以使該處理器:由該通信元件接收來自該第一電腦裝置的檔案更新資訊和更新的檔案;根據檔案更新資訊和更新的檔案來操縱儲存媒體中的檔案;檢查與該第一電腦裝置中數據的惡意更改相對應的至少一個準則;以及如果符合與該第一電腦裝置的數據的惡意更改相對應的該至少一個準則,則停止對與檔案更新資訊相對應的該儲存媒體中的檔案的操作和從該第一電腦裝置接收的更新檔案;以及其中該電腦裝置將一個或多個檔案儲存為用於數據的惡意更改的誘餌檔,並且該至少一個準則包括該第一電腦裝置中該誘餌檔的數據更改。     A device includes: a storage medium capable of storing a file; a communication element communicably connected to a first computer device; a memory; and a processor coupled to the memory and configured to perform storage in Instructions in the memory so that the processor: the communication element receives file update information and updated files from the first computer device; manipulates files in the storage medium according to the file update information and the updated files; checks At least one criterion corresponding to the malicious change of data in the first computer device; and if the at least one criterion corresponding to the malicious change of data in the first computer device is met, stopping the corresponding to the file update information Operation of files in the storage medium and update files received from the first computer device; and wherein the computer device stores one or more files as a decoy file for malicious alteration of data, and the at least one criterion includes the The data of the decoy file in the first computer device is changed.     如請求項62所述的裝置,其中對應於該誘餌檔的該數據更改包括該誘餌檔的加密或刪除。     The apparatus of claim 62, wherein the data change corresponding to the decoy file includes encryption or deletion of the decoy file.     如請求項62所述的裝置,其中該至少一個準則包括從該第一電腦裝置接收對應於該誘餌檔的數據變化的訊息。     The device of claim 62, wherein the at least one criterion includes receiving a message from the first computer device corresponding to a change in data of the decoy file.     如請求項62所述的裝置,其中儲存在該記憶體中以使該處理器檢查該至少一個準則的指令還包括使該處理器根據該檔案更新資訊和所接收的更新檔案識別該誘餌檔的數據更改的指令,並且其中該至少一個準則包括從該檔案更新資訊和該更新檔案中識別該誘餌檔的數據更改。     The device of claim 62, wherein the instructions stored in the memory to cause the processor to check the at least one criterion further include causing the processor to identify the decoy file based on the file update information and the received update file. A data change instruction, and wherein the at least one criterion includes a data change identifying the decoy file from the file update information and the update file.     如請求項62所述的裝置,其中儲存在該記憶體中以使該處理器檢查該至少一個準則的指令還包括使該處理器基於該檔案更新資訊和從該第一電腦裝置接收的更新檔案來計算檔案更新頻率,並且其中該至少一個準則包括該檔案更新頻率的上限值。     The device of claim 62, wherein the instructions stored in the memory to cause the processor to check the at least one criterion further comprise causing the processor to update information based on the file and an update file received from the first computer device To calculate a file update frequency, and wherein the at least one criterion includes an upper limit value of the file update frequency.     如請求項62所述的裝置,其中儲存在該記憶體中以使該處理器停止該檔案操作的指令還包括如果在停止期間沒有該至少有一個準則得到符合,則使該處理器重新啟動對應於該檔案更新資訊和該更新檔案的操縱的指令。     The device according to claim 62, wherein the instructions stored in the memory to cause the processor to stop the file operation further include causing the processor to restart the corresponding if the at least one criterion is not met during the stop. Update information on the file and instructions for manipulation of the updated file.     如請求項62所述的裝置,其中儲存在該記憶體中以使該處理器停止該檔案操作的指令還包括使該處理器:確定對應於該第一電腦裝置中數據的惡意更改的該儲存媒體中的檔案的範圍;從該儲存媒體檢索檔案的範圍;以及通過該通信元件將檔案的範圍傳送到該第一電腦裝置。     The device of claim 62, wherein the instructions stored in the memory to cause the processor to stop the file operation further include causing the processor to determine the storage corresponding to a malicious change of data in the first computer device A range of files in the media; a range of files retrieved from the storage medium; and a range of files transmitted to the first computer device via the communication element.     如請求項62所述的裝置,其中儲存在該記憶體中以使該處理器操縱該儲存媒體中的檔案的指令還包括使該處理器保留對應於該操縱的更改檔案的副本的指令,並且其中儲存在該記憶體中的指令使該處理器停止對檔案的操縱,進一步包括使該處理器進行的指令:確定對應於該第一電腦裝置中數據的惡意更改的該儲存媒體中惡意更改的檔案的範圍;檢索對應於惡意更改檔案範圍的保留副本;以及用檢索到的副本替換該儲存媒體中惡意更改的檔案的範圍。     The apparatus of claim 62, wherein the instructions stored in the memory to cause the processor to manipulate the files in the storage medium further include instructions to cause the processor to retain a copy of the modified file corresponding to the manipulation, and The instructions stored in the memory cause the processor to stop manipulating the file, and further include instructions for the processor to determine the maliciously changed data in the storage medium corresponding to the maliciously changed data in the first computer device. The scope of the archive; retrieving a reserve copy corresponding to the scope of the maliciously altered archive; and replacing the scope of the maliciously altered archive in the storage medium with the retrieved copy.     如請求項62所述的裝置,其中儲存在該記憶體中以使該處理器停止該檔案操作的指令還包括使該處理器:通過該通信元件在與該第一電腦裝置的該誘餌檔的數據更改相關聯的期間接收數據讀取歷史;以及基於來自該第一電腦裝置的數據讀取歷史來生成數據的惡意更改的至少一種模式;以及其中該通信元件能夠可通信地連接到該第二電腦裝置,並且儲存在該記憶體中的指令進一步使該處理器:通過該通信元件從該第二電腦裝置接收檔案更新資訊和更新的檔案;根據來自該第二電腦裝置的檔案更新資訊和更新的檔案來操縱該儲存媒體中的檔案;基於來自該第二電腦裝置的檔案更新資訊和更新的檔案來檢查數據的惡意更改的該至少一種模式;以及如果識別出數據的惡意更改的該至少一種模式,則停止對來自該第二電腦裝置的該檔案更新資訊和該更新檔案的操縱。     The device according to claim 62, wherein the instruction stored in the memory to cause the processor to stop the file operation further comprises causing the processor to: communicate with the decoy file of the first computer device through the communication element. Receiving a data read history during a period associated with the data change; and at least one mode of generating a malicious change of data based on the data read history from the first computer device; and wherein the communication element is communicably connectable to the second A computer device, and the instructions stored in the memory further cause the processor to: receive file update information and updated files from the second computer device through the communication element; and update information and updates based on the files from the second computer device The at least one mode of checking for malicious changes in data based on the file update information and the updated files from the second computer device; and if at least one of the malicious changes in data is identified Mode, stop updating the file update information and the update file from the second computer device Manipulation.     一種儲存系統,包括:一個雲服務端;和一個或多個邊緣節點可通信地連接到該雲服務端,用於將檔案更新資訊和更新的檔案傳送到該雲服務端;和其中該雲服務端被配置為分別為該邊緣節點分配一個或多個儲存裝置,並且根據該檔案更新資訊和從每個邊緣節點接收到的更新檔案操縱分配給該邊緣的儲存裝置中的檔案節點; 其中該邊緣節點的一第一邊緣節點被配置為檢查惡意數據更改的至少一個準則和如果符合惡意數據更改的該至少一個準則,則停止傳送檔案更新資訊及更新檔案至該雲服務端;其中該雲服務端被配置為基於該檔案更新資訊和從該邊緣節點一第二邊緣節點接收到的更新檔案來檢查包括該第一邊緣節點的該邊緣節點的該第二邊緣節點中的惡意數據更改的至少一個準則,並且如果符合該第二邊緣節點中的惡意數據更改的至少一個準則,則停止對分配給該第二邊緣節點的儲存裝置中的檔案的操縱;以及其中儲存在該邊緣節點中的一個或多個檔案被配置為對應於惡意數據更改的誘餌檔,並且其中該邊緣節點中的至少一個邊緣節點中的該至少一個準則包括對應於儲存在該邊緣節點中的至少一個該誘餌檔的數據更改至少一個邊緣節點。     A storage system includes: a cloud server; and one or more edge nodes communicatively connected to the cloud server for transmitting file update information and updated files to the cloud server; and wherein the cloud service The end is configured to allocate one or more storage devices to the edge node respectively, and manipulate the file node in the storage device allocated to the edge according to the file update information and the update file received from each edge node; wherein the edge A first edge node of the node is configured to check at least one criterion for malicious data changes and if the at least one criterion for malicious data changes is met, stop sending file update information and update files to the cloud server; wherein the cloud server At least one criterion configured to check for malicious data changes in the second edge node including the edge node of the first edge node based on the profile update information and the update file received from the edge node-second edge node , And if at least one criterion for malicious data changes in the second edge node is met, Then stop manipulating files in the storage device allocated to the second edge node; and one or more files stored in the edge node are configured as bait files corresponding to malicious data changes, and wherein the edge node The at least one criterion in at least one edge node in includes changing at least one edge node corresponding to data stored in at least one of the bait files in the edge node.     如請求項71所述的儲存系統,其中對應於該誘餌檔中的至少一個的該數據更改包括該誘餌檔中的至少一個的加密或刪除。     The storage system of claim 71, wherein the data change corresponding to at least one of the bait files includes encryption or deletion of at least one of the bait files.     如請求項71所述的儲存系統,其中該第一邊緣節點還被配置為:產生至少一個要儲存在其中的誘餌檔中;以及檢查用於識別與至少一個該誘餌檔相對應的數據更改的至少一個該誘餌檔的檔案狀態,作為該第一邊緣節點中惡意數據更改的該至少一個準則。     The storage system of claim 71, wherein the first edge node is further configured to: generate at least one decoy file to be stored therein; and check a data change for identifying data changes corresponding to at least one of the decoy files. The file status of at least one of the decoy files serves as the at least one criterion for malicious data changes in the first edge node.     如請求項73所述的儲存系統,其中該第一邊緣節點等於該第二邊緣節點,並且其中該第一邊緣節點還被配置為向該雲服務端發送惡意數據更改訊息作為該至少一個準則,以使雲端服務端的該第二邊緣節點 的惡意數據更會停止檔案的操作。     The storage system according to claim 73, wherein the first edge node is equal to the second edge node, and wherein the first edge node is further configured to send a malicious data change message to the cloud server as the at least one criterion, Therefore, the malicious data of the second edge node on the cloud server side will stop the file operation.     如請求項71所述的儲存系統,其中該雲服務端進一步被配置為檢查與該檔案更新資訊相對應的該誘餌檔的檔案狀態以及從該第二節點接收的更新檔案,用於在第二邊緣節點識別數據更改作為惡意數據的準則。     The storage system according to claim 71, wherein the cloud server is further configured to check the file status of the decoy file corresponding to the file update information and the update file received from the second node for use in the second node Edge nodes identify data changes as a criterion for malicious data.     如請求項75所述的儲存系統,其中該第二邊緣節點等於該第一邊緣節點,並且其中雲服務端進一步被配置為向該第一邊緣節點發送惡意數據更改的訊息作為該惡意的至少一個準則用於該第一邊緣節點的該第一邊緣節點中的數據更改停止該檔案更新資訊和該更新檔案的傳輸。     The storage system according to claim 75, wherein the second edge node is equal to the first edge node, and wherein the cloud server is further configured to send a malicious data change message to the first edge node as the malicious at least one A criterion for data change in the first edge node of the first edge node stops transmission of the file update information and the update file.     如請求項71所述的儲存系統,其中該至少一個邊緣節點中被配置為如果在傳輸停止期間沒有符合該邊緣節點中的該至少一個惡意數據更改準則,則將該檔案更新資訊及其更新檔案的傳輸重新啟動到該雲服務端。     The storage system according to claim 71, wherein the at least one edge node is configured to update the file and its update file if the at least one malicious data change criterion in the edge node is not met during the transmission stop. The transfer is restarted to the cloud server.     如請求項71所述的儲存系統,其中該雲服務端還被配置為如果在操縱停止期間沒有符合該邊緣節點中的該至少一個惡意數據更改準則,則重新啟動分配給該邊緣節點的該儲存裝置中檔案的操縱。     The storage system according to claim 71, wherein the cloud server is further configured to restart the storage allocated to the edge node if the at least one malicious data change criterion in the edge node is not met during the operation stop. Manipulation of files in the device.     如請求項71所述的儲存系統,其中如果符合該至少一個惡意數據更改準則,則該第一邊緣節點進一步被配置為:基於與該第一邊緣節點中的惡意數據更改對應準則的會議來確定該第一邊緣節點中檔案的範圍;請求該雲服務端為分配給第一邊緣節點的儲存裝置中的檔案範圍,並從 該雲服務端接收檔案範圍;以及將該第一個邊緣節點的檔案範圍替換為從該雲端服務端接收到的檔案。     The storage system according to claim 71, wherein if the at least one malicious data change criterion is met, the first edge node is further configured to determine based on a meeting corresponding to the malicious data change criterion in the first edge node A range of files in the first edge node; requesting the cloud server to be a file range in a storage device allocated to the first edge node and receiving the file range from the cloud server; and the file of the first edge node The scope is replaced with the file received from the cloud server.     如請求項71所述的儲存系統,其中該雲服務端還被配置為:在根據檔案更新資訊和來自該第二邊緣節點的更新檔案進行操作之前,將分配給該第二邊緣節點的儲存裝置中的檔案的副本保留;基於與該第二邊緣節點中的惡意數據更改相對應的準則的會議,確定分配給該第二邊緣節點的該儲存裝置中檔案的範圍;以及檢索與檔案範圍對應的一個或多個副本,並用該一個或多個副本替換該檔案的範圍。     The storage system according to claim 71, wherein the cloud server is further configured to: before operating according to the file update information and the update file from the second edge node, allocate the storage device to the second edge node A copy of the archives in the second edge node is retained; a meeting based on the criteria corresponding to the malicious data change in the second edge node determines the range of the files in the storage device allocated to the second edge node; One or more copies and replace the scope of the archive with the one or more copies.     如請求項71所述的儲存系統,其中該第一邊緣節點進一步被配置為:定義具有與分配給該第一邊緣節點的一儲存裝置相對應的一檔案目錄的一混合雲端儲存裝置;在該第一邊緣節點中定義具有分配的儲存容量的一高速快取設備,用於保留該混合雲端儲存裝置中的部分檔案的副本,以處理複製和上傳處理的副本以將相應部分的檔案替換為檔案更新該雲服務端分配的該儲存裝置;在該混合雲端儲存裝置的檔案目錄中生成該一個或多個誘餌檔,並且其中該生成的誘餌檔完全地儲存在該高速快取設備中;如果通過識別對應於該第一邊緣節點的數據更改的該第一邊緣節點中的惡意數據更改的該至少一個準則符合對應於該高速快取設備中的該一個或多個副本的所分配的儲存裝置中的該一個或多個檔案的該雲服務端,在該高速快取設備中產生的誘餌檔;以及 從該雲服務端接收一個或多個檔案,並從該雲服務端替換高速快取設備中的該一個或多個副本與該一個或多個檔案。     The storage system according to claim 71, wherein the first edge node is further configured to: define a hybrid cloud storage device having a file directory corresponding to a storage device allocated to the first edge node; A high-speed cache device with an allocated storage capacity is defined in the first edge node, and is used to retain copies of some files in the hybrid cloud storage device, to process copying and uploading the processed copies to replace the corresponding part of the files with files Update the storage device allocated by the cloud server; generate the one or more decoy files in the file directory of the hybrid cloud storage device, and wherein the generated decoy file is completely stored in the high-speed cache device; if passed The at least one criterion for identifying malicious data changes in the first edge node corresponding to the data changes of the first edge node meets the assigned storage device corresponding to the one or more copies in the cache device. The decoy file generated in the high-speed cache device by the cloud server of the one or more files; and The server receiving one or more files, and replaces the high-speed cache devices with one or more copies of the one or more files from a server in the cloud.     如請求項71所述的儲存系統,其中該至少一個邊緣節點中還被配置為基於該檔案更新資訊和對應於該至少一個該邊緣節點的更新檔案來計算檔案更新頻率,並且其中一個準則該對應於該至少一個邊緣節點包括該檔案更新頻率的上限值。     The storage system according to claim 71, wherein the at least one edge node is further configured to calculate a file update frequency based on the file update information and an update file corresponding to the at least one edge node, and one of the criteria corresponds to The at least one edge node includes an upper limit value of the file update frequency.     如請求項71所述的儲存系統,其中如果符合該第一邊緣節點中的該惡意數據更改的該至少一個準則:該第一邊緣節點進一步被配置為將與其中的惡意數據更改準則的會議相關聯的數據讀取歷史傳送到該雲服務端;以及該雲服務端還被配置為產生惡意數據更改的一種或多種模式,並且其中該模式的識別被進一步配置為修改為該邊緣節點中的至少第二邊緣節點中的惡意數據更改的該至少一個準則。     The storage system of claim 71, wherein if the at least one criterion for the malicious data change in the first edge node is met: the first edge node is further configured to be related to a meeting of the malicious data change criterion therein The associated data reading history is transmitted to the cloud server; and the cloud server is further configured to generate one or more modes of malicious data changes, and wherein the identification of the mode is further configured to be modified to at least one of the edge nodes. The at least one criterion for malicious data change in the second edge node.     如請求項71所述的儲存系統,其中如果符合該第二邊緣節點中的該惡意數據更改的該至少一個準則,則該雲服務端還被配置為:基於與該第二邊緣節點中的惡意數據更改準則的會議相關聯的數據讀取歷史來生成一個或多個惡意數據更改模式;以及將該一個或多個惡意數據更改模式發送到至少該第一邊緣節點,以辨識其中至少一個被修改為惡意數據更改準則。     The storage system according to claim 71, wherein if the at least one criterion for changing the malicious data in the second edge node is met, the cloud server is further configured to: A history of data reading associated with the meeting of data change criteria to generate one or more malicious data change patterns; and sending the one or more malicious data change patterns to at least the first edge node to identify that at least one of them has been modified Change guidelines for malicious data.    
TW106134309A 2016-10-06 2017-10-05 Method and system for preventing malicious alteration of data in computer system TW201814577A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US15/286,593 2016-10-06
US15/286,593 US20170206353A1 (en) 2016-01-19 2016-10-06 Method and system for preventing malicious alteration of data in computer system

Publications (1)

Publication Number Publication Date
TW201814577A true TW201814577A (en) 2018-04-16

Family

ID=62639358

Family Applications (1)

Application Number Title Priority Date Filing Date
TW106134309A TW201814577A (en) 2016-10-06 2017-10-05 Method and system for preventing malicious alteration of data in computer system

Country Status (1)

Country Link
TW (1) TW201814577A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI691860B (en) * 2018-10-23 2020-04-21 財團法人工業技術研究院 Method and computer system for preventing malicious software from attacking files of the computer system and corresponding non-transitory computer readable storage medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI691860B (en) * 2018-10-23 2020-04-21 財團法人工業技術研究院 Method and computer system for preventing malicious software from attacking files of the computer system and corresponding non-transitory computer readable storage medium
US11113391B2 (en) 2018-10-23 2021-09-07 Industrial Technology Research Institute Method and computer system for preventing malicious software from attacking files of the computer system and corresponding non-transitory computer readable storage medium

Similar Documents

Publication Publication Date Title
US20170206353A1 (en) Method and system for preventing malicious alteration of data in computer system
EP3563280B1 (en) Malware detection and content item recovery
US8874520B2 (en) Processes and methods for client-side fingerprint caching to improve deduplication system backup performance
US9536083B2 (en) Securing data on untrusted devices
EP3584716B1 (en) Storage constrained synchronization of shared content items
US20230145138A1 (en) Quarantining information in backup locations
JP6570761B2 (en) Synchronization engine with storage constraints
US9501251B1 (en) Techniques for print monitoring
US9852139B1 (en) Directory partitioning with concurrent directory access
EP3239861B1 (en) Storage constrained synchronization engine
US10031668B2 (en) Determining status of a host operation without accessing the host in a shared storage environment
TW201814577A (en) Method and system for preventing malicious alteration of data in computer system
TWI571754B (en) Method for performing file synchronization control, and associated apparatus
WO2017028517A1 (en) Method for managing data file in cloud, cloud management point, and system
US20230401337A1 (en) Two person rule enforcement for backup and recovery systems
US11200254B2 (en) Efficient configuration replication using a configuration change log
US20170091253A1 (en) Interrupted synchronization detection and recovery
US11934274B2 (en) Efficient mechanism to perform auto retention locking of files ingested via distributed segment processing in deduplication backup servers
US10848405B2 (en) Reporting progress of operation executing on unreachable host
JP2020017821A (en) External information reception and distribution device, data transmission method, and program
US10592527B1 (en) Techniques for duplicating deduplicated data
US20230177158A1 (en) Recovering quarantined information from backup locations
WO2021260932A1 (en) Distributed system, communication terminal, function restoration method, and program
JP2009140097A (en) Access control method and device, and program
JP2019061469A (en) Terminal, method for preserving data, and data preserving system