
CN112651023A - Method for detecting and preventing malicious ransomware attacks - Google Patents

Method for detecting and preventing malicious ransomware attacks

Info

Publication number: CN112651023A
Authority: CN (China)
Legal status: Pending (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Application number: CN202011587359.5A
Other languages: Chinese (zh)
Inventor: not disclosed (不公告发明人)
Current Assignee: Nanjing Liancheng Technology Development Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original Assignee: Nanjing Liancheng Technology Development Co ltd
Priority date: 2020-12-29 (the priority date is an assumption and not a legal conclusion)
Filing date: 2020-12-29
Publication date: 2021-04-13

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements, eliminating virus, restoring damaged files


Abstract

The invention discloses a method for detecting and preventing malicious ransomware attacks, characterised by comprising a monitoring module, a change module, a policy module and a prevention module. The method further comprises the following steps: monitoring the directory change record; detecting malicious changes; checking whether the number of changed files in the record exceeds a threshold; creating a large dummy file at the location where the attacker is encrypting file contents; changing the attributes of the files that have not been attacked; creating a list of attacked files and a list of secured files; and verifying the secured file list. By this method, a malicious ransomware attack can be slowed down.

Description

Method for detecting and preventing malicious ransomware attacks
Technical Field
The invention relates to the technical fields of computers, network security, artificial intelligence, network management and automatic control, and in particular to a method for detecting and preventing malicious ransomware attacks.
Background
In today's digital world, security is a major concern for users because of unauthorised access to their computer systems. At the same time ransomware, a tool with which cyber criminals encrypt the contents of a computer's file system without the victim's permission or knowledge, is becoming increasingly widespread. Once the system has been compromised, i.e. the files have been encrypted, the attacker forces the user to pay a ransom, typically by online payment, to obtain the decryption key. Even if the victim pays the ransom, there is no guarantee that the decryption key will be provided or that access to the computer system will be restored.
Disclosure of Invention
In order to solve this technical problem, the invention provides a method for detecting and preventing malicious ransomware attacks. The method uses a new approach to identify a malicious ransomware attack and can take corresponding measures to stop it, thereby protecting the security of the computer.
A method for detecting and preventing malicious ransomware attacks is characterised by comprising a monitoring module, a change module, a policy module and a prevention module;
the method further comprises the following steps:
step 1, monitoring the directory change record;
step 2, detecting a malicious change;
step 3, if none is detected, returning to step 1;
step 4, if a malicious change is detected, checking whether the number of changed files in the record exceeds a threshold;
step 5, if the threshold is not exceeded, returning to step 1;
step 6, if the threshold is exceeded, a malicious ransomware attack is in progress: creating a large dummy file at the location where the attacker is encrypting file contents;
step 7, changing the attributes of the files that have not been attacked;
step 8, creating a list of attacked files and a list of secured files;
step 9, verifying the secured file list;
step 10, if it is not secure, returning to step 1.
Further, the monitoring module monitors folders/directories, detects any change in its record of the directory contents, applies a threshold of permitted changes, and identifies possible malicious activity when an attempt to change files exceeds that threshold.
Further, the change module generates the list of attacked files: using the information collected by the monitoring module it generates the list of attacked files, notifies the user of the suspicious activity, and displays the list to the user.
Further, the policy module generates a large random file: once an attack is identified, a large dummy file is generated at the attack location to slow the attack down so that corresponding measures can be taken to prevent further modification of the file system.
Further, the prevention module changes the attributes of the remaining files: while the attacker is busy encrypting and/or modifying the large dummy file, the module changes the attributes of the remaining files so that the attacker cannot make further modifications in the system.
The technical effects of the invention are as follows:
the invention provides a method for detecting and preventing malicious ransomware attacks, comprising a monitoring module, a change module, a policy module and a prevention module, with the steps of monitoring the directory change record, detecting malicious changes, checking whether the number of changed files in the record exceeds a threshold, creating a large dummy file at the location where the attacker is encrypting file contents, changing the attributes of the files that have not been attacked, creating the attacked and secured file lists, and verifying the secured file list. By this method, a malicious ransomware attack can be slowed down.
Drawings
FIG. 1 is a schematic diagram of the method for detecting and thwarting malicious ransomware attacks.
Detailed Description
The invention is described in further detail below with reference to the figures and examples:
Ransomware is an encryption tool that encrypts computer files without the user's knowledge. It enters the computer through malicious email links, email attachments, social media, USB devices, business applications and many other routes. According to authoritative statistics, 31% of ransomware spreads through email links, 28% through email attachments, 24% through applications other than email, 4% through social media, 3% through USB flash drives and 1% through business applications; ransom attacks whose vector could not be confirmed account for 9% of incidents. There are two main types of ransomware: locker ransomware and crypto-ransomware. Locker ransomware denies or restricts access to the computer or some other resource; crypto-ransomware makes files and other records unusable without the decryption key. In both types the attacker typically demands that the ransom be paid online before access to the computer or files is restored.
Locker ransomware (computer lock) denies access to a computer or device, and may also deny access to computing resources. Typically it locks the user interface of the computer or device and then demands payment to regain access. A locked computer usually retains only limited functionality, such as what is needed to interact with the ransomware and pay the ransom: the mouse may be unavailable, the keyboard may be limited to the numeric keys, and the victim may only be able to type numbers to enter a payment code.
Crypto-ransomware (data lock) prevents access to files or data. Its purpose is to find and encrypt valuable data stored on the computer, rendering it unusable unless the user obtains the decryption key. As people's lives become increasingly digital, more and more data is stored on personal computers and devices.
There are three main targets of ransomware attacks: home users, businesses and public institutions.
Home users typically store sensitive information, files and documents that are valuable to them personally, such as project material, photographs, videos and games. Although these are valuable, home users are unlikely to have a backup strategy that would recover their data after a fire or theft, let alone after a crypto-ransomware attack.
Business computers may also contain sensitive data and vital files such as customer databases, business plans, proposals, reports, source code, forms and tax files. Modern crypto-ransomware targets every accessible drive, including local file-sharing servers, and encrypts the files on those drives, so a single crypto-ransomware infection can affect multiple systems.
Public institutions such as schools, hospitals, local governments and even law-enforcement agencies are not outside these criminals' interest and in some cases may be specifically targeted.
General guidelines help protect computer systems from ransomware attacks. The first is that periodic backups work, and backups should be encrypted before being stored on any device. Users should handle unsolicited email attachments with care and not use administrator privileges unless needed. They must also be aware of the danger of hyperlinks, maintain and continually update their firewall security policies, and use up-to-date antivirus and anti-malware programs. In addition, users should not follow links on the Internet that they do not know and trust.
In one embodiment, the present application models such a ransomware attack in order to detect and thwart it, and then addresses the problem. Using the method provided by the application, several software modules are designed and the attack is modelled in stages: the system is attacked successfully and the method is then used to stop the attack, with a marked effect.
The first stage: generating ransomware. A module is designed to create a new ransomware sample. Ransomware attacks the user's system through websites, USB devices and advertisements, and arrives over the network through clicked links, notifications and phishing emails.
The second stage: the ransomware attacks files or directories. Once it has intruded into the system it may encrypt any file, any directory or the entire system, and display a ransom notice.
The third stage: verification of the ransomware encryption. After a successful attack on the system, the user checks the details of what was encrypted; for example, a file that is inaccessible, data that is lost or permissions that are restricted may indicate that the system has been compromised. MD5 (Message-Digest algorithm 5) is used as the cryptographic hash function: it takes arbitrary data (text or binary) as input and produces a fixed-size hash value as output, so a changed file is recognised by comparing its digest with the stored one.
The fourth stage: attack on the local area network. When the compromised system is part of a Local Area Network (LAN), the ransomware finds other systems and encrypts shared files.
The fifth stage: identifying the ransomware attack. There are two main types: crypto-ransomware (data lock) and locker ransomware (computer lock). Crypto-ransomware prevents access to files or data; locker ransomware denies access to the computer or device. The module identifies which type of attack is in progress.
The sixth stage: protecting the computer system. Once a modified file is found in a particular folder, the other files are protected: a list of the modified files (the attacked-file list) and a list of the files that remain intact (the secured-file list) are generated for that folder. The following steps (100 in FIG. 1) are used to defend against the ransomware attack:
(1) start 110;
(2) monitor the directory change record 120;
(3) has a malicious change been detected 130;
(4) if not, return to 120;
(5) if a malicious change is detected, check whether the number of changed files in the record exceeds the threshold 140;
(6) if the threshold is not exceeded, return to 120;
(7) if the threshold is exceeded, a malicious ransomware attack is in progress: create a large dummy file 150 at the location where the attacker is encrypting file contents;
(8) change the attributes of the files that have not been attacked 160;
(9) create the attacked-file list and the secured-file list 170;
(10) verify the secured-file list 180;
(11) if it is not secure, return to 120;
(12) end 190.
After this process has been applied, the system no longer allows the malicious executable to continue modifying files. The user-defined threshold serves as the trigger for blocking unwanted modification. For example, if an attacker encrypts the files in a folder one by one and the threshold is set to 2, then after two encryptions the method creates a large dummy file at the location where the attacker is encrypting file contents. While the attacker is still busy encrypting the dummy file (on the order of gigabytes), the method changes the attributes of the other, unaffected files, so the attack cannot spread further.
The seventh stage: verifying that the ransomware attack has been stopped. The effectiveness of the method is reviewed by examining the remaining files.
Following the seven stages described above, the present application provides four modules to prevent the ransomware attack from propagating.
Monitoring module: monitors folders/directories. This module detects any change in its record of the directory contents (the "registry" of the original translation is this change record, not the Windows Registry). The application uses a threshold of permitted changes: if the ransomware changes the recorded state of more files than the threshold allows, this is identified as possible malicious activity. The module's tasks include: the path of the monitored folder/directory (including subdirectories), the notification filter, and notifications of creation time, directory name, file name, last access time, last write time, security settings and file size.
Change module: generates the list of attacked files. The module uses the information collected by the monitoring module to generate the list of files that have been attacked. The user can be notified of the suspicious activity, shown the list of attacked files, and take appropriate action. The module's tasks include: monitoring change events, generating the user's threshold, and checking the threshold.
Policy module: generates a large random file. Once an attack is identified, a large dummy file (e.g. 10 GB) is generated at the attack location. The purpose is to slow down the attack so that corresponding measures can be taken to prevent further modification of the file system.
Prevention module: changes the attributes of the remaining files. While the attacker is busy encrypting and/or modifying the large dummy file, the module changes the attributes of the remaining files so that the attacker cannot make further modifications in the system.
In another embodiment, the four modules of the present application were implemented and tested for efficiency, and the method was found to be very useful. The method prevents the attack from propagating by means of a user-defined threshold: once the set limit is exceeded, it creates a large dummy file to keep the attacker busy, and in the time this buys it changes the attributes of the remaining files and directories, so that further modification of the system is no longer possible for the attacker.
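The ten-step flow above (steps 120 to 190) and the four modules it is divided into, in working form. This is an added example written for this page, not the patentee's implementation: it polls a directory snapshot instead of subscribing to change notifications, uses SHA-256 where the description names MD5, keeps the dummy file at 4 MiB rather than 10 GB so it runs in a test, and the victim file names, the decoy name `decoy.bin`, the threshold of 2 and the XOR "attacker" are all constructed for the demo.

```python
"""Threshold-triggered ransomware slow-down in the style of CN112651023A's four modules.
Added example for this page, not the patentee's code; names, sizes and the attacker are assumed."""
import hashlib
import stat
import tempfile
from pathlib import Path

DUMMY_NAME = "decoy.bin"          # assumed name; sorts before the victim files below
DUMMY_SIZE = 4 * 1024 * 1024      # 4 MiB for the demo; the description suggests e.g. 10 GB


def digest(path: Path) -> str:
    """Content fingerprint (the description names MD5; SHA-256 is a drop-in replacement)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Monitoring module: the monitor's record of directory contents, keyed by path."""
    return {p: digest(p) for p in sorted(root.rglob("*"))
            if p.is_file() and p.name != DUMMY_NAME}


class RansomwareGuard:
    """Change, policy and prevention modules driven by the monitor's snapshots."""

    def __init__(self, root: Path, threshold: int = 2):
        self.root, self.threshold = root, threshold
        self.baseline = snapshot(root)
        self.hacked, self.secured, self.triggered = [], [], False

    def check(self) -> bool:
        """Steps 130-140: count files whose content changed since the baseline and respond
        once the count reaches the threshold (threshold 2 -> respond after two encryptions)."""
        current = snapshot(self.root)
        changed = [p for p, h in self.baseline.items() if current.get(p) != h]
        if len(changed) >= self.threshold and not self.triggered:
            self.respond(changed)
            return True
        return False

    def respond(self, changed: list) -> None:
        """Steps 150-170: decoy where the attacker is working, then lock the untouched files."""
        self.triggered, self.hacked = True, list(changed)
        decoy = changed[-1].parent / DUMMY_NAME           # attack location: last hit file's dir
        with open(decoy, "wb") as f:
            f.truncate(DUMMY_SIZE)   # sparse: instant to create, full size to read and encrypt
        no_write = ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH)
        for p in self.baseline:                             # prevention module
            if p not in self.hacked and p.exists():
                p.chmod(stat.S_IMODE(p.stat().st_mode) & no_write)
                self.secured.append(p)

    def verify(self) -> bool:
        """Step 180: every secured file is still read-only and byte-identical to the baseline."""
        return all(p.exists() and not (p.stat().st_mode & stat.S_IWUSR)
                   and digest(p) == self.baseline[p] for p in self.secured)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Stand-in for the ransomware's cipher: single-byte XOR, fast enough for the decoy."""
    mask = int.from_bytes(bytes([key]) * len(data), "big")
    return (int.from_bytes(data, "big") ^ mask).to_bytes(len(data), "big")


def simulate_attacker(root: Path, guard: RansomwareGuard, key: int = 0x5A) -> dict:
    """Constructed attacker model: overwrites files one at a time in name order, and the guard
    runs after each write (standing in for the monitor's change notification). It respects the
    read-only bit the way Windows does for every caller; on POSIX a root process would not."""
    seen, out = set(), {"encrypted": 0, "blocked": 0, "decoy_hit": False}
    while True:
        todo = [p for p in sorted(root.rglob("*")) if p.is_file() and p not in seen]
        if not todo:
            return out
        target = todo[0]
        seen.add(target)
        if not (target.stat().st_mode & stat.S_IWUSR):
            out["blocked"] += 1                      # prevention module did its job
            continue
        target.write_bytes(xor_bytes(target.read_bytes(), key))
        if target.name == DUMMY_NAME:
            out["decoy_hit"] = True                  # the time spent here is what the method relies on
        else:
            out["encrypted"] += 1
        guard.check()


def run_demo(threshold: int = 2) -> dict:
    """Five constructed victim files, threshold 2: the attacker gets two, then the decoy, then nothing."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(1, 6):
            (root / f"invoice_{i}.txt").write_bytes(f"invoice {i} contents\n".encode() * 100)
        guard = RansomwareGuard(root, threshold)
        out = simulate_attacker(root, guard)
        out["verified"] = guard.verify()
        out["hacked"] = [p.name for p in guard.hacked]
        out["secured"] = [p.name for p in guard.secured]
        for p in guard.secured:                      # restore write bits so cleanup succeeds
            p.chmod(stat.S_IMODE(p.stat().st_mode) | stat.S_IWUSR)
        return out


if __name__ == "__main__":
    print(run_demo())
```

Run it directly to see the outcome dictionary: two files encrypted, the decoy hit, three files blocked, and the secured list verified. Two caveats a deployment would have to address. First, the read-only attribute only costs the attacker a single extra call to clear it, so this mechanism buys time rather than denying access; pairing it with process termination or an access-control change the malware cannot reverse with the victim's privileges is what would make it stick. Second, the slow-down depends on the ransomware reading the whole decoy: a sample that encrypts only the first part of each file, or skips files above a size cap, is not delayed by it. A real monitor would also use change notifications (inotify or ReadDirectoryChangesW, which is what the filter list in the monitoring module describes) rather than re-hashing the directory on every poll.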
It is assumed that the ransomware encrypts the contents of the attacked files using DES (Data Encryption Standard), AES (Advanced Encryption Standard) or 3DES. The application analysed at least the time taken by these three algorithms; AES encryption took the least time.
In general, larger files take longer to encrypt, which gives the method time to prevent further damage. The results show that creating a large dummy file is a feasible way of countering a ransomware attack.
The above describes only a preferred embodiment of the present invention and is not intended to limit its scope; all equivalent changes and modifications made in accordance with the present invention are considered to fall within its scope.

Claims (5)

1. A method for detecting and preventing malicious ransomware attacks, characterised by comprising a monitoring module, a change module, a policy module and a prevention module;
the method further comprises the following steps:
step 1, monitoring the directory change record;
step 2, detecting a malicious change;
step 3, if none is detected, returning to step 1;
step 4, if a malicious change is detected, checking whether the number of changed files in the record exceeds a threshold;
step 5, if the threshold is not exceeded, returning to step 1;
step 6, if the threshold is exceeded, a malicious ransomware attack is in progress: creating a large dummy file at the location where the attacker is encrypting file contents;
step 7, changing the attributes of the files that have not been attacked;
step 8, creating a list of attacked files and a list of secured files;
step 9, verifying the secured file list;
step 10, if it is not secure, returning to step 1.
2. The method for detecting and preventing malicious ransomware attacks according to claim 1, characterised in that the monitoring module monitors folders/directories, detects any change in its record of the directory contents, applies a threshold of permitted changes, and identifies possible malicious activity when an attempt to change files exceeds that threshold.
3. The method for detecting and preventing malicious ransomware attacks according to claim 1, characterised in that the change module generates the list of attacked files: using the information collected by the monitoring module it generates the list of attacked files, informs the user of the suspicious activity, and displays the list of attacked files to the user.
4. The method according to claim 1, characterised in that the policy module generates a large random file: once an attack is identified, a large dummy file is generated at the attack location to slow the attack down and appropriate action is taken to prevent further modification of the file system.
5. The method according to claim 1, characterised in that the prevention module changes the attributes of the remaining files: while the attacker is busy encrypting and/or modifying the large dummy file, the module changes the attributes of the remaining files so that the attacker cannot make further modifications in the system.
Priority Applications (1)

Application Number: CN202011587359.5A | Priority Date: 2020-12-29 | Filing Date: 2020-12-29 | Title: Method for detecting and preventing malicious ransomware attacks | Status: Pending | Publication: CN112651023A (en)

Publications (1)

Publication Number: CN112651023A | Publication Date: 2021-04-13

Family

ID=75363505

Country Status (1)

CN: CN112651023A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN106548070A * | 2016-07-18 | 2017-03-29 | Beijing Antiy Electronic Equipment Co., Ltd. (北京安天电子设备有限公司) | Method and system for defending against ransomware during idle time
CN106484570A * | 2016-10-28 | 2017-03-08 | Fujian Pingshi Technology Co., Ltd. (福建平实科技有限公司) | Backup protection method and system for defending file data against ransomware
CN106845222A * | 2016-12-02 | 2017-06-13 | Harbin Antiy Technology Co., Ltd. (哈尔滨安天科技股份有限公司) | Ransomware detection method and system
CN109413048A * | 2018-09-30 | 2019-03-01 | Shanghai Guan'an Information Technology Co., Ltd. (上海观安信息技术股份有限公司) | Ransomware detection method based on file-type honeypots, electronic device and program product

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN113672916A * | 2021-07-28 | 2021-11-19 | Antiy Technology Group Co., Ltd. (安天科技集团股份有限公司) | Method and device for preventing suspected malicious ransomware attacks, and electronic device


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination