CN118862069A - Industrial control host ransomware protection method, device and storage medium - Google Patents
Industrial control host ransomware protection method, device and storage medium
- Publication number: CN118862069A
- Application number: CN202410915667.8A
- Authority: CN (China)
- Prior art keywords: program, library, current program, ransomware, response
- Prior art date:
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02P—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
- Y02P90/00—Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
- Y02P90/02—Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The present application discloses a method, device and storage medium for protecting an industrial control host from ransomware, belonging to the field of network technology. The method implements a trusted program whitelist library and a ransomware library so that the host protection system can effectively prevent unauthorized programs from running and stop malware, in particular ransomware, from damaging sensitive data, which reduces the risk of data leakage and corruption. Only verified trusted programs are allowed to run, which reduces the likelihood of system crashes and performance degradation and thereby improves the overall stability and reliability of the system. The design of an audit mode and a protection mode lets users select the operating mode that fits their needs. In addition, the system monitors file write operations in real time, responds quickly to suspicious behaviour and effectively prevents malware activity.
Description
Technical Field
The embodiments of the present application relate to the field of network technology, and in particular to a method, device and storage medium for protecting an industrial control host from ransomware.
Background Art
At present, the information security field is particularly focused on developing efficient system security solutions that protect computing devices and networks from malware attacks. System monitoring and threat detection are an important part of network security; they aim to monitor system activity in real time and to detect and respond to security threats promptly. Mainstream security systems rely on signature-based detection, behavioural analysis and heuristic analysis to identify and block malware activity.
Current security solutions provide effective protection against known threats, but they fall short in several key areas. First, signature-based approaches cannot reliably identify zero-day attacks or previously unseen malware, because no signature exists for them yet. Second, existing behavioural monitoring systems often require complex configuration and continuous updates to keep pace with a constantly changing threat landscape, which increases maintenance complexity and cost. In addition, traditional defences usually detect malicious activity only once an attack is already under way and offer too little in the way of prevention before damage occurs. For example, many existing systems cannot effectively identify and stop ransomware before it encrypts files. This delayed response creates a risk of data loss and business interruption.
Against this background, a new generation of security solutions is needed to improve protection against novel and complex threats: solutions that analyse and respond to activity within the system more intelligently and that are updated in real time to counter emerging security threats.
Summary of the Invention
The embodiments of the present application provide a method, device and storage medium for protecting an industrial control host from ransomware. The technical solution is as follows:
In one aspect, a method for protecting an industrial control host from ransomware is provided, the method comprising:
monitoring, in real time, file write operations performed by programs on the host;
in response to the current program that triggered the file write not being in the trusted program whitelist library, detecting whether the current program is in the ransomware library;
in response to the current program being in the ransomware library, prohibiting the current program from accessing files;
in response to the current program not being in the ransomware library, prohibiting the current program from accessing files and prompting the user to decide whether the current program is trusted;
in response to the current program that triggered the file write being in the trusted program whitelist library, allowing the current program to access the file.
Optionally, prohibiting the current program from accessing files and prompting the user to decide whether the current program is trusted, in response to the current program not being in the ransomware library, comprises:
in response to the current program not being in the ransomware library, prohibiting the current program from accessing files;
providing the user with an interface to confirm whether the current program is allowed to run;
in response to receiving an operation allowing the current program to run, adding the current program to the trusted program whitelist library.
Optionally, the method further comprises:
initialising the host protection system to obtain the trusted program whitelist library, the trusted program whitelist library indicating a list of executable programs together with the digital fingerprint of each executable program;
setting the operating mode of the host protection system, the operating mode comprising an audit mode and a protection mode.
Optionally, initialising the host protection system to obtain the trusted program whitelist library comprises:
scanning the host protection system to obtain all executable programs;
extracting a digital fingerprint from each scanned executable program;
storing each extracted digital fingerprint in association with its executable program to obtain the trusted program whitelist library.
Optionally, in the audit mode the host protection system records run logs for all programs and generates an alert message when a program that is not in the trusted program whitelist library runs;
in the protection mode the host protection system allows programs in the trusted program whitelist library to run and blocks programs that are not in the trusted program whitelist library from running.
Optionally, the method further comprises:
collecting and updating characteristic information of ransomware to build the ransomware library;
integrating the ransomware library into the host protection system.
In another aspect, a ransomware protection device for an industrial control host is provided, the device comprising:
a program monitoring module, configured to monitor in real time file write operations performed by programs on the host;
a list determination module, configured to detect, in response to the current program that triggered the file write not being in the trusted program whitelist library, whether the current program is in the ransomware library;
a first processing module, configured to prohibit the current program from accessing files in response to the current program being in the ransomware library;
a second processing module, configured to prohibit the current program from accessing files and prompt the user to decide whether the current program is trusted, in response to the current program not being in the ransomware library;
a third processing module, configured to allow the current program to access the file in response to the current program that triggered the file write being in the trusted program whitelist library.
In another aspect, a computer-readable storage medium is provided, the storage medium storing at least one instruction, the at least one instruction being executed by a processor to implement the industrial control host ransomware protection method described in the above aspects.
In another aspect, a computer program product is provided, the computer program product storing at least one instruction, the at least one instruction being loaded and executed by a processor to implement the industrial control host ransomware protection method described in the above aspects.
The present patent application has at least the following technical effects.
High data security. By implementing a trusted program whitelist library and a ransomware library, the host protection system effectively prevents unauthorized programs from running and stops malware, in particular ransomware, from damaging sensitive data. This protection mechanism greatly reduces the risk of data leakage and corruption.
Enhanced system stability and reliability. Only verified trusted programs are allowed to run, which reduces the likelihood of system crashes and performance degradation and thereby improves the overall stability and reliability of the system.
Flexible operating mode selection. The design of the audit mode and protection mode lets users select the operating mode that fits their needs. Audit mode lets users monitor the behaviour of all programs, while protection mode provides strict protection.
Real-time monitoring and immediate response. The system monitors file write operations in real time, responds quickly to suspicious behaviour and effectively prevents malware activity. Timely user prompts and management also ensure that users can make decisions at critical moments.
User participation in the security policy. The user prompt and management mechanism lets users take part directly in security decisions, strengthening their control over and understanding of system security.
Audit logs and compliance support. Detailed security logging helps enterprises meet compliance requirements and provides the audit trail needed for external audits and internal reviews.
Improved adaptability and foresight of the defence. Regularly updated ransomware and whitelist libraries ensure that the system can counter the latest threats and keep the defensive measures current and effective.
In summary, the present application not only strengthens the host's security protection but also provides flexibility and user control, helping enterprises and individuals protect their critical assets from malware and network attacks.
Brief Description of the Drawings
FIG. 1 is a schematic diagram of system execution under a method for protecting an industrial control host from ransomware provided by an exemplary embodiment of the present application;
FIG. 2 is a flow chart of a method for protecting an industrial control host from ransomware provided by an exemplary embodiment of the present application;
FIG. 3 is a structural block diagram of a ransomware protection device for an industrial control host provided by an exemplary embodiment of the present application.
Detailed Description
To make the objectives, technical solutions and advantages of the present application clearer, the embodiments of the present application are described in further detail below with reference to the accompanying drawings.
As used herein, "multiple" means two or more. "And/or" describes the relationship between associated objects and indicates that three relationships are possible; for example, "A and/or B" may mean: A alone, A and B together, or B alone. The character "/" generally indicates that the objects before and after it are in an "or" relationship.
First, the terms of the technical field involved are defined.
Audit mode: Audit mode generally refers to a system setting in which all programs are allowed to run but their activity is recorded and monitored. In this mode the system does not block the execution of any program; instead it logs detailed information about each program's operation, such as when it ran and what operations it performed. These records can be analysed later to check whether any unusual or potentially malicious activity occurred. In the present application, the main role of audit mode is to let administrators monitor and record all programs running on the system while providing an alert mechanism that warns the administrator when unauthorized or unknown programs are running. This mode is very useful for discovering new or unidentified threats and for understanding software behaviour and system usage patterns, but it does not directly prevent any possible malicious behaviour. Therefore, in audit mode, even ransomware that is running will only have its behaviour recorded; it will not be blocked.
Host protection system: In the present application, a host protection system is defined as an integrated security solution designed to protect a computer host from unauthorized access and malware attacks through multi-layered protective measures. In the present application such a system comprises the following key components and functions.
1. Whitelist management. The host protection system implements a whitelist mechanism that allows only pre-approved trusted programs to run, thereby effectively preventing unknown or malicious software from executing. Ransomware signature library: a built-in or regularly updated ransomware signature library helps identify and block known ransomware attacks and strengthens protection against emerging threats.
2. Operating mode selection. Two operating modes are provided, audit mode and protection mode, and users can choose the one that fits their needs and security policy. Audit mode monitors and records program behaviour, while protection mode provides actual security enforcement.
3. Real-time monitoring and response. The system monitors key system activity and file write operations in real time and can immediately detect and respond to suspicious behaviour and potential security threats.
4. User interaction prompts and management. By providing users with security prompts and decision support, the system strengthens the user's initiative and sense of participation in maintaining host security.
5. Detailed audit logs. Detailed security logs are recorded to support compliance requirements and provide enterprises with the detailed data and evidence needed for audits and compliance inspections.
6. Regular updates and adaptive protection. By regularly updating its software and malware libraries, the system continually adapts to new security threats and vulnerabilities, keeping its protective measures forward-looking and effective.
In general, the host protection system is a comprehensive security protection mechanism designed to prevent a wide range of network and software threats and to ensure that the integrity, availability and confidentiality of the computer system are not compromised.
Refer to FIG. 1 and FIG. 2. FIG. 1 is a schematic diagram of system execution under a method for protecting an industrial control host from ransomware provided by an exemplary embodiment of the present application, and FIG. 2 is a flow chart of that method. The method for protecting an industrial control host from ransomware comprises:
Step 201: monitor, in real time, file write operations performed by programs on the host.
In this step, the host protection system monitors all running programs in real time, paying particular attention to their write operations on system files or critical data files. The system uses advanced monitoring techniques to capture every file operation event so that no write is missed.
In one example, suppose a user is running a text editor to edit an important work report. The system monitors all of the editor's write operations on the report file, including saving changes and adding data. This monitoring helps ensure that the file writes are as expected and that no unauthorized changes are made.
Step 202: in response to the current program that triggered the file write not being in the trusted program whitelist library, detect whether the current program is in the ransomware library.
When a program starts writing to a file but is not in the trusted whitelist, the system identifies it as a potential risk. The system then checks whether the program appears in the known ransomware signature library. This is a two-stage check designed to identify and respond quickly to possible malicious behaviour.
In one example, if an unknown new program attempts to modify system files, the system first confirms that the program is not in the whitelist and then checks it against the ransomware library. If the program's characteristics match a ransomware entry in the library, the system proceeds to the next defensive step.
Step 203: in response to the current program being in the ransomware library, prohibit the current program from accessing the file.
Once the current program's behaviour pattern is confirmed to match a record in the ransomware library, the system immediately revokes all of the program's file access. This is an emergency security response intended to prevent data from being encrypted or damaged.
In one example, if a program is detected as the "WannaCry" ransomware, the system immediately interrupts all of its file write operations to prevent it from encrypting user documents and system files.
Step 204: in response to the current program not being in the ransomware library, prohibit the current program from accessing files and prompt the user to decide whether the current program is trusted.
In one possible implementation, step 204 comprises: in response to the current program not being in the ransomware library, prohibiting the current program from accessing files; providing the user with an interface to confirm whether the current program is allowed to run; and, in response to receiving an operation allowing the current program to run, adding the current program to the trusted program whitelist library.
This step blocks programs that are not in the ransomware library but behave suspiciously, and presents the user with a warning and a choice of actions. The user can decide whether to trust the program, whether to allow it to continue running, and whether it should be added to the whitelist.
In one example, if a video editing program attempts to perform a large number of file writes at an unusual time, the system blocks these operations and prompts the user. The user can choose to trust the program and allow it to continue, or leave it blocked until further investigation.
Step 205: in response to the current program that triggered the file write being in the trusted program whitelist library, allow the current program to access the file.
For programs that have been verified and whitelisted, the system allows file write operations. This means the system has sufficient trust in the behaviour of these programs to consider their operations safe.
In one example, a verified database management program needs to perform a data backup. After the system identifies the program as whitelisted, it allows the program to write files so that the backup can complete.
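The decision flow of steps 201 to 205, together with the audit/protection mode distinction defined above, as an added worked example. This is not code from the patent or from any product; it assumes SHA-256 as the "digital fingerprint", a hypothetical write hook that calls `on_file_write` for every file write, a scripted callback standing in for the user confirmation interface, and constructed sample executable images and fingerprints. Two points it makes explicit: trust is decided on the stored fingerprint rather than the program name alone, so a binary that has been replaced under a whitelisted name falls through to step 204; and in audit mode a match against the ransomware library is only logged and alerted, never blocked, exactly as the definition of audit mode states.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Set


class Mode(Enum):
    AUDIT = "audit"        # log and alert only, never block
    PROTECT = "protect"    # enforce whitelist / ransomware-library decisions


class Decision(Enum):
    ALLOW = "allow"                        # step 205: trusted program
    BLOCK_RANSOMWARE = "block-ransomware"  # step 203: fingerprint in ransomware library
    BLOCK_UNKNOWN = "block-unknown"        # step 204: unknown program, not approved
    AUDIT_ONLY = "audit-only"              # audit mode: recorded and alerted, not blocked


def fingerprint(image: bytes) -> str:
    """Digital fingerprint of an executable image (SHA-256 is an assumption)."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class HostProtection:
    mode: Mode
    whitelist: Dict[str, str]          # program path -> expected fingerprint
    ransomware_library: Set[str]       # fingerprints of known ransomware (constructed)
    ask_user: Callable[[str], bool]    # stands in for the confirmation interface
    log: List[str] = field(default_factory=list)

    def on_file_write(self, program: str, image: bytes, target: str) -> Decision:
        """Called by the hypothetical write hook for every file write (step 201)."""
        fp = fingerprint(image)
        self.log.append(f"write {program} -> {target} fp={fp[:12]}")
        # Step 205 / entry to step 202: trusted only if path AND fingerprint match,
        # so a patched or replaced binary under a whitelisted name is not trusted.
        if self.whitelist.get(program) == fp:
            return Decision.ALLOW
        known_ransomware = fp in self.ransomware_library
        # Audit mode: record and alert, never block (even known ransomware).
        if self.mode is Mode.AUDIT:
            tag = "known ransomware" if known_ransomware else "non-whitelisted program"
            self.log.append(f"ALERT {tag} {program} wrote {target}")
            return Decision.AUDIT_ONLY
        # Step 203: known ransomware is blocked outright, no user prompt.
        if known_ransomware:
            self.log.append(f"BLOCK {program}: matches ransomware library")
            return Decision.BLOCK_RANSOMWARE
        # Step 204: unknown program is blocked first, then the user decides.
        self.log.append(f"BLOCK {program}: unknown, prompting user")
        if self.ask_user(program):
            self.whitelist[program] = fp   # approved: later writes pass step 205
            self.log.append(f"WHITELIST {program} fp={fp[:12]}")
            return Decision.ALLOW
        return Decision.BLOCK_UNKNOWN


def run_demo() -> dict:
    """Constructed sample images and a scripted user; returns every decision."""
    editor = b"MZ constructed editor v1"
    backup = b"MZ constructed dbbackup v3"
    locker = b"MZ constructed file-locker sample"
    video = b"MZ constructed video editor"

    def scripted_user(program: str) -> bool:
        return program.endswith("video.exe")   # approves only the video editor

    def new_system(mode: Mode) -> HostProtection:
        return HostProtection(
            mode=mode,
            whitelist={"C:\\apps\\editor.exe": fingerprint(editor),
                       "C:\\apps\\dbbackup.exe": fingerprint(backup)},
            ransomware_library={fingerprint(locker)},
            ask_user=scripted_user,
        )

    hp = new_system(Mode.PROTECT)
    out = {
        "editor": hp.on_file_write("C:\\apps\\editor.exe", editor, "report.docx"),
        "backup": hp.on_file_write("C:\\apps\\dbbackup.exe", backup, "db.bak"),
        "locker": hp.on_file_write("C:\\temp\\svc.exe", locker, "report.docx"),
        "video_first": hp.on_file_write("C:\\apps\\video.exe", video, "clip.mp4"),
        "video_again": hp.on_file_write("C:\\apps\\video.exe", video, "clip2.mp4"),
        "unknown": hp.on_file_write("C:\\temp\\tool.exe", b"MZ tool", "x.txt"),
        # whitelisted path but different bytes: fingerprint mismatch
        "tampered_editor": hp.on_file_write("C:\\apps\\editor.exe", editor + b"!", "report.docx"),
    }
    audit = new_system(Mode.AUDIT)
    out["locker_audit"] = audit.on_file_write("C:\\temp\\svc.exe", locker, "report.docx")
    out["audit_alerts"] = sum(1 for line in audit.log if line.startswith("ALERT"))
    return out


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(name, decision)
```

Run the file directly to see each decision; `hp.log` holds the audit trail the patent's "detailed audit logs" component would persist. The `ask_user` callback is where a real system would show its confirmation interface; the approval branch writes the fingerprint, not just the path, into the whitelist, so the approval is tied to the exact binary the user saw.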
In addition, before the industrial control host ransomware protection method of the embodiments is executed, the embodiments of the present application also build the trusted program whitelist library and the ransomware library.
Preparation 1: build the trusted program whitelist library.
First, the host protection system is initialised to obtain the trusted program whitelist library, which indicates a list of executable programs together with the digital fingerprint of each executable program.
Specifically, the host protection system is scanned to obtain all executable programs; a digital fingerprint is extracted from each scanned executable program; and each extracted digital fingerprint is stored in association with its executable program to obtain the trusted program whitelist library.
Second, the operating mode of the host protection system is set; the operating mode comprises an audit mode and a protection mode.
Preparation 2: build the ransomware library.
First, characteristic information of ransomware is collected and updated to build the ransomware library.
Second, the ransomware library is integrated into the host protection system.
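The three sub-steps of Preparation 1 (scan for executables, extract a fingerprint, store fingerprint and program together) as an added worked example, plus the re-verification a deployed whitelist needs. This is not the patent's or any product's code; it assumes SHA-256 as the fingerprint, treats PE-style suffixes and POSIX execute bits as "executable", and builds the tree it scans in a temporary directory from constructed sample files.

```python
import hashlib
import stat
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Assumption: the ICS host is Windows-like, so PE suffixes count as executable;
# on POSIX hosts the execute bits are honoured as well.
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".com"}


def fingerprint_file(path: Path) -> str:
    """Digital fingerprint of one executable: SHA-256 over the file bytes (assumption)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_executable(path: Path) -> bool:
    if path.suffix.lower() in EXEC_SUFFIXES:
        return True
    return bool(path.stat().st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def scan_executables(roots: Iterable[Path]) -> List[Path]:
    """Walk the roots and return every regular file that looks executable."""
    found: List[Path] = []
    for root in roots:
        for p in root.rglob("*"):
            # Symlinks are skipped so each entry refers to the bytes actually on disk.
            if p.is_file() and not p.is_symlink() and is_executable(p):
                found.append(p)
    return sorted(found)


def build_whitelist(roots: Iterable[Path]) -> Dict[str, str]:
    """Preparation 1: associate each executable path with its fingerprint."""
    return {str(p): fingerprint_file(p) for p in scan_executables(roots)}


def verify_whitelist(whitelist: Dict[str, str]) -> Dict[str, str]:
    """Re-fingerprint every entry: 'ok', 'modified' or 'missing' per path.
    A 'modified' entry changed since approval and must be re-approved,
    not trusted by name."""
    status: Dict[str, str] = {}
    for path, expected in whitelist.items():
        p = Path(path)
        if not p.is_file():
            status[path] = "missing"
        elif fingerprint_file(p) != expected:
            status[path] = "modified"
        else:
            status[path] = "ok"
    return status


def run_demo() -> dict:
    """Builds a whitelist from a constructed tree, then patches and removes binaries."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "plc_monitor.exe").write_bytes(b"MZ\x90\x00 constructed plc monitor")
        (root / "bin" / "hmi.dll").write_bytes(b"MZ\x90\x00 constructed hmi library")
        (root / "readme.txt").write_text("not an executable")
        whitelist = build_whitelist([root])
        # Simulate a patched binary and a removed one before the next verification.
        (root / "plc_monitor.exe").write_bytes(b"MZ\x90\x00 constructed plc monitor PATCHED")
        (root / "bin" / "hmi.dll").unlink()
        status = {Path(k).name: v for k, v in verify_whitelist(whitelist).items()}
        return {"entries": sorted(Path(k).name for k in whitelist), "status": status}


if __name__ == "__main__":
    print(run_demo())
```

In a deployment the dictionary returned by `build_whitelist` is what gets persisted; because the whole protection decision rests on it, the stored library itself needs to be write-protected from the programs it governs, and `verify_whitelist` should run after every legitimate software update so patched binaries are re-approved rather than silently blocked or, worse, trusted by path.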
Refer to FIG. 3, which is a structural block diagram of a ransomware protection device for an industrial control host provided by an exemplary embodiment of the present application. The device comprises:
a program monitoring module 301, configured to monitor in real time file write operations performed by programs on the host;
a list determination module 302, configured to detect, in response to the current program that triggered the file write not being in the trusted program whitelist library, whether the current program is in the ransomware library;
a first processing module 303, configured to prohibit the current program from accessing files in response to the current program being in the ransomware library;
a second processing module 304, configured to prohibit the current program from accessing files and prompt the user to decide whether the current program is trusted, in response to the current program not being in the ransomware library;
a third processing module 305, configured to allow the current program to access the file in response to the current program that triggered the file write being in the trusted program whitelist library.
Optionally, the second processing module 304 comprises:
a first processing sub-unit, configured to prohibit the current program from accessing files in response to the current program not being in the ransomware library;
a second processing sub-unit, configured to provide the user with an interface to confirm whether the current program is allowed to run;
a third processing sub-unit, configured to add the current program to the trusted program whitelist library in response to receiving an operation allowing the current program to run.
Optionally, the device further comprises:
a fourth processing module, configured to initialise the host protection system to obtain the trusted program whitelist library, which indicates a list of executable programs together with the digital fingerprint of each executable program;
a fifth processing module, configured to set the operating mode of the host protection system, the operating mode comprising an audit mode and a protection mode.
Optionally, the fourth processing module comprises:
a fourth processing sub-unit, configured to scan the host protection system to obtain all executable programs;
a fifth processing sub-unit, configured to extract a digital fingerprint from each scanned executable program;
a sixth processing sub-unit, configured to store each extracted digital fingerprint in association with its executable program to obtain the trusted program whitelist library.
Optionally, in audit mode the host protection system records run logs for all programs and generates an alert message when a program that is not in the trusted program whitelist library runs;
in protection mode the host protection system allows programs in the trusted program whitelist library to run and blocks programs that are not in the trusted program whitelist library from running.
Optionally, the device further comprises:
a sixth processing module, configured to collect and update characteristic information of ransomware to build the ransomware library;
第七处理模块,用于将勒索病毒库成到主机保护系统中。The seventh processing module is used to integrate the ransomware virus library into the host protection system.
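As an added illustration that is not code from the patent, the following Python sketch models the decision flow of modules 301 to 305 together with the whitelist initialization (fourth module), the user-approval subunit and the audit/protection modes; the class and method names, the use of SHA-256 as the digital fingerprint and any sample paths are assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    AUDIT = "audit"      # log everything, alert on non-whitelisted programs, never block
    PROTECT = "protect"  # only whitelisted programs may write files


class Decision(Enum):
    ALLOW = "allow"
    ALLOW_WITH_ALERT = "allow_with_alert"              # audit mode only
    BLOCK_KNOWN_RANSOMWARE = "block_known_ransomware"  # module 303
    BLOCK_UNKNOWN_ASK_USER = "block_unknown_ask_user"  # module 304


def fingerprint(image: bytes) -> str:
    # Digital fingerprint of an executable image; SHA-256 is an assumption (the patent names no algorithm).
    return hashlib.sha256(image).hexdigest()


@dataclass
class HostProtection:
    mode: Mode = Mode.PROTECT
    whitelist: dict[str, str] = field(default_factory=dict)  # program path -> fingerprint
    ransomware_db: set[str] = field(default_factory=set)     # fingerprints of known ransomware
    log: list[str] = field(default_factory=list)

    def initialize(self, executables: dict[str, bytes]) -> None:
        """Fourth module: scan all executables and store each fingerprint with its program."""
        for path, image in executables.items():
            self.whitelist[path] = fingerprint(image)

    def on_file_write(self, program: str, image: bytes, target: str) -> Decision:
        """Modules 301-305: decide on one intercepted write by `program` to `target`."""
        fp = fingerprint(image)
        self.log.append(f"write by {program} ({fp[:12]}) to {target}")
        # Both the name and the fingerprint must match, so a replaced binary
        # that keeps a trusted name is not treated as trusted.
        if self.whitelist.get(program) == fp:
            return Decision.ALLOW
        if self.mode is Mode.AUDIT:
            self.log.append(f"ALERT non-whitelisted program {program} wrote {target}")
            return Decision.ALLOW_WITH_ALERT
        if fp in self.ransomware_db:
            return Decision.BLOCK_KNOWN_RANSOMWARE
        return Decision.BLOCK_UNKNOWN_ASK_USER

    def user_allows(self, program: str, image: bytes) -> None:
        """Third subunit: the user confirmed the program, so add it to the whitelist."""
        self.whitelist[program] = fingerprint(image)
```

Note that a whitelist entry is keyed by path and fingerprint together: the same path with a different image (a tampered or replaced binary) falls through to the ransomware-library check rather than being trusted by name.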
An embodiment of the present application also provides a computer-readable storage medium in which at least one instruction is stored, the at least one instruction being loaded and executed by a processor to implement the industrial control host ransomware protection method provided in the above embodiments.
Optionally, the computer-readable storage medium may include read-only memory (ROM), random access memory (RAM), a solid state drive (SSD), or an optical disc, etc. The random access memory may include resistive random access memory (ReRAM) and dynamic random access memory (DRAM).
A computer program product is also provided, which stores at least one instruction, the at least one instruction being loaded and executed by a processor to implement the industrial control host ransomware protection method described in the above aspect.
The serial numbers of the above embodiments of the present application are for description only and do not represent the relative merits of the embodiments.
A person of ordinary skill in the art will understand that all or part of the steps for implementing the above embodiments may be carried out by hardware, or by a program instructing the related hardware; the program may be stored in a computer-readable storage medium, and the storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc, etc.
The above description covers only optional embodiments of the present application and is not intended to limit it. Any modifications, equivalent substitutions, improvements, etc. made within the spirit and principles of the present application shall fall within its protection scope.
Claims (8)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410915667.8A CN118862069A (en) | 2024-07-09 | 2024-07-09 | Industrial control host ransomware protection method, device and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410915667.8A CN118862069A (en) | 2024-07-09 | 2024-07-09 | Industrial control host ransomware protection method, device and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN118862069A true CN118862069A (en) | 2024-10-29 |
Family
ID=93178921
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410915667.8A Pending CN118862069A (en) | 2024-07-09 | 2024-07-09 | Industrial control host ransomware protection method, device and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118862069A (en) |
- 2024-07-09 CN CN202410915667.8A patent/CN118862069A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11349855B1 (en) | | System and method for detecting encrypted ransom-type attacks |
| EP3479280B1 (en) | | Ransomware protection for cloud file storage |
| US10154066B1 (en) | | Context-aware compromise assessment |
| US11232201B2 (en) | | Cloud based just in time memory analysis for malware detection |
| CN104766011B (en) | | The sandbox detection alarm method and system of Intrusion Detection based on host feature |
| US10079835B1 (en) | | Systems and methods for data loss prevention of unidentifiable and unsupported object types |
| KR101626424B1 (en) | | System and method for virtual machine monitor based anti-malware security |
| CN113660224B (en) | | Situation awareness defense method, device and system based on network vulnerability scanning |
| JP6134395B2 (en) | | System and method for risk-based rules for application control |
| US20140245376A1 (en) | | Systems and methods of risk based rules for application control |
| CN101667232B (en) | | Terminal credible security system and method based on credible computing |
| JP2016503936A (en) | | System and method for identifying and reporting application and file vulnerabilities |
| CN107563199A (en) | | It is a kind of that software detection and defence method in real time are extorted based on file request monitoring |
| JP2023534502A (en) | | Advanced ransomware detection |
| JP7123488B2 (en) | | File access monitoring method, program and system |
| CN101877039A (en) | | A Fault Detection Technology for Server Operating System |
| JP2010182019A (en) | | Abnormality detector and program |
| KR20170091989A (en) | | System and method for managing and evaluating security in industry control network |
| Kardile | | Crypto ransomware analysis and detection using process monitor |
| WO2021046811A1 (en) | | Attack behavior determination method and apparatus, and computer storage medium |
| CN101006432A (en) | | Computer Data Protection Methods |
| US20200382552A1 (en) | | Replayable hacktraps for intruder capture with reduced impact on false positives |
| US11611585B2 (en) | | Detection of privilege escalation attempts within a computer network |
| WO2021217449A1 (en) | | Malicious intrusion detection method, apparatus, and system, computing device, medium, and program |
| CN118862069A (en) | | Industrial control host ransomware protection method, device and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |