
WO2024250745A1 - Ransomware detection method, distributed system, and computer-readable storage medium - Google Patents


Info

Publication number: WO2024250745A1
Authority: WO (WIPO, PCT)
Prior art keywords: backup data; data; signature; hash value; ransomware
Legal status: Pending
Application number: PCT/CN2024/078473
Other languages: French (fr), Chinese (zh)
Inventors: 欧锻灏, 霍正聃, 王伟
Current assignee: Huawei Cloud Computing Technologies Co Ltd
Original assignee: Huawei Cloud Computing Technologies Co Ltd
Events: application filed by Huawei Cloud Computing Technologies Co Ltd; publication of WO2024250745A1


Classifications

    • G PHYSICS
      • G06 COMPUTING OR CALCULATING; COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F11/00 Error detection; Error correction; Monitoring
            • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
              • G06F11/14 Error detection or correction of the data by redundancy in operation
                • G06F11/1402 Saving, restoring, recovering or retrying
                  • G06F11/1446 Point-in-time backing up or restoration of persistent data
                    • G06F11/1448 Management of the data involved in backup or backup restore
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
              • G06F21/55 Detecting local intrusion or implementing counter-measures
                • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
                  • G06F21/561 Virus type analysis
                  • G06F21/562 Static detection
                    • G06F21/564 Static detection by virus signature recognition
            • G06F21/60 Protecting data
              • G06F21/602 Providing cryptographic facilities or services
              • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Definitions

  • The present application relates to the field of security technology, and in particular to a ransomware detection method, a distributed system, and a computer-readable storage medium.
  • Ransomware, also known as a ransomware virus, is a type of malware; encryption ransomware in particular hijacks the victim's data by encrypting files and demands a high ransom from the victim to restore the data.
  • Protection against ransomware attacks is achieved by quickly detecting ransomware and by backing up the business data of the business system in a backup storage system.
  • If the business data in the business system is attacked and contaminated by ransomware, the business data can be restored using the backup copy data in the backup storage system.
  • If the backup copy data is itself encrypted and contaminated by ransomware, the business data cannot be restored, which affects business continuity. Therefore it is necessary to detect ransomware attacks on the backup data in the backup storage system and, after confirming that the backup data is free of ransomware, to transfer the backup data to a secure isolated storage system.
  • While the backup data is being transferred to the isolated storage system, or to the business system for data recovery, it may be contaminated by ransomware, causing business data recovery to fail.
  • The present application provides a ransomware detection method, apparatus and related devices which, based on signature verification, ensure that backup data in which no ransomware was detected is the data stored in the isolated storage system, so that it can be used for data recovery in the business system and ensure business continuity.
  • A ransomware detection method is provided, which is applied to a backup detection system.
  • The backup detection system is used to perform ransomware detection on backup data in a backup storage system, where the backup data is a backup of business data. The method comprises: the backup detection system obtains the backup data; the backup detection system performs ransomware detection on the backup data; the backup detection system obtains, based on a private key, a signature over target backup data and the label information of the target backup data, where the label information of the target backup data indicates that the target backup data has passed the ransomware detection; the backup detection system sends the target backup data, the label information and the signature to an isolated storage system, where the isolated storage system uses the signature to verify based on a public key and stores the target backup data after successful verification, and the public key and the private key form a matching key pair.
  • The backup detection system performs ransomware detection on the backup data stored in the backup storage system.
  • A separate physically isolated area can also be established, in which the isolated storage system stores the target backup data that has passed the ransomware detection of the backup detection system.
  • The target backup data that has passed ransomware detection is signed using a signing private key.
  • Before the isolated storage system stores the target backup data, it uses a locally preset public key to verify the signature, which ensures that the backup data stored in the isolated storage system has not been attacked by ransomware and can be used for data recovery in the business system, ensuring business continuity.
  • Obtaining, by the backup detection system and based on a private key, the signature over the target backup data and its label information includes: the backup detection system calculates a first hash value over the target backup data and its label information.
  • Before the backup detection system uses the private key to sign the target backup data and label information, it first calculates the first hash value of the target backup data and its label information and then sends the first hash value, rather than the data itself, to the key management system for signing based on the private key, which reduces network bandwidth and transmission overhead.
  • After the backup detection system calculates the first hash value of the target backup data and the label information, the method includes: the backup detection system sends the first hash value to a key management system, where the key management system signs the first hash value based on the private key and sends the signature back to the backup detection system.
  • The backup detection system sends the first hash value to the key management system, which uses a digital signature algorithm to generate the private key and the public key used for signature verification.
  • The private key is used to sign the target backup data and label information, and the public key is used for signature verification.
  • Alternatively, after the backup detection system calculates the first hash value of the target backup data and the label information, the backup detection system obtains the private key from the key management system and itself signs the first hash value based on that private key.
  • After the backup detection system calculates the first hash value of the target backup data and label information, it can send a key acquisition request to the key management system.
  • The key management system can generate the private key and the public key for signature verification, or it can send to the backup detection system a private key that the user imported through a local trusted encryption machine via the configuration interface or application programming interface (API) of the key management system.
  • API: application programming interface
  • The signature is used by the isolated storage system before the target backup data is stored there.
  • The isolated storage system verifies the target backup data and the signature based on the public key, thereby checking whether the target backup data was attacked by ransomware while being transmitted from the backup detection system to the isolated storage system.
  • If the public key verification succeeds, it is determined that the target backup data has not been attacked by ransomware.
  • The target backup data is then stored in the isolated storage system, and after the business data of the business system is attacked by ransomware it can be restored from the target backup data stored in the isolated storage system.
  • This ransomware detection method based on signature verification ensures that the backup data stored in the isolated storage system has not been attacked by ransomware.
  • The private key is generated by a key management system, or the private key is imported into the key management system by a user.
  • The key management system uses a digital signature algorithm to generate the private key and the public key for signature verification.
  • The private key is used to sign the target backup data and label information, and the public key is used to verify the signature.
  • Alternatively, the user generates a private key and a public key for signature verification through a local trusted encryption machine and imports the key pair generated by that machine through the configuration interface or API of the key management system; again the private key is used to sign the target backup data and label information, and the public key is used to verify the signature.
  • A ransomware detection method is also provided which is applied to an isolated storage system. The method includes: the isolated storage system receives target backup data, label information of the target backup data, and a signature of the target backup data, where the label information indicates that the target backup data has passed the ransomware detection of the backup detection system, and the signature was obtained by the backup detection system signing the target backup data and the label information based on a private key; the isolated storage system verifies the signature based on a public key, where the public key and the private key form a matching key pair; if the verification succeeds, the isolated storage system stores the target backup data; the isolated storage system receives a recovery request from the business system, where the recovery request is used to obtain the target backup data; the isolated storage system sends the target backup data, the label information and the signature to the business system according to the recovery request, where the business system uses the signature to verify based on the public key and uses the target backup data for data recovery after the verification succeeds.
  • A separate physically isolated area can also be established to store the backup data.
  • The isolated storage system receives from the backup detection system the target backup data, found free of ransomware by the ransomware detection, together with its signature. Before storing the target backup data, the isolated storage system verifies the target backup data and signature based on the public key and stores only the verified target backup data, so that the business data of the business system can be restored from the target backup data after a ransomware attack.
  • Before using the target backup data for data recovery, the business system also verifies the target backup data and signature based on the public key and, after determining that the target backup data has not been attacked by ransomware, uses it for data recovery, thereby ensuring successful recovery of the business data.
  • The isolated storage system verifying the signature based on the public key includes: the isolated storage system calculates a first hash value over the target backup data and the label information.
  • The isolated storage system located in the physically isolated area is disconnected from the Internet, and it calculates the first hash value of the target backup data and the label information locally.
  • The method further includes: the isolated storage system verifies the signature based on the public key to obtain a second hash value, and compares the second hash value with the first hash value.
  • The isolated storage system verifies the signature sent by the backup detection system based on the public key to obtain a second hash value, where the public key and the private key used by the backup detection system for signing are a matching key pair, and compares the second hash value with the first hash value.
  • If the first hash value and the second hash value are the same, the target backup data has not been destroyed or tampered with while being sent from the backup detection system to the isolated storage system, that is, it has not been attacked by ransomware, and the signature verification succeeds. If the first hash value and the second hash value differ, the target backup data may have been destroyed or tampered with, that is, it may have been attacked by ransomware, and the signature verification fails.
  • The isolated storage system storing the target backup data if verification succeeds includes: if the second hash value is the same as the first hash value, the isolated storage system stores the target backup data.
  • The target backup data is stored in the isolated storage system; if the business data of the business system is attacked by ransomware, it can be restored from the target backup data stored in the isolated storage system, that is, the target backup data is used for data recovery.
  • The business system receives the target backup data, label information and signature sent by the isolated storage system. Before restoring from the backup data, it verifies the target backup data and signature based on the public key to check whether the target backup data was attacked by ransomware while being transferred from the isolated storage system to the business system for data recovery.
  • The public key and the private key used by the backup detection system to obtain the signature are a matching key pair generated by the same signature algorithm. After the public key verification succeeds, that is, after determining that the target backup data has not been attacked by ransomware, the target backup data is used for data recovery.
  • The private key is generated by a key management system, or the private key is imported into the key management system by a user.
  • The key management system uses a digital signature algorithm to generate the private key and the public key for signature verification.
  • The private key is used to sign the target backup data and label information, and the public key is used to verify the signature.
  • Alternatively, the user generates a private key and a public key for signature verification through a local trusted encryption machine and imports the key pair generated by that machine through the configuration interface or API of the key management system; again the private key is used to sign the target backup data and label information, and the public key is used to verify the signature.
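The hash-then-sign flow described for the backup detection system (hash the target backup data together with its label, send only the hash to the key management system for signing) and the verification flow described for the isolated storage system and the business system (recompute the first hash, check the signature with the preset public key, store or restore only on success) can be exercised end to end in one program. The following Go code is an added example written for this page; it is not code from the patent or from Huawei. It assumes SHA-256 as the hash, RSA PKCS#1 v1.5 as the signature algorithm (RSA is one of the algorithms the specification names), a two-field label whose verdict is "clean" once detection has passed, and an in-process stand-in for the key management system; all type, field and function names are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Label is the tag the detection system attaches to a copy that passed detection (assumed layout).
type Label struct {
	BackupID string
	Verdict  string // "clean" once ransomware detection has passed
}

// SignedBackup is the tuple that travels to isolated storage and later to the business system.
type SignedBackup struct {
	Data  []byte
	Label Label
	Sig   []byte
}

// hashBackup computes the "first hash value" over data and label; every field is
// length-prefixed so bytes cannot move between data and label without changing the digest.
func hashBackup(data []byte, lbl Label) []byte {
	h := sha256.New()
	for _, f := range [][]byte{data, []byte(lbl.BackupID), []byte(lbl.Verdict)} {
		var n [8]byte
		binary.BigEndian.PutUint64(n[:], uint64(len(f)))
		h.Write(n[:])
		h.Write(f)
	}
	return h.Sum(nil)
}

// KMS stands in for the key management system: it holds the private key and only
// ever receives a 32-byte digest, never the backup data itself.
type KMS struct{ priv *rsa.PrivateKey }

func NewKMS() (*KMS, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KMS{priv: priv}, nil
}

// PublicKey is the key preset on the isolated storage and business systems.
func (k *KMS) PublicKey() *rsa.PublicKey { return &k.priv.PublicKey }

// SignDigest signs a precomputed SHA-256 digest with RSA PKCS#1 v1.5.
func (k *KMS) SignDigest(digest []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, k.priv, crypto.SHA256, digest)
}

// SealBackup is the detection system's side: label the copy, hash data+label locally,
// and have the KMS sign only the hash.
func SealBackup(kms *KMS, data []byte, id string) (SignedBackup, error) {
	lbl := Label{BackupID: id, Verdict: "clean"}
	sig, err := kms.SignDigest(hashBackup(data, lbl))
	if err != nil {
		return SignedBackup{}, err
	}
	return SignedBackup{Data: data, Label: lbl, Sig: sig}, nil
}

// Verify recomputes the first hash from what was received and checks the signature against it.
// VerifyPKCS1v15 recovers the signed digest (the "second hash value") and compares the two.
func Verify(pub *rsa.PublicKey, sb SignedBackup) error {
	if sb.Label.Verdict != "clean" {
		return errors.New("label does not record a passed ransomware detection")
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, hashBackup(sb.Data, sb.Label), sb.Sig)
}

// IsolatedStore admits a copy only after verification with its preset public key.
type IsolatedStore struct {
	pub   *rsa.PublicKey
	items map[string]SignedBackup
}

func NewIsolatedStore(pub *rsa.PublicKey) *IsolatedStore {
	return &IsolatedStore{pub: pub, items: map[string]SignedBackup{}}
}

func (s *IsolatedStore) Admit(sb SignedBackup) error {
	if err := Verify(s.pub, sb); err != nil {
		return fmt.Errorf("rejected backup %q: %w", sb.Label.BackupID, err)
	}
	s.items[sb.Label.BackupID] = sb
	return nil
}

// RestoreForBusiness models the recovery request: the store hands back the full tuple
// and the business system verifies again before using the data.
func RestoreForBusiness(s *IsolatedStore, pub *rsa.PublicKey, id string) ([]byte, error) {
	sb, ok := s.items[id]
	if !ok {
		return nil, errors.New("no such backup in isolated storage")
	}
	if err := Verify(pub, sb); err != nil {
		return nil, fmt.Errorf("refusing to restore %q: %w", id, err)
	}
	return sb.Data, nil
}
```

Because the label is covered by the signature, relabelling a copy (a different backup ID, or a verdict edited to "clean") fails verification exactly as changed data does, and the length prefixes in hashBackup stop a byte sequence from being shifted between the data and the label while keeping the digest. Verification failures surface as errors, so both admission to the isolated store and restoration to the business system refuse the copy rather than silently accepting it.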
  • A ransomware detection device is provided, characterized in that the device is applied to a backup detection system, the backup detection system is used to perform ransomware detection on backup data in a backup storage system, and the backup data is a backup of business data. The device includes: an acquisition module, used to acquire backup data; a processing module, used to perform ransomware detection on the backup data; the acquisition module is also used to acquire, based on a private key, a signature over target backup data and label information of the target backup data, where the label information indicates that the target backup data has passed the ransomware detection; and a sending module, used to send the target backup data, label information and signature to an isolated storage system, where the isolated storage system uses the signature to verify based on a public key and stores the target backup data after successful verification, and the public key and the private key form a matching key pair.
  • A ransomware detection device is provided, characterized in that the device is applied to an isolated storage system. The device includes: a receiving module, used to receive target backup data, label information of the target backup data, and a signature of the target backup data, where the label information indicates that the target backup data has passed the ransomware detection of the backup detection system, and the signature was obtained by the backup detection system signing the target backup data and the label information based on a private key; a processing module, used to verify the signature based on a public key, where the public key and the private key form a matching key pair, and, if the verification succeeds, also used to store the target backup data; the receiving module is also used to receive a recovery request from the business system, where the recovery request is used to obtain the target backup data; and the processing module is also used to send the target backup data, label information and signature to the business system according to the recovery request, where the business system uses the signature to verify based on the public key and uses the target backup data for data recovery.
  • The present application provides a computing device cluster comprising at least one computing device, each computing device comprising a processor and a memory; the processor of at least one computing device executes instructions stored in the memory of at least one computing device, so that the computing device cluster performs the method of the first aspect or any one of its implementations.
  • The present application provides a computing device cluster comprising at least one computing device, each computing device comprising a processor and a memory; the processor of at least one computing device executes instructions stored in the memory of at least one computing device, so that the computing device cluster performs the method of the second aspect or any one of its implementations.
  • The present application provides a computer program product comprising instructions which, when executed by a computing device cluster, enable the computing device cluster to perform the method of the first aspect or any one of its implementations.
  • The present application provides a computer program product comprising instructions which, when executed by a computing device cluster, enable the computing device cluster to perform the method of the second aspect or any one of its implementations.
  • The present application provides a computer-readable storage medium comprising computer program instructions which, when executed by a computing device cluster, cause the computing device cluster to perform the method of the first aspect or any one of its implementations.
  • The present application provides a computer-readable storage medium comprising computer program instructions which, when executed by a computing device cluster, cause the computing device cluster to perform the method of the first aspect or any one of its implementations.
  • FIG. 1 is a schematic diagram of an architecture of ransomware detection involved in the present application.
  • FIG. 2 is a schematic diagram of an architecture of ransomware detection provided by the present application.
  • FIG. 3 is a flow chart of a ransomware detection method provided by the present application.
  • FIG. 4 is a flow chart of a ransomware detection method according to another embodiment of the present application.
  • FIG. 5 is a schematic diagram of a signature process according to an embodiment of the present application.
  • FIG. 6 is a flow chart of a ransomware detection method according to another embodiment of the present application.
  • FIG. 7 is a flow chart of a ransomware detection method according to another embodiment of the present application.
  • FIG. 8 is a schematic diagram of a signature verification process according to an embodiment of the present application.
  • FIG. 9 is a flow chart of a ransomware detection method according to another embodiment of the present application.
  • FIG. 10 is a flow chart of a ransomware detection method according to another embodiment of the present application.
  • FIG. 11 is a schematic diagram of the structure of a ransomware detection device provided by the present application.
  • FIG. 12 is a schematic diagram of the structure of another ransomware detection device provided by the present application.
  • FIG. 13 is a schematic diagram of the structure of a computing device provided by the present application.
  • FIG. 14 is a schematic diagram of the structure of a computing device cluster provided by the present application.
  • FIG. 15 is a schematic diagram of a structure in which computing devices are connected via a network, provided by the present application.
  • "A and/or B" in this document describes an association between the associated objects and indicates that three relationships are possible.
  • "A and/or B" can mean: A exists alone, A and B exist at the same time, or B exists alone.
  • The symbol "/" in this document indicates that the associated objects are in an "or" relationship; for example, A/B means A or B.
  • The terms "first", "second", etc. in the specification and claims are used to distinguish different objects rather than to describe a specific order of objects. For example, a first request and a second request are used to distinguish different requests rather than to describe a specific order of requests.
  • Words such as "exemplary" or "for example" are used to indicate examples, illustrations or descriptions. Any embodiment or design described as "exemplary" or "for example" in the embodiments of the present application should not be interpreted as more preferred or more advantageous than other embodiments or designs. Rather, the use of words such as "exemplary" or "for example" is intended to present related concepts in a concrete way.
  • "Multiple" means two or more.
  • For example, multiple processing units means two or more processing units, and multiple elements means two or more elements.
  • Ransomware, also known as a ransomware virus, is a special type of malware, usually classified as a "denial-of-access attack". The biggest difference between ransomware and other viruses lies in its method and the way it infects. Typical ransomware systematically encrypts files stored on a computing device, such as critical business/data files, which can be one or more of database files, office documents, compressed files, videos, images and source code, and then requires the victim to pay a ransom to obtain the decryption password/tool needed to decrypt the files, which the victim has no way of obtaining on their own.
  • A signature is a string of digits that can only be generated by the sender of the information and cannot be forged by others. This string is also valid proof of the authenticity of the information sent by the sender.
  • A signature is an alphanumeric string obtained by processing the information to be transmitted with a one-way function. It is used to authenticate the source of the information and to verify whether the information was changed during transmission.
  • Common signature algorithms include: RSA (Rivest–Shamir–Adleman), DSA (Digital Signature Algorithm), and ECDSA (Elliptic Curve Digital Signature Algorithm). Signature verification is used to determine whether the data has been tampered with.
  • Asymmetric cryptography is a class of cryptographic algorithms that require two keys: a public key and a private key.
  • The public key is used for encryption and the private key is used for decryption.
  • Ciphertext obtained by encrypting plaintext with the public key can only be decrypted with the corresponding private key to recover the original plaintext.
  • The public key used for encryption cannot be used for decryption. Because encryption and decryption require two different keys, this is called asymmetric encryption, in contrast to symmetric encryption, which uses the same key for both encryption and decryption.
  • The public key can be made public and released freely.
  • The private key cannot be made public and must be kept strictly confidential by its holder. It must never be provided to anyone by any means, not even disclosed to the trusted counterparty of the communication.
  • KMS: Key Management Service
  • HSM: hardware security module
  • Ransomware uses encryption and other security mechanisms to hijack user files and related resources, making it impossible for users to access their data assets or use their computing resources, and then uses this as leverage to extort a ransom from the users.
  • Such user data assets include documents, databases, source code, images, compressed files and other file formats.
  • The ransom is usually demanded in Bitcoin; in a few cases it is demanded in fiat currency or other virtual currencies.
  • Ransomware can be divided into three categories according to the severity of the damage it causes: scare-type ransomware, lock-type ransomware, and encryption-type ransomware.
  • Scare-type ransomware presents false warnings that harm victims through accusatory language, exploiting the victims' fear of arrest by government authorities to make them pay.
  • Lock-type ransomware hijacks one or more services on the victim's system, such as the desktop, input devices or applications, preventing users from accessing these resources.
  • The infected system retains only limited functionality.
  • Encryption-type ransomware uses encryption algorithms to encrypt all file data in the system and forces victims to pay a ransom in exchange for the encrypted files. Without the decryption key, an encryption-ransomware attack is irreversible.
  • To defend against ransomware, traditional anti-ransomware approaches use firewalls, sandboxes and other systems at the network layer to prevent ransomware intrusion and block its spread.
  • Access control, security patches, antivirus software and other technologies are used to prevent ransomware from being implanted.
  • Ransomware is concealed and disguised. Once it enters at the network or host layer, the attacker lurks until they have obtained privileges and hold a large amount of key data before launching the ransomware; at that point the network or host layer can no longer prevent the attack.
  • Storage-level anti-ransomware measures can therefore be used to defend against ransomware attacks.
  • Storage anti-ransomware measures include detecting the abnormal IO of ransomware, actively protecting data with anti-tampering technology, and preventing leakage of stored data through encryption.
  • Data copies are stored in physically isolated security protection areas so that the copy files in the protected area are known to be free of ransomware and can be used to restore business data after the business data is attacked, ensuring business continuity.
  • After the production host in the business system 110 generates business data and writes it to the production storage device, it can back up the generated business data to the backup storage device of the backup storage system 120 in the same region, so that after the production host is attacked by ransomware, the business data can be restored from the backup data in the backup storage device and the production host can continue to operate normally.
  • In region A, the production host generates business data and stores it in the production storage device. While the business data is being written to the production storage device, ransomware detection is performed based on the behaviour of ransomware to ensure that the business data stored in the production storage device is safe.
  • Step 2 is performed regularly to back up the business data, and the backup data is stored in the backup storage device of the backup storage system 120 through the internal storage network.
  • Although the internal storage network is closed and isolated from the external network, ransomware is concealed and latent and the production host cannot always prevent the attack, so part of the business data stored in the production storage device may already have been attacked by ransomware.
  • The business data may also be attacked by ransomware, so that the backup data stored in the backup storage device is itself attacked by ransomware.
  • Step 5 can also be performed to establish a separate physically isolated area, and the backup data that has passed ransomware detection is copied to the isolated storage device of the isolated storage system 140 under Air Gap automatic shutdown control.
  • The business data can also be backed up in step 6 and stored in the disaster recovery storage device of the disaster recovery storage system 150 in region B.
  • If the business data in the production storage device of the business system 110 in region A is attacked by ransomware, it can be restored from the backup data through steps 7 to 9 shown in Figure 1 to ensure normal operation of the business.
  • However, backup data that has passed detection may be attacked by ransomware again while being stored in the isolated storage device of the isolated storage system 140, or while business data is being restored from the isolated storage system to the production host of the business system 110. This can contaminate the backup data held in the isolated storage device of the isolated storage system 140, or cause the business data recovery on the production host of the business system 110 to fail.
  • To address this, the embodiment of the present application proposes a ransomware detection method.
  • Backup data that has not been attacked by ransomware is signed.
  • The backup data is used only after the signature verification is passed.
  • Ransomware detection can then be performed only on backup data that has not yet been signed, avoiding full detection of all backup data or repeated detection of the same backup data, which would waste computing and storage resources.
  • FIG. 2 shows a schematic diagram of at least one application scenario in an embodiment of the present application.
  • The user's business data, produced through the production host in the business system 110, is stored in the production storage device, which provides cloud storage services for the user's business data. The production storage device can be deployed in a distributed storage system, in which the user's business data is distributed across multiple independent storage nodes that can communicate and interact with each other.
  • A storage node is a device that has both computing and storage capabilities, such as a server or a desktop computer.
  • Each storage device has an operating system that supports the corresponding storage application services.
  • A service layer can be deployed to provide storage services such as object storage (OBS), file storage (SFS) or block storage (EVS).
  • Other storage nodes can deploy a data persistence layer to provide persistent data storage, and an index layer to provide data indexing. The computing resources required by the software layer on each storage device come from the device's local processor and memory, while the required storage resources can come from the device's local hard disk or from the hard disks of other storage devices.
  • The business data in the business system 110 is regularly backed up to the backup storage device in the backup storage system 120 located in the same region, region A.
  • The backup storage device is similar to the production storage device and is not described again here. The backup storage device and the production storage device can be located in the same availability zone (AZ) of the same region, or in different AZs of the same region; no restriction is imposed here.
  • The backup data stored in the backup storage system 120 may include backup data that has been attacked by ransomware. Therefore, the backup detection system 130 needs to perform ransomware detection on the backup data in the backup storage system 120 based on the file characteristics of the backup data. Detection is based on file characteristics because a ransomware attack leaves ransom prompt information in the backup data or changes the file characteristics of the backup data.
  • A separate physically isolated area can also be established.
  • Backup data in the backup storage system 120 that has passed ransomware detection, that is, has not been attacked by ransomware, can be copied to the isolated storage device of the isolated storage system 140 located in the same region A for storage.
  • The isolated storage device is similar to the production storage device and is not described again here.
  • Through the Air Gap, the backup data in the isolated storage system 140 is disconnected from the Internet, which prevents the backup data from being accessed online and thereby from being attacked by ransomware.
  • If the business data of the production storage device of the business system 110 is attacked by ransomware, it can be restored from the backup data in the isolated storage device of the isolated storage system 140.
  • In addition to backing up business data in the same region, a disaster recovery backup system or data center can be established in another region, region B, that is, at another geographical location. Backup data that has undergone ransomware detection can be copied across regions to the disaster recovery storage system 150 located in region B, so that after a failure or disaster affects the business system 110 and the backup storage system 120 in region A, the production business can be restored from the backup data in the disaster recovery storage device of the disaster recovery storage system 150 and continue to run.
  • The disaster recovery storage system 150 may also establish a separate physically isolated area in region B and use Air Gap automatic shutdown control to protect the backup data in the disaster recovery storage device that has not been attacked by ransomware; this is similar to the isolated storage system 140 and is not described in detail here.
  • While backup data that has passed detection is stored in the isolated storage device of the isolated storage system 140, or while business data is being restored from the isolated storage system to the production host of the business system 110, the backup data may be attacked by ransomware again, contaminating the backup data held in the isolated storage device of the isolated storage system 140 or causing the business data recovery on the production host of the business system 110 to fail.
  • The key management system 210 signs the backup data that has not been attacked by ransomware using the signature private key.
  • Before the backup data is stored in the isolated storage system or used to restore business data in the business system, the signature is verified using a locally preset public key or by requesting the key management system 210 to perform the verification; the data is stored or restored only after the verification passes.
  • The backup detection system 130 can be implemented in software or hardware.
  • The backup detection system 130 can be deployed on one or more execution machines, which can be physical machines, virtual machines or containers.
  • The storage device may also be deployed in a centralized storage system.
  • A user may store business data in a production storage device and store backup data of that business data in a backup storage device.
  • The ransomware detection method provided by an embodiment of the present application is introduced below. The method is proposed on the basis of the above description, and part or all of its content can be understood with reference to that description.
  • FIG. 3 shows a flow chart of a ransomware detection method provided in an embodiment of the present application. The method can be implemented in any suitable device, equipment, platform or device cluster with computing, processing and storage capabilities. As shown in FIG. 3, the method may include steps S301 to S306:
  • Step S301: The backup detection system obtains backup data.
  • The backup detection system and the isolated storage system are independent systems.
  • The backup detection system regularly performs ransomware detection on the backup data in the backup storage system, and the backup data that has not been attacked by ransomware is then stored in the isolated storage system, so that data recovery can be performed after a failure of the business data in the business system.
  • The business system can be the business system 110 shown in FIG. 2, the backup storage system can be the backup storage system 120, the backup detection system can be the backup detection system 130, and the isolated storage system can be the isolated storage system 140; these are also used as examples in the explanation below.
  • The user sends the business data to the backup storage system 120 for backup storage, and the backup storage system 120 stores it in the backup storage device.
  • The backup data of the business data is stored in the backup storage device.
  • Before the backup, the user performs ransomware detection in advance based on the behaviour of the ransomware.
  • Ransomware uses an encryption algorithm to encrypt business data in the business system 110, forcing the user to pay a ransom in exchange for the encrypted business data; without the decryption key, the attack is irreversible. When ransomware encrypts business data, the activity is recorded in the system log of the business system 110. By checking the system log, the business system 110 can determine how the ransomware attack occurred, identify the ransomware, and determine whether other malware is present.
  • Ransomware creates a large number of new files in a short period of time, with a correspondingly large number of new file names.
  • The business system 110 can therefore check the total number of new files created in a relatively small time window (for example, within 1 minute). When the number of new files exceeds a set threshold, the business system 110 is determined to have been attacked by ransomware.
  • The business data sent by the user to the backup storage system 120 may be business data that has not been attacked by ransomware, or business data that has been attacked.
  • If the business system 110 does not detect that the business data has been attacked by ransomware, and the business data is attacked by ransomware while the business system 110 is sending it to the backup storage system 120, the backup storage system 120 stores backup data that has been attacked by ransomware.
  • The backup storage system 120 receives the business data sent regularly by the business system 110 as backup data and stores it in the backup storage device through the internal storage network.
  • Although the internal storage network is closed and isolated from the external network, ransomware is concealed and latent, and the business system 110 cannot always prevent the attack, so part of the business data in the production storage device may already have been attacked by ransomware.
  • Therefore, the backup detection system 130 is required to regularly perform ransomware detection on the backup data stored in the backup storage system 120 and return the detection results to the backup storage system.
  • Step S302: The backup detection system 130 performs ransomware detection on the backup data.
  • The backup detection system 130 regularly performs ransomware detection based on the file features of the backup data stored in the backup storage device of the backup storage system 120.
  • Detection is based on file features because a ransomware attack may leave ransom prompt information in the backup data or change the file features of the backup data.
  • Ransomware detection based on file features may include file suffix detection, ransom prompt information detection, or detection of entropy changes between consecutive backups of the data, but is not limited to these.
  • Ransomware traverses the business data in the production storage device, or retrieves the business data in several specific directories used for storing documents, and encrypts all of it or specific high-value business data.
  • Ransomware either modifies the original business data directly, or writes the ciphertext to another file and deletes the original business data after encryption. Since ransomware usually traverses and encrypts files and reads and writes a large amount of business data, if only a small number of business data files were read and written in the period examined by the backup detection system 130, the suspicion of ransomware can be ruled out.
  • After the encryption attack, the ransomware places a ransom prompt in the file directory.
  • The ransom prompt can be a text file or a web page file.
  • Most ransomware also modifies the desktop background or pops up a dialog box to inform the user of the attack once encryption is complete, for example a desktop dialog saying "You have been encrypted by ransomware, do not try to decrypt, please pay the ransom." Therefore, if the backup detection system 130 observes a ransom prompt, it can determine that the business data may have been attacked by ransomware.
  • When ransomware launches an attack on the business data, it modifies the file names of the business data by adding a specific file suffix.
  • The added file suffix marks the business data as already encrypted so that the ransomware does not encrypt it again; it also signals to the user that the data has been encrypted, and makes it easy to identify the business data to be decrypted once the ransom is received.
  • When ransomware encrypts business data, it generally appends a fixed suffix to the source file name. For example, if the source file name is report.docx, the encrypted file name is report.docx.lockbit0331. Therefore, if the backup detection system 130 detects that a business data file name contains a specific file suffix, it can determine that the data has been attacked by ransomware.
  • Ransomware also modifies the file content of business data. Most files written by ransomware are encrypted ciphertext, whose entropy is generally high, or the ransomware writes a large number of data files with different suffixes that are all high-entropy. The backup detection system 130 can therefore determine whether the business data has been attacked by ransomware from the change in its entropy: encrypted file data is more random than the plaintext, so its information entropy is higher, and the characteristic high entropy of encrypted data reveals the attack.
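The suffix, ransom-prompt and entropy-change checks above run as one detection pass over a constructed backup set, written here as an added Go example rather than the patent's own implementation. The thresholds, the prompt phrases and the sample files are assumptions; the .lockbit0331 suffix is the page's own example.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
	"strings"
)

// BackupFile is a constructed in-memory stand-in for one file in a backup set.
type BackupFile struct {
	Name    string
	Content []byte
}

// Assumed thresholds and indicator lists, not values from the patent.
const (
	highEntropyBits = 7.5 // bits/byte; ciphertext approaches 8.0, office documents sit well below
	entropyJumpBits = 2.0 // rise versus the previous backup of the same file that counts as suspicious
)

var ransomSuffixes = []string{".lockbit0331"} // the suffix the page uses as its example
var ransomPromptPhrases = []string{"been encrypted", "pay the ransom"}

// ShannonEntropy returns the byte entropy of b in bits per byte (0 for empty input).
func ShannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	n, h := float64(len(b)), 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// isRansomPrompt checks text or web page files for the wording a ransom prompt carries.
func isRansomPrompt(f BackupFile) bool {
	name, body := strings.ToLower(f.Name), strings.ToLower(string(f.Content))
	if !strings.HasSuffix(name, ".txt") && !strings.HasSuffix(name, ".html") {
		return false
	}
	for _, p := range ransomPromptPhrases {
		if strings.Contains(body, p) {
			return true
		}
	}
	return false
}

// DetectRansomware runs the suffix, prompt and entropy-change checks over the current backup set,
// using each file's previous backup (looked up by original name) for the entropy comparison.
func DetectRansomware(previous, current []BackupFile) []string {
	prevEntropy := make(map[string]float64, len(previous))
	for _, f := range previous {
		prevEntropy[f.Name] = ShannonEntropy(f.Content)
	}
	var findings []string
	for _, f := range current {
		orig := f.Name // name before any ransomware suffix was appended
		for _, s := range ransomSuffixes {
			if strings.HasSuffix(f.Name, s) {
				orig = strings.TrimSuffix(f.Name, s)
				findings = append(findings, f.Name+": known ransomware file suffix")
			}
		}
		if isRansomPrompt(f) {
			findings = append(findings, f.Name+": ransom prompt file")
		}
		h := ShannonEntropy(f.Content)
		if prev, ok := prevEntropy[orig]; ok && h >= highEntropyBits && h-prev >= entropyJumpBits {
			findings = append(findings, fmt.Sprintf("%s: entropy rose from %.2f to %.2f bits/byte", f.Name, prev, h))
		}
	}
	return findings
}

// SampleBackups builds a constructed before/after pair: a report that was encrypted (simulated
// with seeded pseudo-random bytes) and renamed, plus a dropped ransom prompt file.
func SampleBackups() (previous, current []BackupFile) {
	plain := []byte(strings.Repeat("Quarterly report: revenue up, costs flat. ", 100))
	cipher := make([]byte, len(plain))
	rand.New(rand.NewSource(42)).Read(cipher)
	previous = []BackupFile{{"report.docx", plain}}
	current = []BackupFile{
		{"report.docx.lockbit0331", cipher},
		{"README_RESTORE.txt", []byte("Your files have been encrypted. Pay the ransom to recover them.")},
	}
	return previous, current
}

func main() {
	for _, finding := range DetectRansomware(SampleBackups()) {
		fmt.Println(finding)
	}
}
```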
  • Step S303: The backup detection system 130 obtains the signature of the target backup data and its label information based on the private key.
  • After the backup detection system 130 performs ransomware detection on the backup data, it marks the target backup data that has passed the detection and determines the label information. In this way, the backup detection system 130 can know from the label information whether the target backup data has been attacked by ransomware, and then send only the target backup data that has passed detection, that is, has not been attacked by ransomware, to the isolated storage system 140.
  • The label information may be a bit corresponding to the backup data.
  • If the backup data has not been attacked by ransomware, the bit corresponding to the backup data may be set to "1"; if the backup data has been attacked by ransomware, the bit may be set to "0".
  • After the backup detection system marks the backup data, it can determine from the bit corresponding to the backup data whether the data has been attacked by ransomware, and then send the target backup data that has not been attacked to the isolated storage system 140 for isolated storage, that is, send the target backup data whose bit is "1".
  • Alternatively, the target bit corresponding to the target backup data may be set to "0" if the data has not been attacked by ransomware and to "1" if it has; this is not specifically limited in the embodiments of the present application.
  • When the backup detection system 130 detects that the bit corresponding to the backup data is "0", that is, the backup data has been attacked by ransomware, it issues an alarm message and sends an alarm notification to remind the user that the backup data stored in the backup storage system 120 has been attacked by ransomware. Based on this alarm, the user can back up the business data again to the backup storage system 120, or pay the ransom to decrypt the backup data.
  • After the backup detection system 130 determines the label information of the target backup data that has passed ransomware detection, it obtains the signature of that target backup data and its label information, calculated based on the private key.
  • The private key can be pre-stored locally in the backup detection system, generated by the key management system 210 using an encryption algorithm, or imported by the user into the key management system from their own key material, and is used to sign the current backup data and label information.
  • The signature algorithm may include the RSA digital signature algorithm, the DSA digital signature algorithm, or the ECDSA elliptic curve digital signature algorithm, but is not limited to these.
  • The signature algorithm may also include an AES256 quantum-resistant symmetric cryptographic algorithm to apply secondary protection to the signature, so that the integrity protection of the signature can resist quantum computing attacks.
  • Step S304: The backup detection system 130 sends the target backup data, label information and signature to the isolated storage system 140.
  • A separate physically isolated area can also be established.
  • The backup detection system sends the target backup data that has passed ransomware detection, that is, has not been attacked by ransomware, together with its signature to the isolated storage system 140.
  • Through the Air Gap, the target backup data in the isolated storage system 140 is disconnected from the Internet, which prevents it from being accessed online and thereby from being attacked by ransomware.
  • If the business data of the production storage device of the business system 110 is attacked by ransomware, it can be restored from the target backup data in the isolated storage device of the isolated storage system 140.
  • Step S305: The isolated storage system 140 verifies the signature based on the public key.
  • The isolated storage system 140 verifies the target backup data and the signature based on the public key, thereby checking whether the target backup data was attacked by ransomware while being transmitted from the backup detection system 130 to the isolated storage system 140.
  • The public key and the private key used by the backup detection system 130 to obtain the signature are a matching key pair generated by the same signature algorithm.
  • For example, the private key ECDSAPrivateKey used for signing and the public key ECDSAPublicKey used for signature verification are a matching key pair. The key pair corresponds to a key ID (key identifier), and each key ID corresponds to one pair of public and private keys.
  • The private key ECDSAPrivateKey is used to sign the target backup data to obtain its signature, and the public key ECDSAPublicKey is used to verify that signature, thereby verifying that the target backup data has not been attacked by ransomware.
  • Step S306: If the verification is successful, the isolated storage system 140 stores the target backup data.
  • If the isolated storage system 140 verifies the signature successfully with the public key, that is, determines that the target backup data has not been attacked by ransomware, it stores the target backup data, so that after the business data of the business system 110 is attacked by ransomware, it can be restored from the target backup data stored in the isolated storage system 140.
  • In this way, the backup detection system obtains a signature over the backup data in the backup storage system, and the isolated storage system located in the physically isolated area verifies the signature using the public key. After successful verification, the target backup data that has not been attacked by ransomware is stored in the isolated storage system for restoring business data when the business system fails.
  • The signature verification in this ransomware detection method ensures that the backup data stored in the isolated storage system has not been attacked by ransomware.
  • When the backup detection system regularly performs ransomware detection on the backup data in the backup storage system, it performs detection only on the unsigned backup data, which avoids the large resource consumption of full ransomware detection, reduces computing overhead, and improves detection efficiency.
  • Executing step S303 may specifically include steps S401 to S404:
  • Step S401: The backup detection system 130 calculates a first hash value of the target backup data and label information.
  • When the backup detection system 130 obtains the signature of the target backup data and its label information based on the private key, it first calculates the first hash value of the target backup data and the label information, as required by the digital signature algorithm.
  • The backup detection system 130 may use a message digest algorithm (Message Digest, MD), a secure hash algorithm (Secure Hash Algorithm, SHA) or a message authentication code algorithm (Message Authentication Code, MAC) to calculate the first hash value of the target backup data and label information, but is not limited to these.
  • Step S402: The backup detection system 130 sends the first hash value to the key management system 210.
  • The backup detection system 130 sends the first hash value to the key management system 210, requesting it to sign the target backup data and label information based on the private key.
  • Step S403: The key management system 210 signs the first hash value based on the private key.
  • The key management system 210 receives the first hash value sent by the backup detection system 130 and signs it based on the private key.
  • The key management system 210 generates a private key and a public key for signature verification using a certain digital signature algorithm; the private key is used to sign the target backup data and label information, and the public key is used to verify the signature.
  • Alternatively, the user generates a private key and a public key for signature verification on a local trusted encryption machine and imports them through the configuration interface or API of the key management system 210; again, the private key is used to sign the target backup data and label information, and the public key is used for signature verification.
  • Step S404: The key management system 210 sends the signature to the backup detection system 130.
  • The signature is returned to the backup detection system.
  • The backup detection system 130 stores the target backup data, label information and signature.
  • The target backup data and signature are then copied to the isolated storage system 140, where the signature is verified based on the public key. If the verification succeeds, the isolated storage system 140 stores the target backup data, from which the user's business system 110 can perform data recovery.
  • For example, the backup detection system 130 uses the SHA-1 hash algorithm to calculate the first hash value of the target backup data and label information, also known as the message digest.
  • The SHA-1 hash algorithm hashes the target backup data and label information of any length to obtain a pseudo-random result of fixed length, namely the first hash value.
  • The first hash value is unique and irreversible; the original target backup data and label information cannot be recovered from it.
  • In this example, the first hash value calculated using the SHA-1 hash algorithm is DFCD3454.
  • The first hash value is then signed based on the private key.
  • Alternatively, executing step S303 may specifically include steps S601 to S603:
  • Step S601: The backup detection system 130 calculates a first hash value of the target backup data and label information.
  • As in step S401, when the backup detection system 130 obtains the signature of the target backup data and its label information based on the private key, it first calculates the first hash value of the target backup data and the label information according to the digital signature algorithm.
  • Step S602: The key management system 210 sends the private key to the backup detection system 130.
  • The backup detection system 130 initiates a key acquisition request to the key management system 210.
  • The key management system 210 can generate a private key and a public key for signature verification, or send to the backup detection system 130 the private key that the user generated on a local trusted encryption machine and imported through the configuration interface or API of the key management system 210.
  • Step S603: The backup detection system 130 signs the first hash value based on the private key.
  • The backup detection system 130 receives the private key sent by the key management system 210 and signs the first hash value with it.
  • Executing step S305 may specifically include steps S701 to S703.
  • Step S701: The isolated storage system 140 calculates a second hash value of the target backup data and label information.
  • After receiving the target backup data and the label information, the isolated storage system 140 calculates the second hash value of the target backup data and the label information using the same digital signature algorithm.
  • For example, if the backup detection system 130 uses the SHA-1 hash algorithm to calculate the first hash value of the target backup data and the label information, the isolated storage system 140 also uses the SHA-1 hash algorithm to calculate the second hash value.
  • Step S702: The isolated storage system 140 performs signature verification based on the public key to obtain the first hash value.
  • The isolated storage system 140 verifies the signature sent by the backup detection system 130 based on the public key to obtain the first hash value, where the public key and the private key used by the backup detection system for signing are a matching key pair.
  • Step S703: The isolated storage system 140 compares the first hash value with the second hash value.
  • After the isolated storage system 140 verifies the signature sent by the backup detection system 130 based on the public key and obtains the first hash value, it compares it with the second hash value it calculated over the target backup data and label information.
  • If the first hash value and the second hash value are the same, the target backup data has not been destroyed or tampered with while being sent from the backup detection system 130 to the isolated storage system 140, that is, it has not been attacked by ransomware, and the verification succeeds. If the two hash values differ, the target backup data may have been destroyed or tampered with, that is, it may have been attacked by ransomware, and the verification fails.
  • When the isolated storage system 140 compares the first hash value with the second hash value and finds that they differ, that is, the target backup data has been attacked by ransomware, it may issue an alarm message and send an alarm notification to remind the user that the target backup data stored in the isolated storage system 140 has been attacked by ransomware. Based on this alarm, the user may back up the business data again to the isolated storage system 140, or pay a ransom to decrypt the target backup data.
  • For example, the backup detection system 130 uses the SHA-1 hash algorithm to calculate the first hash value, also known as the message digest, of the target backup data and the label information; in this example the first hash value is DFCD3454. The first hash value is then signed based on the private key.
  • The backup detection system 130 sends the target backup data, the label information and the signature to the isolated storage system 140.
  • The isolated storage system 140 uses the SHA-1 hash algorithm to calculate the second hash value of the target backup data and the label information, verifies the signature based on the public key to obtain the first hash value, and then compares the two hash values.
  • If the two hash values are the same, the target backup data has not been destroyed or tampered with while being sent from the backup detection system to the isolated storage system 140, that is, it has not been attacked by ransomware, and the verification succeeds; if they differ, the target backup data may have been destroyed or tampered with, that is, it may have been attacked by ransomware, and the verification fails.
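The hash, sign and verify exchange of steps S401 to S404 and S701 to S703 end to end, as an added Go example and not the patent's code: the detection system sends only the hash to a key management system stand-in that signs with an ECDSA private key, and the isolated storage side recomputes the hash over label and data and verifies before storing. The P-256 curve, SHA-256 in place of the page's SHA-1 example (SHA-1 is no longer recommended for signatures), the one-byte label encoding and all names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Label information: one bit per backup, "1" meaning the backup passed ransomware detection.
const (
	LabelClean    byte = 1
	LabelAttacked byte = 0
)

// SignedBackup is what the backup detection system sends to the isolated storage system (S304).
type SignedBackup struct {
	Data      []byte
	Label     byte
	Signature []byte // ASN.1 DER-encoded ECDSA signature over Digest(Label, Data)
}

// KeyManagementSystem holds the signing key; the detection system only ever sends it a digest (S402).
type KeyManagementSystem struct{ priv *ecdsa.PrivateKey }

// NewKeyManagementSystem generates a P-256 key pair, the KMS-generated option of S403.
func NewKeyManagementSystem() (*KeyManagementSystem, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &KeyManagementSystem{priv: priv}, nil
}

// PublicKey is the verification key preset in the isolated storage system.
func (k *KeyManagementSystem) PublicKey() *ecdsa.PublicKey { return &k.priv.PublicKey }

// SignDigest signs the first hash value with the private key (S403); the key never leaves the KMS.
func (k *KeyManagementSystem) SignDigest(digest []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, k.priv, digest)
}

// Digest hashes label and target backup data together (S401 on the detection side, S701 on the
// isolated-storage side); the one-byte label keeps the concatenation unambiguous. SHA-256 is used
// here rather than the SHA-1 of the page's example.
func Digest(label byte, data []byte) []byte {
	h := sha256.New()
	h.Write([]byte{label})
	h.Write(data)
	return h.Sum(nil)
}

// SignBackup is the detection system's side of S401-S404; only data that passed detection is signed,
// so the signature also vouches for the label.
func SignBackup(kms *KeyManagementSystem, data []byte, label byte) (SignedBackup, error) {
	if label != LabelClean {
		return SignedBackup{}, errors.New("refusing to sign backup data that failed ransomware detection")
	}
	sig, err := kms.SignDigest(Digest(label, data))
	if err != nil {
		return SignedBackup{}, err
	}
	return SignedBackup{Data: data, Label: label, Signature: sig}, nil
}

// VerifyBackup recomputes the second hash (S701) and checks the signature against it. ECDSA does
// not recover the first hash from the signature, so verifying against the recomputed hash stands
// in for the S702/S703 comparison; any change to data or label in transit fails it.
func VerifyBackup(pub *ecdsa.PublicKey, sb SignedBackup) error {
	if sb.Label != LabelClean {
		return errors.New("label does not mark the backup as clean")
	}
	if !ecdsa.VerifyASN1(pub, Digest(sb.Label, sb.Data), sb.Signature) {
		return errors.New("signature verification failed: data or label changed in transit")
	}
	return nil
}

// StoreIfVerified is S306: the isolated storage system keeps the backup only when verification
// passes; the error path is where the patent raises its alarm instead.
func StoreIfVerified(pub *ecdsa.PublicKey, store map[string]SignedBackup, name string, sb SignedBackup) error {
	if err := VerifyBackup(pub, sb); err != nil {
		return err
	}
	store[name] = sb
	return nil
}

func main() {
	kms, err := NewKeyManagementSystem()
	if err != nil {
		panic(err)
	}
	isolated := map[string]SignedBackup{} // stand-in for the isolated storage device
	sb, _ := SignBackup(kms, []byte("constructed backup: report.docx contents"), LabelClean)
	fmt.Println("clean copy stored:", StoreIfVerified(kms.PublicKey(), isolated, "report.docx", sb) == nil)
	sb.Data[0] ^= 0xff // simulate modification in transit
	fmt.Println("tampered copy stored:", StoreIfVerified(kms.PublicKey(), isolated, "report.docx.v2", sb) == nil)
}
```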
  • the ransomware detection method may also include:
  • Step S901 The isolated storage system 140 receives target backup data, label information, and a signature.
  • in addition to the backup storage system, a separate physically isolated area, the isolated storage system 140, can also be established.
  • the isolated storage system 140 receives the target backup data and signature that the backup detection system 130 has determined, by ransomware detection, to be free of ransomware.
  • the target backup data in the isolated storage system 140 is disconnected from the Internet, which prevents it from being accessed online and thus from being attacked by ransomware.
  • when the business data on the production storage device of the business system 110 is attacked by ransomware, it can be restored from the target backup data on the isolated storage device of the isolated storage system 140.
  • Step S902 The isolated storage system 140 verifies the signature based on the public key.
  • the isolated storage system 140 verifies the target backup data and the signature with the public key before storing the target backup data, thereby checking whether the target backup data was attacked by ransomware while being transmitted from the backup detection system 130 to the isolated storage system 140.
  • the public key and the private key used by the backup detection system 130 to obtain the signature are a matching key pair generated with the same signature algorithm.
  • Step S903 If the verification is successful, the isolated storage system 140 stores the target backup data.
  • the target backup data is stored in the isolated storage system, so that after the business data of the business system 110 is attacked by ransomware, it can be restored based on the target backup data stored in the isolated storage system 140.
  • Step S904 the business system 110 sends a recovery request to the isolated storage system 140 .
  • a data recovery request is sent to the isolated storage system 140 to request to obtain target backup data for data recovery.
  • Step S905 The isolated storage system 140 sends the target backup data, label information, and signature.
  • the isolated storage system 140 receives a recovery request sent by the business system 110, and sends the target backup data, label information and signature according to the recovery request, wherein the signature is used for data recovery based on the target backup data after the business system 110 verifies the signature.
  • Step S906 the business system 110 verifies the signature based on the public key.
  • the business system 110 receives the target backup data, label information and signature sent by the isolated storage system 140. Before using the target backup data for data recovery, it verifies the target backup data and the signature with the public key, thereby checking whether the target backup data was attacked by ransomware while being transmitted from the isolated storage system 140 to the business system 110 for data recovery.
  • the public key and the private key used by the backup detection system 130 to obtain the signature are a matching key pair generated with the same signature algorithm.
  • Step S907 If the verification is successful, the business system 110 uses the target backup data to perform data recovery.
  • the target backup data is used for data recovery.
  • executing step S906 may specifically include steps S1001 to S1003 .
  • Step S1001 the business system 110 calculates a third hash value of target backup data and tag information.
  • after receiving the target backup data and the label information, the business system 110 calculates the third hash value of the target backup data and the label information with the same hash algorithm that the backup detection system 130 used for the first hash value.
  • step S1002 the business system 110 performs signature verification based on the public key to obtain a first hash value.
  • the business system 110 verifies the signature sent by the isolated storage system 140 with the public key to obtain the first hash value, where the public key and the private key used by the backup detection system for signing are a matching key pair.
  • Step S1003 the business system 110 compares the first Hash value with the third Hash value.
  • the business system 110 verifies the signature sent by the isolated storage system 140 based on the public key, and after obtaining the first hash value, compares it with the calculated third hash value of the target backup data and label information.
  • when the first hash value and the third hash value are the same, the target backup data has not been destroyed or tampered with while being sent from the isolated storage system 140 to the business system 110, that is, it has not been attacked by ransomware, and the verification succeeds; when the first hash value and the third hash value differ, the target backup data may have been destroyed or tampered with, that is, it may have been attacked by ransomware, and the verification fails.
  • when the business system 110 compares the first hash value with the third hash value and finds them different, that is, the target backup data may have been attacked by ransomware, it may raise an alarm and send an alarm notification reminding the user that the target backup data stored in the isolated storage system 140 has been attacked by ransomware. Based on this alarm, the user may back up the business data again and store it in the isolated storage system 140, or pay the ransom to decrypt the target backup data.
  • the process by which the business system 110 verifies the signature is similar to that of the isolated storage system 140 and is not repeated here.
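The following is an added example, not code from the patent or from the applicant, that walks the flow of steps S901 to S907 and S1001 to S1003 above in Go: the backup detection system hashes the target backup data together with its tag information, a key management system signs only the digest with the private key, the isolated storage system verifies with the public key before storing, and the business system verifies again before recovering. It uses ECDSA P-256 over SHA-256 rather than the SHA-1 of the example above. The type and function names, the tag string and the backup payload are all assumptions made for illustration, and the length prefix in the digest is an added design choice so that the boundary between data and tag cannot be shifted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// TagPassed is the label information attached to backup data that passed
// ransomware detection (constructed value, not from the patent).
const TagPassed = "ransomware-detection:passed"

// SignedBackup is what travels from the backup detection system to the
// isolated storage system and later back to the business system.
type SignedBackup struct {
	ID        string
	Data      []byte
	Tag       string
	Signature []byte
}

// Digest is the "first hash value": SHA-256 over the backup data and the
// tag. The length prefix keeps H(data||tag) unambiguous; without it
// ("ab","c") and ("a","bc") would hash identically.
func Digest(data []byte, tag string) []byte {
	h := sha256.New()
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(data)))
	h.Write(n[:])
	h.Write(data)
	h.Write([]byte(tag))
	return h.Sum(nil)
}

// KMS keeps the private key; the detection system sends it only the digest,
// which keeps the key off the detection host and saves bandwidth.
type KMS struct{ priv *ecdsa.PrivateKey }

func NewKMS() (*KMS, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &KMS{priv: priv}, nil
}

func (k *KMS) PublicKey() *ecdsa.PublicKey { return &k.priv.PublicKey }

func (k *KMS) SignDigest(digest []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, k.priv, digest)
}

// Package is the backup detection system's side: hash, obtain the KMS
// signature over the digest, and bundle data, tag and signature.
func Package(kms *KMS, id string, data []byte) (SignedBackup, error) {
	sig, err := kms.SignDigest(Digest(data, TagPassed))
	if err != nil {
		return SignedBackup{}, err
	}
	return SignedBackup{ID: id, Data: data, Tag: TagPassed, Signature: sig}, nil
}

// Verify recomputes the digest (the "second" or "third hash value") and
// checks the signature against it. It also checks what the tag says: a
// valid signature over a tag that does not assert "passed" must not be
// accepted either.
func Verify(pub *ecdsa.PublicKey, sb SignedBackup) error {
	if sb.Tag != TagPassed {
		return errors.New("tag does not state that ransomware detection passed")
	}
	if !ecdsa.VerifyASN1(pub, Digest(sb.Data, sb.Tag), sb.Signature) {
		return errors.New("signature verification failed: data or tag altered in transit")
	}
	return nil
}

// IsolatedStore verifies before storing (S902/S903) and returns the same
// bundle on a recovery request (S905) so the business system can verify again.
type IsolatedStore struct {
	pub   *ecdsa.PublicKey
	vault map[string]SignedBackup
}

func NewIsolatedStore(pub *ecdsa.PublicKey) *IsolatedStore {
	return &IsolatedStore{pub: pub, vault: map[string]SignedBackup{}}
}

func (s *IsolatedStore) Receive(sb SignedBackup) error {
	if err := Verify(s.pub, sb); err != nil {
		return fmt.Errorf("isolated store rejects %s: %w", sb.ID, err)
	}
	s.vault[sb.ID] = sb
	return nil
}

func (s *IsolatedStore) Recover(id string) (SignedBackup, error) {
	sb, ok := s.vault[id]
	if !ok {
		return SignedBackup{}, errors.New("no such backup")
	}
	return sb, nil
}

// BusinessRecover is S906/S907: verify the returned bundle, then hand the
// data to the restore step.
func BusinessRecover(pub *ecdsa.PublicKey, sb SignedBackup) ([]byte, error) {
	if err := Verify(pub, sb); err != nil {
		return nil, err
	}
	return sb.Data, nil
}

func main() {
	kms, _ := NewKMS()
	store := NewIsolatedStore(kms.PublicKey())
	sb, _ := Package(kms, "vol-1", []byte("constructed backup payload"))
	fmt.Println("store clean:   ", store.Receive(sb))
	tampered := sb
	tampered.Data = append([]byte("ENCRYPTED "), sb.Data...) // simulated in-transit corruption
	fmt.Println("store tampered:", store.Receive(tampered))
	got, _ := store.Recover("vol-1")
	data, err := BusinessRecover(kms.PublicKey(), got)
	fmt.Println("recovered:", string(data), err)
}
```

The signature binds only the data and the tag, which is what the method describes; it does not stop an attacker on the path from substituting an older, validly signed backup for a newer one. Binding a backup identifier and a timestamp into the signed bytes, and having the verifier check them against the recovery request, closes that gap.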
  • the present application also provides a ransomware detection device, as shown in FIG11 , the device 1100 includes:
  • An acquisition module 1101 is used to acquire backup data
  • the processing module 1102 is used to perform ransomware detection on the backup data
  • the acquisition module 1101 is further used to acquire the signature of the target backup data and the tag information of the target backup data based on the private key, and the tag information of the target backup data is used to indicate that the target backup data has passed the ransomware detection;
  • the sending module 1103 is used to send the target backup data, label information and signature to the isolated storage system.
  • the signature is used by the isolated storage system to verify the signature with the public key and to store the target backup data after the verification succeeds.
  • the public key and the private key form a matching key pair.
  • the acquisition module 1101 is specifically configured to calculate a first hash value of the target backup data and the tag information.
  • the sending module 1103 is also used to send the first hash value to the key management system, and the key management system is used to sign the first hash value based on the private key and send the signature to the backup detection system.
  • alternatively, after the acquisition module 1101 calculates the first hash value of the target backup data and the tag information, the acquisition module 1101 obtains the private key from the key management system and the processing module 1102 signs the first hash value with the private key.
  • the signature is used by the isolated storage system to store the target backup data when the second hash value, calculated by the isolated storage system from the target backup data and the tag information, equals the first hash value obtained by verifying the signature with the public key.
  • the private key is generated by a key management system, or the private key is imported into the key management system by a user.
  • the acquisition module 1101, the processing module 1102 and the sending module 1103 can all be implemented by software, or can be implemented by hardware.
  • the implementation of the processing module 1102 is described below by taking the processing module 1102 as an example.
  • the implementation of the acquisition module 1101 and the sending module 1103 can refer to the implementation of the processing module 1102.
  • processing module 1102 may include code running on a computing instance.
  • the computing instance may include at least one of a physical host (computing device), a virtual machine, and a container. Furthermore, the computing instance may be one or more.
  • processing module 1102 may include code running on multiple hosts/virtual machines/containers. It should be noted that the multiple hosts/virtual machines/containers used to run the code may be distributed in the same region or in different regions. Furthermore, they may be distributed in the same availability zone (AZ) or in different AZs, where each AZ includes one data center or multiple geographically close data centers. Generally, a region may include multiple AZs.
  • multiple hosts/virtual machines/containers used to run the code can be distributed in the same virtual private cloud VPC or in multiple VPCs.
  • a VPC is set up in a region.
  • a communication gateway needs to be set up in each VPC to achieve interconnection between VPCs through the communication gateway.
  • the processing module 1102 may include at least one computing device, such as a server, etc.
  • the processing module 1102 may also be a device implemented using an application specific integrated circuit ASIC, or a programmable logic device PLD, etc.
  • the PLD may be implemented using a CPLD, FPGA, GAL, or any combination thereof.
  • the multiple computing devices included in the processing module 1102 can be distributed in the same region or in different regions.
  • the multiple computing devices included in the processing module 1102 can be distributed in the same AZ or in different AZs.
  • the multiple computing devices included in the processing module 1102 can be distributed in the same VPC or in multiple VPCs.
  • the multiple computing devices can be any combination of computing devices such as servers, ASICs, PLDs, CPLDs, FPGAs, and GALs.
  • the acquisition module 1101 can be used to execute any step in the ransomware detection method
  • the processing module 1102 can be used to execute any step in the ransomware detection method
  • the sending module 1103 can be used to execute any step in the ransomware detection method.
  • the steps that the acquisition module 1101, the processing module 1102, and the sending module 1103 are responsible for implementing can be specified as needed.
  • the acquisition module 1101, the processing module 1102, and the sending module 1103 respectively implement different steps in the ransomware detection method to realize all the functions of the data processing device.
  • the present application also provides a ransomware detection device, as shown in FIG12 , the device 1200 includes:
  • the receiving module 1201 is used to receive target backup data, label information of the target backup data, and a signature of the target backup data, where the label information is used to indicate that the target backup data has passed the ransomware detection of the backup detection system, and the signature is obtained by signing the target backup data and the label information by the backup detection system based on a private key;
  • a processing module 1202 is used to verify the signature with a public key, where the public key and the private key form a matching key pair;
  • the processing module 1202 is also used to store the target backup data
  • the receiving module 1201 is further used to receive a recovery request from the business system, where the recovery request is used to obtain the target backup data;
  • the processing module 1202 is also used to send the target backup data, label information and signature to the business system according to the recovery request.
  • the signature is used by the business system to verify based on the public key and to use the target backup data for data recovery after successful verification.
  • the processing module 1202 is specifically configured to calculate a first hash value of the target backup data and the tag information.
  • the processing module 1202 is further configured to compare a second hash value obtained by verifying the signature based on the public key with the first hash value.
  • after the processing module 1202 calculates the first hash value of the target backup data and the tag information, if the second hash value is the same as the first hash value, the processing module 1202 is further configured to store the target backup data, so that the business system can use the target backup data for data recovery.
  • the private key is generated by a key management system, or the private key is imported into the key management system by a user.
  • the receiving module 1201 and the processing module 1202 can be implemented by software or hardware.
  • the implementation of the processing module 1202 is described below by taking the processing module 1202 as an example.
  • the implementation of the receiving module 1201 can refer to the implementation of the processing module 1202.
  • the processing module 1202 may include code running on a computing instance.
  • the computing instance may include at least one of a physical host (computing device), a virtual machine, and a container. Further, the above-mentioned computing instance may be one or more.
  • the processing module 1202 may include code running on multiple hosts/virtual machines/containers. It should be noted that the multiple hosts/virtual machines/containers used to run the code can be distributed in the same region or in different regions. Furthermore, they can be distributed in the same availability zone (AZ) or in different AZs, where each AZ includes one data center or multiple geographically close data centers. Usually a region can include multiple AZs.
  • multiple hosts/virtual machines/containers used to run the code can be distributed in the same virtual private cloud VPC or in multiple VPCs.
  • a VPC is set up in a region.
  • a communication gateway needs to be set up in each VPC to achieve interconnection between VPCs through the communication gateway.
  • the processing module 1202 may include at least one computing device, such as a server, etc.
  • the processing module 1202 may also be a device implemented using an application specific integrated circuit ASIC, or a programmable logic device PLD, etc.
  • the PLD may be implemented using a CPLD, FPGA, GAL, or any combination thereof.
  • the multiple computing devices included in the processing module 1202 can be distributed in the same region or in different regions.
  • the multiple computing devices included in the processing module 1202 can be distributed in the same AZ or in different AZs.
  • the multiple computing devices included in the processing module 1202 can be distributed in the same VPC or in multiple VPCs.
  • the multiple computing devices can be any combination of computing devices such as servers, ASICs, PLDs, CPLDs, FPGAs, and GALs.
  • the receiving module 1201 can be used to execute any step in the ransomware detection method
  • the processing module 1202 can be used to execute any step in the ransomware detection method.
  • the steps that the receiving module 1201 and the processing module 1202 are responsible for implementing can be specified as needed.
  • the receiving module 1201 and the processing module 1202 respectively implement different steps in the ransomware detection method to realize all the functions of the data processing device.
  • the present application also provides a computing device 100.
  • the computing device 100 includes: a bus 102, a processor 104, a memory 106, and a communication interface 108.
  • the processor 104, the memory 106, and the communication interface 108 communicate with each other through the bus 102.
  • the computing device 100 may be a server or a terminal device. It should be understood that the present application does not limit the number of processors and memories in the computing device 100.
  • the bus 102 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, etc.
  • the bus may be divided into an address bus, a data bus, a control bus, etc.
  • the bus is represented by only one line in FIG. 13, but this does not mean that there is only one bus or one type of bus.
  • the bus 102 may include a path for transmitting information between the components of the computing device 100 (e.g., the memory 106, the processor 104, the communication interface 108).
  • the processor 104 may include any one or more processors such as a central processing unit (CPU), a graphics processing unit (GPU), a microprocessor (MP) or a digital signal processor (DSP).
  • the memory 106 may include a volatile memory, such as a random access memory (RAM).
  • the memory 106 may also include a non-volatile memory, such as a read-only memory (ROM), a flash memory, a hard disk drive (HDD), or a solid state drive (SSD).
  • the memory 106 stores executable program codes, and the processor 104 executes the executable program codes to respectively implement the functions of the aforementioned acquisition module 1101, the processing module 1102, and the sending module 1103, thereby implementing the ransomware detection method. That is, the memory 106 stores instructions for executing the ransomware detection method.
  • FIG. 13 only exemplarily shows that the memory 106 stores program codes for implementing the functions of the aforementioned acquisition module 1101, the processing module 1102, and the sending module 1103 as an example.
  • the communication interface 108 uses a transceiver module such as, but not limited to, a network interface card or a transceiver to implement communication between the computing device 100 and other devices or a communication network.
  • the embodiment of the present application also provides a computing device cluster.
  • the computing device cluster includes at least one computing device.
  • the computing device can be a server, such as a central server, an edge server, or a local server in a local data center.
  • the computing device can also be a terminal device such as a desktop computer, a laptop computer, or a smart phone.
  • the computing device cluster includes at least one computing device 100.
  • the memory 106 in one or more computing devices 100 in the computing device cluster may store the same instructions for executing the ransomware detection method.
  • the memory 106 of one or more computing devices 100 in the computing device cluster may also store partial instructions for executing the ransomware detection method.
  • the combination of one or more computing devices 100 may jointly execute instructions for executing the ransomware detection method.
  • the memory 106 in different computing devices 100 in the computing device cluster may store different instructions, which are respectively used to execute part of the functions of the data processing apparatus. That is, the instructions stored in the memory 106 in different computing devices 100 may implement the functions of one or more of the acquisition module 1101, the processing module 1102 and the sending module 1103, or implement the functions of one or more of the receiving module 1201 and the processing module 1202.
  • one or more computing devices in the computing device cluster may be connected via a network.
  • the network may be a wide area network or a local area network, etc.
  • FIG. 15 shows one possible implementation, in which two computing devices 100A and 100B are connected via a network, specifically via the communication interface in each computing device.
  • the memory 106 in the computing device 100A stores instructions for executing the functions of the acquisition module 1101.
  • the memory 106 in the computing device 100B stores instructions for executing the functions of the processing module 1102 and the sending module 1103.
  • the division shown in FIG. 15 reflects that the ransomware detection method provided in this application involves a large amount of computation and data, so the functions of the processing module 1102 and the sending module 1103 are assigned to the computing device 100B.
  • the functions of the computing device 100A shown in FIG15 may also be completed by multiple computing devices 100.
  • the functions of the computing device 100B may also be completed by multiple computing devices 100.
  • the embodiment of the present application also provides a computer program product including instructions.
  • the computer program product may be software or a program product including instructions that can be run on a computing device or stored in any available medium.
  • when the instructions are executed by at least one computing device, the at least one computing device executes the ransomware detection method of the backup detection system or the ransomware detection method of the isolated storage system.
  • the embodiment of the present application also provides a computer-readable storage medium.
  • the computer-readable storage medium can be any available medium that a computing device can store, or a data storage device such as a data center containing one or more available media.
  • the available medium can be a magnetic medium (e.g., a floppy disk, a hard disk, a tape), an optical medium (e.g., a DVD), or a semiconductor medium (e.g., a solid state drive).
  • the computer-readable storage medium includes instructions that instruct a computing device to execute the ransomware detection method of the backup detection system or the ransomware detection method of the isolated storage system.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Bioethics (AREA)
  • Quality & Reliability (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

Provided in the present application are a ransomware detection method and a related device. The method is applied to a backup detection system, the backup detection system being used for performing ransomware detection on backup data in a backup storage system, and the backup data being a backup of service data. The method comprises: acquiring backup data; performing ransomware detection on the backup data; acquiring, on the basis of a private key, a signature of the target backup data and of its label information, the label information of the target backup data being used for indicating that the target backup data has passed the ransomware detection; and sending the target backup data, the label information and the signature to an isolation storage system, the signature being used by the isolation storage system to verify the signature on the basis of a public key and to store the target backup data after the verification succeeds, the public key and the private key being a matched key pair. Signing the backup data in the backup detection system thus ensures that backup data which has passed the signature verification of the isolation storage system and is stored by it has not been attacked by the ransomware, enabling a service system to perform data recovery after its own signature verification passes.

Description

Ransomware detection method, distributed system and computer-readable storage medium

This application claims priority to the Chinese patent application filed with the Chinese Patent Office on June 8, 2023, with application number 202310678119.3 and application name "A method, device and other equipment for virus detection", and claims priority to the Chinese patent application filed with the Chinese Patent Office on October 26, 2023, with application number 202311405723.5 and application name "Ransomware detection method, distributed system and computer-readable storage medium", the entire contents of which are incorporated by reference in this application.

Technical Field

The present application relates to the field of security technology, and in particular to a ransomware detection method, a distributed system, and a computer-readable storage medium.

Background Art

Ransomware, also known as a ransom virus, is a type of malware; encrypting ransomware in particular hijacks the victim's data by encrypting files and demands a high ransom to restore the data.

Ransomware protection works by quickly detecting and backing up the business data of the business system in a backup storage system, so that when the business data in the business system is attacked and contaminated by ransomware, it can be restored from the backup copy in the backup storage system. However, once the backup copy itself is encrypted and contaminated by ransomware, the business data can no longer be restored, which affects business continuity. It is therefore necessary to perform ransomware detection on the backup data in the backup storage system and, after confirming that the backup data is free of ransomware, to transfer it to a secure isolated storage system. However, while the backup data is being transferred to the isolated storage system, or transmitted to the business system for data recovery, it may still be contaminated by ransomware, causing the recovery of the business data to fail.

Summary of the invention

The present application provides a ransomware detection method, apparatus and other devices which, by means of signing and signature verification, ensure that only backup data that has passed ransomware detection is stored in the isolated storage system, for use by the business system in data recovery, thereby ensuring business continuity.

In a first aspect, a ransomware detection method is provided, which is applied to a backup detection system. The backup detection system is used to perform ransomware detection on backup data in a backup storage system, where the backup data is a backup of business data. The method comprises: the backup detection system obtains the backup data; the backup detection system performs ransomware detection on the backup data; the backup detection system obtains, based on a private key, a signature of the target backup data and of the label information of the target backup data, where the label information of the target backup data indicates that the target backup data has passed the ransomware detection; and the backup detection system sends the target backup data, the label information and the signature to an isolated storage system, where the signature is used by the isolated storage system to verify the signature based on a public key and to store the target backup data after successful verification, the public key and the private key being a matching key pair.

In this embodiment, the backup detection system performs ransomware detection on the backup data stored in the backup storage system. To prevent the backup data in the backup storage system from being attacked by ransomware, in addition to the backup storage system a separate physically isolated area can be established, and the target backup data that has passed the ransomware detection of the backup detection system is stored in that isolated storage system. After ransomware detection, the backup detection system signs the target backup data that passed detection with the signing private key; before storing the target backup data, the isolated storage system verifies the signature with a locally preset public key. This ensures that the backup data stored in the isolated storage system has not been attacked by ransomware and can be used for data recovery by the business system, ensuring business continuity.

In some possible implementations, the backup detection system obtaining, based on the private key, the signature of the target backup data and its label information includes: the backup detection system calculates a first hash value of the target backup data and its label information.

In this implementation, before the target backup data and label information are signed with the private key, the backup detection system first calculates the first hash value of the target backup data and its label information and then sends only the first hash value to the key management system for signing with the private key, which reduces network bandwidth and transmission overhead.

In some possible implementations, after the backup detection system calculates the first hash value of the target backup data and the label information, the method includes: the backup detection system sends the first hash value to a key management system, where the key management system signs the first hash value with the private key and sends the signature back to the backup detection system.

In this implementation, the backup detection system sends the first hash value to the key management system, which uses a digital signature algorithm to generate the private key and public key used for signing and verification; the private key is used to sign the target backup data and label information, and the public key is used to verify the signature.

在一些可能的实现方式中,备份检测系统计算目标备份数据和标签信息的第一哈希值之后,包括:备份检测系统从密钥管理系统中获取私钥,备份检测系统基于私钥对第一哈希值进行签名。 In some possible implementations, after the backup detection system calculates the first Hash value of the target backup data and the tag information, the backup detection system obtains a private key from a key management system, and the backup detection system signs the first Hash value based on the private key.

在本实现方式中,备份检测系统计算目标备份数据和标签信息的第一哈希值之后,可以向密钥管理系统发起密钥获取请求,密钥管理系统可以生成用于签名验签的私钥和公钥,或将用户通过本地可信任的加密机并通过密钥管理系统的配置界面或应用程序接口(application programming interface,API)导入的私钥发送至备份检测系统。In this implementation, after the backup detection system calculates the first hash value of the target backup data and label information, it can initiate a key acquisition request to the key management system. The key management system can generate a private key and a public key for signature verification, or send the private key imported by the user through a local trusted encryption machine and through the configuration interface or application programming interface (API) of the key management system to the backup detection system.

在一些可能的实现方式中,签名用于隔离存储系统基于目标备份数据和标签信息计算得到的第二哈希值,与基于公钥对签名进行验证得到的第一哈希值相同时,存储目标备份数据。In some possible implementations, the signature is used to isolate the target backup data. When a second hash value calculated by the storage system based on the target backup data and the tag information is the same as a first hash value obtained by verifying the signature based on the public key, the target backup data is stored.

在本实现方式中,隔离存储系统在对目标备份数据进行存储之前,基于公钥对目标备份数据和签名进行验签,从而验证该目标备份数据在从备份检测系统传输至隔离存储系统的过程中,是否被勒索软件攻击。基于公钥验证成功后,即确定目标备份数据未被勒索软件攻击,则将该目标备份数据存储于隔离存储系统,用于业务系统的业务数据被勒索攻击后,能够基于隔离存储系统的存储的目标备份数据进行恢复。通过签名验签的勒索检测方法,可以确保备份数据存储在隔离存储系统中的数据未被勒索软件攻击。In this implementation, before storing the target backup data, the isolated storage system verifies the target backup data and the signature based on the public key, thereby verifying whether the target backup data has been attacked by ransomware during the process of being transmitted from the backup detection system to the isolated storage system. After the public key verification is successful, that is, it is determined that the target backup data has not been attacked by ransomware, the target backup data is stored in the isolated storage system, and after the business data of the business system is attacked by ransomware, it can be restored based on the target backup data stored in the isolated storage system. The ransomware detection method of signature verification can ensure that the backup data stored in the isolated storage system has not been attacked by ransomware.

在一些可能的实现方式中,私钥由密钥管理系统生成,或私钥由用户导入至密钥管理系统。In some possible implementations, the private key is generated by a key management system, or the private key is imported into the key management system by a user.

在本实现方式中,密钥管理系统利用某种数字签名算法生成用于签名验签的私钥和公钥,私钥用于对目标备份数据和标签信息进行签名,公钥用于验签。或者,用户通过本地可信任的加密机生成用于签名验签的私钥和公钥,并通过密钥管理系统的配置界面或API导入本地加密机生成的私钥和公钥,私钥用于对目标备份数据和标签信息进行签名,公钥用于验签。In this implementation, the key management system uses a certain digital signature algorithm to generate a private key and a public key for signature verification. The private key is used to sign the target backup data and label information, and the public key is used to verify the signature. Alternatively, the user generates a private key and a public key for signature verification through a local trusted encryption machine, and imports the private key and public key generated by the local encryption machine through the configuration interface or API of the key management system. The private key is used to sign the target backup data and label information, and the public key is used to verify the signature.

In a second aspect, a ransomware detection method is provided, which is applied to an isolated storage system. The method includes: the isolated storage system receives target backup data, label information of the target backup data, and a signature of the target backup data, where the label information indicates that the target backup data has passed the ransomware detection of a backup detection system, and the signature is obtained by the backup detection system signing the target backup data and the label information with a private key; the isolated storage system verifies the signature with a public key, where the public key and the private key form a matching key pair; if the verification succeeds, the isolated storage system stores the target backup data; the isolated storage system receives a recovery request from a business system, the recovery request being used to obtain the target backup data; and, according to the recovery request, the isolated storage system sends the target backup data, the label information and the signature to the business system, where the signature is used by the business system to perform verification with the public key and, after the verification succeeds, to perform data recovery with the target backup data.

In this embodiment, to prevent the backup data in the backup storage system from being attacked by ransomware, in addition to keeping backups in the backup storage system, a separate physically isolated area can be established to store backup data. The isolated storage system receives, from the backup detection system, the target backup data that has undergone ransomware detection and was found not to be attacked, together with its signature. Before storing the target backup data, the isolated storage system verifies the target backup data and the signature with the public key and stores only the target backup data that passes verification, so that after the business data of the business system is attacked by ransomware it can be restored from the target backup data. Before using the target backup data for data recovery, the business system likewise verifies the target backup data and the signature with the public key, and only after determining that the target backup data has not been attacked by ransomware does it use the target backup data for recovery, thereby ensuring that the business data is restored successfully.

In some possible implementations, the isolated storage system verifying the signature with the public key includes: the isolated storage system calculates a first hash value of the target backup data and the label information.

In this implementation, the isolated storage system, located in the physically isolated area, is disconnected from the Internet, and it is the isolated storage system that calculates the first hash value of the target backup data and the label information.

In some possible implementations, after the isolated storage system calculates the first hash value of the target backup data and the label information, the method includes: the isolated storage system compares the second hash value obtained by verifying the signature with the public key against the first hash value.

In this implementation, the isolated storage system verifies the signature sent by the backup detection system with the public key, obtaining a second hash value, where the public key and the private key with which the backup detection system signed form a matching key pair, and compares the second hash value with the first hash value. When the first hash value and the second hash value are the same, the target backup data was neither damaged nor tampered with while being sent from the backup detection system to the isolated storage system, that is, it was not attacked by ransomware, and the signature verification succeeds; when the first hash value and the second hash value differ, the target backup data may have been damaged or tampered with, that is, it may have been attacked by ransomware, and the signature verification fails.

In some possible implementations, storing the target backup data if the verification succeeds includes: if the second hash value is the same as the first hash value, the isolated storage system stores the target backup data.

In this implementation, after verification with the public key succeeds, that is, the target backup data has not been attacked by ransomware, the isolated storage system stores the target backup data, so that after the business data of the business system is attacked by ransomware, it can be restored from the target backup data stored in the isolated storage system.

In some possible implementations, the signature is used by the business system to perform data recovery with the target backup data when the second hash value obtained by verifying the signature with the public key is the same as a third hash value calculated from the target backup data and the label information.

In this implementation, the business system receives the target backup data, the label information and the signature sent by the isolated storage system and, before using the target backup data for data recovery, verifies the target backup data and the signature with the public key, so as to check whether the target backup data was attacked by ransomware while being transferred from the isolated storage system to the business system for recovery. The public key and the private key with which the backup detection system obtained the signature form a matching key pair generated by the same signature algorithm. After verification with the public key succeeds, that is, after it is determined that the target backup data has not been attacked by ransomware, the target backup data is used for data recovery.
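The sign-then-verify flow of the first and second aspects (detection system hashes data and label, the KMS signs only the hash, the isolated storage system verifies before storing, the business system verifies the returned triple before restoring), as an added Go example that is not part of the patent or of any Huawei implementation. ECDSA over P-256 is one of the signature algorithms the specification names; the type and function names, the SHA-256 digest with a length prefix, and the label string are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// SignedBackup is the triple passed from the backup detection system to the isolated
// storage system, and later returned to the business system: data, label, signature.
type SignedBackup struct {
	Data      []byte
	Label     string // label information: records that the data passed ransomware detection
	Signature []byte // ECDSA signature over BackupDigest(Data, Label)
}

// BackupDigest is the hash over the target backup data and its label information (the
// "first hash value"). The length prefix fixes the data/label boundary so bytes cannot
// be shifted between the two fields without changing the digest (assumed encoding).
func BackupDigest(data []byte, label string) []byte {
	h := sha256.New()
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(data)))
	h.Write(n[:])
	h.Write(data)
	h.Write([]byte(label))
	return h.Sum(nil)
}

// KeyManagementSystem stands in for the KMS: it holds the private key and
// receives only the digest to sign, never the backup data itself.
type KeyManagementSystem struct{ priv *ecdsa.PrivateKey }

// NewKMS is the "KMS generates the key pair" option; user import would load priv instead.
func NewKMS() (*KeyManagementSystem, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &KeyManagementSystem{priv: priv}, nil
}

// SignDigest signs the first hash value with the private key.
func (k *KeyManagementSystem) SignDigest(digest []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, k.priv, digest)
}

// PublicKey is the verification key preset on the isolated storage and business systems.
func (k *KeyManagementSystem) PublicKey() *ecdsa.PublicKey { return &k.priv.PublicKey }

// SignPassedBackup is the backup detection system's step for data that passed
// ransomware detection: hash locally, then have the KMS sign only the hash.
func SignPassedBackup(kms *KeyManagementSystem, data []byte, label string) (SignedBackup, error) {
	sig, err := kms.SignDigest(BackupDigest(data, label))
	if err != nil {
		return SignedBackup{}, err
	}
	return SignedBackup{Data: data, Label: label, Signature: sig}, nil
}

// VerifySignedBackup is the receiver-side check, run by the isolated storage system
// before storing and by the business system before restoring: recompute the hash over
// the received data and label and check the signature against it (with ECDSA the
// comparison against the signed hash happens inside VerifyASN1).
func VerifySignedBackup(pub *ecdsa.PublicKey, sb SignedBackup) error {
	if !ecdsa.VerifyASN1(pub, BackupDigest(sb.Data, sb.Label), sb.Signature) {
		return errors.New("signature verification failed: data or label changed in transit")
	}
	return nil
}

// IsolatedStorage keeps only backups whose signature verified.
type IsolatedStorage struct {
	pub   *ecdsa.PublicKey
	store map[string]SignedBackup
}

func NewIsolatedStorage(pub *ecdsa.PublicKey) *IsolatedStorage {
	return &IsolatedStorage{pub: pub, store: map[string]SignedBackup{}}
}

// Store verifies first and keeps the backup only on success.
func (s *IsolatedStorage) Store(id string, sb SignedBackup) error {
	if err := VerifySignedBackup(s.pub, sb); err != nil {
		return err
	}
	s.store[id] = sb
	return nil
}

// Restore returns the whole stored triple for a recovery request; ok is false if none exists.
func (s *IsolatedStorage) Restore(id string) (sb SignedBackup, ok bool) {
	sb, ok = s.store[id]
	return sb, ok
}
```

The business system's step is the same VerifySignedBackup call on the triple Restore returns, so a copy altered in either direction of transit is rejected before it is stored or used for recovery.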

In some possible implementations, the private key is generated by the key management system, or the private key is imported into the key management system by the user.

In this implementation, the key management system uses a digital signature algorithm to generate the private key and public key used for signing and signature verification; the private key is used to sign the target backup data and the label information, and the public key is used to verify the signature. Alternatively, the user generates the private key and public key for signing and signature verification with a locally trusted cryptographic machine and imports the private key and public key generated by that machine through the configuration interface or API of the key management system; again, the private key is used to sign the target backup data and the label information, and the public key is used to verify the signature.

In a third aspect, a ransomware detection apparatus is provided, characterized in that the apparatus is applied to a backup detection system, the backup detection system being used to perform ransomware detection on backup data in a backup storage system, the backup data being a backup of business data. The apparatus includes: an acquisition module, configured to acquire the backup data; a processing module, configured to perform ransomware detection on the backup data; the acquisition module being further configured to obtain, based on a private key, a signature of target backup data and of label information of the target backup data, where the label information of the target backup data indicates that the target backup data has passed the ransomware detection; and a sending module, configured to send the target backup data, the label information and the signature to an isolated storage system, where the signature is used by the isolated storage system to verify the signature with a public key and to store the target backup data after the verification succeeds, the public key and the private key forming a matching key pair.

In a fourth aspect, a ransomware detection apparatus is provided, characterized in that the apparatus is applied to an isolated storage system. The apparatus includes: a receiving module, configured to receive target backup data, label information of the target backup data, and a signature of the target backup data, where the label information indicates that the target backup data has passed the ransomware detection of a backup detection system, and the signature is obtained by the backup detection system signing the target backup data and the label information with a private key; a processing module, configured to verify the signature with a public key, the public key and the private key forming a matching key pair; the processing module being further configured to store the target backup data if the verification succeeds; the receiving module being further configured to receive a recovery request from a business system, the recovery request being used to obtain the target backup data; and the processing module being further configured to send, according to the recovery request, the target backup data, the label information and the signature to the business system, where the signature is used by the business system to perform verification with the public key and, after the verification succeeds, to perform data recovery with the target backup data.

For the technical principles and beneficial effects of the third and fourth aspects, reference may be made to the related descriptions of the first and second aspects, which are not repeated here.

In a fifth aspect, this application provides a computing device cluster comprising at least one computing device, each computing device comprising a processor and a memory; the processor of the at least one computing device is configured to execute instructions stored in the memory of the at least one computing device, so that the computing device cluster performs the method of the first aspect or of any implementation of the first aspect.

In a sixth aspect, this application provides a computing device cluster comprising at least one computing device, each computing device comprising a processor and a memory; the processor of the at least one computing device is configured to execute instructions stored in the memory of the at least one computing device, so that the computing device cluster performs the method of the second aspect or of any implementation of the second aspect.

In a seventh aspect, this application provides a computer program product containing instructions which, when run by a computing device cluster, cause the computing device cluster to perform the method of the first aspect or of any implementation of the first aspect.

In an eighth aspect, this application provides a computer program product containing instructions which, when run by a computing device cluster, cause the computing device cluster to perform the method of the second aspect or of any implementation of the second aspect.

In a ninth aspect, this application provides a computer-readable storage medium comprising computer program instructions; when the computer program instructions are executed by a computing device cluster, the computing device cluster performs the method of the first aspect or of any implementation of the first aspect.

In a tenth aspect, this application provides a computer-readable storage medium comprising computer program instructions; when the computer program instructions are executed by a computing device cluster, the computing device cluster performs the method of the first aspect or of any implementation of the first aspect.

BRIEF DESCRIPTION OF THE DRAWINGS

To illustrate more clearly the technical solutions in the embodiments of this application or in the background art, the drawings needed for the embodiments or the background art are described below.

FIG. 1 is a schematic diagram of a ransomware detection architecture to which this application relates.

FIG. 2 is a schematic diagram of a ransomware detection architecture provided by this application.

FIG. 3 is a flow chart of a ransomware detection method provided by this application.

FIG. 4 is a flow chart of a ransomware detection method according to another embodiment of this application.

FIG. 5 is a schematic diagram of a signing process according to an embodiment of this application.

FIG. 6 is a flow chart of a ransomware detection method according to another embodiment of this application.

FIG. 7 is a flow chart of a ransomware detection method according to another embodiment of this application.

FIG. 8 is a schematic diagram of a signature verification process according to an embodiment of this application.

FIG. 9 is a flow chart of a ransomware detection method according to another embodiment of this application.

FIG. 10 is a flow chart of a ransomware detection method according to another embodiment of this application.

FIG. 11 is a schematic structural diagram of a ransomware detection apparatus provided by this application.

FIG. 12 is a schematic structural diagram of another ransomware detection apparatus provided by this application.

FIG. 13 is a schematic structural diagram of a computing device provided by this application.

FIG. 14 is a schematic structural diagram of a computing device cluster provided by this application.

FIG. 15 is a schematic structural diagram of computing devices connected via a network, provided by this application.

DETAILED DESCRIPTION

In this document, the term "and/or" describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B both exist, or that B exists alone. The symbol "/" in this document indicates that the associated objects are in an "or" relationship; for example, A/B means A or B.

The terms "first", "second" and so on in the specification and claims are used to distinguish different objects, not to describe a specific order of objects. For example, a first request and a second request are used to distinguish different requests, not to describe a specific order of the requests.

In the embodiments of this application, words such as "exemplary" or "for example" are used to indicate an example, an illustration or an explanation. Any embodiment or design described as "exemplary" or "for example" in the embodiments of this application should not be construed as preferred over, or more advantageous than, other embodiments or designs. Rather, words such as "exemplary" or "for example" are intended to present the related concepts in a concrete way.

In the description of the embodiments of this application, unless otherwise specified, "multiple" means two or more; for example, multiple processing units means two or more processing units, and multiple elements means two or more elements.

The ransomware detection method, apparatus and other devices provided by this application are described below with reference to the accompanying drawings.

To make the technical solution provided by this application clearer, the relevant terms are explained first, before the technical solution is described in detail.

(1) Ransomware: also called a ransom virus or ransom program, ransomware is a special kind of malware, usually classified as a "denial-of-access attack". The biggest difference between ransomware and other viruses lies in its technique and in the way the infection takes place. One typical kind of ransomware systematically encrypts the files stored on a computing device, for example critical business/data files, which may be one or more of database files, office documents, compressed archives, videos, images and source code, and then demands that the victim pay a ransom to obtain the decryption password/tool, which the victim has no way of obtaining by themselves, in order to decrypt the files.

(2) Signature: a signature is a digital string that only the sender of a message can produce and that others cannot forge; the string is also valid proof of the authenticity of the message sent by the sender. A signature is an alphanumeric string obtained by processing the message to be transmitted with a one-way function; it is used to authenticate the source of the message and to check whether the message changed in transit. Common signature algorithms are mainly RSA (Rivest–Shamir–Adleman), DSA (Digital Signature Algorithm) and ECDSA (Elliptic Curve Digital Signature Algorithm). Signature verification is used to determine whether the data has been tampered with.

(3) Asymmetric cryptography: a class of cryptographic algorithm that requires two keys, a public key and a private key; the public key is used for encryption and the private key for decryption. Ciphertext obtained by encrypting plaintext with the public key can only be decrypted back to the original plaintext with the corresponding private key; the public key originally used for encryption cannot be used for decryption. Because encryption and decryption require two different keys, the scheme is called asymmetric encryption, as opposed to symmetric encryption, in which the same key is used for both encryption and decryption. The public key may be made public and distributed freely. The private key must not be made public; the user must keep it strictly secret, never provide it to anyone by any means, and never disclose it even to the trusted party they are communicating with.

(4) Key Management Service (KMS): a secure, reliable and easy-to-use key hosting service that can create and manage keys and protect their security. KMS protects keys with a hardware security module (HSM) and helps users create and manage keys; all user keys are protected by the root key in the HSM to prevent key leakage.

勒索软件,利用加密等安全机制来劫持用户文件和相关资源,使得用户无法访问数据资产或使用计算资源,并以此为条件来向用户勒索赎金。这类用户数据资产包括文档、数据库、源代码、图片、压缩文件等多种文件形式。而赎金形式通常为比特币,少数为真实货币或其他虚拟货币。Ransomware uses encryption and other security mechanisms to hijack user files and related resources, making it impossible for users to access data assets or use computing resources, and then uses this as a condition to extort ransom from users. This type of user data assets includes documents, databases, source code, images, compressed files and other file formats. The ransom is usually in the form of Bitcoin, and a few are real currencies or other virtual currencies.

根据勒索软件危害程度的严重性可以将勒索软件分为三类:恐吓型勒索软件、锁定型勒索软件和加密 型勒索软件。恐吓型勒索软件,是一种虚假信息警告,通过一些指控性的词语危害受害者,利用受害者恐惧被政府有关部门抓捕的心里,使得受害者付钱。锁定型勒索软件,通过劫持受害者系统上的一项或多项服务,例如桌面、输入设备或应用程序,阻止用户访问这些资源、受感染的系统只具有有限的功能。加密型勒索软件,使用加密算法加密系统中所有的文件数据,迫使受害者支付赎金以换取被加密的文件,在没有解密密钥的情况下,加密勒索软件的攻击是不可逆的。Ransomware can be divided into three categories according to the severity of the damage it causes: scare-type ransomware, lock-type ransomware, and encryption-type ransomware. Ransomware. Intimidation-type ransomware is a type of false information warning that harms victims through accusatory words, using the victims' fear of being arrested by relevant government departments to make them pay. Locking-type ransomware hijacks one or more services on the victim's system, such as the desktop, input devices, or applications, preventing users from accessing these resources. The infected system has only limited functions. Encryption-type ransomware uses encryption algorithms to encrypt all file data in the system, forcing victims to pay a ransom in exchange for encrypted files. Without the decryption key, the attack of encryption ransomware is irreversible.

为了避免勒索,传统的防勒索攻击在网络层,使用防火墙、沙箱、等系统来防止勒索软件入侵,阻断勒索软件扩散,在主机层,使用访问控制、安全补丁、杀毒软件等技术,防止勒索软件的攻击植入。但是,勒索软件具有隐蔽性和伪装性,一旦进入网络或主机层,攻击者会潜伏在获得权限并掌握大量关键数据后,才发起勒索,此时,网络或主机层已经无法发起阻止勒索攻击。In order to avoid ransomware, traditional anti-ransomware attacks use firewalls, sandboxes, and other systems at the network layer to prevent ransomware intrusion and block the spread of ransomware. At the host layer, access control, security patches, antivirus software and other technologies are used to prevent ransomware attacks from being implanted. However, ransomware is concealed and disguised. Once it enters the network or host layer, the attacker will lurk until he obtains permission and has a large amount of key data before launching the ransomware. At this time, the network or host layer can no longer initiate and prevent the ransomware attack.

在这一阶段,可以通过存储防勒索阻止勒索攻击。存储防勒索手段包括对勒索软件的异常IO进行检测、采用防篡改技术对数据进行主动保护、通过加密技术防止存储的数据泄露。其次,除了备份数据副本之外,会将数据副本存储到被物理隔离的安全保护区中,确保安全保护区中的副本文件是未被勒索攻击的数据,在业务数据受到勒索攻击后可以用于恢复业务数据,保证业务的连续性。At this stage, storage anti-ransomware can be used to prevent ransomware attacks. Storage anti-ransomware measures include detecting abnormal IO of ransomware software, actively protecting data with anti-tampering technology, and preventing stored data leakage through encryption technology. Secondly, in addition to backing up data copies, data copies will be stored in physically isolated security protection areas to ensure that the copy files in the security protection area are data that has not been attacked by ransomware, and can be used to restore business data after the business data is attacked by ransomware, ensuring business continuity.

As shown in FIG. 1, after the production host in the business system 110 generates business data and writes it to the production storage device, it can back up that business data to the backup storage device of the backup storage system 120 in the same region, so that after the production host is attacked by ransomware, the business data can be restored from the backup data in the backup storage device and the production host can keep operating normally. As shown in FIG. 1, in region A the production host generates business data and stores it in the production storage device; while the business data is being written to the production storage device, ransomware detection based on ransomware behavior is performed to ensure that the business data stored in the production storage device is safe. After the business data has undergone ransomware detection, step 2 is performed periodically to back it up, and the backup data is stored through the internal storage network in the backup storage device of the backup storage system 120. Although the internal storage network is closed and isolated from external networks, ransomware is concealed and latent, and the production host cannot block the attack, so part of the business data stored in the production storage device may already have been attacked. Moreover, the business data may also be attacked by ransomware while step 2 is in progress, so the backup data stored in the backup storage device may already have been attacked. Therefore, steps 3 and 4 are required: the ransomware detection module of the backup detection system 130 periodically performs ransomware detection on the backup data stored in the backup storage device and returns the detection result; this ransomware detection module can be deployed on an application server in region A. To guard against ransomware, in addition to backup storage in the backup storage system 120, step 5 can establish a separate physically isolated area and, under Air Gap automatic shutdown control, copy the backup data found clean by ransomware detection to the isolated storage device of the isolated storage system 140. Furthermore, to avoid data loss when region A fails because of a natural disaster or similar cause, step 6 can back up the business data to the disaster recovery storage device in the disaster recovery storage system 150 of region B. When the business data in the production storage device of the business system 110 in region A is attacked by ransomware, the business data can be restored from backup data through steps 7 to 9 shown in FIG. 1, ensuring normal business operation.

However, after ransomware detection, the backup data found clean may be attacked by ransomware again while it is being stored in the isolated storage device of the isolated storage system 140, or while business data is being restored from the isolated storage system to the production host of the business system 110, causing the backup data stored in the isolated storage device of the isolated storage system 140 to be contaminated by ransomware, or causing the restoration of business data on the production host of the business system 110 to fail.

To prevent clean backup data from being attacked by ransomware while it is in transit, an embodiment of the present application proposes a ransomware detection method. A key management system is introduced: after the backup detection system performs ransomware detection, the backup data that was not attacked by ransomware is signed, and the signature must be verified before the isolated storage system stores the backup data, or before business data is restored from the isolated storage system to the business system, so that the backup data is stored in the isolated storage system, or the business data is restored in the business system, only after signature verification passes. In addition, with the backup detection system, ransomware detection can be performed only on backup data that has not yet been signed, avoiding the waste of computing and storage resources caused by detecting all backup data or detecting the same backup data repeatedly.

For ease of understanding, at least one application scenario of an embodiment of the present application is first introduced below.

Exemplarily, FIG. 2 is a schematic diagram of at least one application scenario in an embodiment of the present application. As shown in FIG. 2, the business data produced by the user through the production host in the business system 110 is stored in the production storage device, which provides cloud storage services for the user's business data. The production storage device can be deployed in a distributed storage system, in which the user's business data is distributed across multiple independent storage nodes that can communicate with one another. It can be understood that a storage node is a device with both computing and storage capabilities, such as a server or a desktop computer. In terms of software, each storage device runs an operating system that supports the corresponding storage application services; for example, a service layer can be deployed to provide storage services such as object storage (OBS), file storage (SFS) or block storage (EVS). Other storage nodes can deploy a data persistence layer that provides persistent data storage, and an index layer that provides data indexing. It can be understood that the computing resources required by the software layers on each storage device come from the device's local processor and memory, while the storage resources required can come either from the device's local hard disks or from the hard disks of other storage devices.

To prevent ransomware attacks on the business data in the business system 110 from affecting the user's normal business operation, the business data in the business system 110 is periodically backed up to the backup storage device in the backup storage system 120 located in the same region, region A. The backup storage device is similar to the production storage device and is not described again here. The backup storage device and the production storage device may be located in the same availability zone (AZ) of the same region, or in different AZs of the same region; no restriction is imposed here. However, because the business data in the business system 110 may already have been attacked by ransomware, or may be attacked while being backed up to the backup storage system 120, the backup data stored in the backup storage system 120 may be backup data that has been attacked by ransomware. Therefore, the backup detection system 130 needs to perform ransomware detection on the backup data in the backup storage system 120 based on the file characteristics of the backup data. Detection is based on file characteristics because a ransomware attack leaves ransom prompt information in the backup data or alters the file characteristics of the backup data.

To prevent the backup data in the backup storage system 120 from being attacked by ransomware, in addition to backup storage in the backup storage system 120, a separate physically isolated area can be established, and under Air Gap automatic shutdown control the backup data in the backup storage system 120 that was found clean by ransomware detection is copied to the isolated storage device of the isolated storage system 140, located in the same region A, for storage. The isolated storage device is similar to the production storage device and is not described again here. Through the Air Gap, the backup data in the isolated storage system 140 is disconnected from the Internet, which prevents the backup data from being accessed online and thus from being attacked by ransomware. When the business data in the production storage device of the business system 110 is attacked by ransomware, it can be restored from the backup data in the isolated storage device of the isolated storage system 140.

In some embodiments, in addition to backing up business data within the same region, a disaster recovery backup system or data center can be established in another region, region B, that is, at another geographical location, and the backup data that has undergone ransomware detection can be replicated across regions to the disaster recovery storage system 150 located in region B. This ensures that, after a failure or disaster affects the business system 110 and the backup storage system 120 in region A, the production business can restore its business data from the backup data in the disaster recovery storage device of the disaster recovery storage system 150 and continue to run.

In some possible implementations, the disaster recovery storage system 150 may likewise establish a separate physically isolated area in region B and, under Air Gap automatic shutdown control, store the backup data in the disaster recovery storage device that has not been attacked by ransomware, similarly to the isolated storage system 140; this is not described again here.

Since, after ransomware detection, the clean backup data may be attacked by ransomware again while being stored in the isolated storage device of the isolated storage system 140, or while business data is being restored from the isolated storage system to the production host of the business system 110, the backup data stored in the isolated storage device of the isolated storage system 140 may be contaminated by ransomware, or the restoration of business data on the production host of the business system 110 may fail. After the backup detection system 130 performs ransomware detection, the key management system 210 signs the backup data that was not attacked by ransomware using the signing private key. Before the isolated storage system 140 stores the backup data, or before the business system 110 restores the backup data from the isolated storage system 140, the signature is verified using a locally preset public key or by requesting verification from the key management system 210, so that the backup data is stored in the isolated storage system, or the business data is restored in the business system, only after signature verification passes.

In this example, the backup detection system 130 can be implemented in software or in hardware. As a specific example, the backup detection system 130 can be deployed on one or more execution machines, which can be physical machines, virtual machines or containers.

In this embodiment, the storage devices can also be deployed in a centralized storage system; for example, the user may store business data centrally on one production storage device and store the backup data of that business data on a backup storage device.

Next, based on the above description, a ransomware detection method provided by an embodiment of the present application is introduced. It can be understood that the method is proposed on the basis of the above description, and for some or all of its content reference may be made to the description above.

Exemplarily, FIG. 3 is a schematic flowchart of a ransomware detection method provided by an embodiment of the present application. It can be understood that the method can be implemented in any suitable apparatus, device, platform or device cluster with computing, processing and storage capabilities. As shown in FIG. 3, the method may include steps S301 to S306:

Step S301: the backup detection system obtains backup data.

In this embodiment, the backup detection system and the isolated storage system are independent systems. In the ransomware detection scenario, when the user's business data is backed up to the backup storage system, the backup detection system can periodically perform ransomware detection on the backup data in the backup storage system to ensure its safety, after which the backup data that was not attacked by ransomware is stored in the isolated storage system, so that data recovery can be performed after a failure of the business data in the business system. In the examples of the present application, the business system may be the business system 110 shown in FIG. 2, the backup storage system may be the backup storage system 120 shown in FIG. 2, the backup detection system may be the backup detection system 130 shown in FIG. 2, and the isolated storage system may be the isolated storage system 140 shown in FIG. 2; the description below uses these as examples.

In the embodiment of the present application, the user sends business data to the backup storage system 120 for backup storage, and the backup storage system 120 stores the backup data of that business data in the backup storage device. Before sending the business data to the backup storage system 120, the user performs ransomware detection in advance based on ransomware behavior.

For example, ransomware uses an encryption algorithm to encrypt business data in the business system 110 and forces the user to pay a ransom in exchange for the encrypted business data; without the decryption key, the attack by encrypting ransomware is irreversible. When ransomware encrypts business data, the activity is recorded in the system log of the business system 110. The business system 110 can then determine from the system log how the ransomware attack occurred, identify the ransomware, and determine whether the business system 110 contains other malware.

For example, ransomware creates a large number of new files, with correspondingly many file names, in a short time. The business system 110 can be designed to count the new files created within a relatively small time window (for example, one minute); when the number of new files exceeds a set threshold, the business system 110 is judged to be under ransomware attack.

It can be understood that the business data the user sends to the backup storage system 120 may be business data that has not been attacked by ransomware, or business data that has already been attacked. For example, the business system 110 may fail to detect that the business data has been attacked, or the business data may be attacked while the business system 110 is sending clean business data to the backup storage system 120, in which case what the backup storage system 120 stores is backup data of business data that has been attacked by ransomware.

In this embodiment, the backup storage system 120 receives the business data that the business system 110 sends periodically, treats it as backup data, and stores it in the backup storage device through the internal storage network. Although the internal storage network is closed and isolated from external networks, ransomware is concealed and latent, and the business system 110 cannot block the attack, so part of the business data in the production storage device may already have been attacked. Moreover, the business data may also be attacked by ransomware while the business system 110 is sending it to the backup storage system, so the backup data stored in the backup storage system 120 may already have been attacked. Therefore, the backup detection system 130 must periodically perform ransomware detection on the backup data stored in the backup storage system 120 and return the detection result to the backup storage system.

Step S302: the backup detection system 130 performs ransomware detection on the backup data.

In this embodiment, the backup detection system 130 periodically performs ransomware detection on the backup data stored in the backup storage device of the backup storage system 120, based on the file characteristics of the backup data. Detection is based on file characteristics because a ransomware attack leaves ransom prompt information in the backup data or alters the file characteristics of the backup data.

Exemplarily, ransomware detection based on the file characteristics of the backup data may include file suffix detection, ransom prompt information detection, or detection of entropy changes between successive backups, but is not limited to these.

In one specific example, ransomware traverses the business data in the production storage device, or searches a few specific directories used for storing documents, and encrypts all of the business data or specific high-value business data. In addition, ransomware either modifies the original business data directly, or writes the ciphertext into another file and deletes the original business data once encryption is complete. Because ransomware usually traverses and encrypts files, reading and writing large amounts of business data, the backup detection system 130 can rule out ransomware during detection if a process has read and written only a small number of business data files.

In one specific example, ransomware places ransom prompt information in the directories containing the files it has encrypted. The ransom prompt information may be a text file or a web page file. In addition, after encryption is complete, most ransomware changes the desktop background or pops up a dialog box to inform the user of the attack; for example, a dialog box on the desktop may tell the user "You have been encrypted by ransomware, do not try to decrypt, please pay the ransom." Therefore, if the backup detection system 130 observes ransom prompt information, it can judge that the business data may have been attacked by ransomware.

In one specific example, after attacking business data, ransomware modifies the file name of the business data by adding a specific file suffix. The added suffix can indicate that the business data has already been encrypted, so that the ransomware does not encrypt it again; it can also inform the user that the business data has been encrypted, or make it easy to identify the business data that needs to be decrypted once the ransom has been paid. Since ransomware generally appends a fixed suffix to the original file name after encrypting the business data (for example, a source file named report.docx becomes report.docx.lockbit0331 after encryption), the backup detection system 130 can judge that the data has been attacked by ransomware when it detects that the file name of the business data contains a specific suffix.

In one specific example, ransomware modifies the file content of the business data. Because most of the files written by ransomware are encrypted ciphertext, whose entropy is generally high, or because ransomware writes a large number of data files with various suffixes that all have high entropy, the backup detection system 130 can judge whether the business data has been attacked by ransomware from the change in its entropy. For example, when ransomware encrypts the original file content, the encrypted file data is far more random than the plaintext and therefore has a higher information entropy; the backup detection system 130 can judge whether a ransomware attack has occurred from this characteristic high entropy of encrypted data.
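The three file-feature checks above (suffix, ransom note, entropy change between successive backups), run over a constructed pair of backup snapshots, as an added Go example that is not part of the patent: the suffix list, note-file names, sample files and entropy threshold are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"math"
	"path"
	"strings"
)

// Verdict summarises the file-feature checks on one backup snapshot.
type Verdict struct {
	SuffixHits   int // files carrying a known ransomware suffix
	NoteHits     int // ransom-note files found
	EntropyJumps int // files whose entropy rose sharply since the previous backup
}

// Suspicious reports whether any check fired.
func (v Verdict) Suspicious() bool {
	return v.SuffixHits > 0 || v.NoteHits > 0 || v.EntropyJumps > 0
}

// Hypothetical indicator lists (assumed here; a real system would load them as updatable threat intel).
var ransomSuffixes = []string{".lockbit0331", ".encrypted"}
var ransomNoteNames = []string{"readme_to_decrypt.txt", "how_to_recover.html"}

// shannonEntropy returns the byte entropy of data in bits per byte (0 to 8).
func shannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	h := 0.0
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// ransomSuffix returns the matching suffix and true if name ends with a known ransomware suffix.
func ransomSuffix(name string) (string, bool) {
	lower := strings.ToLower(name)
	for _, s := range ransomSuffixes {
		if strings.HasSuffix(lower, s) {
			return s, true
		}
	}
	return "", false
}

// isRansomNote reports whether the file's base name is a known ransom-note name.
func isRansomNote(name string) bool {
	base := strings.ToLower(path.Base(name))
	for _, n := range ransomNoteNames {
		if base == n {
			return true
		}
	}
	return false
}

// detect applies the three checks to the current snapshot (path -> content),
// using the previous snapshot as the entropy baseline. A file renamed with a
// ransomware suffix is compared against its original name in prev. entropyJump
// is the rise in bits per byte that counts as encryption-like.
func detect(prev, cur map[string][]byte, entropyJump float64) Verdict {
	var v Verdict
	for name, content := range cur {
		if isRansomNote(name) {
			v.NoteHits++
			continue
		}
		original := name
		if s, ok := ransomSuffix(name); ok {
			v.SuffixHits++
			original = name[:len(name)-len(s)]
		}
		if before, ok := prev[original]; ok {
			if shannonEntropy(content)-shannonEntropy(before) > entropyJump {
				v.EntropyJumps++
			}
		}
	}
	return v
}

// sampleSnapshots builds constructed before/after backups: the "after" copy looks
// as it would once every document had been encrypted, renamed and a note dropped.
func sampleSnapshots() (prev, cur map[string][]byte) {
	text := []byte(strings.Repeat("Quarterly report: revenue up 3%.\n", 32))
	high := make([]byte, 1024) // every byte value 4 times: entropy is exactly 8 bits
	for i := range high {
		high[i] = byte(i)
	}
	prev = map[string][]byte{"docs/report.docx": text, "docs/budget.xlsx": text}
	cur = map[string][]byte{
		"docs/report.docx.lockbit0331": high,
		"docs/budget.xlsx.lockbit0331": high,
		"docs/README_TO_DECRYPT.txt":   []byte("Your files are encrypted."),
	}
	return prev, cur
}

func main() {
	prev, cur := sampleSnapshots()
	v := detect(prev, cur, 2.0)
	fmt.Printf("%+v suspicious=%v\n", v, v.Suspicious())
}
```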

Step S303: the backup detection system 130 obtains, based on a private key, the signature of the target backup data and of the label information of the target backup data.

In this embodiment, after the backup detection system 130 performs ransomware detection on the backup data, it marks the target backup data that passed detection and determines its label information. In this way, the backup detection system 130 can tell from the label information whether the target backup data has been attacked by ransomware, and then sends to the isolated storage system 140 only the target backup data that passed ransomware detection, that is, that was not attacked by ransomware.

For example, the label information may be a bit corresponding to the backup data. After the backup detection system 130 performs ransomware detection, if the backup data was not attacked by ransomware, the bit corresponding to that backup data can be set to "1"; if the backup data was attacked by ransomware, the bit corresponding to that backup data can be set to "0".

In the above example, after the backup detection system marks the backup data, it can determine from the bit corresponding to the backup data whether that backup data was attacked by ransomware, and then send the target backup data that was not attacked to the isolated storage system 140 for isolated storage, that is, send the target backup data whose bit is "1" to the isolated storage system 140.

In another example, after the backup detection system 130 performs ransomware detection, if the target backup data was not attacked by ransomware, the target bit corresponding to that target backup data can be set to "0", and if the target backup data was attacked by ransomware, the target bit can be set to "1"; the embodiments of the present application impose no specific limitation on this.

In some embodiments, when the backup detection system 130 detects that the bit corresponding to the backup data is "0", that is, that the backup data has been attacked by ransomware, it raises an alarm and sends an alarm notification to inform the user that the backup data stored in the backup storage system 120 has been attacked by ransomware. Based on this alarm information, the user can back up the business data to the backup storage system 120 again, or pay the ransom to decrypt the backup data.

In this embodiment, after the backup detection system 130 determines the label information of the target backup data that passed ransomware detection, the backup detection system 130 obtains the signature of the target backup data that was not attacked by ransomware and of its label information; the signature is computed over the target backup data based on the private key. The private key may be pre-stored locally in the backup detection system, may be generated by the key management system 210 based on a cryptographic algorithm, or may be the user's own private key imported into the key management system, and it is used to sign the current backup data and label information.

Exemplarily, the signature algorithm may include the RSA digital signature algorithm, the DSA digital signature algorithm or the ECDSA elliptic curve digital signature algorithm, but is not limited to these.

In other embodiments, the signature algorithm may further include the AES256 quantum-resistant symmetric cryptographic algorithm to apply secondary protection to the signature, so that the integrity protection of the signature can resist quantum computing attacks.

Step S304: the backup detection system 130 sends the target backup data, the label information and the signature to the isolated storage system 140.

In this embodiment, to prevent the backup data in the backup storage system 120 from being attacked by ransomware, in addition to backup storage in the backup storage system 120, a separate physically isolated area can be established, and under Air Gap automatic shutdown control the backup detection system sends the target backup data that was found clean by ransomware detection, together with its signature, to the isolated storage system 140. Through the Air Gap, the target backup data in the isolated storage system 140 is disconnected from the Internet, which prevents the target backup data from being accessed online and thus from being attacked by ransomware. When the business data in the production storage device of the business system 110 is attacked by ransomware, it can be restored from the target backup data in the isolated storage device of the isolated storage system 140.

Step S305: the isolated storage system 140 verifies the signature based on the public key.

In this embodiment, before storing the target backup data, the isolated storage system 140 verifies the target backup data and the signature based on the public key, thereby checking whether the target backup data was attacked by ransomware while being transmitted from the backup detection system 120 to the isolated storage system 140. The public key and the private key with which the backup detection system 120 obtained the signature form a matching key pair generated by the same signature algorithm.

Exemplarily, the private key ECDSAPrivateKey used for signing and the public key ECDSAPublicKey used for verification are a matching key pair; correspondingly, the key pair is associated with a key ID (key identifier), and the key ID corresponds to one pair of public and private keys. The private key ECDSAPrivateKey is used to sign the target backup data, yielding the signature of the target backup data, and the public key ECDSAPublicKey is used to verify that signature and thereby confirm that the target backup data has not been attacked by ransomware.

Step S306: if verification succeeds, the isolated storage system 140 stores the target backup data.

In this embodiment, once verification with the public key succeeds, the isolated storage system 140 determines that the target backup data has not been attacked by ransomware and stores the target backup data, so that after the business data of the business system 110 is attacked by ransomware, it can be restored from the target backup data stored in the isolated storage system 140.

这样,在本实施例中,备份检测系统获取备份存储系统中的备份数据的签名,位于物理隔离区域的隔离存储系统基于私钥对签名进行验证,在验签成功后,将未被勒索软件攻击的目标备份数据存储于隔离存储系统中,以用于业务系统故障时恢复业务数据。通过签名验签的勒索检测方法,确保备份数据存储在隔离存储系统中的数据未被勒索软件攻击。此外,备份检测系统定期对备份存储系统中的备份数据进行勒索检测时,仅对未签名的备份数据进行勒索检测,能够避免备份检测系统消耗大量资源进行全量勒索检测,降低了计算开销,提高了勒索检测效率。 Thus, in this embodiment, the backup detection system obtains the signature of the backup data in the backup storage system, and the isolated storage system located in the physically isolated area verifies the signature based on the private key. After the signature verification is successful, the target backup data that has not been attacked by the ransomware is stored in the isolated storage system for use in restoring business data when the business system fails. The ransomware detection method of signature verification ensures that the backup data stored in the isolated storage system has not been attacked by the ransomware. In addition, when the backup detection system regularly performs ransomware detection on the backup data in the backup storage system, it only performs ransomware detection on the unsigned backup data, which can avoid the backup detection system consuming a large amount of resources for full ransomware detection, reduce computing overhead, and improve ransomware detection efficiency.

In some possible implementations, as shown in FIG. 4, step S303 may specifically include steps S401 to S404:

Step S401: The backup detection system 130 calculates a first hash value of the target backup data and the label information.

In this implementation, when the backup detection system 130 obtains, based on the private key, the signature of the target backup data and its label information, it first calculates the first hash value of the target backup data and the label information according to the digital signature algorithm.

As an example, the backup detection system 130 may compute the first hash value of the target backup data and label information with a message digest (MD) algorithm, a secure hash algorithm (SHA) or a message authentication code (MAC) algorithm, but is not limited to these.

Step S402: The backup detection system 130 sends the first hash value to the key management system 210.

In this implementation, the backup detection system 130 sends the first hash value to the key management system 210, requesting that the key management system 210 sign the target backup data and label information with the private key.

Step S403: The key management system 210 signs the first hash value with the private key.

In this implementation, the key management system 210 receives the first hash value sent by the backup detection system 130 and signs it with the private key.

As an example, the key management system 210 generates the private key and public key used for signing and verification with some digital signature algorithm; the private key is used to sign the target backup data and label information, and the public key is used to verify the signature.

As another example, the user generates the private key and public key used for signing and verification on a trusted local cryptographic device (encryption machine) and imports them through the configuration interface or API of the key management system 210; the private key is used to sign the target backup data and label information, and the public key is used to verify the signature.

Step S404: The key management system 210 sends the signature to the backup detection system 130.

In this implementation, after the key management system 210 signs the first hash value with the private key, it sends the signature to the backup detection system. The backup detection system 130 stores the target backup data, label information and signature. To prevent the backup data in the backup storage system 120 from being attacked by ransomware, the target backup data and signature are copied to the isolated storage system 140, where the signature is used by the isolated storage system to verify with the public key; if the verification passes, the isolated storage system 140 stores the target backup data for use by the business system 110 in data recovery.

In a specific example, as shown in FIG. 5, the backup detection system 130 uses the SHA-1 hash algorithm to calculate the first hash value of the target backup data and label information, also called the message digest. SHA-1 hashes target backup data and label information of arbitrary length into a fixed-length pseudo-random result, the first hash value. The first hash value is unique and irreversible: the original target backup data and label information cannot be recovered from it. For example, the first hash value calculated with SHA-1 is DFCD3454. The first hash value is then signed with the private key.

In some possible implementations, as shown in FIG. 6, step S303 may specifically include steps S601 to S603:

Step S601: The backup detection system 130 calculates a first hash value of the target backup data and the label information.

In this implementation, as in step S401, when the backup detection system 130 obtains, based on the private key, the signature of the target backup data and its label information, it first calculates the first hash value of the target backup data and the label information according to the digital signature algorithm.

Step S602: The key management system 210 sends the private key to the backup detection system 130.

In this implementation, the backup detection system 130 sends a key acquisition request to the key management system 210. The key management system 210 may generate the private key and public key used for signing and verification, or it may send to the backup detection system 130 the private key that the user generated on a trusted local cryptographic device and imported through the configuration interface or API of the key management system 210.

Step S603: The backup detection system 130 signs the first hash value with the private key.

In this implementation, the backup detection system 130 receives the private key sent by the key management system 210 and signs the first hash value with it.

In some possible implementations, as shown in FIG. 7, step S305 may specifically include steps S701 to S703.

Step S701: The isolated storage system 140 calculates a second hash value of the target backup data and the label information.

In this implementation, after receiving the target backup data and label information, the isolated storage system 140 calculates the second hash value of the target backup data and label information using the same digital signature algorithm.

In the example above, the backup detection system 130 uses the SHA-1 hash algorithm to calculate the first hash value of the target backup data and label information; accordingly, the isolated storage system 140 also uses SHA-1 to calculate the second hash value of the target backup data and label information.

Step S702: The isolated storage system 140 verifies the signature with the public key to obtain the first hash value.

In this implementation, the isolated storage system 140 verifies the signature sent by the backup detection system 130 with the public key to obtain the first hash value, where the public key and the private key with which the backup detection system signed are a matching key pair.

Step S703: The isolated storage system 140 compares the first hash value with the second hash value.

In this implementation, after the isolated storage system 140 verifies the signature sent by the backup detection system 130 with the public key and obtains the first hash value, it compares it with the second hash value it calculated over the target backup data and label information. If the first and second hash values are the same, the target backup data was not damaged or tampered with while being sent from the backup detection system 130 to the isolated storage system 140, that is, it was not attacked by ransomware, and the verification succeeds; if the first and second hash values differ, the target backup data may have been damaged or tampered with, that is, it may have been attacked by ransomware, and the verification fails.

In some implementations, when the isolated storage system 140 compares the first hash value with the second hash value and finds them different, that is, the target backup data has been attacked by ransomware, it may raise an alarm and send an alarm notification informing the user that the target backup data stored in the isolated storage system 140 has been attacked by ransomware. Based on this alarm, the user may back up the business data again and store it in the isolated storage system 140, or pay the ransom to decrypt the target backup data.

In a specific example, as shown in FIG. 8, the backup detection system 130 uses the SHA-1 hash algorithm to calculate the first hash value of the target backup data and label information, also called the message digest. For example, the first hash value calculated with SHA-1 is DFCD3454. The first hash value is then signed with the private key. Next, the backup detection system 130 sends the target backup data, label information and signature to the isolated storage system 140. Likewise, the isolated storage system 140 uses SHA-1 to calculate the second hash value of the target backup data and label information, verifies the signature with the public key to obtain the first hash value, and then compares the first hash value with the second hash value. If the two are the same, the target backup data was not damaged or tampered with while being sent from the backup detection system to the isolated storage system 140, that is, it was not attacked by ransomware, and the verification succeeds; if the two differ, the target backup data may have been damaged or tampered with, that is, it may have been attacked by ransomware, and the verification fails.
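The signing flow of steps S401/S603 and the verification flow of steps S701 to S703 (and the identical S1001 to S1003 restore-side check), written out as an added example in Go using the standard library's ECDSA; this is illustrative code, not the applicant's implementation. It assumes a P-256 key pair, SHA-256 instead of the SHA-1 of the worked example, and constructed sample data; the function names backupDigest, newKeyPair, signBackup and verifyBackup are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// backupDigest computes the "first hash value" over the target backup data and
// its label information. The label is length-prefixed so that a (data, label)
// pair cannot be re-split into a different pair with the same digest, which plain
// concatenation would allow. SHA-256 is used here; the page's example uses SHA-1.
func backupDigest(data, label []byte) []byte {
	h := sha256.New()
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(label)))
	h.Write(n[:])
	h.Write(label)
	h.Write(data)
	return h.Sum(nil)
}

// newKeyPair stands in for the key management system 210: it generates the
// key pair whose private key signs and whose public key verifies.
func newKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signBackup is step S403/S603: sign the first hash value with the private key.
// The returned signature is ASN.1 DER encoded.
func signBackup(priv *ecdsa.PrivateKey, data, label []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, backupDigest(data, label))
}

// verifyBackup is steps S701 to S703 as performed by the isolated storage
// system 140 (or S1001 to S1003 by the business system 110): recompute the hash
// over what was actually received and check the signature against it with the
// public key. With ECDSA the "compare first hash with second hash" step happens
// inside VerifyASN1; no hash value can be extracted from the signature itself.
func verifyBackup(pub *ecdsa.PublicKey, data, label, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, backupDigest(data, label), sig)
}

func main() {
	priv, err := newKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample input: a backup blob and its "passed detection" label.
	data := []byte("constructed backup payload: 2024-02-01 db dump")
	label := []byte("ransomware_check=passed;engine=constructed")

	sig, err := signBackup(priv, data, label)
	if err != nil {
		panic(err)
	}
	fmt.Println("intact copy verifies:    ", verifyBackup(&priv.PublicKey, data, label, sig))

	// What the isolated storage system would see if one byte changed in transit.
	tampered := append([]byte(nil), data...)
	tampered[0] ^= 0x01
	fmt.Println("tampered data verifies:  ", verifyBackup(&priv.PublicKey, tampered, label, sig))

	// A re-labelled copy fails too, because the label is part of the signed hash.
	fmt.Println("relabelled copy verifies:", verifyBackup(&priv.PublicKey, data, []byte("ransomware_check=failed"), sig))
}
```

Only a holder of the private key can produce a signature that verifies, so the check catches both corruption in transit and a forged "passed detection" label; it does not detect data that was already encrypted before the backup detection system signed it.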

In some possible implementations, to ensure that when the business data in the business system is attacked by ransomware and is restored from the backup data in the isolated storage system, signature verification is also performed as part of the restore so that the business keeps running normally, in this embodiment, as shown in FIG. 9, on the isolated storage system 140 side the ransomware detection method may further include:

Step S901: The isolated storage system 140 receives the target backup data, label information and signature.

In this implementation, to prevent the backup data in the backup storage system 120 from being attacked by ransomware, in addition to the backup storage in the backup storage system 120, a separate physically isolated area may be set up. Under automatic Air Gap switch-off control, the isolated storage system 140 receives the target backup data and signature sent by the backup detection system 130, which have passed ransomware detection. Through the Air Gap, the target backup data in the isolated storage system 140 is disconnected from the Internet, which prevents the target backup data from being accessed online and thus from being attacked by ransomware. When the business data on the production storage device of the business system 110 is attacked by ransomware, it can be restored from the target backup data on the isolated storage device of the isolated storage system 140.

Step S902: The isolated storage system 140 verifies the signature with the public key.

In this implementation, before storing the target backup data, the isolated storage system 140 verifies the target backup data and the signature with the public key, thereby checking whether the target backup data was attacked by ransomware while being transmitted from the backup detection system 120 to the isolated storage system 140. The public key and the private key with which the backup detection system 120 obtained the signature are a matching key pair, generated with the same signature algorithm.

Step S903: If the verification succeeds, the isolated storage system 140 stores the target backup data.

In this implementation, once verification with the public key succeeds, that is, the target backup data has not been attacked by ransomware, the isolated storage system 140 stores the target backup data, so that after the business data of the business system 110 is attacked by ransomware, it can be restored from the target backup data stored in the isolated storage system 140.

Step S904: The business system 110 sends a recovery request to the isolated storage system 140.

In this implementation, when the business data in the business system 110 is attacked by ransomware, the business system 110 sends a data recovery request to the isolated storage system 140 to obtain the target backup data used for data recovery.

Step S905: The isolated storage system 140 sends the target backup data, label information and signature.

In this implementation, the isolated storage system 140 receives the recovery request sent by the business system 110 and, according to that request, sends the target backup data, label information and signature, where the signature is used by the business system 110 to verify before performing data recovery from the target backup data.

Step S906: The business system 110 verifies the signature with the public key.

In this implementation, the business system 110 receives the target backup data, label information and signature sent by the isolated storage system 140. Before using the target backup data for data recovery, it verifies the target backup data and the signature with the public key, thereby checking whether the target backup data was attacked by ransomware while being transmitted from the isolated storage system 140 to the business system 110 for data recovery. The public key and the private key with which the backup detection system 120 obtained the signature are a matching key pair, generated with the same signature algorithm.

Step S907: If the verification succeeds, the business system 110 uses the target backup data for data recovery.

In this implementation, once verification with the public key succeeds, that is, once the business system 110 has determined that the target backup data has not been attacked by ransomware, it uses the target backup data for data recovery.

In some possible implementations, as shown in FIG. 10, step S906 may specifically include steps S1001 to S1003.

Step S1001: The business system 110 calculates a third hash value of the target backup data and the label information.

In this implementation, after receiving the target backup data and label information, the business system 110 calculates the third hash value of the target backup data and label information using the same digital signature algorithm.

Step S1002: The business system 110 verifies the signature with the public key to obtain the first hash value.

In this implementation, the business system 110 verifies the signature sent by the isolated storage system 140 with the public key to obtain the first hash value, where the public key and the private key with which the backup detection system signed are a matching key pair.

Step S1003: The business system 110 compares the first hash value with the third hash value.

In this implementation, after the business system 110 verifies the signature sent by the isolated storage system 140 with the public key and obtains the first hash value, it compares it with the third hash value it calculated over the target backup data and label information. If the first and third hash values are the same, the target backup data was not damaged or tampered with while being sent from the isolated storage system 140 to the business system 110, that is, it was not attacked by ransomware, and the verification succeeds; if the first and third hash values differ, the target backup data may have been damaged or tampered with, that is, it may have been attacked by ransomware, and the verification fails.

In some implementations, when the business system 110 compares the first hash value with the third hash value and finds them different, that is, the target backup data has been attacked by ransomware, it may raise an alarm and send an alarm notification informing the user that the target backup data stored in the isolated storage system 140 has been attacked by ransomware. Based on this alarm, the user may back up the business data again and store it in the isolated storage system 140, or pay the ransom to decrypt the target backup data. The verification process of the business system 110 is similar to that of the isolated storage system 140 and is not repeated here.

The present application also provides a ransomware detection apparatus. As shown in FIG. 11, the apparatus 1100 includes:

an acquisition module 1101, configured to acquire backup data;

a processing module 1102, configured to perform ransomware detection on the backup data;

the acquisition module 1101 being further configured to obtain, based on a private key, a signature of the target backup data and of the label information of the target backup data, where the label information indicates that the target backup data has passed ransomware detection; and

a sending module 1103, configured to send the target backup data, label information and signature to the isolated storage system, where the signature is used by the isolated storage system to verify the signature with a public key and to store the target backup data after the verification succeeds, the public key forming a matching key pair with the private key.

In some possible implementations, the acquisition module 1101 is specifically configured to calculate a first hash value of the target backup data and the label information.

In some possible implementations, after the acquisition module 1101 calculates the first hash value of the target backup data and label information, the sending module 1103 is further configured to send the first hash value to the key management system, which signs the first hash value with the private key and sends the signature to the backup detection system.

In some possible implementations, after the acquisition module 1101 calculates the first hash value of the target backup data and label information, the acquisition module 1101 is further configured to obtain the private key from the key management system, and the processing module 1102 is further configured to sign the first hash value with the private key.

In some possible implementations, the signature is used so that the isolated storage system stores the target backup data when the second hash value it calculates from the target backup data and label information is the same as the first hash value obtained by verifying the signature with the public key.

In some possible implementations, the private key is generated by the key management system, or the private key is imported into the key management system by the user.

The acquisition module 1101, processing module 1102 and sending module 1103 may each be implemented in software or in hardware. The implementation of the processing module 1102 is described below as an example; the acquisition module 1101 and sending module 1103 may be implemented in the same way as the processing module 1102.

As an example of a software functional unit, the processing module 1102 may include code running on a computing instance. The computing instance may include at least one of a physical host (computing device), a virtual machine and a container, and there may be one or more such instances. For example, the processing module 1102 may include code running on multiple hosts/virtual machines/containers. The multiple hosts/virtual machines/containers running that code may be located in the same region or in different regions. Furthermore, they may be located in the same AZ or in different AZs, where each AZ includes one data center or several geographically close data centers; a region usually includes multiple AZs.

Similarly, the multiple hosts/virtual machines/containers running the code may be located in the same virtual private cloud (VPC) or in multiple VPCs. A VPC is usually set up within one region; for communication between two VPCs in the same region, or across regions between VPCs in different regions, a communication gateway is set up in each VPC and the VPCs are interconnected through those gateways.

As an example of a hardware functional unit, the processing module 1102 may include at least one computing device, such as a server. Alternatively, the processing module 1102 may be a device implemented with an application-specific integrated circuit (ASIC) or a programmable logic device (PLD), where the PLD may be a CPLD, an FPGA, a GAL or any combination thereof.

The multiple computing devices included in the processing module 1102 may be located in the same region or in different regions, in the same AZ or in different AZs, and likewise in the same VPC or in multiple VPCs. The multiple computing devices may be any combination of servers, ASICs, PLDs, CPLDs, FPGAs, GALs and similar computing devices.

It should be noted that in other embodiments, the acquisition module 1101, the processing module 1102 and the sending module 1103 may each be used to execute any step of the ransomware detection method; the steps each module is responsible for may be assigned as needed, and the three modules implement different steps of the ransomware detection method so as to realize the full functionality of the data processing apparatus.

本申请还提供一种勒索软件检测装置,如图12所示,该装置1200包括:The present application also provides a ransomware detection device, as shown in FIG12 , the device 1200 includes:

接收模块1201,用于接收目标备份数据、目标备份数据的标签信息和目标备份数据的签名,标签信息用于指示目标备份数据通过备份检测系统的勒索检测,签名由备份检测系统基于私钥对目标备份数据和标签信息进行签名得到;The receiving module 1201 is used to receive target backup data, label information of the target backup data, and a signature of the target backup data, where the label information is used to indicate that the target backup data has passed the ransomware detection of the backup detection system, and the signature is obtained by signing the target backup data and the label information by the backup detection system based on a private key;

处理模块1202,用于基于公钥对签名进行验证,公钥是与私钥相匹配的密钥对;A processing module 1202 is used to verify the signature based on a public key, where the public key is a key pair that matches the private key;

若验证成功,处理模块1202,还用于存储目标备份数据;If the verification is successful, the processing module 1202 is also used to store the target backup data;

接收模块1202,还用于接收业务系统的恢复请求,恢复请求用于获取目标备份数据;The receiving module 1202 is further used to receive a recovery request from the business system, where the recovery request is used to obtain target backup data;

处理模块1202,还用于根据恢复请求,向业务系统发送目标备份数据、标签信息和签名,签名用于业务系统基于公钥进行验证以及验证成功之后利用目标备份数据进行数据恢复。The processing module 1202 is also used to send the target backup data, label information and signature to the business system according to the recovery request. The signature is used by the business system to verify based on the public key and to use the target backup data for data recovery after successful verification.

在一些可能的实现方式中,处理模块1202,具体用于:计算目标备份数据和标签信息的第一哈希值。In some possible implementations, the processing module 1202 is specifically configured to calculate a first hash value of the target backup data and the tag information.

在一些可能的实现方式中,处理模块1202计算目标备份数据和标签信息的第一哈希值之后,包括:处理模块1202,还用于基于公钥对签名进行验证得到的第二哈希值,与第一哈希值进行比较。In some possible implementations, after the processing module 1202 calculates the first hash value of the target backup data and the tag information, the processing module 1202 is further configured to compare a second hash value obtained by verifying the signature based on the public key with the first hash value.

In some possible implementations, after the processing module 1202 calculates the first hash value of the target backup data and the label information, if the second hash value is the same as the first hash value, the processing module 1202 is further configured to store the target backup data.

In some possible implementations, the signature is used so that the business system performs data recovery with the target backup data when the second hash value, obtained by verifying the signature with the public key, is the same as a third hash value calculated from the target backup data and the label information.

In some possible implementations, the private key is generated by a key management system, or the private key is imported into the key management system by a user.
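As an added illustration of the exchange just described (this is not code from the patent or from Huawei), the following Go sketch plays the three roles end to end: the backup detection system hashes data and label and signs the hash, the isolated storage system verifies with the public key before storing and answers recovery requests, and the business system verifies again before restoring. The label fields, the SHA-256/Ed25519 choice, the length-prefixed hash encoding and the DemoDetector are assumptions; the ransomware detection step itself is only a stand-in.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Label is the page's "label information"; its concrete fields are an assumption.
type Label struct {
	BackupID string
	Verdict  string // "passed" marks a backup that passed ransomware detection
}

// SignedBackup carries data, label and signature between the three systems.
type SignedBackup struct {
	Data      []byte
	Label     Label
	Signature []byte
}

// digest is the "first hash value" over backup data and label. Each field is
// length-prefixed so bytes cannot be shifted between data and label unnoticed.
func digest(data []byte, label Label) []byte {
	h := sha256.New()
	for _, b := range [][]byte{data, []byte(label.BackupID), []byte(label.Verdict)} {
		binary.Write(h, binary.BigEndian, uint64(len(b))) // writes to a hash never fail
		h.Write(b)
	}
	return h.Sum(nil)
}

// DemoDetector is a constructed stand-in for the page's ransomware detection step.
func DemoDetector(data []byte) bool { return !bytes.Contains(data, []byte("<<LOCKED>>")) }

// BackupDetectionSystem holds the private key (the claim 4 path, where the key is
// obtained from the key management system) and signs only backups that pass detection.
type BackupDetectionSystem struct {
	Priv   ed25519.PrivateKey
	Detect func([]byte) bool
}

func (b *BackupDetectionSystem) Process(id string, data []byte) (*SignedBackup, error) {
	if !b.Detect(data) {
		return nil, errors.New("backup failed ransomware detection; not signed")
	}
	label := Label{BackupID: id, Verdict: "passed"}
	sig := ed25519.Sign(b.Priv, digest(data, label))
	return &SignedBackup{Data: data, Label: label, Signature: sig}, nil
}

// Verify is the public-key check shared by the isolated storage and business systems.
// Ed25519 yields no "recovered hash" to compare, so the page's hash comparison becomes
// verifying the signature over the recomputed hash of data and label.
func Verify(pub ed25519.PublicKey, sb *SignedBackup) error {
	if sb.Label.Verdict != "passed" {
		return errors.New("label does not mark the backup as having passed detection")
	}
	if !ed25519.Verify(pub, digest(sb.Data, sb.Label), sb.Signature) {
		return errors.New("signature verification failed")
	}
	return nil
}

// IsolatedStorageSystem stores only verified backups and serves recovery requests.
type IsolatedStorageSystem struct {
	Pub   ed25519.PublicKey
	store map[string]SignedBackup
}

func (s *IsolatedStorageSystem) Receive(sb *SignedBackup) error {
	if err := Verify(s.Pub, sb); err != nil {
		return err // unverified data never reaches the isolated store
	}
	if s.store == nil {
		s.store = map[string]SignedBackup{}
	}
	s.store[sb.Label.BackupID] = *sb
	return nil
}

// Recover answers a recovery request with data, label and signature; ok is false for an unknown id.
func (s *IsolatedStorageSystem) Recover(id string) (SignedBackup, bool) {
	sb, ok := s.store[id]
	return sb, ok
}

// Restore is the business-system side: verify with the public key first, then restore.
func Restore(pub ed25519.PublicKey, sb *SignedBackup) ([]byte, error) {
	if err := Verify(pub, sb); err != nil {
		return nil, err
	}
	return sb.Data, nil
}
```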

Both the receiving module 1201 and the processing module 1202 may be implemented in software or in hardware. By way of example, the implementation of the processing module 1202 is described next; the receiving module 1201 may be implemented in the same way.

As an example of a module as a software functional unit, the processing module 1202 may include code running on a computing instance. The computing instance may include at least one of a physical host (computing device), a virtual machine, and a container. Further, there may be one or more such computing instances; for example, the processing module 1202 may include code running on multiple hosts/virtual machines/containers. It should be noted that the multiple hosts/virtual machines/containers running the code may be located in the same region or in different regions. Further, they may be located in the same availability zone (AZ) or in different AZs, where each AZ includes one data center or multiple geographically close data centers; typically one region includes multiple AZs.

Similarly, the multiple hosts/virtual machines/containers running the code may be located in the same virtual private cloud (VPC) or in multiple VPCs. Typically a VPC is set up within one region; for communication between two VPCs in the same region, and for cross-region communication between VPCs in different regions, a communication gateway must be set up in each VPC, and the VPCs are interconnected through these communication gateways.

As an example of a module as a hardware functional unit, the processing module 1202 may include at least one computing device, such as a server. Alternatively, the processing module 1202 may be a device implemented with an application-specific integrated circuit (ASIC) or a programmable logic device (PLD), where the PLD may be a CPLD, an FPGA, a GAL, or any combination thereof.

The multiple computing devices included in the processing module 1202 may be located in the same region or in different regions, in the same AZ or in different AZs, and likewise in the same VPC or in multiple VPCs. These computing devices may be any combination of computing devices such as servers, ASICs, PLDs, CPLDs, FPGAs and GALs.

It should be noted that in other embodiments the receiving module 1201 may be used to perform any step of the ransomware detection method, and so may the processing module 1202; the steps each module is responsible for may be assigned as needed, and the two modules implement different steps of the ransomware detection method so as to realize all functions of the data processing apparatus.

The present application further provides a computing device 100. As shown in FIG. 13, the computing device 100 includes a bus 102, a processor 104, a memory 106 and a communication interface 108, which communicate with one another through the bus 102. The computing device 100 may be a server or a terminal device. It should be understood that the present application does not limit the number of processors and memories in the computing device 100.

The bus 102 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one line is drawn in FIG. 13, but this does not mean that there is only one bus or one type of bus. The bus 102 may include a path for transmitting information between the components of the computing device 100 (for example, the memory 106, the processor 104 and the communication interface 108).

The processor 104 may include any one or more of a central processing unit (CPU), a graphics processing unit (GPU), a microprocessor (MP), a digital signal processor (DSP), and the like.

The memory 106 may include volatile memory, such as random access memory (RAM). The memory 106 may also include non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid state drive (SSD).

The memory 106 stores executable program code, and the processor 104 executes it to implement the functions of the acquisition module 1101, the processing module 1102 and the sending module 1103 described above, thereby implementing the ransomware detection method. In other words, the memory 106 stores instructions for executing the ransomware detection method. FIG. 13 shows, merely by way of example, the memory 106 storing the program code that implements the functions of the acquisition module 1101, the processing module 1102 and the sending module 1103.

The communication interface 108 uses a transceiver module such as, but not limited to, a network interface card or a transceiver to implement communication between the computing device 100 and other devices or a communication network.

An embodiment of the present application further provides a computing device cluster. The computing device cluster includes at least one computing device. The computing device may be a server, such as a central server, an edge server, or a local server in a local data center. In some embodiments, the computing device may also be a terminal device such as a desktop computer, a laptop computer or a smartphone.

As shown in FIG. 14, the computing device cluster includes at least one computing device 100. The memory 106 in one or more of the computing devices 100 in the cluster may store the same instructions for executing the ransomware detection method.

In some possible implementations, the memory 106 of one or more computing devices 100 in the cluster may instead each store part of the instructions for executing the ransomware detection method. In other words, a combination of one or more computing devices 100 may jointly execute the instructions for the ransomware detection method.

It should be noted that the memories 106 of different computing devices 100 in the cluster may store different instructions, each used to execute part of the functions of the data processing apparatus. That is, the instructions stored in the memories 106 of different computing devices 100 may implement the functions of one or more of the acquisition module 1101, the processing module 1102 and the sending module 1103, or of one or more of the receiving module 1201 and the processing module 1202.

In some possible implementations, one or more computing devices in the cluster may be connected through a network, which may be a wide area network, a local area network or the like. FIG. 15 shows one possible implementation: two computing devices 100A and 100B are connected through a network, specifically through the communication interface of each computing device. In this type of implementation, the memory 106 in the computing device 100A stores instructions for executing the functions of the acquisition module 1101, while the memory 106 in the computing device 100B stores instructions for executing the functions of the processing module 1102 and the sending module 1103; FIG. 15 takes this arrangement as an example.

The connection between the computing devices of the cluster shown in FIG. 15 may take into account that the ransomware detection method provided in the present application needs to compute over a large amount of data, so the functions of the processing module 1102 and the sending module 1103 are assigned to the computing device 100B.

It should be understood that the functions of the computing device 100A shown in FIG. 15 may also be performed by multiple computing devices 100; likewise, the functions of the computing device 100B may be performed by multiple computing devices 100.

An embodiment of the present application further provides a computer program product containing instructions. The computer program product may be software or a program product containing instructions that can run on a computing device or be stored in any available medium. When the computer program product runs on at least one computing device, it causes the at least one computing device to execute either of the ransomware detection methods described above.

An embodiment of the present application further provides a computer-readable storage medium. The computer-readable storage medium may be any available medium that a computing device can store, or a data storage device such as a data center containing one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, a hard disk or a magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid-state drive). The computer-readable storage medium includes instructions that instruct a computing device to execute either of the ransomware detection methods described above.

Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced with equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of protection of the technical solutions of the embodiments of the present invention.

Claims (30)

1. A ransomware detection method, characterized in that the method is applied to a backup detection system, the backup detection system being used to perform ransomware detection on backup data in a backup storage system, the backup data being a backup of business data, and the method comprising:
   the backup detection system obtaining the backup data;
   the backup detection system performing ransomware detection on the backup data;
   the backup detection system obtaining, based on a private key, a signature of target backup data and of label information of the target backup data, the label information of the target backup data indicating that the target backup data has passed the ransomware detection;
   the backup detection system sending the target backup data, the label information and the signature to an isolated storage system, the signature being used by the isolated storage system to verify the signature based on a public key and to store the target backup data after successful verification, the public key and the private key forming a matching key pair.

2. The method according to claim 1, characterized in that the backup detection system obtaining, based on the private key, the signature of the target backup data and the label information of the target backup data comprises:
   the backup detection system calculating a first hash value of the target backup data and the label information.

3. The method according to claim 1 or 2, characterized in that after the backup detection system calculates the first hash value of the target backup data and the label information, the method comprises:
   the backup detection system sending the first hash value to a key management system, the key management system being used to sign the first hash value based on the private key and to send the signature to the backup detection system.

4. The method according to claim 1 or 2, characterized in that after the backup detection system calculates the first hash value of the target backup data and the label information, the method comprises:
   the backup detection system obtaining the private key from the key management system;
   the backup detection system signing the first hash value based on the private key.

5. The method according to any one of claims 1 to 4, characterized in that the signature is used so that the isolated storage system stores the target backup data when a second hash value calculated by the isolated storage system from the target backup data and the label information is the same as the first hash value obtained by verifying the signature based on the public key.

6. The method according to any one of claims 1 to 5, characterized in that the private key is generated by the key management system, or the private key is imported into the key management system by a user.

7. A ransomware detection method, characterized in that the method is applied to an isolated storage system, and the method comprises:
   the isolated storage system receiving target backup data, label information of the target backup data and a signature of the target backup data, the label information indicating that the target backup data has passed the ransomware detection of a backup detection system, and the signature being obtained by the backup detection system signing the target backup data and the label information based on a private key;
   the isolated storage system verifying the signature based on a public key, the public key and the private key forming a matching key pair;
   if the verification succeeds, the isolated storage system storing the target backup data;
   the isolated storage system receiving a recovery request from a business system, the recovery request being used to obtain the target backup data;
   the isolated storage system sending, according to the recovery request, the target backup data, the label information and the signature to the business system, the signature being used by the business system to perform verification based on the public key and, after successful verification, to perform data recovery using the target backup data.

8. The method according to claim 7, characterized in that the isolated storage system verifying the signature based on the public key comprises:
   the isolated storage system calculating a first hash value of the target backup data and the label information.

9. The method according to claim 7 or 8, characterized in that after the isolated storage system calculates the first hash value of the target backup data and the label information, the method comprises:
   the isolated storage system comparing a second hash value, obtained by verifying the signature based on the public key, with the first hash value.

10. The method according to any one of claims 7 to 9, characterized in that, if the verification succeeds, the isolated storage system storing the target backup data comprises:
   if the second hash value is the same as the first hash value, the isolated storage system storing the target backup data.

11. The method according to claim 7, characterized in that the signature is used so that the business system performs data recovery using the target backup data when the second hash value obtained by verifying the signature based on the public key is the same as a third hash value calculated from the target backup data and the label information.

12. The method according to any one of claims 7 to 10, characterized in that the private key is generated by the key management system, or the private key is imported into the key management system by a user.

13. A ransomware detection apparatus, characterized in that the apparatus is applied to a backup detection system, the backup detection system being used to perform ransomware detection on backup data in a backup storage system, the backup data being a backup of business data, and the apparatus comprising:
   an acquisition module, configured to acquire the backup data;
   a processing module, configured to perform ransomware detection on the backup data;
   the acquisition module being further configured to obtain, based on a private key, a signature of target backup data and of label information of the target backup data, the label information of the target backup data indicating that the target backup data has passed the ransomware detection;
   a sending module, configured to send the target backup data, the label information and the signature to an isolated storage system, the signature being used by the isolated storage system to verify the signature based on a public key and to store the target backup data after successful verification, the public key and the private key forming a matching key pair.

14. The apparatus according to claim 13, characterized in that the acquisition module is specifically configured to:
   calculate a first hash value of the target backup data and the label information.

15. The apparatus according to claim 13 or 14, characterized in that after the acquisition module calculates the first hash value of the target backup data and the label information, the sending module is further configured to:
   send the first hash value to a key management system, the key management system being used to sign the first hash value based on the private key and to send the signature to the backup detection system.

16. The apparatus according to claim 13 or 14, characterized in that after the acquisition module calculates the first hash value of the target backup data and the label information, the apparatus comprises:
   the acquisition module being further configured to obtain the private key from the key management system;
   the processing module being further configured to sign the first hash value based on the private key.

17. The apparatus according to any one of claims 13 to 16, characterized in that the signature is used so that the isolated storage system stores the target backup data when a second hash value calculated by the isolated storage system from the target backup data and the label information is the same as the first hash value obtained by verifying the signature based on the public key.

18. The apparatus according to any one of claims 13 to 17, characterized in that the private key is generated by the key management system, or the private key is imported into the key management system by a user.

19. A ransomware detection apparatus, characterized in that the apparatus is applied to an isolated storage system, and the apparatus comprises:
   a receiving module, configured to receive target backup data, label information of the target backup data and a signature of the target backup data, the label information indicating that the target backup data has passed the ransomware detection of a backup detection system, and the signature being obtained by the backup detection system signing the target backup data and the label information based on a private key;
   a processing module, configured to verify the signature based on a public key, the public key and the private key forming a matching key pair;
   if the verification succeeds, the processing module being further configured to store the target backup data;
   the receiving module being further configured to receive a recovery request from a business system, the recovery request being used to obtain the target backup data;
   the processing module being further configured to send, according to the recovery request, the target backup data, the label information and the signature to the business system, the signature being used by the business system to perform verification based on the public key and, after successful verification, to perform data recovery using the target backup data.

20. The apparatus according to claim 19, characterized in that the processing module is specifically configured to:
   calculate a first hash value of the target backup data and the label information.

21. The apparatus according to claim 19 or 20, characterized in that after the processing module calculates the first hash value of the target backup data and the label information, the apparatus comprises:
   the processing module being further configured to compare a second hash value, obtained by verifying the signature based on the public key, with the first hash value.

22. The apparatus according to any one of claims 19 to 21, characterized in that after the processing module calculates the first hash value of the target backup data and the label information, the apparatus comprises:
   if the second hash value is the same as the first hash value, the processing module being further configured to store the target backup data.

23. The apparatus according to claim 19, characterized in that the signature is used so that the business system performs data recovery using the target backup data when the second hash value obtained by verifying the signature based on the public key is the same as a third hash value calculated from the target backup data and the label information.

24. The apparatus according to any one of claims 19 to 23, characterized in that the private key is generated by the key management system, or the private key is imported into the key management system by a user.

25. A computing device cluster, characterized in that it comprises at least one computing device, each computing device comprising a processor and a memory;
   the processor of the at least one computing device being configured to execute instructions stored in the memory of the at least one computing device, so that the computing device cluster performs the method according to any one of claims 1 to 6.

26. A computing device cluster, characterized in that it comprises at least one computing device, each computing device comprising a processor and a memory;
   the processor of the at least one computing device being configured to execute instructions stored in the memory of the at least one computing device, so that the computing device cluster performs the method according to any one of claims 7 to 12.

27. A computer program product containing instructions, characterized in that, when the instructions are run by a computing device cluster, the computing device cluster performs the method according to any one of claims 1 to 6.

28. A computer program product containing instructions, characterized in that, when the instructions are run by a computing device cluster, the computing device cluster performs the method according to any one of claims 7 to 12.

29. A computer-readable storage medium, characterized in that it comprises computer program instructions which, when executed by a computing device cluster, cause the computing device cluster to perform the method according to any one of claims 1 to 6.

30. A computer-readable storage medium, characterized in that it comprises computer program instructions which, when executed by a computing device cluster, cause the computing device cluster to perform the method according to any one of claims 7 to 12.
PCT/CN2024/078473 2023-06-08 2024-02-26 Ransomware detection method, distributed system, and computer-readable storage medium Pending WO2024250745A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN202310678119 2023-06-08
CN202310678119.3 2023-06-08
CN202311405723.5 2023-10-26
CN202311405723.5A CN119106419A (en) 2023-06-08 2023-10-26 Ransomware detection method, distributed system and computer-readable storage medium

Publications (1)

Publication Number Publication Date
WO2024250745A1 true WO2024250745A1 (en) 2024-12-12

Family

ID=93714669

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2024/078473 Pending WO2024250745A1 (en) 2023-06-08 2024-02-26 Ransomware detection method, distributed system, and computer-readable storage medium

Country Status (2)

Country Link
CN (1) CN119106419A (en)
WO (1) WO2024250745A1 (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101006428A * 2004-06-21 2007-07-25 Motorola, Inc. Secure data backup and recovery
CN108701188A * 2016-02-01 2018-10-23 Symantec Corporation Systems and methods for modifying file backups in response to detecting potential ransomware
CN109271281A * 2018-08-31 2019-01-25 Zhenghe Technology Co., Ltd. Tamper-resistant data backup method and system
CN109388945A * 2018-08-21 2019-02-26 Institute of Information Engineering, Chinese Academy of Sciences Method and system for preventing ransomware attacks based on solid-state storage devices
CN113595957A * 2020-04-30 2021-11-02 Huawei Technologies Co., Ltd. Network defense method and security detection device
CN114297645A * 2021-12-03 2022-04-08 Shenzhen Mulangyun Technology Co., Ltd. Method, device and system for identifying ransomware families in a cloud backup system
CN115130101A * 2022-07-06 2022-09-30 Guangzhou Power Supply Bureau of Guangdong Power Grid Co., Ltd. Blockchain-based anti-ransomware data backup system and data storage method


Also Published As

Publication number Publication date
CN119106419A (en) 2024-12-10

Similar Documents

Publication Publication Date Title
US11323271B2 (en) Retrieving public data for blockchain networks using highly available trusted execution environments
EP3646173B1 (en) Theft and tamper resistant data protection
US9984227B2 (en) Hypervisor and virtual machine protection
AU2019204708A1 (en) Retrieving public data for blockchain networks using highly available trusted execution environments
US11868460B2 (en) Authorized encryption
US11238157B2 (en) Efficient detection of ransomware attacks within a backup storage environment
GB2520056A (en) Digital data retention management
US12333143B2 (en) Methods and system of preventing duplication of encrypted data
CN108027856B (en) Real-time indicator for establishing attack information using trusted platform module
CN110837634B (en) Electronic signature method based on hardware encryption machine
CN111444519A (en) Protecting log data integrity
CN114942729A (en) Data safety storage and reading method for computer system
WO2024250745A1 (en) Ransomware detection method, distributed system, and computer-readable storage medium
EP4546704A1 (en) Improved redundancy protection by way of cloning stateful private keys suitable for protecting against quantum computer attacks using an hsm
CN119089505A (en) A distributed redundant storage method, device, equipment and readable storage medium
CN114142997A (en) A security authentication method, device and storage medium for communication between nodes
Zhao Building Secure and Dependable Information Systems
Bortolameotti et al. Reliably determining data leakage in the presence of strong attackers
Jaisinghani et al. Self Motivated Intrusion-Tolerant, Detecting and Healing Server

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 24818282
Country of ref document: EP
Kind code of ref document: A1