Method and related apparatus for deploying a decoy file

Abstract

This application provides a method and related apparatus for deploying decoy files. It acquires the popularity values ​​of multiple files, which indicate the frequency of file access, and generates decoy files based on files with high access frequencies. Files with high access frequencies may be more important; generating decoy files from these files provides protection against them. Since the decoy files are generated from frequently accessed files, they share greater similarity, thus enhancing their protective effect.

Description

Technical Field

[0001] This application relates to the field of communication technology, and in particular to a method and apparatus for deploying decoy files. Background Technology

[0002] To ensure the secure operation of electronic devices (such as servers), it is usually necessary to defend against potential cyberattacks. This can be done by deploying decoy files on the electronic device and detecting whether these files have been accessed or modified. Based on the detection results, it can be determined whether someone is attempting to access files or attack the electronic device without authorization. For example, if the detection result shows that the decoy file has been modified, then an intruder is confirmed to be present on the electronic device.

[0003] However, the deployment methods of existing decoy files are relatively fixed. For example, the names of decoy files are relatively simple or the file types of decoy files are relatively fixed. This makes it easy for intruders to bypass decoy files in a targeted manner, resulting in weak anti-attack capabilities and failure to provide corresponding attack protection. Summary of the Invention

[0004] This application provides a method and related apparatus for deploying decoy files. The decoy files are generated based on files with high popularity values. Since files with high popularity values ​​have uncertainty, the flexibility of the decoy files can be improved, thereby enhancing the protective strength of the decoy files.

[0005] To achieve the above objectives, this application adopts the following technical solution:

[0006] In a first aspect, a method for deploying a decoy file is provided, the method comprising: acquiring popularity values ​​of multiple files, the popularity values ​​indicating the frequency of access to the files; determining a target file among the multiple files based on the popularity values ​​of the multiple files, wherein the popularity value of the target file is greater than the popularity values ​​of other files among the multiple files; and generating a decoy file based on the file information of the target file.

[0007] In this way, the popularity scores of multiple files are obtained, and decoy files are generated based on the files with higher popularity scores. Since files with higher popularity scores are accessed more frequently, they are considered more important to users and can be protected using decoy files. Because decoy files are generated based on the file information of real files, the similarity between the decoy files and real files is increased, enhancing the protective strength of the decoy files. Furthermore, because decoy files are generated from files with high popularity scores, and the nature of high popularity scores is uncertain, the flexibility of the decoy files is increased, thereby enhancing their protective strength.

[0008] In some implementations of the first aspect, obtaining the popularity values ​​of multiple files includes: obtaining first information of multiple files, and determining the popularity values ​​of multiple files based on the first information of multiple files, wherein the first information is used to indicate the access records of multiple files.

[0009] In some implementations of the first aspect, determining the popularity value of multiple files based on first information of the multiple files includes: obtaining second information about the access paths of the multiple files; determining the popularity value of the multiple files based on the first information and the second information; wherein the second information is used to indicate the access records of the access paths of the multiple files. Thus, the electronic device can determine the access records of the access paths of each file based on the second information, then determine the popularity value of the file based on the access records of the access paths and the file's access records, and determine the popularity or degree of demand of the file from the file's access records and the access records of the access paths, thereby identifying the target file required among the multiple files.

[0010] In some implementations of the first aspect, the first information includes the access time corresponding to each access to the file; determining the popularity value of multiple files based on the first information of multiple files includes: determining the popularity value of multiple files based on the first information and the access interval time, wherein the access interval time is the time interval between the access time and the current time. Thus, the smaller the time interval between the time a file is accessed and the current time, the greater the popularity of the file and the stronger its activity.

[0011] In some implementations of the first aspect, determining the popularity value of multiple files based on the first information of the multiple files includes: obtaining the file types and / or file content of the multiple files; and determining the popularity value of the multiple files based on the file types and / or file content and the first information. Since different file types carry different forms of content and can carry different amounts of content, the popularity of a file may differ depending on its file type. Because different file contents contain different information, their importance to users varies, and thus the importance or popularity of a file can be determined based on its content.

[0012] In some implementations of the first aspect, obtaining the popularity values ​​of multiple files includes: the method further includes: in response to a target event, obtaining the popularity values ​​of multiple files, wherein the target event is used to indicate an update of the decoy file. By defining a target event, the update of the decoy file is triggered when the target event is detected, thereby improving the flexibility of decoy file deployment.

[0013] In some implementations of the first aspect, the target event includes at least one of: reaching the decoy file update cycle, detecting changes in access records of multiple files, and detecting the execution of a boot operation.

[0014] In a second aspect, an electronic device is provided, comprising: a memory including computer-readable instructions; and a processor communicating with the memory, the processor being configured to execute the computer-readable instructions, causing the electronic device to perform the decoy file deployment method described in any one aspect.

[0015] Thirdly, a computer-readable storage medium is provided, including a program or instructions that, when executed by a processor, implement a method for deploying a decoy file as described in any one of the first aspects.

[0016] Fourthly, a chip is provided, including a processor for retrieving and executing instructions stored in a memory, causing an electronic device on which the chip is mounted to execute the decoy file deployment method described in any one of the first aspects.

[0017] Fifthly, a computer program product is provided, the computer program product comprising instructions that, when executed by a computer, implement the method as described in any one of the first aspects.

[0018] The beneficial effects of each possible implementation of the electronic device provided in the second aspect of the embodiments of this application, the computer-readable storage medium provided in the third aspect, the chip provided in the fourth aspect, and the computer program product provided in the fifth aspect can be referred to the descriptions of the various possible implementations in the first aspect, and will not be repeated here. Attached Figure Description

[0019] Figure 1 A schematic diagram of an architecture provided for an embodiment of this application;

[0020] Figure 2 A flowchart illustrating a method for deploying decoy files provided in an embodiment of this application;

[0021] Figure 3 A schematic diagram of an architecture provided for an embodiment of this application;

[0022] Figure 4 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application. Detailed Implementation

[0023] The technical solutions in this application will now be described with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments in this specification, and not all of them.

[0024] In the field of cybersecurity, decoy files can be deployed to protect files on electronic devices. By enticing attackers to click or open decoy files, administrators can promptly detect and respond to potential security threats. However, existing decoy files often have relatively fixed file information, such as simple filenames or fixed file types. This makes them easy for intruders to bypass, weakening their defensive capabilities and rendering them ineffective in protecting against attacks.

[0025] To address the aforementioned issues, this application provides a method for deploying decoy files. This method involves acquiring the popularity values ​​of multiple files, which indicate the frequency of file access, and generating decoy files based on the files with higher access frequencies. Files with higher access frequencies may be more important; generating decoy files from these files allows for protection against those files. Since the decoy files are generated from frequently accessed files, they share greater similarity, thus enhancing their protective effectiveness.

[0026] Optionally, the protective effects of decoy files include: by placing decoy files on electronic devices, attackers can be drawn to focus their attention on the decoy file. Decoy files can be used to monitor and detect unauthorized access or malicious activity. For example, once a decoy file is accessed or modified, an alert is triggered, notifying system administrators of a potential intrusion. Decoy files can also lure malware into revealing its behavior or characteristics, thereby facilitating analysis.

[0027] Please see Figure 1 , Figure 1 This application provides an architectural diagram. Figure 1 The electronic device contains multiple files. The electronic device is used to obtain the popularity value of multiple files; and generates a decoy file based on the file with the higher popularity value. That is, each electronic device is used to complete the deployment of its own decoy file.

[0028] Optionally, the electronic device in this application embodiment may be a terminal device, a server, an in-vehicle device, etc. The electronic device can protect the files in the electronic device by deploying decoy files.

[0029] Please see Figure 2 , Figure 2 This is a flowchart illustrating a method for deploying a decoy file, as provided in an embodiment of this application. Figure 2 The deployment methods for the decoy files include: S201 to S203.

[0030] S201. The electronic device acquires the popularity value of multiple files, which is used to indicate the frequency at which the multiple files are accessed.

[0031] Optionally, the higher the popularity value of a file, the more frequently the file is accessed; conversely, the lower the popularity value of a file, the less frequently the file is accessed.

[0032] Optionally, the electronic device can directly obtain the popularity values ​​of multiple files. For example, module A in the electronic device can detect the access frequency of multiple files and determine the popularity values ​​of multiple files. Alternatively, the popularity values ​​of multiple files can be determined through other parameters, such as by obtaining the access frequency of multiple files to determine the popularity value of the file.

[0033] Optionally, multiple files may include all files in the electronic device, or specific files in the electronic device, such as system files, or multiple files specified by the user in the electronic device. Multiple files may also be files located in the same access path or in the same folder within the electronic device, or they may be files located in different access paths or folders within the electronic device.

[0034] S202. The electronic device determines the target file among the multiple files based on the popularity values ​​of the multiple files, wherein the popularity value of the target file is greater than the popularity values ​​of the other files among the multiple files.

[0035] Optionally, after acquiring the popularity values ​​of multiple files, the electronic device can determine the relationship between the popularity value of each file and a preset popularity threshold. Files with popularity values ​​greater than or equal to the popularity threshold are then set as target files, and the popularity values ​​of the target files are greater than those of the other files (i.e., non-target files among the multiple files). The preset popularity threshold can be pre-set in the electronic device. For example, if the electronic device acquires popularity values ​​of 5, 10, 15, 30, 40, and 60 for 6 files, and the preset popularity threshold is 30, then the electronic device will set the three files with popularity values ​​of 30, 40, and 60 as target files.

[0036] Optionally, after acquiring the popularity values ​​of multiple files, the electronic device can set a preset proportion or a preset number of files as target files, wherein the popularity values ​​of the files set as target files are greater than the popularity values ​​of the other files. For example, if the preset proportion is 1 / 3 and the electronic device acquires popularity values ​​of 6 files: 5, 10, 15, 30, 40, and 60, then the electronic device will set the two files with popularity values ​​of 40 and 60 as target files.

[0037] S203. The electronic device generates a decoy file based on the file information of the target file.

[0038] Optionally, the file information includes file attribute information, such as filename, file type, and file size. The electronic device generates a decoy file based on the target file's attribute information; that is, the decoy file mimics the target file. For example, the decoy file may have the same file size as the target file, the same file type, and a similar filename (e.g., if the target file's filename is 0001, the decoy file's filename is 0002). This increases the similarity between the decoy and target files. The decoy file is generated based on a real file to enhance its protective capabilities.

[0039] Optionally, the file information also includes file access record information, such as file creation time, file modification time, and file access time. The electronic device can set the access record information of the decoy file so that the access record information of the decoy file is the same as or similar to the access record information of the target file. For example, the electronic device can set the decoy file so that the file creation time, file modification time, and file access time of the decoy file are the same as those of the target file.

[0040] Optionally, the electronic device can read the file content of the target file and generate the file content of the decoy file based on the file content of the target file to increase the similarity between the target file and the decoy file.

[0041] Optionally, after generating the decoy file, the electronic device can also set the decoy file and its corresponding target file in the same access path. For example, if the access path of the target file is C:\Users\admin\Desktop\, then after generating the decoy file, the electronic device can place the decoy file in that access path.

[0042] In this way, electronic devices acquire the popularity scores of multiple files and generate decoy files based on the files with higher popularity scores. Since files with higher popularity scores are accessed more frequently, they are considered more important to users and can be protected against using decoy files. Because decoy files are generated based on the file information of real files, increasing the similarity between the decoy files and real files enhances the protective strength of the decoy files. Furthermore, because decoy files are generated from files with higher popularity scores, and the nature of these scores is uncertain, the flexibility of the decoy files can be increased, thereby enhancing their protective strength. For example, the flexibility of decoy file deployment can be used to improve protection against ransomware.

[0043] Optionally, in S201, the electronic device obtains the popularity values ​​of multiple files, including: the electronic device obtains first information about the multiple files, the first information indicating the access history of the multiple files, and determines the popularity values ​​of the multiple files based on the first information. The first information describes the historical access history of the file, such as the number of accesses per unit time, so the electronic device can determine the popularity value of the file based on the historical access history of the file.

[0044] Optionally, file access may include operations such as reading, writing, creating, and deleting the file. The first piece of information may include the file's creation time, open time, write time, read time, or close time. For example, the file's creation time (CreationTime) is 2024 / 2 / 22 9:58:09, and the last write time (LastWriteTime) is 2024 / 9 / 13 9:08:42.

[0045] Optionally, the electronic device can determine the access frequency of each file based on the first information of multiple files; then, it can determine the popularity value of each file based on the access frequency and the correspondence between access frequency and popularity value. The higher the access frequency of a file, the higher its popularity value; the lower the access frequency of a file, the lower its popularity value. For example, if file A is read twice and modified twice within one hour, then file A has an access frequency of 4, and its popularity value is determined to be 3 based on the correspondence between access frequency and popularity value.

[0046] Optionally, the electronic device has a pre-set correspondence between file access frequency and popularity value. For example, if a file is accessed 3 times within ten minutes, its popularity value is 3; if the file is accessed 6 times within ten minutes, its popularity value is 6.

[0047] Optionally, if the number of multiple files is large, such as multiple files being all files of an electronic device, then the first information includes access records of files accessed within a preset time period. For example, if the preset time period is 30 minutes, then the first information includes access records of files accessed within 30 minutes.

[0048] Each file in an electronic device has a corresponding access path (or storage location). For example, the access path for file A is C:\Users\admin\Desktop\. If a certain access path is accessed more frequently, it can be determined that the files within that access path are in higher demand by users, and the popularity value of the files in that access path will also be higher. Multiple files can have the same access path or different access paths.

[0049] Optionally, the electronic device determines the popularity value of multiple files based on first information of the multiple files, including: the electronic device acquiring second information of the multiple files, the second information indicating access records of the access paths of the multiple files, and determining the popularity value of the multiple files based on the first and second information. The electronic device can determine the access records of the access paths of each file based on the second information, and then determine the popularity value of the file based on the access records of the access paths of the file and the access records of the file.

[0050] Optionally, the electronic device determines the access frequency of the access path corresponding to each file based on the second information, and then determines the popularity value of multiple files based on the access frequency of the access paths of multiple files and the first information.

[0051] Optionally, the electronic device determines the access frequency of each file based on the first information, and determines the access frequency of the access path corresponding to each file based on the second information; then, it determines the popularity value of the file based on the file's access frequency and the access frequency of the access path corresponding to that file. That is, the electronic device determines the popularity value of a file based on the access frequency of each file and the access frequency of the path where that file is located.

[0052] Optionally, the electronic device has a preset first correspondence between the access frequency of a file and a first weight, and a second correspondence between the access frequency of the access path corresponding to the file and a second weight. The electronic device determines the first weight based on the access frequency of the file and the first correspondence, determines the second weight based on the access frequency of the access path corresponding to the file and the second correspondence, and then determines the popularity value based on the first weight and the second weight.

[0053] Optionally, the popularity value can be the product of the first weight and the second weight, or the sum of the first weight and the second weight. In other embodiments, the popularity value can also be determined based on other methods, such as giving different proportions to the access frequency of the file and the access frequency of the access path. After determining the first weight and the second weight, the popularity value of the file can also be determined based on the proportions of the two. For example, if the first weight is 1 and the second weight is 2, and the proportions of the access frequency of the file and the access frequency of the access path are 0.4 and 0.2 respectively, then the popularity value of the file is 1×0.4+2×0.2=0.8.

[0054] For example, if file A is accessed 6 times within one hour, the first weight is determined to be 6 based on the first correspondence. If the access path of file A is accessed 3 times within one hour, the second weight is 1, and the popularity value is 1 × 6 = 6.

[0055] Optionally, the electronic device can actively acquire first and / or second information of multiple files, for example, by acquiring the first and / or second information of files through special instructions or command lines. If the operating system of the electronic device is a Windows system, a list of recently accessed files and folders can be obtained through command lines. In other embodiments, a monitoring module can be set in the electronic device to detect the access records of multiple files. For example, a monitoring module can be installed in the electronic device, and the monitoring module can detect the access records (such as creation, modification, deletion, etc.) of files through Windows file system hooking technology. The electronic device can obtain the access records of multiple files through the monitoring module. The importance of each file is related to the frequency of access to the file and the time of access. For example, file A was accessed 8 times in one hour, and file B was accessed 8 times between 12 hours and 24 hours ago. The access frequency of the two files is the same within 24 hours, but the importance of file B may be lower than that of file A.

[0056] Optionally, the first information includes the access time corresponding to each access to the file; the electronic device determines the popularity value of multiple files based on the first information of multiple files, including: determining the popularity value of multiple files based on the first information of multiple files and the access interval time, wherein the access interval time is used to indicate the time interval between the access time of each file and the current time.

[0057] Optionally, if a file has multiple access times, the access interval can be the ratio of the sum of N access times to N current times. For example, if file A has two access times of T1 and T2, and the current time is T, then the access interval of file A is (2T-T1-T2) / 2T.

[0058] Optionally, the electronic device determines the popularity value of multiple files based on the first information of multiple files and the access interval time, including: determining the access frequency of each file based on the first information, determining the first weight of the file based on the access frequency of the file and the first correspondence relationship, determining the third weight of the file based on the access interval time and the third correspondence relationship, wherein the third correspondence relationship describes the relationship between the access interval time and the third weight preset in the electronic device, and the electronic device determines the popularity value based on the first weight and the third weight.

[0059] Optionally, the popularity value can be the product of the first weight and the third weight, or the sum of the first weight and the third weight.

[0060] Optionally, the electronic device determines the popularity value of multiple files based on first information and access interval time, including: determining the access frequency of each file based on the first information, and determining the first weight corresponding to the file based on the access frequency and a first correspondence relationship; the electronic device obtains second information of multiple files, determines the access frequency of the access path corresponding to each file based on the second information, and determines the second weight corresponding to the file based on the access frequency of the access path and the second correspondence relationship; and determines the third weight of the file based on the access interval time and a third correspondence relationship, wherein the third correspondence relationship describes the relationship between the access interval time and the third weight preset in the electronic device, and the electronic device determines the popularity value based on the first weight, the second weight, and the third weight.

[0061] Optionally, the popularity value can be the product of the first weight, the second weight, and the third weight, or the sum of the first weight, the second weight, and the third weight.

[0062] The contents of multiple files may differ, and the importance of multiple files may also differ. For example, if file 1 contains important user information and file 2 contains unimportant user information, then file 1 is more important than file 2. Therefore, when protecting files using decoy files, file 1 can be protected first.

[0063] Optionally, the electronic device determines the popularity value of multiple files based on the first information of the multiple files, including: the electronic device determines the popularity value of multiple files based on the file content and the first information of the multiple files. The electronic device determines the importance of each file by recognizing the file content, and determines the popularity value of each file based on the importance of each file and the first information of that file.

[0064] Optionally, the electronic device has a preset fourth correspondence between keywords or key words and fourth weights. The electronic device can determine the keywords or key words contained in the file based on the file content, and determine the fourth weight of the file based on the keywords or key words and the fourth correspondence. Then, the electronic device determines the popularity value of multiple files based on the fourth weights of multiple files and the first information. For example, if file 1 contains keyword A, then the fourth weight is 1; if file 2 contains keyword B, then the fourth weight is 3.

[0065] Multiple files may have different file types. For example, file 1 is a text document (TXT), file 2 is an office document (doc), and file 3 is a picture (jpg). Since different file types carry different content, the importance of different file types also varies. Electronic devices can use decoy files to prioritize the protection of specific file types.

[0066] Optionally, the electronic device determines the popularity value of multiple files based on the first information of the multiple files, including: the electronic device determines the popularity value of multiple files based on the file type of the multiple files and the first information. The electronic device determines the importance of each file by the file type, and determines the popularity value of each file based on the importance of each file and the first information of that file.

[0067] Optionally, the electronic device has a pre-defined correspondence between file types and fifth weights. The electronic device can determine the fifth weight of a file based on its file type and the fifth correspondence, and then determine the popularity value of multiple files based on their fifth weights and the first information. For example, if file 1 is of type TXT, its fifth weight is 1; if file 2 is of type JPG, its fifth weight is 3.

[0068] To enable dynamic deployment of decoy files, electronic devices can define target events. When an electronic device detects a target event, it is triggered to update the decoy files within the device, thereby achieving dynamic deployment of the decoy files and enhancing their protective strength.

[0069] Optionally, in S201, the electronic device acquires the popularity values ​​of multiple files, including: in response to a target event, acquiring the popularity values ​​of multiple files, whereby the target event is used to indicate the update of the decoy file. Thus, after the electronic device detects the target event, it reacquires the popularity values ​​of multiple files and determines a new target file based on the latest acquired popularity values; then, it generates a new decoy file based on the new target file, and triggers the update of the decoy file through the target event to enhance the protective strength of the decoy file.

[0070] Optionally, in the first time period, the file is the target file, and the electronic device generates a decoy file based on this file; in the second time period, the electronic device detects a decrease in the file's popularity value, and therefore the file is no longer the target file in the second time period, so the electronic device deletes the decoy file corresponding to that file. The first time period is earlier than the second time period. Deleting older decoy files helps prevent them from occupying excessive space.

[0071] Optionally, if the target event includes at least one of reaching the decoy file update cycle, detecting that the electronic device performs a power-on operation, or detecting changes in the access records of multiple files, then the electronic device triggers the update of the decoy file by acquiring the popularity values ​​of multiple files. If the target event includes reaching the decoy file update cycle, then after the electronic device generates the decoy file, and the decoy file update cycle is reached after a preset time, the electronic device is triggered to update the decoy file. If the target event includes detecting that the electronic device performs a power-on operation, then the electronic device is triggered to update the decoy file after detecting that the electronic device performs a power-on operation. If the target event includes detecting changes in the access records of multiple files, then the electronic device is triggered to update the decoy file after detecting changes in the access records of multiple files.

[0072] Optionally, if the electronic device detects changes in the access records of a preset number of files or a preset proportion of files among multiple files, the electronic device determines that the access records of multiple files have changed and triggers the electronic device to update the decoy files of the electronic device.

[0073] In some embodiments, the electronic device acquires first information, second information, file type, and file content of multiple files; the electronic device determines the access frequency of each file based on the first information, and determines a first weight based on the access frequency of the file and a first correspondence; the electronic device determines the access frequency of the access path corresponding to each file based on the second information, and determines a second weight based on the access frequency of the access path corresponding to the file and a second correspondence; the electronic device determines the access interval time corresponding to multiple files based on the first information, and determines a third weight of the file based on the access interval time corresponding to the file and a third correspondence; the electronic device may determine the keywords or key words contained in the file based on the file content, and determines a fourth weight of the file based on the keywords or key words and a fourth correspondence; the electronic device may determine a fifth weight of the file based on the file type and a fifth correspondence; then the electronic device determines a popularity value based on the first weight, second weight, third weight, fourth weight, and fifth weight of multiple files, determines a target file based on the popularity value of multiple files, generates a decoy file based on the file information of the target file, and places the decoy file in the access path where the target file is located.

[0074] The popularity of each file can be the product of the first weight, the second weight, the third weight, the fourth weight, and the fifth weight, or the sum of the first weight, the second weight, the third weight, the fourth weight, and the fifth weight.

[0075] Optionally, the electronic device can monitor access to multiple files. When access to a target file is detected among the multiple files, the device acquires the access record of the target file and then obtains first information based on the access record of the target file at a preset time. The electronic device also acquires the access record of the access path where the target file is located and obtains second information based on the access record of the access path where the target file is located at a preset time.

[0076] Please see Figure 3 , Figure 3 Another architectural schematic diagram provided for an embodiment of this application, and Figure 1 The architecture is similar to that in other contexts. An electronic device contains multiple files, and the system acquires the popularity values ​​of these files. Based on these popularity values, a target file is determined, and a decoy file is generated and deployed within the electronic device. The difference lies in: Figure 3 Electronic device 1 is used to acquire the popularity values ​​of multiple files in other electronic devices (such as electronic devices 2, 3, and 4), and to determine the target file among these files based on the popularity values ​​of the files in the other electronic devices. The popularity value of the target file is greater than that of the other files in the multiple files. Then, based on the file information of the target file, a decoy file is generated for deployment on the other electronic devices. Figure 3 The decoy file generated by electronic device 1 is used for deployment in other electronic devices. In this way, one electronic device can deploy decoy files to multiple other electronic devices, thus saving the computing resources of the electronic devices.

[0077] It should be understood that the above description is merely to help those skilled in the art better understand the embodiments of this application, and is not intended to limit the scope of the embodiments of this application. Based on the examples given above, those skilled in the art can obviously make various equivalent modifications or changes. For example, some steps in the various methods described above may be unnecessary, or new steps may be added. Alternatively, any combination of two or more of the above embodiments may be used. Such modifications, changes, or combinations also fall within the scope of the embodiments of this application.

[0078] It should also be understood that the methods, situations, categories, and classifications of embodiments in this application are for the convenience of description only and should not constitute a special limitation. Various methods, categories, situations, and features in embodiments can be combined without contradiction.

[0079] It should also be understood that the various numerical designations used in the embodiments of this application are merely for descriptive convenience and are not intended to limit the scope of the embodiments of this application. The order of the process numbers described above does not imply the order of execution; the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of this application.

[0080] It should also be understood that the above description of the embodiments of this application focuses on highlighting the differences between the various embodiments. Any similarities or differences not mentioned can be referred to each other. For the sake of brevity, they will not be repeated here.

[0081] The above combination Figures 1-3 The embodiments of the methods and systems provided in this application have been described. The electronic devices provided in the embodiments of this application are described below.

[0082] This embodiment can divide the electronic device into functional modules according to the above method. For example, each function can be divided into its own functional modules, or two or more functions can be integrated into one processing module. The integrated modules can be implemented in hardware. It should be noted that the module division in this embodiment is illustrative and only represents one logical functional division; other division methods may be used in actual implementation.

[0083] It should be noted that the relevant content of each step involved in the above method embodiments can be referenced from the functional description of the corresponding functional module, and will not be repeated here.

[0084] The electronic device provided in this application embodiment is used to execute the decoy file deployment method provided in the above method embodiment, and thus can achieve the same effect as the above implementation method.

[0085] In other embodiments, when using integrated units, the electronic device may include a processing module, a storage module, and a communication module. The processing module can be used to control and manage the actions of the electronic device. For example, it can be used to support the electronic device in executing the steps performed by the processing unit. The storage module can be used to store program code and data, etc. The communication module can be used to support communication between the electronic device and other electronic devices.

[0086] The processing module can be a processor or a controller. It can implement or execute various exemplary logic blocks, modules, and circuits described in conjunction with the disclosure of this application. The processor can also be a combination that implements computing functions, such as a combination of one or more microprocessors, a combination of digital signal processing (DSP) and a microprocessor, etc. The storage module can be a memory. The communication module can specifically be a radio frequency circuit, a Bluetooth chip, a Wi-Fi chip, or a device that interacts with other electronic devices or electronic devices.

[0087] Based on the same concept, this application also provides an electronic device, see [link to relevant documentation]. Figure 4 , Figure 4 A schematic diagram of the structure of an exemplary electronic device according to this application is shown. Figure 4The electronic device shown can execute the steps of the decoy file deployment method performed by any of the electronic devices provided in the embodiments of this application.

[0088] The electronic device 400 includes at least one processor 401, a memory 403, and at least one network interface 404.

[0089] Processor 401 may be, for example, a general-purpose CPU, a digital signal processor (DSP), a network processor (NP), a GPU, a neural network processing unit (NPU), a data processing unit (DPU) for deploying decoy files, a microprocessor, or one or more integrated circuits or application-specific integrated circuits (ASICs) used to implement the scheme of this application, a programmable logic device (PLD), or other programmable logic devices, transistor logic devices, hardware components, or any combination thereof. A PLD may be, for example, a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof. It can implement or execute the various logic blocks, modules, and circuits described in connection with the disclosure of this application. A processor may also be a combination that implements computational functions, such as a combination of one or more microprocessors, a combination of a DSP and a microprocessor, etc.

[0090] Optionally, the electronic device 400 also includes a bus 402. The bus 402 is used to transmit information between the various components of the electronic device 400. The bus 402 can be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, etc. The bus 402 can be divided into an address bus, a data bus, a control bus, etc. For ease of representation, Figure 4 The bus is represented by a single thick line, but this does not mean that there is only one bus or one type of bus.

[0091] Memory 403 may be, for example, read-only memory (ROM) or other types of storage devices capable of storing static information and instructions; random access memory (RAM) or other types of dynamic storage devices capable of storing information and instructions; electrically erasable programmable read-only memory (EEPROM); compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compressed optical discs, laser discs, optical discs, digital versatile optical discs, Blu-ray discs, etc.); magnetic disk storage media or other magnetic storage devices; or any other medium capable of carrying or storing desired program code in the form of instructions or data structures and accessible by a computer, but not limited thereto. Memory 403 may exist independently and be connected to processor 401 via bus 402. Memory 403 may also be integrated with processor 401.

[0092] Network interface 404 uses any transceiver-like device for communicating with other devices or communication networks, such as Ethernet, radio access network (RAN), or wireless local area network (WLAN). Network interface 404 can include wired network interfaces and wireless network interfaces. Specifically, network interface 404 can be an Ethernet interface, such as Fast Ethernet (FE), Gigabit Ethernet (GE), Asynchronous Transfer Mode (ATM), WLAN, cellular network, or combinations thereof. The Ethernet interface can be an optical interface, an electrical interface, or a combination thereof. In some embodiments of this application, network interface 404 can be used by electronic device 400 to communicate with other devices.

[0093] In specific implementations, as some embodiments, processor 401 may include one or more CPUs. Each of these processors may be a single-core processor or a multi-core processor. Here, "processor" may refer to one or more devices, circuits, and / or processing cores for processing data (e.g., computer program instructions).

[0094] In specific implementations, as some embodiments, electronic device 400 may include multiple processors. Each of these processors may be a single-core processor or a multi-core processor. Here, a processor may refer to one or more devices, circuits, and / or processing cores for processing data (such as computer program instructions).

[0095] In some embodiments, memory 403 is used to store program instructions for executing the present application solution, and processor 401 can execute the program instructions stored in memory 403. That is, electronic device 400 can implement the method provided in the above embodiments through processor 401 and program instructions in memory 403. The program instructions may include one or more software modules. Optionally, processor 401 itself may also store program instructions for executing the present application solution.

[0096] In specific implementation, the processor 401 in the electronic device 400 of this application reads instructions from the memory 403, causing... Figure 4 The electronic device 400 shown is capable of performing all or part of the steps in the decoy file deployment method performed by the electronic device in the above embodiments.

[0097] In the above embodiments, each step of the method is implemented through integrated logic circuits in the hardware of the processor of the electronic device 400 or through software instructions. The steps of the method embodiments disclosed in this application can be directly implemented by the hardware processor, or implemented by a combination of hardware and software modules in the processor. The software modules can reside in random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, or other mature storage media in the art. Since the storage medium is located in memory, the processor reads information from the memory and, in conjunction with its hardware, completes the steps of the above method embodiments; to avoid repetition, these will not be described in detail here.

[0098] It should be understood that the aforementioned processor can be a central processing unit (CPU), or other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. General-purpose processors can be microprocessors or any conventional processor. It is worth noting that the processor can be a processor supporting the Advanced Reduced Instruction Set Computing (RISC) machine (ARM) architecture.

[0099] Furthermore, in an alternative embodiment, the memory described above may include read-only memory and random access memory, and provide instructions and data to the processor. The memory may also include non-volatile random access memory. For example, the memory may also store device type information.

[0100] The memory can be volatile or non-volatile, or may include both. The non-volatile memory can be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), or flash memory. The volatile memory can be random access memory (RAM), which serves as an external cache. Many forms of RAM are available by way of example, but not limitation. Examples include static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous linked dynamic random access memory (SLDRAM), and direct rambus RAM (DR RAM).

[0101] The electronic device provided in this embodiment can execute the above method embodiment, and its implementation principle and technical effect are similar, so they will not be described again here.

[0102] This application also provides a computer-readable storage medium storing a computer program thereon, which, when executed by a processor, implements the methods described in the above-described method embodiments.

[0103] This application also provides a computer program product that, when run on an electronic device, causes the electronic device to implement the method described in the above-described method embodiments.

[0104] This application provides a chip, including a processor, for calling and executing instructions stored in a memory, causing a communication device with the chip installed to execute the method described in the above-described method embodiments of any electronic device provided in this application.

[0105] This application also provides a chip system including a processor coupled to a memory. The processor executes a computer program stored in the memory to implement the method described in the above-described method embodiments. The chip system may be a single chip or a chip module composed of multiple chips.

[0106] In the above embodiments, implementation can be achieved entirely or partially through software, hardware, firmware, or any combination thereof. When implemented using software, it can be implemented entirely or partially in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, all or part of the processes or functions described in the embodiments of this application are generated. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The computer instructions can be stored in a computer-readable storage medium or transmitted through the computer-readable storage medium. The computer instructions can be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, digital subscriber line) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium that a computer can access or a data storage device such as a server or data center that integrates one or more available media. The available medium can be a magnetic medium (e.g., floppy disk, hard disk, or magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid-state disk (SSD)).

[0107] Those skilled in the art will understand that implementing all or part of the processes in the above embodiments can be accomplished by a computer program instructing related hardware. This program can be stored in a computer-readable storage medium, and when executed, it can include the processes described in the above method embodiments. The aforementioned storage medium can include various media capable of storing program code, such as ROM or random access memory (RAM), magnetic disks, or optical disks.

[0108] The naming or numbering of steps in this application does not mean that the steps in the method flow must be executed in the time / logical order indicated by the naming or numbering. The execution order of the named or numbered process steps can be changed according to the technical purpose to be achieved, as long as the same or similar technical effect can be achieved.

[0109] In the above embodiments, the descriptions of each embodiment have different focuses. For parts that are not described in detail or recorded in a certain embodiment, please refer to the relevant descriptions of other embodiments.

[0110] In the embodiments provided in this application, it should be understood that the disclosed apparatus / devices and methods can be implemented in other ways. For example, the apparatus / device embodiments described above are merely illustrative. For instance, the division of modules or units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between apparatuses or units may be electrical, mechanical, or other forms.

[0111] It should be understood that in the description of this application and the appended claims, the terms "comprising," "including," "having," and any variations thereof are intended to cover a non-exclusive inclusion and mean "including but not limited to," unless otherwise specifically emphasized. For example, a process, method, system, product, or apparatus that includes a series of steps or modules is not necessarily limited to those steps or modules that are explicitly listed, but may include other steps or modules that are not explicitly listed or that are inherent to such process, method, product, or apparatus.

[0112] In the description of this application, unless otherwise stated, " / " indicates that the objects before and after are in an "or" relationship. For example, A / B can mean A or B. "And / or" in this application is used to describe the relationship between the related objects, indicating that there can be three relationships. For example, A and / or B can mean: A exists alone, A and B exist at the same time, and B exists alone. A and B can be singular or plural.

[0113] Furthermore, in the description of this application, unless otherwise stated, "multiple" means two or more. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of single or plural items. For example, at least one of a, b, or c can mean: a, b, c, ab, ac, bc, or abc, where a, b, and c can be single or multiple.

[0114] As used in this application specification and the appended claims, the term "if" may be interpreted, depending on the context, as "when," "once," "in response to determination," or "in response to detection." Similarly, the phrase "if determined" or "if detected [the described condition or event]" may be interpreted, depending on the context, as meaning "once determined," "in response to determination," "once detected [the described condition or event]," or "in response to detection [the described condition or event]."

[0115] Furthermore, in the description of this application and the appended claims, the terms "first," "second," etc., are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence, nor should they be construed as indicating or implying relative importance or implicitly specifying the number of indicated technical features. It should be understood that such data can be interchanged where appropriate so that the embodiments described herein can be implemented in a sequence other than that illustrated or described herein; features defined as "first" or "second" may explicitly or implicitly include at least one of those features.

[0116] In the embodiments of this application, the words "exemplarily" or "for example" are used to indicate examples, illustrations, or explanations. Any embodiment or design described as "exemplarily" or "for example" in the embodiments of this application should not be construed as being more preferred or advantageous than other embodiments or design solutions. Specifically, the use of the words "exemplarily" or "for example" is intended to present the relevant concepts in a specific manner.

[0117] References to "one embodiment" or "some embodiments" in this specification mean that one or more embodiments of this application include a specific feature, structure, or characteristic described in connection with that embodiment. Therefore, the phrases "in one embodiment," "in some embodiments," "in other embodiments," "in still other embodiments," etc., appearing in different parts of this specification do not necessarily refer to the same embodiment, but rather mean "one or more, but not all, embodiments," unless otherwise specifically emphasized.

[0118] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of this application, and are not intended to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some or all of the technical features therein. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the scope of the technical solutions of the embodiments of this application.

Claims

1. A method for deploying a decoy file, characterized in that, The method includes: Obtain the popularity value of multiple files, the popularity value being used to indicate the frequency with which the files are accessed; A target file is determined from the multiple files based on their popularity values, wherein the popularity value of the target file is greater than that of the other files in the multiple files; A decoy file is generated based on the file information of the target file.

2. The method according to claim 1, characterized in that, The process of obtaining the popularity values ​​of multiple files includes: First information of multiple files is obtained, and popularity values ​​of multiple files are determined based on the first information of multiple files, wherein the first information is used to indicate access records of multiple files.

3. The method according to claim 2, characterized in that, The step of determining the popularity value of multiple files based on the first information of the multiple files includes: Second information about the access paths of multiple files is obtained, and the popularity value of multiple files is determined based on the first information and the second information. The second information is used to indicate the access records of the access paths of multiple files.

4. The method according to claim 2 or 3, characterized in that, The first information includes the access time corresponding to each access to the file; The step of determining the popularity value of multiple files based on the first information of the multiple files includes: The popularity values ​​of multiple files are determined based on the first information and the access interval time, wherein the access interval time is the time interval between the access time and the current time.

5. The method according to any one of claims 2 to 4, characterized in that, The step of determining the popularity value of multiple files based on the first information of the multiple files includes: Obtain the file type and / or file content of multiple files; The popularity value of multiple files is determined based on the file type and / or file content of the multiple files and the first information.

6. The method according to any one of claims 1 to 5, characterized in that, The process of obtaining the popularity values ​​of multiple files includes: In response to a target event, the popularity values ​​of multiple files are obtained, the target event being used to indicate the update of the decoy file.

7. The method according to claim 6, characterized in that, The target events include at least one of the following: reaching the decoy file update cycle, detecting changes in the access records of multiple files, and detecting the execution of a boot operation.

8. An electronic device, characterized in that, include: The memory includes computer-readable instructions; A processor communicating with the memory, the processor being configured to execute the computer-readable instructions, causing the electronic device to perform the method for deploying the decoy file according to any one of claims 1-7.

9. A computer-readable storage medium, characterized in that, Includes a program or instruction that, when executed by a processor, implements the method for deploying a decoy file as described in any one of claims 1-7.

10. A computer program product, characterized in that, The computer program product includes instructions that, when executed by a computer, implement the method for deploying the decoy file as described in any one of claims 1-7.

Images