Ransomware identification method and system based on multi-source data fusion
By employing a ransomware identification method that integrates multi-source data, this approach simultaneously acquires and analyzes behavioral data from file systems, system resources, and industrial control systems. By utilizing multi-dimensional feature fusion and weighted scoring, it addresses the issues of delayed identification and insufficient interpretability of unknown ransomware in existing technologies, thereby achieving accurate identification and protection against ransomware.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- NAT IND INFORMATION SECURITY DEV RES CENT
- Filing Date
- 2026-03-31
- Publication Date
- 2026-06-23
AI Technical Summary
Existing ransomware detection methods are insufficient in their ability to identify unknown variants and rapidly iterating viruses, and lack interpretability, thus failing to meet the high security protection requirements of industrial control systems.
By using a multi-source data fusion method, file system event data, system resource operation indicators, process behavior data, and industrial control system behavior data are acquired simultaneously. File characteristics, process characteristics, and industrial scenario characteristics are identified, and weighted scoring is performed using binary mapping, piecewise linear, and normalized mapping functions to achieve accurate identification and protection against ransomware.
It achieves accurate identification of known ransomware and unknown variants, has good interpretability, can cope with the rapidly iterating attack patterns of ransomware, and improves the comprehensiveness of attack identification and prevention capabilities.
Smart Images

Figure CN122263100A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of ransomware detection, and in particular to a ransomware identification method and system based on multi-source data fusion. Background Technology
[0002] Currently, information systems have widely penetrated key areas such as government affairs, industrial control, finance, and corporate offices. Ransomware, as one of the most destructive cybersecurity threats, encrypts, tampers with, or renames target files in batches after infiltrating systems, destroying file accessibility and integrity, and demanding data recovery in exchange for ransom. Once an attack is successful, it can not only lead to the loss of important data and business interruption, causing significant economic losses, but in industrial control system environments, it may also extend to the physical level, causing serious security risks such as production stoppages and equipment malfunctions, posing a severe challenge to the security of critical information infrastructure.
[0003] In existing technologies, ransomware detection methods have mainly formed two mainstream directions. One is the traditional detection method based on matching file extension blacklists and process name features. Threat identification is achieved by comparing file extensions with the encrypted features of known ransomware and process names with known ransomware names. The other is the detection method based on machine learning or neural network models, which has emerged in recent years. It achieves automatic identification by relying on large-scale sample training. At the same time, related technologies are also evolving towards full-process attack chain protection and AI-enabled detection, but there are still obvious technical shortcomings. Traditional feature matching methods rely heavily on known feature libraries. When faced with rapidly iterating unknown ransomware variants and obfuscated new ransomware, their identification ability is weak, exhibiting significant lag and evasion risks, and they are difficult to adapt to dynamically changing attack situations. Detection methods based on machine learning or neural networks are limited by the difficulty of obtaining ransomware samples and the uneven distribution of samples. This can lead to unstable model training results, high false positive rates, and insufficient generalization ability. Furthermore, the decision-making process of neural network models is "black box" and lacks interpretability, failing to meet the core application requirements of controllable and auditable protection in industrial scenarios and security-critical systems. At the same time, traditional protection technologies also suffer from fragmented security capabilities and difficulty in dealing with cross-domain penetration attacks.
[0004] Therefore, existing ransomware detection methods have limitations such as inaccurate identification of known ransomware, lag in identification of unknown variants, lack of interpretability of models, and insufficient generalization ability, making them unable to meet the high security protection requirements of critical information infrastructure and industrial control environments. Summary of the Invention
[0005] The purpose of this application is to provide a ransomware identification method and system based on multi-source data fusion, which can accurately identify known ransomware and unknown variants, while having good interpretability.
[0006] To achieve the above objectives, this application provides the following solution: Firstly, this application provides a ransomware identification method based on multi-source data fusion, including: Synchronously acquire file system event data, system resource operation indicators, process behavior data, and industrial control system behavior data of the target terminal; File characteristics are identified from file system event data, system operation behavior characteristics are identified from system resource operation indicators, process characteristics are identified from process behavior data, and industrial scenario characteristics are identified from industrial control system behavior data; the file characteristics include file extension, information entropy value, and actual file type; the process characteristics include process name and process behavior; If the file extension or the actual file type satisfies the essential behavioral characteristics of ransomware encrypting files, or if the process name satisfies the ransomware process naming rules, then it is determined to be a strong indicator feature. If the information entropy value satisfies the essential behavioral characteristics of ransomware encrypting files, or if the process behavior satisfies the abnormal file operation behavior of ransomware processes, then it is determined to be a medium-level indicative characteristic. If the system's operational behavior characteristics satisfy the abnormal operational state fluctuations caused by ransomware, or if the industrial scenario characteristics satisfy the abnormal behavior of ransomware in an industrial application environment, then it is determined to be a basic situation characteristic. Based on the strong indication characteristics, the first sub-risk score is determined using a binary mapping function; Based on the moderate indicative characteristics, the second sub-risk score is determined using a threshold-based piecewise linear mapping function; Based on the basic situation characteristics, the third sub-risk score is determined using a normalized mapping function; Based on the first sub-risk score, the second sub-risk score, and the third sub-risk score, a weighted scoring mechanism is used to obtain the overall urgency score; When the overall urgency score is greater than or equal to a preset threshold, it is identified as a ransomware attack, and the operation of terminating suspicious processes in parallel is automatically triggered to block network connections in order to prevent the spread of ransomware attacks.
[0007] Optionally, the file system event data includes: creation, modification, deletion, and renaming of files on a specified disk drive; The system resource operation indicators include: CPU utilization, memory usage, network transmission rate, and number of TCP connections; The industrial control system behavior data includes: file operations, process running status, and port activity of PLC programming, SCADA system, DCS control system, and MES production execution system.
[0008] Optionally, file extensions are identified from file system event data, wherein the file extensions satisfy the essential behavioral characteristics of ransomware encrypting files, including: Capture files and file paths that have been created, modified, or renamed within the monitored directory range from the file system event data; Parse the filename string in the file path and use the string after the last delimiter as the original file extension; The original file extensions are standardized to obtain file extensions; the standardization process includes: converting the extensions to lowercase and removing illegal characters or redundant whitespace characters. Construct a blacklist of suspicious ransomware extensions; the blacklist of suspicious ransomware extensions consists of the extensions used by known ransomware to encrypt files, the extensions used by publicly disclosed ransomware to encrypt files, and a predefined set of suspicious extensions; Match the file extensions with the blacklist of suspected ransomware extensions; When the file extension is detected to match any extension in the ransomware's suspicious extension blacklist, it is determined that the file extension satisfies the essential behavioral characteristics of ransomware encrypting files. Within a preset detection time window, count the number of files whose extensions have changed, and record the new extension type. When multiple file extensions are modified within a single time window, and the changed extensions do not belong to the predefined set of legal business extensions, it is determined that there is a risk of abnormal extensions. When multiple files are uniformly modified to the same unknown extension within a preset time, it is determined that the file extension satisfies the essential behavioral characteristics of ransomware encrypting files.
[0009] Optionally, an information entropy value is identified from file system event data, wherein the information entropy value satisfies the essential behavioral characteristics of ransomware encrypting files, including: Read byte data from a file; The read byte data is scanned byte by byte, and the number of times each byte value in the range of 0 to 255 appears in the byte data is counted to form a byte frequency statistics table; Based on the byte frequency statistics table, calculate the probability of occurrence for each byte value; the probability of occurrence is equal to the ratio of the number of times the byte appears to the total number of bytes. The information entropy value of the file is calculated using the Shannon entropy formula based on the probability of occurrence of each byte value. When the information entropy value is greater than or equal to the preset entropy threshold, it is determined that the information entropy value meets the essential behavioral characteristics of ransomware encrypting files, and the file is marked as a suspected encrypted file.
[0010] Optionally, the real file type is identified from file system event data, wherein the real file type satisfies the essential behavioral characteristics of ransomware encrypted files, including: Read the header bytes of the file; The read file header bytes are converted into hexadecimal representation to construct a magic number feature sequence for file type identification; Establish a magic number feature library for file formats; Matching magic number feature sequences with file format magic number feature libraries; When the magic number feature sequence does not match any magic number feature sequence or matching rule in the file format magic number feature library, the true file type is determined to be an unknown type or an abnormal type, and the true file type satisfies the essential behavioral characteristics of ransomware encrypted files.
[0011] Optionally, system operational behavior characteristics are identified from system resource operation indicators, wherein the system operational behavior characteristics satisfy the abnormal operational state fluctuations caused by ransomware, including: Count the number of file creation, modification, renaming, and deletion events that occur within a unit of time. When the growth rate of the number of file events within a preset time period is greater than the growth rate threshold, and the number of file events is greater than the preset threshold of the historical normal operation level, it is determined that there is abnormal file operation behavior. Obtain data on network traffic, the number of accesses to external addresses, communication traffic, and changes in available system memory resources; When the system experiences an abnormal increase in network traffic during abnormal business hours, or establishes an abnormal connection with an external address whose risk value exceeds the risk threshold, it is determined that the system has network activity related to ransomware. When the system establishes a connection with an external address that does not belong to the predefined set of trusted addresses, and the number of accesses within a preset time exceeds the threshold, it is judged as an abnormal and risky connection. When the rate of decrease of the change in available memory resources in the system exceeds a rate threshold within a preset time period and cannot be explained by normal business load, it is judged as abnormal behavior.
[0012] Optionally, process characteristics are identified from process behavior data, wherein the process names conform to ransomware process naming rules, including: Obtain the process name from process behavior data; The process name is matched with a pre-established ransomware process feature database. The ransomware process feature database includes process name features, naming rules and feature information corresponding to known ransomware and known ransomware variants. The feature information includes ransomware family name, variant name, case conversion form and matching features constructed based on string similarity or regular expression rules. When a process name matches a feature in the ransomware process feature library, or exhibits a random naming feature without obvious semantics, the process is determined to have a ransomware risk. Statistics on file type access behavior of each process within a unit of time; When a single process performs continuous write or overwrite operations on different files within a preset time period, and the access frequency is greater than the historical normal operating baseline of the system, the process is determined to have abnormal file operation behavior.
[0013] Optionally, industrial scenario characteristics are identified from industrial control system behavior data, wherein the industrial scenario characteristics satisfy the abnormal behavior of ransomware in industrial application environments, including: Obtain modification behavior of industrial engineering documents from industrial control system behavior data; When industrial engineering documents are modified multiple times outside of maintenance periods, or renamed with an unknown extension or with a ransomware-specific extension, it is determined that there is abnormal risk behavior. When an unauthorized process initiates an abnormal connection to a port in an industrial environment, or when multiple connection attempts occur within a preset time, the system is deemed to have suffered abnormal access behavior.
[0014] Optionally, the binary mapping function is: ; In the formula, Features Sub-risk scores; The threshold-based piecewise linear mapping function is: ; In the formula, Features Observations within the current time window, This is the threshold for the start of an anomaly. This is the abnormal saturation threshold. ; The normalized mapping function is: ; In the formula, This refers to the ratio or deviation indicator. , This is the historical baseline value. and These represent the multiplier thresholds for the onset and significant occurrence of system anomalies, respectively. The formula for calculating the overall urgency score is as follows: ; In the formula, The overall urgency score; Features The assigned weights satisfy ; The number of features.
[0015] Secondly, this application provides a ransomware identification system based on multi-source data fusion, including: a data acquisition module, a feature fusion module, an identification engine, and a response execution module; The data acquisition module automatically identifies the terminal's disk drive and supports custom monitoring drive letters; the data acquisition module is used to synchronously acquire file system event data, system resource operation indicators, process behavior data, and industrial control system behavior data of the target terminal; The feature fusion module is used to identify file features from file system event data, system operation behavior characteristics from system resource operation indicators, process features from process behavior data, and industrial scenario characteristics from industrial control system behavior data. The file features include file extension, information entropy value, and actual file type. The process features include process name and process behavior. If the file extension or the actual file type satisfies the essential behavioral characteristics of ransomware encrypted files, or the process name satisfies ransomware process naming rules, it is determined to be a strong indicative feature. If the information entropy value satisfies the essential behavioral characteristics of ransomware encrypted files, or the process behavior satisfies abnormal file operation behavior of ransomware processes, it is determined to be a medium indicative feature. If the system operation behavior characteristics satisfy the abnormal operational state fluctuations caused by ransomware, or the industrial scenario characteristics satisfy the abnormal behavior of ransomware in industrial application environments, it is determined to be a basic situational feature. The identification engine determines the first sub-risk score based on strong indicative features using a binary mapping function; the second sub-risk score based on moderate indicative features using a threshold-based piecewise linear mapping function; and the third sub-risk score based on basic situational features using a normalized mapping function. A weighted scoring mechanism is then applied to the first, second, and third sub-risk scores to obtain an overall urgency score. When the overall urgency score is greater than or equal to a preset threshold, it is determined to be a ransomware attack. The response execution module provides both automatic and manual protection, automatically triggering parallel termination of suspicious processes and blocking network connections to prevent the spread of ransomware attacks.
[0016] According to the specific embodiments provided in this application, this application has the following technical effects: This application provides a ransomware identification method and system based on multi-source data fusion. It does not rely on known feature libraries or large-scale labeled samples, but rather on the essential behavioral patterns of ransomware encryption attacks. It directly captures the essential behavioral characteristics of ransomware, such as batch file encryption, file attribute tampering, and abnormal resource consumption. Regardless of whether the virus possesses known feature identifiers or has undergone obfuscation or transformation, as long as it exhibits abnormal behavior consistent with the essence of ransomware attacks, it can be quickly identified. This achieves accurate identification of known ransomware, unknown variants, and new types of ransomware across the entire spectrum, effectively addressing the rapidly evolving attack landscape of ransomware. The sub-risk scores and mapping rules for each feature are definable, traceable, and verifiable. The overall urgency score can be completely decomposed into the contribution of each dimension of features. Each risk judgment can be mapped to a specific abnormal file, abnormal process, or abnormal behavioral event, exhibiting good interpretability.
[0017] This application extracts core indicators from four dimensions—file features, process features, system operation behavior features, and industrial scenario features—simultaneously from multi-source data. It covers the entire attack chain behavior characteristics of ransomware, from file encryption, abnormal process execution, system status fluctuations to network external propagation. Through complementary verification of multi-source heterogeneous features, it completely changes the inherent defect of the traditional "single point judgment" approach, significantly improves the comprehensiveness of attack identification, and effectively prevents attackers from evading detection by tampering with a single feature.
[0018] Based on the strength of the indication of ransomware attacks, this application classifies them into three categories: strong indication features, medium indication features, and basic situational features. For each category of features, three differentiated score conversion functions are designed: binary mapping, piecewise linear mapping, and normalized mapping. This approach achieves rapid and high-weighted determination of clear ransomware behavior through strong indication features, while the gradual accumulation of scores for medium and situational features avoids misjudgments caused by normal business fluctuations. Attached Figure Description
[0019] To more clearly illustrate the technical solutions in the embodiments of this application or related technologies, the drawings used in the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0020] Figure 1 A flowchart illustrating a ransomware identification method based on multi-source data fusion, provided for an embodiment of this application; Figure 2 This is a schematic diagram of the structure of a computer device provided in an embodiment of this application. Detailed Implementation
[0021] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.
[0022] To make the above-mentioned objectives, features and advantages of this application more apparent and understandable, the application will be further described in detail below with reference to the accompanying drawings and specific embodiments.
[0023] In one exemplary embodiment, such as Figure 1 As shown, a ransomware identification method based on multi-source data fusion is provided. This method is executed by a computer device, specifically by a terminal or server alone, or by both a terminal and a server. In this embodiment, it includes the following steps 101 to 110.
[0024] Step 101: Synchronously acquire file system event data, system resource operation indicators, process behavior data, and industrial control system behavior data of the target terminal.
[0025] Step 102: Identify file features from file system event data, identify system operation behavior characteristics from system resource operation indicators, identify process features from process behavior data, and identify industrial scenario characteristics from industrial control system behavior data; the file features include file extension, information entropy value, and actual file type; the process features include process name and process behavior.
[0026] Step 103: If the file extension or the actual file type satisfies the essential behavioral characteristics of ransomware encrypting files, or if the process name satisfies the ransomware process naming rules, then it is determined to be a strong indicator feature.
[0027] Step 104: If the information entropy value satisfies the essential behavioral characteristics of ransomware encrypting files, or if the process behavior satisfies the abnormal file operation behavior of ransomware processes, then it is determined to be a medium-level indicator feature.
[0028] Step 105: If the system operation behavior characteristics meet the abnormal operation state fluctuations caused by ransomware, or the industrial scenario characteristics meet the abnormal behavior of ransomware in an industrial application environment, then it is determined to be a basic situation characteristic.
[0029] Step 106: Determine the first sub-risk score using a binary mapping function based on the strong indication features.
[0030] Step 107: Determine the second sub-risk score using a threshold-based piecewise linear mapping function based on the medium indication features.
[0031] Step 108: Based on the basic situation characteristics, determine the third sub-risk score using the normalized mapping function.
[0032] Step 109: Based on the first sub-risk score, the second sub-risk score, and the third sub-risk score, a weighted scoring mechanism is used to obtain the overall urgency score.
[0033] Step 110: When the overall urgency score is greater than or equal to the preset threshold, it is determined to be a ransomware attack.
[0034] By implementing steps 101 to 110 above, the method of this application does not rely on a single feature matching rule, nor does it rely entirely on a large-scale training sample. Instead, it extracts and integrates file features, process features, system operation behavior features, and industrial scenario-specific features from multiple dimensions to construct an interpretable threat assessment model, thereby achieving a comprehensive judgment of ransomware behavior and subsequent response.
[0035] This application achieves accurate identification and intelligent response to ransomware by integrating multi-source heterogeneous data, extracting multi-dimensional features, and constructing dynamic evaluation, which is particularly suitable for the security protection needs of industrial control environments and critical information infrastructure.
[0036] In another exemplary embodiment of this application, the file system event data includes: operation records such as creation, modification, deletion and renaming of files on a specified disk drive; system resource operation indicators include: CPU utilization, memory usage, network transmission rate and number of TCP connections; industrial control system behavior data includes: key file operations, process running status and port activity of PLC programming, SCADA system, DCS control system and MES production execution system.
[0037] After data collection is completed, the feature fusion and extraction stage begins, where multi-dimensional feature engineering is used to accurately characterize ransomware behavior.
[0038] In actual operation, ransomware encryption and propagation behaviors typically trigger a series of abnormal characteristics that differ from the normal operating state of the system. For example, a large number of files may be modified or renamed in a short period, file information entropy may increase significantly, the actual file type and extension may be inconsistent, the number of system file events may surge, processes may perform more frequent write operations on critical files, and abnormal network connections or sudden increases in network traffic may occur. These abnormal characteristics can all serve as important criteria for identifying ransomware attacks.
[0039] In another exemplary embodiment of this application, at the file feature level, the core features of file extension, information entropy value, and real file type (magic number) are extracted. By comparing suspicious extensions (such as locked, crypt) in the ransomware blacklist and determining whether the file entropy value exceeds a preset threshold (default 7.5), potential encryption behavior is identified.
[0040] (i) Identify file extensions from file system event data, wherein the file extensions satisfy the essential behavioral characteristics of ransomware encrypting files, including: Step 1: Obtain the file path and parse the file extension. 1) During system operation, based on the file system event listening mechanism, files that have been created, modified, or renamed within the monitored directory range are captured, and the complete path information of the files that have been created or renamed is obtained; 2) Parse the filename string in the file path and use the string after the last "." symbol as the file extension.
[0041] Step 2: File extension standardization To avoid the impact of case sensitivity differences or unusual naming conventions on the detection results, the parsed file extensions are standardized, including but not limited to: Convert all file extensions to lowercase. Remove illegal characters or redundant whitespace characters.
[0042] Step 3: Risk Assessment of Name Extensions 1) Risk assessment based on a file extension blacklist: Standardized file extensions are matched against a pre-built blacklist of suspected ransomware extensions. The blacklist includes extensions used by known and publicly disclosed ransomware files (such as locked, crypt, crypto, enc, encrypted, etc.) as well as a manually defined set of suspected extensions. When a file extension is detected to match any extension in the blacklist, the file is considered to have high-risk ransomware characteristics. This method is used to identify encrypted files generated by known ransomware or its variants.
[0043] 2) Anomaly Detection Based on File Extension Changes: Within a preset detection time window, the number of files whose file extensions have changed is counted, and the new file extension type is recorded. When multiple files have their file extensions modified within a single time window, and the new file extensions do not belong to the predefined set of legitimate business file extensions, an anomaly risk is identified. When multiple files are uniformly modified to the same unknown file extension within a short period of time, it is identified as a high-risk ransomware characteristic. This detection method is used to identify unknown or new types of ransomware.
[0044] (ii) Identifying information entropy values from file system event data, wherein the information entropy values satisfy the essential behavioral characteristics of ransomware encrypting files, including: Step 1: Read file byte data Perform byte-level read operations on the target file without relying on file extension and file type information; Based on system performance and real-time requirements, file content can be obtained using any of the following methods: Reading all bytes of a file: Starting from the beginning offset of the file, read continuously to the end of the file according to the file's storage order to obtain the complete binary data content of the file. This method is suitable for scenarios with small file sizes or where system resources allow, and can obtain the most complete byte distribution information, thereby improving the accuracy of information entropy calculation. Byte data refers to the raw data of a file stored in binary form on the storage medium, regardless of file type.
[0045] The byte data refers to the original data content of the file stored in binary form in the storage medium. It consists of consecutive byte units in the order of file storage and does not contain logical information after parsing the file structure or semantics.
[0046] Reading a portion of the file's bytes: A block of bytes of predetermined length is read from a predetermined offset position in the file, where the predetermined offset position corresponds to at least one of the file header region, the middle region of the file, and / or the file tail region. This method is suitable for scenarios with large file sizes or high real-time requirements. It estimates the file's byte distribution characteristics through sampling while reducing the storage access resource consumption of file reading.
[0047] Step 2: Statistical analysis of byte frequency distribution The file byte data is scanned byte by byte, and the number of times each byte value in the range of 0 to 255 appears in the file data is counted to construct a byte frequency statistics table.
[0048] Step 3: Calculate the byte probability distribution Based on the byte frequency statistics, the probability of each byte value appearing in the file data is calculated, where: The probability of each byte value occurring is equal to the ratio of the number of times that byte occurs to the total number of bytes.
[0049] Step 4: Calculate the file information entropy value Based on the aforementioned byte probability distribution, the information entropy value of the file is calculated using the Shannon entropy formula: ; in Represents byte value The probability of occurrence in the file is expressed as the entropy value in bits / byte.
[0050] Step 5: Determine the entropy threshold The calculated information entropy value is compared with the preset entropy threshold (default 7.5); When the information entropy value is greater than or equal to the preset entropy threshold (default 7.5), the file content is determined to have highly random characteristics and is marked as a suspected encrypted file.
[0051] (iii) Identifying the real file type from file system event data, wherein the real file type satisfies the essential behavioral characteristics of ransomware encrypted files, including: Step 1: Read the header byte sequence and construct the magic number feature sequence. Without relying on the file extension, read bytes of data of a predetermined length from the beginning of the file to be detected as file header data, wherein the predetermined length at least covers the signature byte length of common file formats; The read file header bytes are converted into hexadecimal representation to construct a magic number feature sequence for file type identification.
[0052] Step 2: Establish a magic number feature library for file formats A pre-established magic number feature library for file formats is used to store the header byte features corresponding to various common file formats, wherein each file format corresponds to at least one magic number feature sequence. The magic number feature sequence includes a fixed byte sequence located at the beginning of the file and / or a structured feature byte sequence located at a predetermined offset position.
[0053] The file format magic number feature library may include, but is not limited to, the following exemplary magic number feature sequences: ZIP file format: The file starts with bytes 50 4B 03 04; OLE compound document format (legacy Office files): The file starts with bytes D0 CF 11 E0 A1 B1 1AE1; PDF file format: The file starts with 25 50 44 46 bytes; JPEG file format: The file starts with FF D8 FF bytes; PNG file format: The file starts with bytes 89 50 4E 47 0D 0A 1A 0A; GIF file format: The file starts with bytes 47 49 46 38 37 61 or 47 49 46 38 39 61; BMP file format: The file starts with 42 4D bytes; TIFF file format: The file starts with bytes 49 49 2A 00 or 4D 4D 00 2A; RAR file format: The file starts with bytes 52 61 72 21 1A 07 00; 7-Zip file format: The file starts with bytes 37 7A BC AF 27 1C; GZIP file format: The file starts with bytes 1F 8B; SQLite database file format: The file starts with bytes 53 51 4C 69 74 65 20 66 6F 72 6D61 74 20 33.
[0054] For file formats employing container or segmented structures, the magic number feature library also includes joint matching rules based on multiple fields, such as: RIFF / WAV file format: The file starts with bytes 52 49 46 46 and contains the byte sequence 57 41 56 45 at a predetermined offset position; MP3 file format with ID3 tag: The file starts with bytes 49 44 33.
[0055] Step 3: Magic Number Matching and Real File Type Recognition The magic number feature sequence constructed in step 1 is matched with the file format magic number feature library in step 2 to determine whether the magic number feature sequence is consistent with the magic number feature sequence or matching rule of any known file format.
[0056] When the magic number feature sequence successfully matches the magic number feature of a certain file format, the true file type of the file is determined to be the corresponding known file format; When the magic number feature sequence cannot match any magic number feature sequence or matching rule in the magic number feature library, the true file type of the file is determined to be an unknown type or an abnormal type.
[0057] In another exemplary embodiment of this application, at the system behavior characteristic level, abnormal fluctuations caused by ransomware are identified by analyzing the temporal changes in the overall system operating state. System operating behavior characteristics are identified from file system event data and system resource operation indicators. These system operating behavior characteristics satisfy the abnormal operating state fluctuations caused by ransomware, including: The system counts the number of file creation, modification, renaming, and deletion events occurring within a unit of time from file system event data. If the growth rate of the number of file events within a preset time period exceeds a growth rate threshold, and the number of file events exceeds a preset threshold for historical normal operation levels, abnormal file operation behavior is determined. The system also acquires data on changes in network traffic, external address access counts, communication traffic, and available system memory resources. If the system experiences abnormal growth in network traffic during abnormal business hours, or establishes abnormal connections with external addresses whose risk value exceeds a risk threshold, ransomware-related network activity is determined. If the system establishes connections with external addresses not belonging to a predefined set of trusted addresses, and the number of accesses within a preset time period exceeds a number threshold, it is determined to be an abnormal risk connection. Finally, if the rate of decrease in available system memory resources within a preset time period exceeds a rate threshold and cannot be explained by normal business load, it is determined to be abnormal behavior.
[0058] Specifically, the system counts the number of file events (such as file creation, modification, renaming, and deletion) occurring within a unit of time. When these file events experience a sudden surge in a short period, exceeding a preset threshold for the system's historical normal operating levels, abnormal file operation behavior is identified. Simultaneously, the system monitors network communication status. When the system experiences an abnormal surge in network traffic during abnormal business hours, or establishes abnormal connections with high-risk external addresses, ransomware-related network activity is identified. The identification of high-risk external addresses is achieved by comparing them with the system's historical normal communication baseline. When the system establishes a connection with an external address not belonging to a predefined set of trusted addresses, and this connection exhibits high-frequency access, abnormal traffic growth, or a significant temporal correlation with abnormal file operation behavior within a short period, it is identified as an abnormal high-risk connection. Furthermore, changes in available memory resources are monitored. When available memory resources show a significant decrease within a short period, and this change cannot be explained by normal business load, it is used as an important reference characteristic for abnormal system behavior.
[0059] In another exemplary embodiment of this application, at the process characteristic level, suspicious processes are screened by jointly analyzing the name characteristics and behavioral characteristics of processes running in the system. Process characteristics are identified from process behavior data, wherein the process names conform to ransomware process naming rules, including: The process name is obtained from process behavior data; the process name is matched with a pre-established ransomware process feature database; the ransomware process feature database includes process name features, naming rules and feature information corresponding to known ransomware and known ransomware variants, the feature information includes ransomware family name, variant name, case transformation form and matching features constructed based on string similarity or regular expression rules; when the process name matches the features in the ransomware process feature database, or presents random naming features without obvious semantics, the process is determined to have ransomware risk; the access behavior of each process to file types within a unit of time is statistically analyzed; when a single process performs continuous write or overwrite operations on different files within a preset time, and the access frequency is greater than the historical normal operating baseline of the system, the process is determined to have abnormal file operation behavior.
[0060] Specifically, the basic information of the process name and process path is first obtained, and the process name is then matched against a pre-established ransomware process feature database. This database stores process name characteristics, naming rules, and associated feature information corresponding to known ransomware and its variants. The feature information includes, but is not limited to, ransomware family names, common variant names, case variations, and matching features constructed based on string similarity or regular expressions. When a process name completely matches, is highly similar to, or exhibits random naming characteristics without clear semantics in the ransomware process feature database, the process is determined to have a high ransomware risk.
[0061] Simultaneously, the system analyzes the access behavior of each process to key file types within a unit of time, including the number of file opening, writing, overwriting, and renaming operations. When a single process performs continuous write or overwrite operations on a large number of different files within a short period of time, and its access frequency is significantly higher than the historical normal operating baseline of the system, the process is judged to have abnormal file operation behavior. In addition, the resource usage of processes is monitored. When a process continuously occupies a high proportion of processor resources without significant business load, or generates significant disk write load in a short period of time, the suspicion level of the process is further increased in combination with the above characteristics.
[0062] In another exemplary embodiment of this application, at the industrial scenario feature level, based on the operational characteristics of industrial control systems and industrial application environments, key abnormal behavior features specific to the industry are extracted. Industrial scenario features are identified from industrial control system behavior data, and these features satisfy the abnormal behavior of ransomware in industrial application environments, including: Modification behavior of industrial engineering files is obtained from the behavior data of the industrial control system; when industrial engineering files are modified multiple times during non-maintenance periods, or renamed with an unknown extension or a ransomware-specific extension, abnormal risk behavior is identified; when an unauthorized process initiates an abnormal connection to a port in the industrial environment, or when multiple connection attempts occur within a preset time, the system is identified as having suffered abnormal access behavior.
[0063] Specifically, access to and modification of industrial-specific file types are closely monitored. When industrial engineering files are frequently modified outside of maintenance periods, or renamed with unknown extensions or ransomware-specific extensions, high-risk abnormal behavior is identified. Simultaneously, the system's connection to high-risk ports is monitored. These high-risk ports include, but are not limited to, commonly used ports for industrial control and critical services, such as industrial control protocol ports like 502, 102, 20000, and 44818, and common remote access or database service ports like 21, 22, 23, 80, 443, 8080, 1433, 1521, and 3306. When unauthorized processes initiate abnormal connections to critical or high-risk ports in the industrial environment, or when frequent connection attempts occur within a short period, the system is considered to be under attack. Furthermore, the frequency of changes to critical industrial system data within a unit of time is statistically analyzed. When industrial system data undergoes frequent changes within a short period and lacks supporting legitimate operation records, this is used as a key criterion for identifying ransomware activity in the industrial environment.
[0064] In another exemplary embodiment of this application, after feature extraction is completed, a threat assessment model is constructed through a weighted scoring mechanism to achieve quantitative fusion of multi-source heterogeneous features and intelligent decision-making. Specifically, within a detection time window... The feature set extracted from the file feature layer, process feature layer, system behavior feature layer, and industrial scene feature layer is denoted as . These features include the following: 1) At the file feature level, this includes the precise matching results between file extensions and ransomware extension blacklists, the behavioral characteristics of multiple files being uniformly modified to the same unknown extension within a short period of time, file information entropy values, and file type identification results based on magic number feature sequences. 2) At the process characteristic level, this includes the matching results between the process name and the ransomware process characteristic database, the number of times the process performs open, write, overwrite and rename operations on key file types per unit time, and the process's resource usage, including the processor resource usage ratio and disk write load indicators. 3) At the level of system behavior characteristics, this includes the number of file events in the system per unit time, such as file creation, modification, renaming, and deletion; system network communication status characteristics (including network transmission traffic and the number of accesses and communication traffic to external addresses); and changes in the system's available memory resources. 4) At the level of industrial scenario characteristics, this includes the behavioral characteristics of industrial engineering documents being frequently modified during non-maintenance periods, the changes in the number of accesses to high-risk ports of industrial systems in a short period of time, and the change frequency indicators of key data in industrial systems per unit time.
[0065] To address features from different sources and with different dimensions, the system first differentiates them based on their varying indicative strength in ransomware attack detection. Then, each feature is converted into an interval using a pre-defined mapping function. Sub-risk scores within ,in This is used to characterize the contribution of each feature to the ransomware attack risk within the current detection time window. Simultaneously, corresponding weights are assigned to each feature. and satisfy This is to reflect the relative importance of different features in the overall judgment.
[0066] To ensure the interpretability and feasibility of the scoring model, based on the differences in the indicative strength of features in determining ransomware attacks, the features are divided into three categories: strong indicative features, medium indicative features, and basic situational features. Differentiated mapping functions are used to generate sub-risk scores for each category. For strong indicative features, these features characterize abnormal signals that directly indicate a ransomware attack, including precise matching of file extensions to a ransomware extension blacklist, inconsistencies between file magic number feature sequences and declared types, precise matching of process names to a ransomware process feature database, and the behavioral characteristic of multiple files being uniformly modified to the same unknown extension within a short period. This invention uses a hard-decision or near-hard-decision binary mapping function to score the strong indicative features, and its sub-risk score is defined as: .
[0067] In the formula, Features The sub-risk score.
[0068] Through the above mapping method, when a high-confidence ransomware feature signal appears in the system, it can immediately and significantly boost the final urgency score, thereby enabling rapid identification of clear ransomware behavior.
[0069] For moderate indicative features, these features characterize anomalous behaviors highly correlated with ransomware attacks but potentially occurring in normal business or operational scenarios. These include abnormally high file information entropy values, high-frequency write or renaming operations on critical file types by processes within a unit of time, and abnormally high processor resource or disk write loads. This invention employs a threshold-based piecewise linear mapping function to reflect the positive correlation between the degree of anomaly and the intensity of risk. Let the observed value of a certain moderate indicative feature within the current time window be... The corresponding abnormal initiation threshold is The abnormal saturation threshold is ,and Then the sub-risk score of this feature Defined as: .
[0070] In the formula, Features Observations within the current time window, This is the threshold for the start of an anomaly. This is the abnormal saturation threshold.
[0071] By using the piecewise linear mapping method described above, the risk score can be gradually accumulated as the degree of anomaly increases, reaching a saturation state when the degree of anomaly increases significantly. This avoids false alarms caused by slight fluctuations, while ensuring that continuous anomalies can effectively reflect their risk contribution.
[0072] The basic situation characteristics are used to reflect the changing trend of the overall system operation status and its auxiliary support role in the determination of ransomware attacks. These include a sudden increase in the number of system file creation, modification, deletion and renaming events per unit time, an abnormal increase in system network communication traffic or external connection frequency, a short-term significant increase in system memory resource utilization, frequent modification of industrial engineering files during non-maintenance periods, an abnormal increase in the number of accesses to high-risk ports of the industrial system, and high-frequency change characteristics of industrial system data per unit time.
[0073] This invention employs a normalized mapping function based on magnification or deviation to characterize the degree of deviation of the current observation value from the historical baseline. Let the observed value of a certain basic situational feature within the current time window be... Its corresponding historical baseline value is And construct a multiplier or deviation index. ,For example Then the sub-risk score of this feature It can be represented as: .
[0074] in, and These represent the multiplier thresholds for the onset and significant occurrence of system anomalies, respectively. Through this mapping method, situational indicators of different dimensions and scales can be uniformly mapped to the same risk space, providing a consistent mathematical basis for the fusion of multi-source features.
[0075] After obtaining the sub-risk scores corresponding to each feature, this invention calculates the overall urgency score by weighted summation. And linearly map it to a preset interval The calculation formula is as follows: .
[0076] In the formula, Features The assigned weights, The number of features.
[0077] Simultaneously, a whitelist protection mechanism is used to filter trusted processes such as core operating system processes and critical industrial control software processes to avoid false positives. When the urgency level reaches or exceeds a preset threshold (default 8 points), it is judged as a ransomware attack; when the urgency level is between 4 and 8 points, it is marked as a high-risk alert; and when it is below 4 points, it is recorded in the regular log.
[0078] In another exemplary embodiment of this application, an intelligent response mechanism is initiated based on the identification results: For confirmed ransomware attacks, parallel termination of suspicious processes is automatically triggered, supporting complete termination of the process tree, blocking network connections of suspicious processes, closing high-risk ports and shared services to prevent the spread of attacks; for high-risk alerts, a detailed threat report is generated (supporting multiple formats such as TXT, CSV, JSON, XML, and DOC), including a list of suspicious files, associated process PIDs, threat levels, and key information such as characteristic information, for further analysis by operations and maintenance personnel; throughout the entire identification and response process, structured logs are recorded in real time, categorized and stored according to INFO / WARN / ERROR levels, supporting keyword search and color-highlighted quick retrieval functions, providing support for security auditing and traceability. Simultaneously, the algorithm supports dynamic adjustment of various threshold parameters (such as file event frequency threshold, entropy threshold, and urgency threshold) and blacklist / whitelist databases to adapt to the protection needs of different scenarios, achieving a dynamic balance between identification accuracy and protection flexibility.
[0079] This application extracts features from file extension characteristics, file information entropy values, file magic number feature sequence matching results, process name matching, key file access frequency, changes in the number of system file events, abnormal network communication behavior, access to industrial-specific files and high-risk ports, and the frequency of changes in industrial data per unit time. A weighted scoring mechanism is then used to fuse these multi-source heterogeneous features to generate a unified risk assessment result. Through differentiated mapping function design, the model can both assign high weight to strong indicative features directly pointing to ransomware behavior and incorporate moderately relevant features and changes in the overall system situation for supplementary support. This enables effective identification of known ransomware viruses and unknown variants, and allows for effective response after identification.
[0080] Compared to existing technologies, the method in this application breaks through the core technical bottlenecks of traditional ransomware detection methods. It systematically solves the industry pain points of existing solutions, such as limited identification dimensions, delayed response to unknown threats, insufficient detection accuracy, lack of interpretability, and poor scenario adaptability. It has significant technical advantages in terms of detection comprehensiveness, ability to identify unknown variants, result reliability, compliance adaptability, scenario compatibility, and closed-loop protection. Each advantage is supported by clear core technical points, as follows: First, the method in this application breaks through the limitations of a single detection indicator, constructing a comprehensive judgment system covering all dimensions and the entire attack chain, achieving a comprehensive and accurate characterization of ransomware behavior. Existing technologies often rely on discrete features such as single file extension matching and process name matching, resulting in a one-sided detection dimension and vulnerability to attackers through feature tampering and code obfuscation. This invention, through a multi-source data fusion architecture, simultaneously extracts core indicators from four dimensions: file features, process features, system operational behavior characteristics, and industry-specific features. This covers the entire attack chain of ransomware behavior, from file encryption and abnormal process execution to system status fluctuations and network propagation, rather than being limited to specific known feature indicators. This advantage stems directly from the multi-dimensional feature engineering design of this invention, including core technologies such as joint verification of file extensions and magic numbers, information entropy value encryption behavior recognition, process behavior and resource usage linkage analysis, system global event timing monitoring, and industry-specific behavior judgment. Through complementary verification of multi-source heterogeneous features, it completely changes the inherent defect of the traditional "single-point judgment," significantly improving the comprehensiveness of attack identification and effectively preventing attackers from evading detection through single feature tampering.
[0081] Second, the method in this application possesses a strong ability to identify unknown threats and new ransomware variants, completely solving the detection lag defect of traditional solutions. Existing detection methods based on feature database matching can only identify known ransomware already in the database, and have no effective ability to identify new variants or obfuscated unknown ransomware, resulting in significant detection lag; while machine learning-based detection methods rely on large-scale new labeled samples to retrain the model, making it impossible to achieve rapid response to new attacks. This invention does not rely on known signature libraries or large-scale labeled samples. Instead, it constructs a detection model based on the essential behavioral patterns of ransomware encryption attacks. Through core technologies such as determining abnormal extension changes, identifying encrypted features of file information entropy, verifying the consistency between the file's true type and extension, monitoring abnormal high-frequency file operations in processes, and analyzing system operation baseline deviation, it directly captures the essential behavioral characteristics of ransomware, such as batch encryption of files, tampering with file attributes, and abnormal resource consumption. Regardless of whether the virus possesses known signatures or whether it has been obfuscated or transformed, as long as it performs abnormal behaviors consistent with the essence of ransomware attacks, it can be quickly identified and dealt with. There is no need to update the signature library or retrain the model in advance. It truly achieves full coverage of known ransomware, unknown variants, and new types of ransomware, effectively responding to the rapidly iterating and evolving attack landscape of ransomware.
[0082] Third, the method in this application achieves an optimal balance between detection accuracy and false alarm rate through a hierarchical and differentiated weighted scoring mechanism, which greatly improves the reliability of the detection results. Existing technologies often employ a single threshold judgment method, which is prone to false alarms due to normal business operations and also suffers from the problem of missing low-intensity attacks. Black-box machine learning models cannot controllably optimize the results of false alarms and missed alarms. The advantage of this invention comes from three core technical points: feature hierarchical classification mechanism, differentiated mapping function design, and weighted fusion scoring model. First, based on the strength of the feature's indication of ransomware attacks, it is divided into three categories: strong indication features, medium indication features, and basic situation features. For different categories of features, three differentiated score conversion functions are designed: binary mapping, piecewise linear mapping, and normalized mapping. This achieves rapid and high-weight judgment of clear ransomware behavior through strong indication features, and avoids false judgments caused by normal business fluctuations through the gradual accumulation of scores for medium and situation features. On this basis, a unified risk urgency score is generated through configurable weight allocation and weighted summation calculation. Combined with a trusted process whitelist filtering mechanism, it achieves accurate differentiation between ransomware attacks and normal business behavior. While ensuring full detection of attack behavior, it significantly reduces the false alarm rate and improves the practicality and reliability of the detection results.
[0083] Fourth, the method in this application constructs a fully explainable and traceable threat assessment model, which fully meets the controllable, auditable, and compliant requirements of critical information infrastructure and industrial control scenarios. Existing neural network-based detection methods have a "black box" characteristic in their decision-making process, making it impossible to decompose and trace the risk assessment results, and thus failing to meet the core requirements of manageable, controllable, and compliant auditable security protection systems in key areas such as industrial scenarios and government affairs. The core advantage of this invention lies in its explainable weighted scoring mechanism and full-process structured log recording technology: In the risk assessment model of this invention, the sub-risk scores, weight allocations, and mapping rules of each feature are all definable, traceable, and verifiable. The final risk urgency score can be completely decomposed into the contribution of each dimension feature, and each risk judgment can be mapped to a specific abnormal file, abnormal process, or abnormal behavior event, with no unexplainable decision-making links. At the same time, through the full-process structured log recording mechanism, the entire process of data collection, feature extraction, risk judgment, and response handling is stored hierarchically and categorized, supporting rapid retrieval and traceability, fully complying with the compliance requirements of network security level protection and critical information infrastructure security protection, and possessing strong practical application value.
[0084] Based on the same inventive concept, this application also provides a ransomware identification system based on multi-source data fusion for implementing the ransomware identification method based on multi-source data fusion described above. The solution provided by this system is similar to the implementation scheme described in the above method. Therefore, the specific limitations of one or more embodiments of the ransomware identification system based on multi-source data fusion provided below can be found in the limitations of the ransomware identification method based on multi-source data fusion described above, and will not be repeated here.
[0085] In one exemplary embodiment, a ransomware identification system based on multi-source data fusion is provided, comprising: a data acquisition module, a feature fusion module, an identification engine, and a response execution module.
[0086] The data acquisition module automatically identifies the terminal's disk drive and supports custom monitoring drive letters; the data acquisition module is used to synchronously acquire file system event data, system resource operation indicators, process behavior data, and industrial control system behavior data of the target terminal.
[0087] The feature fusion module is used to identify file features from file system event data, system operation behavior features from system resource operation indicators, process features from process behavior data, and industrial scenario features from industrial control system behavior data. The file features include file extension, information entropy value, and actual file type. The process features include process name and process behavior. If the file extension or the actual file type satisfies the essential behavioral characteristics of ransomware encrypted files, or the process name satisfies ransomware process naming rules, it is determined to be a strong indicative feature. If the information entropy value satisfies the essential behavioral characteristics of ransomware encrypted files, or the process behavior satisfies abnormal file operation behavior of ransomware processes, it is determined to be a medium indicative feature. If the system operation behavior features satisfy the abnormal operational state fluctuations caused by ransomware, or the industrial scenario features satisfy the abnormal behavior of ransomware in industrial application environments, it is determined to be a basic situational feature.
[0088] The identification engine determines the first sub-risk score based on strong indicative features using a binary mapping function; determines the second sub-risk score based on medium indicative features using a threshold-based piecewise linear mapping function; and determines the third sub-risk score based on basic situational features using a normalized mapping function. A weighted scoring mechanism is then applied to the first, second, and third sub-risk scores to obtain an overall urgency score. When the overall urgency score is greater than or equal to a preset threshold, it is determined to be a ransomware attack.
[0089] The response execution module provides both automatic and manual protection, automatically triggering parallel termination of suspicious processes and blocking network connections to prevent the spread of ransomware attacks.
[0090] As an optional implementation method, the system of this application is based on a multi-source data fusion ransomware intelligent identification algorithm, adopts a C / S separation architecture, focuses on the protection of industrial control environment and critical information infrastructure, and creates an endpoint security product that integrates collection, identification, response and management. The core consists of a daemon process (background core service) and a graphical user interface (visual operation entry), which work together to achieve real-time protection and flexible control.
[0091] The product is compatible with industrial control hosts, servers and other terminal devices. It supports Windows 7 SP1 and above. The minimum requirements are an Intel Core i3 processor, 4GB of memory and 500MB of disk space. An Intel Core i5 processor, 8GB of memory and more than 1GB of disk space are recommended. Administrator privileges are required for installation and startup to ensure operational security.
[0092] In terms of core functions, the data acquisition module can automatically identify the terminal disk drive, support custom monitoring drive letters, and collect file system events, system resource indicators, process behavior, and industrial scenario-specific data (PLC programming file operations, SCADA system data, etc.) in real time, ensuring comprehensive and real-time data sources; the feature fusion module extracts features from multi-source data according to four dimensions: file, process, system behavior, and industrial scenario; the intelligent recognition engine integrates the core algorithm of the scoring model, combines blacklists and whitelists with dynamic thresholds, accurately determines ransomware attacks, high-risk alarms, and routine operations, and supports parameter customization and optimization adjustment.
[0093] The response execution module provides both automatic and manual protection. Upon detecting an attack, it automatically terminates suspicious processes and blocks network connections. High-risk alerts automatically generate threat reports in multiple formats. The visual management interface adopts a Ribbon design and includes core tabs such as monitoring configuration, list management, and log viewing, making operation intuitive and convenient. The industrial adaptation module provides dedicated protection for four major industrial processes, adapting to the special needs of industrial environments.
[0094] The product is easy to deploy, and can be completed by following the wizard through the .msi installer. It supports one-click startup of the GUI or manual startup of the daemon process. Logs are automatically classified and stored to meet audit compliance requirements. It can be widely used in key fields such as industrial control and energy, and provides comprehensive ransomware detection and protection.
[0095] This application proposes a research and development concept for intelligent ransomware identification based on multi-source data fusion. Through multi-dimensional feature extraction and fusion calculation, a dynamic and interpretable threat assessment model is constructed. It can accurately identify known ransomware and unknown variants without relying entirely on large-scale labeled samples and single feature matching rules. At the same time, it has good generalization ability and interpretability, effectively making up for the shortcomings of existing technologies, improving the intelligence and accuracy of ransomware protection in key areas, and preventing and mitigating various security risks brought about by ransomware attacks.
[0096] In one exemplary embodiment, a computer device is provided, which may be a server or a terminal, and its internal structure diagram may be as follows. Figure 2As shown, this computer device includes a processor, memory, input / output (I / O) interfaces, and a communication interface. The processor, memory, and I / O interfaces are connected via a system bus, and the communication interface is also connected to the system bus via the I / O interfaces. The processor provides computational and control capabilities. The memory includes non-volatile storage media and internal memory. The non-volatile storage media stores the operating system, computer programs, and a database. The internal memory provides the environment for the operating system and computer programs in the non-volatile storage media to run. The database stores ransomware attack detection results. The I / O interfaces are used for information exchange between the processor and external devices. The communication interface is used for communication with external terminals via a network connection. When executed by the processor, the computer program implements a ransomware identification method based on multi-source data fusion.
[0097] Those skilled in the art will understand that Figure 2 The structure shown is merely a block diagram of a portion of the structure related to the present application and does not constitute a limitation on the computer equipment to which the present application is applied. Specific computer equipment may include, for example, [the following is a list of possible additional structures]. Figure 2 The embodiments show more or fewer components, combinations of certain components, or different component arrangements. In one exemplary embodiment, a computer device is provided, including a memory and a processor, the memory storing a computer program, which the processor executes to implement the steps in the above-described method embodiments.
[0098] In one exemplary embodiment, a computer-readable storage medium is provided storing a computer program that, when executed by a processor, implements the steps in the above-described method embodiments.
[0099] In one exemplary embodiment, a computer program product is provided, including a computer program that, when executed by a processor, implements the steps in the above-described method embodiments.
[0100] It should be noted that the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data used for analysis, data stored, data displayed, etc.) involved in this application are all information and data authorized by the user or fully authorized by all parties.
[0101] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. The computer program can be stored in a non-volatile computer-readable storage medium, and when executed, it can include the processes of the embodiments of the above methods. Any references to memory, databases, or other media used in the embodiments provided in this application can include at least one of non-volatile and volatile memory. Non-volatile memory can include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetic random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, etc. Volatile memory can include random access memory (RAM) or external cache memory, etc. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM).
[0102] The databases involved in the embodiments provided in this application may include at least one type of relational database and non-relational database. Non-relational databases may include, but are not limited to, blockchain-based distributed databases. The processors involved in the embodiments provided in this application may be general-purpose processors, central processing units, graphics processing units, digital signal processors, programmable logic devices, quantum computing-based data processing logic devices, etc., and are not limited to these.
[0103] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this specification.
[0104] This document uses specific examples to illustrate the principles and implementation methods of this application. The descriptions of the above embodiments are only for the purpose of helping to understand the methods and core ideas of this application. Furthermore, those skilled in the art will recognize that, based on the ideas of this application, there will be changes in the specific implementation methods and application scope. Therefore, the content of this specification should not be construed as a limitation of this application.
Claims
1. A ransomware identification method based on multi-source data fusion, characterized in that, include: Synchronously acquire file system event data, system resource operation indicators, process behavior data, and industrial control system behavior data of the target terminal; File characteristics are identified from file system event data, system operation behavior characteristics are identified from system resource operation indicators, process characteristics are identified from process behavior data, and industrial scenario characteristics are identified from industrial control system behavior data; the file characteristics include file extension, information entropy value, and actual file type; the process characteristics include process name and process behavior; If the file extension or the actual file type satisfies the essential behavioral characteristics of ransomware encrypting files, or if the process name satisfies the ransomware process naming rules, then it is determined to be a strong indicator feature. If the information entropy value satisfies the essential behavioral characteristics of ransomware encrypting files, or if the process behavior satisfies the abnormal file operation behavior of ransomware processes, then it is determined to be a medium-level indicative characteristic. If the system's operational behavior characteristics satisfy the abnormal operational state fluctuations caused by ransomware, or if the industrial scenario characteristics satisfy the abnormal behavior of ransomware in an industrial application environment, then it is determined to be a basic situation characteristic. Based on the strong indication characteristics, the first sub-risk score is determined using a binary mapping function; Based on the moderate indicative characteristics, the second sub-risk score is determined using a threshold-based piecewise linear mapping function; Based on the basic situation characteristics, the third sub-risk score is determined using a normalized mapping function; Based on the first sub-risk score, the second sub-risk score, and the third sub-risk score, a weighted scoring mechanism is used to obtain the overall urgency score; When the overall urgency score is greater than or equal to a preset threshold, it is identified as a ransomware attack, and the operation of terminating suspicious processes in parallel is automatically triggered to block network connections in order to prevent the spread of ransomware attacks.
2. The ransomware identification method based on multi-source data fusion according to claim 1, characterized in that, The file system event data includes: creation, modification, deletion, and renaming of files on the specified disk drive; The system resource operation indicators include: CPU utilization, memory usage, network transmission rate, and number of TCP connections; The industrial control system behavior data includes: file operations, process running status, and port activity of PLC programming, SCADA system, DCS control system, and MES production execution system.
3. The ransomware identification method based on multi-source data fusion according to claim 1, characterized in that, Identify file extensions from file system event data, where the file extensions satisfy the essential behavioral characteristics of ransomware encrypting files, including: Capture files and file paths that have been created, modified, or renamed within the monitored directory range from the file system event data; Parse the filename string in the file path and use the string after the last delimiter as the original file extension; The original file extensions are standardized to obtain file extensions; the standardization process includes: converting the extensions to lowercase and removing illegal characters or redundant whitespace characters. Construct a blacklist of suspicious ransomware extensions; the blacklist of suspicious ransomware extensions consists of the extensions used by known ransomware to encrypt files, the extensions used by publicly disclosed ransomware to encrypt files, and a predefined set of suspicious extensions; Match the file extensions with the blacklist of suspected ransomware extensions; When the file extension is detected to match any extension in the ransomware's suspicious extension blacklist, it is determined that the file extension satisfies the essential behavioral characteristics of ransomware encrypting files. Within a preset detection time window, count the number of files whose extensions have changed, and record the new extension type. When multiple file extensions are modified within a single time window, and the changed extensions do not belong to the predefined set of legal business extensions, it is determined that there is a risk of abnormal extensions. When multiple files are uniformly modified to the same unknown extension within a preset time, it is determined that the file extension satisfies the essential behavioral characteristics of ransomware encrypting files.
4. The ransomware identification method based on multi-source data fusion according to claim 1, characterized in that, Identify information entropy values from file system event data, wherein the information entropy values satisfy the essential behavioral characteristics of ransomware encrypting files, including: Read byte data from a file; The read byte data is scanned byte by byte, and the number of times each byte value in the range of 0 to 255 appears in the byte data is counted to form a byte frequency statistics table; Based on the byte frequency statistics table, calculate the probability of occurrence for each byte value; the probability of occurrence is equal to the ratio of the number of times the byte appears to the total number of bytes. The information entropy value of the file is calculated using the Shannon entropy formula based on the probability of occurrence of each byte value. When the information entropy value is greater than or equal to the preset entropy threshold, it is determined that the information entropy value meets the essential behavioral characteristics of ransomware encrypting files, and the file is marked as a suspected encrypted file.
5. The ransomware identification method based on multi-source data fusion according to claim 1, characterized in that, Identify the real file type from file system event data. This real file type satisfies the essential behavioral characteristics of ransomware-encrypted files, including: Read the header bytes of the file; The read file header bytes are converted into hexadecimal representation to construct a magic number feature sequence for file type identification; Establish a magic number feature library for file formats; Matching magic number feature sequences with file format magic number feature libraries; When the magic number feature sequence does not match any magic number feature sequence or matching rule in the file format magic number feature library, the true file type is determined to be an unknown type or an abnormal type, and the true file type satisfies the essential behavioral characteristics of ransomware encrypted files.
6. The ransomware identification method based on multi-source data fusion according to claim 1, characterized in that, Identify system operational behavior characteristics from system resource operation indicators. These characteristics satisfy the abnormal operational state fluctuations caused by ransomware, including: Count the number of file creation, modification, renaming, and deletion events that occur within a unit of time. When the growth rate of the number of file events within a preset time period is greater than the growth rate threshold, and the number of file events is greater than the preset threshold of the historical normal operation level, it is determined that there is abnormal file operation behavior. Obtain data on network traffic, the number of accesses to external addresses, communication traffic, and changes in available system memory resources; When the system experiences an abnormal increase in network traffic during abnormal business hours, or establishes an abnormal connection with an external address whose risk value exceeds the risk threshold, it is determined that the system has network activity related to ransomware. When the system establishes a connection with an external address that does not belong to the predefined set of trusted addresses, and the number of accesses within a preset time exceeds the threshold, it is judged as an abnormal and risky connection. When the rate of decrease of the change in available memory resources in the system exceeds a rate threshold within a preset time period and cannot be explained by normal business load, it is judged as abnormal behavior.
7. The ransomware identification method based on multi-source data fusion according to claim 1, characterized in that, Identify process characteristics from process behavior data, wherein the process names conform to ransomware process naming rules, including: Obtain the process name from process behavior data; The process name is matched with a pre-established ransomware process feature database. The ransomware process feature database includes process name features, naming rules and feature information corresponding to known ransomware and known ransomware variants. The feature information includes ransomware family name, variant name, case conversion form and matching features constructed based on string similarity or regular expression rules. When a process name matches a feature in the ransomware process feature library, or exhibits a random naming feature without obvious semantics, the process is determined to have a ransomware risk. Statistics on file type access behavior of each process within a unit of time; When a single process performs continuous write or overwrite operations on different files within a preset time period, and the access frequency is greater than the historical normal operating baseline of the system, the process is determined to have abnormal file operation behavior.
8. The ransomware identification method based on multi-source data fusion according to claim 1, characterized in that, Identify industrial scenario characteristics from industrial control system behavior data. These characteristics conform to the abnormal behavior of ransomware in industrial application environments, including: Obtain modification behavior of industrial engineering documents from industrial control system behavior data; When industrial engineering documents are modified multiple times outside of maintenance periods, or renamed with an unknown extension or a ransomware-specific extension, it is determined that there is abnormal risk behavior. When an unauthorized process initiates an abnormal connection to a port in an industrial environment, or when multiple connection attempts occur within a preset time, the system is determined to have suffered abnormal access behavior.
9. The ransomware identification method based on multi-source data fusion according to claim 1, characterized in that, The binary mapping function is: ; In the formula, Features Sub-risk scores; The threshold-based piecewise linear mapping function is: ; In the formula, Features Observations within the current time window, This is the threshold for the start of an anomaly. This is the abnormal saturation threshold. ; The normalized mapping function is: ; In the formula, This refers to the ratio or deviation indicator. , This is the historical baseline value. and These represent the multiplier thresholds for the onset and significant occurrence of system anomalies, respectively. The formula for calculating the overall urgency score is as follows: ; In the formula, The overall urgency score; Features The assigned weights satisfy ; The number of features.
10. A ransomware identification system based on multi-source data fusion, characterized in that, include: The system comprises a data acquisition module, a feature fusion module, a recognition engine, and a response execution module. The data acquisition module automatically identifies the terminal's disk drive and supports custom monitoring drive letters; The data acquisition module is used to synchronously acquire file system event data, system resource operation indicators, process behavior data, and industrial control system behavior data of the target terminal; The feature fusion module is used to identify file features from file system event data, system operation behavior features from system resource operation indicators, process features from process behavior data, and industrial scenario features from industrial control system behavior data. The file features include file extension, information entropy value, and actual file type. The process features include process name and process behavior. If the file extension or the actual file type satisfies the essential behavioral characteristics of ransomware encrypted files, or the process name satisfies ransomware process naming rules, it is determined to be a strong indicative feature. If the information entropy value satisfies the essential behavioral characteristics of ransomware encrypted files, or the process behavior satisfies abnormal file operation behavior of ransomware processes, it is determined to be a medium indicative feature. If the system's operational behavior characteristics satisfy the abnormal operational state fluctuations caused by ransomware, or if the industrial scenario characteristics satisfy the abnormal behavior of ransomware in an industrial application environment, then it is determined to be a basic situation characteristic. The recognition engine is used to determine the first sub-risk score based on strong indicative features using a binary mapping function; Based on the moderate indicative characteristics, the second sub-risk score is determined using a threshold-based piecewise linear mapping function; Based on the basic situation characteristics, the third sub-risk score is determined using a normalized mapping function; based on the first, second, and third sub-risk scores, a weighted scoring mechanism is used to obtain the overall urgency score; when the overall urgency score is greater than or equal to a preset threshold, it is determined to be a ransomware attack. The response execution module provides both automatic and manual protection, automatically triggering parallel termination of suspicious processes and blocking network connections to prevent the spread of ransomware attacks.