Abnormal encryption detection method, device, equipment, medium and program product

By using a multi-algorithm dynamic fusion and a three-dimensional collaborative detection system, the problems of single detection methods and insufficient fine-grained database detection in existing technologies have been solved, achieving high-precision identification and wide coverage of ransomware attacks.

CN122372285APending Publication Date: 2026-07-10CHINA UNITED NETWORK COMM GRP CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
CHINA UNITED NETWORK COMM GRP CO LTD
Filing Date
2026-04-20
Publication Date
2026-07-10

AI Technical Summary

Technical Problem

Existing technologies for detecting ransomware attacks suffer from limitations such as a single detection method, fixed detection algorithms, and inability to adapt to different types of data. This results in insufficient comprehensiveness and accuracy in detection, and an inability to identify covert encryption behaviors and fine-grained database encryption.

Method used

A detection method that dynamically fuses multiple algorithms is adopted. The algorithm combination is adaptively selected according to the data type to construct a three-dimensional collaborative detection system of file-database-behavior. Abnormal encryption behavior is identified through entropy calculation and multi-dimensional detection.

Benefits of technology

It improves the accuracy of abnormal encryption detection, reduces the false negative rate, covers file encryption, fine-grained database encryption, and covert encryption behavior, and expands the detection coverage.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122372285A_ABST
    Figure CN122372285A_ABST
Patent Text Reader

Abstract

This application provides an abnormal encryption detection method, apparatus, device, medium, and program product, relating to the field of communication technology, to improve the comprehensiveness and accuracy of abnormal encryption behavior detection. The specific technical solution includes: acquiring the data stream to be detected and its associated behavioral data; classifying the data stream to be detected to obtain data of at least one data type; processing the data of each data type using an algorithm corresponding to each data type to obtain the entropy value calculation result of the data stream to be detected; performing multi-dimensional detection on the data stream to be detected based on the associated behavioral data to obtain dimensional abnormal data of the data stream to be detected; and determining the abnormal encryption judgment result of the data stream to be detected based on the entropy value calculation result and the dimensional abnormal data of the data stream to be detected. This application is applied to the detection scenario of abnormal encryption of network data.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of communication technology, and in particular to an abnormal encryption detection method, apparatus, device, medium, and program product. Background Technology

[0002] As global cybersecurity threats become increasingly organized and professional, ransomware attacks are escalating, making defense against ransomware attacks a core need in the current cybersecurity field.

[0003] To address this need, the current industry approach involves collecting specific bytes from the file to be tested and extracting features such as character distribution. These features are then input into a pre-defined machine learning model to determine whether the file is encrypted.

[0004] However, the above-mentioned solutions only use a preset machine learning model to detect abnormal encryption of the above file types, and cannot detect abnormal encryption of other types of data. Furthermore, since the algorithm of the above-mentioned machine learning model is fixed, it cannot flexibly cope with the input file types. Therefore, the existing solutions have the problems of single detection method and insufficient comprehensiveness and accuracy in detecting abnormal encryption behavior. Summary of the Invention

[0005] This application provides an abnormal encryption detection method, apparatus, device, medium, and program product to improve the comprehensiveness and accuracy of abnormal encryption behavior detection.

[0006] In a first aspect, embodiments of this application provide an abnormal encryption detection method, the method comprising: acquiring a data stream to be detected and associated behavioral data of the data stream to be detected; classifying the data stream to be detected to obtain data of at least one data type, the data type including: text type, database type and binary type; processing the data of each data type using an algorithm corresponding to each data type to obtain an entropy value calculation result of the data stream to be detected, the entropy value calculation result being used to characterize the degree of abnormal encryption of the data stream to be detected; performing multi-dimensional detection on the data stream to be detected based on the associated behavioral data to obtain dimensional abnormal data of the data stream to be detected, the multi-dimensional detection including at least two of the following: file dimension detection, database dimension detection and behavioral dimension detection; and determining the abnormal encryption judgment result of the data stream to be detected based on the entropy value calculation result and the dimensional abnormal data of the data stream to be detected.

[0007] The technical solution provided in this application offers at least the following beneficial effects: After acquiring the data stream to be detected and its associated behavioral data, the data stream can be classified, allowing for adaptive selection of different algorithm combinations for different data types. This enables the calculation of entropy values ​​to characterize the degree of abnormal encryption in the data stream. Simultaneously, based on the associated behavioral data, multi-dimensional detection is performed to obtain abnormal data for each dimension of the data stream. Thus, abnormal encryption can be comprehensively determined from both the degree of abnormal encryption and multi-dimensional detection, resulting in more accurate abnormal encryption judgments. This improves the accuracy of identifying different types of data encryption behaviors and reduces the false negative rate of abnormal encryption detection. Furthermore, a three-dimensional collaborative detection system encompassing files, databases, and behaviors is constructed, covering file encryption, fine-grained database encryption, and covert encryption behaviors, expanding the detection coverage.

[0008] One possible implementation is that the above-mentioned file dimension detection includes at least one of the following: file header consistency verification, file body entropy calculation, file tail keyword retrieval, and file permission detection; the above-mentioned database dimension detection includes at least one of the following: table-level scan, record-level scan, field-level scan, and transaction log detection; the above-mentioned behavior dimension detection includes at least one of the following: encryption rhythm analysis, time feature analysis, account anomaly detection, and operation sequence analysis.

[0009] Another possible implementation involves using an algorithm corresponding to each data type to process the data of each data type and obtain the entropy calculation result of the data stream to be detected. This includes: using an algorithm corresponding to each data type to process the data of each data type and obtain the entropy calculation result corresponding to the data of each data type. The algorithm includes at least one of the following: most common value estimation algorithm, collision test estimation algorithm, Markov test estimation algorithm, compression test estimation algorithm; and performing entropy fusion calculation based on the entropy calculation result corresponding to the data of each data type to obtain the entropy calculation result of the data stream to be detected.

[0010] Another possible implementation involves determining the abnormal encryption judgment result of the data stream to be detected based on the entropy calculation result and the dimensional anomaly data of the data stream to be detected. This includes: determining the data stream to be detected as having a first abnormal encryption level when the entropy calculation result of the data stream to be detected is greater than a first entropy threshold and the dimensional anomaly data indicates that at least two dimensions of the multi-dimensional detection are abnormal; or, determining the data stream to be detected as having a second abnormal encryption level when the entropy calculation result of the data stream to be detected is less than or equal to the first entropy threshold and greater than or equal to a second entropy threshold, and the dimensional anomaly data indicates that only one dimension of the multi-dimensional detection is abnormal; or, determining the data stream to be detected as having a third abnormal encryption level when the entropy calculation result of the data stream to be detected is less than the second entropy threshold and the dimensional anomaly data indicates that all dimensions of the multi-dimensional detection are normal. The first abnormal encryption level is higher than the second abnormal encryption level, and the second abnormal encryption level is higher than the third abnormal encryption level.

[0011] Another possible implementation is that, after determining the abnormal encryption judgment result of the data stream to be detected based on the entropy value calculation result and the dimensional anomaly data of the data stream to be detected, the method further includes: outputting alarm information when the data stream to be detected is at the first abnormal encryption level; or, sending review task information to the client when the data stream to be detected is at the second abnormal encryption level, the review task information being used to instruct the user to perform a review operation on the data stream to be detected; or, generating a searchable log based on the data stream to be detected when the data stream to be detected is at the third abnormal encryption level.

[0012] Secondly, embodiments of this application provide an abnormal encryption detection device, comprising: an acquisition module, a classification module, a calculation module, a detection module, and a determination module; the acquisition module is used to acquire a data stream to be detected and associated behavioral data of the data stream to be detected; the classification module is used to classify the data stream to be detected acquired by the acquisition module to obtain data of at least one data type, including: text type, database type, and binary type; the calculation module is used to process the data of each data type obtained by the classification module using an algorithm corresponding to each data type to obtain an entropy value calculation result of the data stream to be detected, the entropy value calculation result being used to characterize the abnormal encryption degree of the data stream to be detected; the detection module is used to perform multi-dimensional detection on the data stream to be detected based on the associated behavioral data acquired by the acquisition module to obtain dimensional abnormal data of the data stream to be detected, the multi-dimensional detection including at least two of the following: file dimension detection, database dimension detection, and behavioral dimension detection; the determination module is used to determine the abnormal encryption judgment result of the data stream to be detected based on the entropy value calculation result of the data stream to be detected calculated by the calculation module and the dimensional abnormal data of the data stream to be detected obtained by the detection module.

[0013] One possible implementation is that the above-mentioned file dimension detection includes at least one of the following: file header consistency verification, file body entropy calculation, file tail keyword retrieval, and file permission detection; the above-mentioned database dimension detection includes at least one of the following: table-level scan, record-level scan, field-level scan, and transaction log detection; the above-mentioned behavior dimension detection includes at least one of the following: encryption rhythm analysis, time feature analysis, account anomaly detection, and operation sequence analysis.

[0014] Another possible implementation, the aforementioned calculation module, is specifically used for:

[0015] Each data type is processed using an algorithm corresponding to it to obtain the entropy value calculation result for each data type. The algorithm includes at least one of the following: most common value estimation algorithm, collision test estimation algorithm, Markov test estimation algorithm, and compression test estimation algorithm. Based on the entropy value calculation results corresponding to each data type, entropy value fusion calculation is performed to obtain the entropy value calculation result of the data stream to be detected.

[0016] Another possible implementation, the aforementioned determining module, is specifically used for:

[0017] If the entropy value of the data stream to be detected is greater than the first entropy threshold, and the detection results of at least two dimensions in the multi-dimensional detection of the dimension anomaly data representation are abnormal, the data stream to be detected is determined to be at the first anomaly encryption level; or, if the entropy value of the data stream to be detected is less than or equal to the first entropy threshold, and greater than or equal to the second entropy threshold, and the detection result of only one dimension in the multi-dimensional detection of the dimension anomaly data representation is abnormal, the data stream to be detected is determined to be at the second anomaly encryption level; or, if the entropy value of the data stream to be detected is less than the second entropy threshold, and the detection results of all dimensions in the multi-dimensional detection of the dimension anomaly data representation are normal, the data stream to be detected is determined to be at the third anomaly encryption level; wherein, the first anomaly encryption level is higher than the second anomaly encryption level, and the second anomaly encryption level is higher than the third anomaly encryption level.

[0018] In another possible implementation, the above-mentioned device further includes: an output module, a transmission module, or a generation module;

[0019] The aforementioned output module is used to determine the abnormal encryption judgment result of the data stream to be detected based on the entropy value calculation result and the dimensional anomaly data of the data stream to be detected, and then output alarm information if the data stream to be detected is at the first abnormal encryption level; or,

[0020] The aforementioned sending module, after determining the abnormal encryption judgment result of the data stream to be detected based on the entropy value calculation result and the dimensional anomaly data of the data stream to be detected, sends a review task information to the client if the data stream to be detected is at the second abnormal encryption level. The review task information instructs the user to perform a review operation on the data stream to be detected; or...

[0021] The aforementioned generation module is used to determine the abnormal encryption judgment result of the data stream to be detected based on the entropy value calculation result and the dimensional abnormal data of the data stream to be detected, and to generate a searchable log based on the data stream to be detected when the data stream to be detected is at the third abnormal encryption level.

[0022] Thirdly, this application provides an electronic device comprising: a processor and a memory; the memory stores a program or instructions executable on the processor, wherein the program or instructions, when executed by the processor, implement the method of the first aspect described above.

[0023] Fourthly, this application provides a readable storage medium on which a program or instructions are stored, which, when executed by a computer, implement the method of the first aspect described above.

[0024] Fifthly, this application provides a computer program product stored in a storage medium, which, when executed by a computer, implements the method described in the first aspect.

[0025] In a sixth aspect, embodiments of this application provide a chip including a processor and a communication interface, wherein the communication interface is coupled to the processor, and the processor is used to run programs or instructions to implement the method described in the first aspect.

[0026] The beneficial effects of the second to sixth aspects mentioned above are described in the corresponding description of the first aspect and will not be repeated here. Attached Figure Description

[0027] Figure 1 This application provides a schematic diagram of the network architecture for an abnormal encryption detection method.

[0028] Figure 2 A flowchart illustrating an abnormal encryption detection method provided in the application embodiment;

[0029] Figure 3 A three-dimensional collaborative detection dimension map of an anomaly encryption detection method provided in the application embodiment;

[0030] Figure 4 A flowchart illustrating an abnormal encryption detection method provided in the application embodiment;

[0031] Figure 5 A system architecture diagram of an anomaly encryption detection method provided in the application embodiments;

[0032] Figure 6 A flowchart illustrating an anomaly encryption detection method for ransomware anomaly encryption identification is provided in the application embodiment.

[0033] Figure 7 This is a schematic diagram of the structure of an anomaly encryption detection device provided in an embodiment of this application;

[0034] Figure 8 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application. Detailed Implementation

[0035] The following is a detailed description of the abnormal encryption detection method, apparatus, equipment, medium, and program products provided in this application, with reference to the accompanying drawings.

[0036] The technical solutions of the embodiments of this application will be clearly described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this application. All other embodiments obtained by those skilled in the art based on the embodiments of this application are within the scope of protection of this application.

[0037] The terms "first," "second," etc., used in the specification and claims of this application are used to distinguish similar objects and not to describe a specific order or sequence. It should be understood that such use of data can be interchanged where appropriate so that embodiments of this application can be implemented in orders other than those illustrated or described herein, and the objects distinguished by "first," "second," etc., are generally of the same class and the number of objects is not limited; for example, a first object can be one or more. Furthermore, in the specification and claims, "and / or" indicates at least one of the connected objects, and the character " / " generally indicates that the preceding and following objects are in an "or" relationship.

[0038] The terms "at least one," "at least one of," etc., used in the specification and claims of this application refer to any one, any two, or a combination of two or more of the included items. For example, at least one of a, b, and c can mean: "a," "b," "c," "a and b," "a and c," "b and c," and "a, b, and c," where a, b, and c can be single or multiple. Similarly, "at least two" refers to two or more items, and its meaning is similar to that of "at least one."

[0039] In the description of this application, unless otherwise stated, "a plurality of" means two or more.

[0040] The present application provides an abnormal encryption detection method, apparatus, device, medium, and program product that can be applied to the detection of abnormal encryption of network data.

[0041] Currently, global cybersecurity threats exhibit core trends of "organization, specialization, and APT-ification." Ransomware attacks, with their "low barrier to entry and high returns," have become the most pressing core threat in the field of data security. According to existing data, the frequency of ransomware attacks has rapidly increased from "one every 11 seconds" to "one every 2 seconds" in the next few years, meaning that ransomware attacks for enterprises have transformed from an "occasional risk" to an "inevitable challenge."

[0042] Furthermore, the scope of these ransomware attacks has expanded from ordinary small and medium-sized enterprises to critical information infrastructure sectors, with finance, energy, transportation, healthcare, and telecommunications becoming the hardest hit: Case 1: A bank suffered a ransomware attack that disrupted its core business systems; another financial institution was accused by a ransomware group of stealing 6.6TB of sensitive data, directly triggering compliance risks in cross-border business and a crisis of customer trust. Case 2: Multiple ransomware attacks are frequent in the industrial internet sector, with attackers using bulk network requests to mask encryption, leading to the paralysis of production systems. Case 3: Data centers and hospitals in multiple locations suffered data loss and system outages due to ransomware attacks, causing serious social impact.

[0043] The above cases fully demonstrate that even leading institutions with robust basic protection systems still find it difficult to avoid new types of ransomware attacks. Once an attack occurs, it will directly lead to multiple risks such as business interruption, data leakage, losses, and compliance penalties, highlighting the urgent need for ransomware encryption detection technology.

[0044] As attack teams' toolchains mature and attack strategies become more customized, ransomware attacks exhibit a clear evolutionary trend in their cryptographic behavior. Furthermore, because these attack tools are specifically designed to exploit the weaknesses of existing detection technologies, traditional detection methods become ineffective. For example:

[0045] 1) Advanced Persistent Threat (APT) Attacks: Covert Attacks Using Low-Speed ​​Encryption. Attackers tailor "low-speed" encryption strategies for large industry clients, encrypting only a small number of files or database records daily, avoiding peak work hours, with a latency period of up to several months. Because the encryption behavior is dispersed and the characteristics are not obvious, traditional detection rules based on "traffic surges" and "batch encryption" are difficult to identify.

[0046] 2) Multiple Ransomware Mode: Combining Encryption and Theft. Attackers no longer rely solely on encryption to lock down data; instead, they first steal sensitive data and then encrypt it, using "public data" as a dual threat (as seen in existing technologies addressing multiple ransomware scenarios in the industrial internet sector, where attackers use bulk network requests to mask encryption behavior, leading to production system paralysis). In this mode, encryption is more covert, and the characteristics of encrypted data are easily confused with normal business data, further increasing the difficulty of detection.

[0047] 3) Rapid virus mutation and diversified encryption paths: "Zero-day vulnerabilities" and "obfuscation" have become the main attack methods, and encryption paths cover VPN vulnerability intrusion, phishing email implantation, supply chain attacks, etc. (as mentioned in existing technologies, viruses bypass signature-based detection by using obfuscation). The speed of virus mutation far exceeds the update speed of traditional virus databases, and traditional detection methods that rely on signature matching are completely ineffective.

[0048] 4) Encryption targets extend to databases: Attackers in fine-grained encryption attacks are shifting from traditional file encryption to database table-level, record-level, and field-level encryption (current technologies focus on database ransomware prevention or mention database access control). Local encryption features are not obvious, and traditional file-level detection cannot cover this type of scenario, resulting in core database data being encrypted and remaining undetected for a long time.

[0049] Despite the introduction of various detection solutions in the industry, existing technologies have clear shortcomings in addressing the aforementioned evolutionary trends, making it difficult to form an effective defense. The following problems still exist:

[0050] 1) Coarse detection granularity: It cannot cover fine-grained encryption of the database, and existing technologies are mostly limited to "file-level detection".

[0051] 2) Single detection algorithm: Existing solutions mostly use a single entropy algorithm or a fixed machine learning model, which cannot adapt to the encryption characteristics of different types of data (text, database, binary file). For example, the recognition rate of a single entropy algorithm for low-entropy encrypted data and compressed encrypted data is significantly low.

[0052] 3) Lack of multi-dimensional collaboration: Difficulty in identifying covert encryption behavior. Existing technologies only focus on the characteristics of the data itself (e.g., existing technologies only extract file byte features, or only use two-dimensional logic of injection detection + feature classification), without combining dimensions such as the timing of encryption behavior and permission changes. For example, for covert behaviors such as "low-speed encryption at night" and "encryption operations performed by non-operation accounts", existing technologies cannot effectively identify them due to the lack of collaboration across behavioral dimensions.

[0053] Furthermore, while existing technologies share some similarities with this application in areas such as "multi-model fusion," "database protection," and "dynamic detection," none of them simultaneously achieve the three core capabilities of "dynamic adaptation of multiple algorithms," "three-dimensional collaboration of file-database-behavior," and "fine-grained database detection." These limitations prevent them from addressing the evolving trends of ransomware encryption towards greater concealment, finer granularity, and diversification. Against this backdrop, developing a ransomware anomaly encryption identification method that covers all data types, adapts to encryption features across multiple scenarios, and supports the identification of covert behaviors is crucial for addressing current industry pain points.

[0054] In summary, current ransomware detection technologies, due to their design logic focusing on "single-dimensional, fixed algorithms," are unable to cope with the increasingly covert, fine-grained, and diversified evolution of ransomware. Their core shortcomings are as follows:

[0055] 1) Single detection algorithm with poor adaptability: Existing technologies mostly use a single entropy algorithm or fixed feature matching, without adjusting the detection logic according to data type (text, database, binary). This results in low accuracy in identifying encrypted features of different types of data and a high false negative rate.

[0056] 2) Limited detection dimensions and narrow coverage: It only focuses on the encryption characteristics of the data itself, without combining the encryption behavior time sequence, permission changes and other dimensions, and cannot identify hidden encryption modes such as "slow speed, night execution" and so on.

[0057] 3) Coarse detection granularity, unable to deal with database encryption: Existing technologies are mostly limited to file-level detection, lacking fine-grained detection logic at the database table, record, and field levels, resulting in localized database encryption attacks remaining undetected for a long time.

[0058] In other words, this application provides a detection method that dynamically fuses multiple algorithms, adaptively selecting algorithm combinations based on data type to improve the accuracy of identifying different types of data encryption behaviors and reduce the false negative rate. Simultaneously, it constructs a three-dimensional collaborative detection system of files, databases, and behaviors, covering file encryption, fine-grained database encryption, and covert encryption behaviors, thus expanding the detection coverage.

[0059] The following description, in conjunction with the accompanying drawings, details the abnormal encryption detection method, apparatus, device, medium, and program products provided in the embodiments of this application.

[0060] Figure 1 The network architecture of an abnormal encryption detection method provided in an embodiment of this application is illustrated. For example... Figure 1 As shown, the network architecture includes an anomaly encryption detection device 101 and a terminal device 102. The anomaly encryption detection device 101 and the terminal device 102 are interconnected.

[0061] In some embodiments, the anomaly encryption detection device 101 may be a server, a computer, or a processor or processing unit within a server or computer. The server may be a single server or a server cluster consisting of multiple servers. It should be noted that the embodiments of this application do not limit the specific device form of the anomaly encryption detection device 101. Figure 1 The example shown is a single server using the anomaly encryption detection device 101.

[0062] In some embodiments, the terminal device may be a mobile phone, tablet computer, laptop computer, handheld computer, in-vehicle electronic device, mobile internet device (MID), augmented reality (AR) / virtual reality (VR) device, robot, wearable device, personal computer (PC), ultra-mobile personal computer (UMPC), netbook, or personal digital assistant (PDA), etc., and the embodiments of this application do not specifically limit it. Figure 1 The example shown is a mobile phone, with terminal device 102 as an example.

[0063] In some embodiments, the abnormal encryption monitoring device 101 acquires the data stream to be detected and its associated behavioral data; classifies the data stream to be detected to obtain data of at least one data type, including: text type, database type, and binary type; processes the data of each data type using an algorithm corresponding to each data type to obtain the entropy value calculation result of the data stream to be detected, the entropy value calculation result being used to characterize the degree of abnormal encryption of the data stream to be detected; performs multi-dimensional detection on the data stream to be detected based on the associated behavioral data to obtain the dimensional abnormal data of the data stream to be detected, the multi-dimensional detection including at least two of the following: file dimension detection, database dimension detection, and behavioral dimension detection; determines the abnormal encryption judgment result of the data stream to be detected based on the entropy value calculation result and the dimensional abnormal data of the data stream to be detected, and sends a review task information to the terminal device 102 based on the abnormal encryption judgment result, the review task information being used to instruct the user to perform a review operation on the data stream to be detected.

[0064] It should be noted that the network architecture described in the embodiments of this application is for the purpose of more clearly illustrating the technical solutions of the embodiments of this application, and does not constitute a limitation on the technical solutions provided in the embodiments of this application. As network architectures evolve, the technical solutions provided in the embodiments of this application are also applicable to similar technical problems.

[0065] See Figure 2 This is a flowchart illustrating an abnormal encryption detection method provided in an embodiment of this application. Figure 2 As shown, the abnormal encryption detection method provided in this application embodiment can be implemented by the above-mentioned abnormal encryption detection device, specifically including the following steps 201 to 204.

[0066] Step 201: The anomaly encryption detection device acquires the data stream to be detected and the associated behavioral data of the data stream to be detected; the data stream to be detected is classified to obtain data of at least one data type.

[0067] In some embodiments of this application, the above data types include, but are not limited to: text type, database type, and binary type.

[0068] In some embodiments of this application, the abnormal encryption device acquires the aforementioned data stream to be detected. The system automatically determines the data type by the file extension (preset mapping table of 50+ common file type extensions), database connection protocol identifier (Oracle TNS protocol port 1521, MySQL handshake protocol feature 0x0a000000), and binary file magic number (preset mapping table of 30+ common binary file magic numbers) in the data stream to be detected, with a determination accuracy of 100%. For data without extension / magic number, it is determined to be a binary file by default.

[0069] Step 202: The anomaly encryption detection device uses an algorithm corresponding to each data type to process the data of each data type to obtain the entropy value calculation result of the data stream to be detected.

[0070] In some embodiments of this application, the entropy value calculation result is used to characterize the degree of abnormal encryption of the data stream to be detected.

[0071] In some embodiments of this application, each data type corresponds to one or more algorithms.

[0072] In some embodiments of this application, the above algorithms include, but are not limited to: most common value estimation algorithm, collision test estimation algorithm, Markov test estimation algorithm, and compression test estimation algorithm.

[0073] In some embodiments of this application, the most common value estimation algorithm includes: based on frequency statistics, the percentage of characters that appear most frequently in the statistical data. The calculation logic can be: most common character frequency / total number of characters, with a threshold of 0.3. If the percentage is greater than or equal to 0.3, it is determined to be regular text data.

[0074] In some embodiments of this application, the above-mentioned collision test estimation algorithm includes: based on the birthday paradox principle, calculating randomness by the number of repeated character pairs in the statistical data, with the formula: collision number = total number of characters × (total number of characters - 1) / (2 × character set size).

[0075] In some embodiments of this application, the character set is encoded in UTF-8 by default, and the number of collisions is greater than or equal to the total number of characters × 0.1, which is considered to be highly random.

[0076] In some embodiments of this application, the Markov test estimation algorithm described above includes: constructing a first-order Markov chain model, calculating the entropy value of the transition probability matrix of adjacent characters, wherein the dimension of the transition probability matrix is ​​the character set size × the character set size.

[0077] In one example, the above entropy calculation can be performed using the Shannon entropy formula: ,

[0078] Where H represents the Shannon entropy value of the transition probability matrix; a higher entropy value indicates stronger randomness in character transitions and a higher probability of encrypted data. P(i,j) represents the probability of transitioning from character i to character j, calculated by the ratio of the frequency of adjacent character pairs (i,j) in the Markov chain to the total frequency of character i (i.e., P(i,j) = frequency of character pair (i,j) / total frequency of character i). Σ represents the summation of all non-zero probability elements in the transition probability matrix. If P(i,j) = 0, then log2P(i,j) is meaningless, and the contribution of this element to the entropy value is counted as 0. The character set defaults to 256 characters (0x00-0xFF) corresponding to UTF-8 encoding. For double-byte characters such as Chinese characters, the transition probability is automatically calculated after splitting according to UTF-8 encoding rules.

[0079] In some embodiments of this application, the compression test estimation algorithm includes: using the DEFLATE compression algorithm, setting the compression level to 6, and calculating the ratio of the data before and after compression, i.e., the compression ratio. Wherein, compression ratio = compressed size / uncompressed size. Generally, a compression ratio < 0.6 is considered high randomness.

[0080] In some embodiments of this application, the system has a built-in "data type-algorithm mapping strategy configuration file (XML format)". The configuration file contains data type tags, algorithm combination tags, and weight allocation tags, and automatically selects the optimal algorithm combination according to the data type.

[0081] In some embodiments of this application, when the data type is a text file, the algorithm corresponding to this data type can be the most common value estimation algorithm and the Markov test estimation algorithm.

[0082] In some embodiments of this application, when the data type is a database, the algorithm corresponding to the data type can be a collision test estimation algorithm and a compression test estimation algorithm.

[0083] In some embodiments of this application, when the data type is a binary file, the algorithm corresponding to this data type can be a collision test estimation algorithm and a compression test estimation algorithm.

[0084] In some embodiments of this application, the entropy calculation results are obtained based on the entropy calculation results corresponding to each of the above data types. For example, the entropy calculation results are obtained by fusing the entropy calculation results corresponding to each of the above data types using a weighted average method.

[0085] For example, a common weight allocation for the above weighted average method is as follows: most common value estimate: 0.2, collision test estimate: 0.3, Markov test estimate: 0.2, compression test estimate: 0.3, where the entropy value of a single algorithm is rounded to two decimal places. The sum of the weights is generally 1.

[0086] In some embodiments of this application, the anomaly encryption detection device can perform parallel computation of multiple algorithms by calling the algorithm classes corresponding to various types of data (typically, the fully qualified name of the algorithm class is com.riversecurity.detection.algorithm.XXXAlgorithm). For example, a Java multithreaded pool can be used, with the core thread count = CPU core count × 2, the maximum thread count = CPU core count × 4, a queue capacity of 10000, and a rejection policy of discarding tasks and logging them.

[0087] It should be noted that if the calculation times out, it will automatically retry once (retry interval is 5 seconds). If it still times out, it will be judged as a suspected anomaly (entropy value is set to 7.0 by default).

[0088] In some embodiments of this application, step 202 described above can be specifically implemented through the following steps 202a and 202b:

[0089] Step 202a: The anomaly encryption detection device uses an algorithm corresponding to each data type to process the data of each data type and obtain the entropy value calculation result corresponding to each data type.

[0090] In some embodiments of this application, the abnormal encryption detection device supports users to customize algorithm combinations through the operation and maintenance management terminal. Algorithms can be added / deleted, and weight allocation can be adjusted. The total weight must be 1.

[0091] In some embodiments of this application, the abnormal encryption detection device supports users in dynamically adjusting the entropy threshold through the operation and maintenance management terminal. For example, the threshold for normal data can be set to be less than 6.5, and the threshold for encrypted data can be set to be greater than 7.5, with a fine-tuning step of 0.1. It should be noted that the threshold adjustment record is usually kept in the audit log, which includes the person making the adjustment, the adjustment time, the threshold before adjustment, the threshold after adjustment, and the reason for adjustment.

[0092] Step 202b: The anomaly encryption detection device performs entropy fusion calculation based on the entropy calculation results corresponding to the data of each of the above data types to obtain the entropy calculation results of the above data stream to be detected.

[0093] In some embodiments of this application, the calculation formula for entropy fusion calculation based on the entropy calculation results corresponding to each of the above data types is as follows: .

[0094] In this way, by classifying the data types of the files to be detected and adaptively selecting algorithm combinations based on the data types, the accuracy of identifying encryption behaviors of different types of data is improved and the false negative rate is reduced.

[0095] Step 203: Based on the aforementioned associated behavioral data, the anomaly encryption detection device performs multi-dimensional detection on the aforementioned data stream to be detected, and obtains the dimensional anomaly data of the data stream to be detected.

[0096] In some embodiments of this application, the above-mentioned multi-dimensional detection includes at least two of the following: document dimension detection, database dimension detection, and behavior dimension detection.

[0097] In some embodiments of this application, the above-mentioned file dimension detection includes at least one of the following: file header consistency verification, file body entropy calculation, file tail keyword retrieval, and file permission detection.

[0098] In some embodiments of this application, the above-mentioned file header consistency check includes: reading the first N (e.g., N can be 16) bytes of the file (if less than N bytes, read all bytes), comparing them with a preset file type-file header mapping table, and marking the file header as abnormal if the comparison is inconsistent. During the comparison, a byte-by-byte equality check can be used for consistency verification.

[0099] For example, the above file type-file header mapping table may include: .jpg corresponds to 0xFFD8FF, .png corresponds to 0x89504E47, .docx corresponds to 0x504B0304, etc.

[0100] In some embodiments of this application, the above-mentioned file body entropy value calculation includes: dividing the file into blocks according to a first preset threshold (e.g., 4KB) (it should be noted that if the last block is less than the first preset threshold, it is divided into blocks according to the actual size), calculating the fused entropy value for each block independently, and counting the proportion of blocks with entropy values ​​greater than the first threshold (e.g., 7.5). For example, if the entropy value of a block exceeds the first threshold (e.g., 30%), the file body is marked as abnormal.

[0101] In some embodiments of this application, the above-mentioned file tail keyword retrieval includes: reading the content of the last predetermined size of the file (e.g., 10KB) (it should be noted that if the file size is less than the predetermined size, the entire content of the file is read), matching ransomware keywords from a preset keyword library using regular expressions, and marking the file tail as abnormal if any keyword is matched.

[0102] For example, the aforementioned preset keyword library contains multiple related Chinese and English keywords. These related keywords may include: "ransom", "decrypt", "pay", "bitcoin", "Ethereum", "ransom", "decryption", etc.

[0103] In some embodiments of this application, the above-mentioned file permission detection includes: obtaining file permissions through the operating system application programming interface (API), for example, obtaining the permission list of the discretionary access control list (DACL) by calling the GetFileSecurity function through the API interface, and obtaining the st_mode field by calling the stat function in Linux to obtain file permissions.

[0104] In one example, if the permissions of more than M files in the same directory are changed to "everyone can read and write" (corresponding to FILE_ALL_ACCESS permission in Windows and 0777 permission in Linux) within a predetermined time (e.g., 1 hour), then a batch permission anomaly is marked; permission change records are extracted from the operating system event log (Windows event ID 4670, Linux / var / log / auth.log).

[0105] In some embodiments of this application, the database dimension detection mentioned above includes at least one of the following: table-level scan, record-level scan, field-level scan, and transaction log detection.

[0106] In some embodiments of this application, the above-mentioned database system view table-level scan includes: obtaining low-frequency modified tables (e.g., ≤3 times modified in the last 30 days) through the database system view, and monitoring the daily modification count (by comparing the table structure / data checksum of the current day with that of the previous day) to mark the static table as having abnormal changes if it is greater than or equal to X (e.g., 5); the checksum calculation adopts the message digest algorithm (MD5 Message-Digest Algorithm) to calculate the overall checksum after sorting the table data by the primary key.

[0107] For example, Oracle database system views are obtained through the LAST_DDL_TIME field of DBA_TABLES, while MySQL database system views are obtained by querying the UPDATE_TIME field of INFORMATION_SCHEMA.TABLES.

[0108] In some embodiments of this application, the above-mentioned record-level scanning includes: reading records in batches according to table partitions or primary key ranges, reading 1000 records in each batch to avoid memory overflow, calculating the fusion entropy value of a single record after concatenating the record field values, and marking the record encryption features as abnormal if the entropy value of records in the same table is greater than or equal to 5% and is greater than a third threshold (e.g., 7.5) and there are no reasonable business change records.

[0109] In some embodiments of this application, the aforementioned business change records are obtained from the database audit logs and must include the person making the change, the time of the change, and the reason for the change.

[0110] In some embodiments of this application, the above-mentioned field-level scanning includes: calculating the fusion entropy value for each field in the database table individually; if the entropy value of a single field is greater than the fourth threshold (e.g., 7.5) and the average entropy value of other fields is less than the fifth threshold (e.g., 6.5), then the field-level entropy value is marked as abnormal; when calculating the field entropy value, NULL values ​​and empty strings are ignored.

[0111] For example, each field in the above database table may include: an exclusion primary key, an auto-incrementing field, and a timestamp field.

[0112] In some embodiments of this application, the above-mentioned transaction log detection includes: parsing the database transaction log (Oracle parses REDO logs using the LogMiner tool, and MySQL parses binary logs (binlog, binlog) using the mysqlbinlog tool), counting the number of transaction rollbacks within a predetermined time (generally, Oracle rollback is identified by the UBA field, and MySQL rollback is identified by the ROLLBACK statement), and if there are more than or equal to fifty rollbacks and no normal business commit records, and normal business commit records must contain a business identifier field, then the transaction log is marked as abnormal.

[0113] In some embodiments of this application, the above-mentioned behavioral dimension detection includes at least one of the following: encryption rhythm analysis, time feature analysis, account anomaly detection, and operation sequence analysis.

[0114] In some embodiments of this application, the above-mentioned encryption rhythm analysis includes: counting the daily amount of encrypted data, and if it is less than or equal to one hundred, it meets the low and slow characteristic and is marked as having an abnormal encryption rhythm.

[0115] In some embodiments of this application, the daily encrypted data volume mentioned above can refer to the number of encrypted files or the number of records in the encrypted database. The encrypted data volume is extracted from the detection logs, and the statistical period is the calendar day.

[0116] In some embodiments of this application, the above-mentioned time feature analysis includes: extracting encryption operation timestamps accurate to the second; if more than 80% of the encryption operations occur between 10 p.m. and 6 a.m. the next day or throughout the weekend, and there is no preset operation plan in the "Operation Calendar" configured on the operation and maintenance management terminal, then the time feature is marked as abnormal.

[0117] For example, the above-mentioned operation and maintenance plan may include operation and maintenance time periods, operation and maintenance content, and operation and maintenance personnel.

[0118] In some embodiments of this application, the above-mentioned account anomaly detection includes: obtaining the operation account through operating system logs (Windows event ID 4624, Linux / var / log / secure) and database audit logs, querying the account permission list, and marking the account as abnormal if the account is not in the operation and maintenance group configured on the operation and maintenance management terminal (supports batch import / export) and has performed encryption-related operations.

[0119] In some embodiments of this application, the above-mentioned query account permission list may include: querying local user groups in Windows, querying / etc / group in Linux, and querying the system permission view in a database.

[0120] In some embodiments of this application, the above-mentioned encryption-related operations may include: file encryption corresponding to the operation type WRITE + permission change, and database encryption corresponding to the operation type UPDATE / INSERT + field value entropy value anomaly.

[0121] In some embodiments of this application, the above-mentioned operation sequence analysis may include: storing operation behavior sequences based on a time series database (InfluxDB2.0, retaining 90 days of data); identifying abnormal sequences before encryption using a sequence pattern mining algorithm with a minimum support of 0.01 and a minimum confidence of 0.8, and marking the operation sequence as abnormal if an abnormal sequence is matched;

[0122] In some embodiments of this application, the above-mentioned time-series database storage operation behavior sequence includes: operation type, operation time, operation object, and operation account.

[0123] In some embodiments of this application, the determination of the above-mentioned abnormal encryption pre-sequence may include: if the sequence length of the sequence of batch permission change, data access, and encryption operation is greater than or equal to the sixth threshold (e.g., 3), and the time interval between adjacent operations is less than or equal to the seventh threshold (e.g., 30 minutes), then the encryption pre-sequence is considered abnormal.

[0124] like Figure 3 As shown, the dimensions of ransomware anomaly encryption detection involved in the implementation of the anomaly encryption detection method provided in this application embodiment are as follows:

[0125] Document detection dimensions include:

[0126] B1 File header consistency (e.g., whether the header of a .jpg file is 0xFF08FF; if it does not match, an error will occur).

[0127] B2 file entropy value (e.g., for multi-algorithm summation calculations, an entropy value > 7.5 indicates encryption);

[0128] B3 file end signatures (e.g., containing ransom keywords such as "ransom" or "decrypt");

[0129] B4 permission batch anomalies (e.g., ≥100 files with permissions changed to "everyone" read and write within 1 hour).

[0130] Database detection dimensions include:

[0131] C1 Static table changes (e.g., low-frequency table modifications ≥ 5 times per day);

[0132] C2 field-level entropy value (e.g., local field entropy value > 7.5, other fields are normal);

[0133] C3 records encryption characteristics (e.g., abnormal entropy value of a single record, verifying the pattern of ransomware encryption).

[0134] C4 transaction log anomalies (e.g., ≥50 transactions rolled back within a short period of time, with no normal business records).

[0135] Behavioral analysis dimensions include:

[0136] D1 encryption rhythm (e.g., encrypting ≤100 data items per day (Low and Slow characteristic));

[0137] D2 time characteristics (e.g., encryption operations are concentrated at night (e.g., 10 PM - 6 AM) or on weekends);

[0138] D3 account anomalies (e.g., non-operation and maintenance account performing encryption-related operations).

[0139] D4 operation sequence (e.g., a sequence of batch permission changes or abnormal data access before encryption).

[0140] In some embodiments of this application, three dimensions are detected collaboratively using a weighted voting mechanism (file dimension weight 40%, database dimension weight 35%, behavior dimension weight 25%). An anomaly in a single dimension receives 1 vote, and if the cumulative votes are greater than or equal to 2, it is judged as a high-risk anomaly; if it receives 1 vote, it is judged as a medium-risk anomaly; if only 1 detection point in a single dimension is abnormal and receives 0 votes, it is judged as a low-risk anomaly. If an anomaly is found in any dimension, the corresponding level of alarm is triggered to ensure that the entire process from encryption startup, incubation to execution can be accurately identified.

[0141] In this way, a three-dimensional collaborative detection system of files, databases, and behaviors is constructed. By conducting multi-dimensional collaborative detection of abnormal encryption, abnormal encryption in network data can be detected more accurately, reducing the false negative rate of abnormal encryption.

[0142] Step 204: The anomaly encryption detection device determines the anomaly encryption judgment result of the data stream to be detected based on the entropy value calculation result and the dimensional anomaly data of the data stream to be detected.

[0143] In some embodiments of this application, step 204 above can be specifically implemented by step 204a, step 204b, or step 204c as follows:

[0144] Step 204a: When the entropy value calculation result of the data stream to be detected is greater than the first entropy value threshold, and the dimension abnormal data characterizes the detection results of at least two dimensions in the multi-dimensional detection as abnormal, the abnormal encryption detection device determines the data stream to be detected as the first abnormal encryption level.

[0145] In some embodiments of this application, determining the first abnormal encryption level of the data stream to be detected may include: determining the abnormal encryption level based on the entropy threshold and the feature detection situation. If the entropy calculation result is greater than the first threshold, and in the three-dimensional feature detection, two or more dimensions are detected as abnormal, then the above-mentioned abnormal determination result of the data stream to be detected is the first abnormal encryption level.

[0146] In some embodiments of this application, the first threshold can be 7.5.

[0147] In some embodiments of this application, the first abnormal encryption level can be abnormal.

[0148] Step 204b: When the entropy value calculation result of the data stream to be detected is less than or equal to the first entropy value threshold and greater than or equal to the second entropy value threshold, and the detection result of only one dimension detection in the multi-dimensional detection of dimensional abnormal data representation is abnormal, the abnormal encryption detection device determines that the data stream to be detected is of the second abnormal encryption level.

[0149] In some embodiments of this application, determining the data stream to be detected as the second abnormal encryption level may include: determining the abnormal encryption level based on the entropy threshold and the feature detection situation. If the entropy calculation result is less than or equal to the first threshold and greater than or equal to the second threshold, and in the three-dimensional feature detection, only one dimension is detected as abnormal, then the above-mentioned abnormal determination result of the data stream to be detected is the second abnormal encryption level.

[0150] In some embodiments of this application, the second threshold can be 6.

[0151] In some embodiments of this application, the aforementioned second abnormal encryption level can be a suspected abnormal level.

[0152] Step 204c: If the entropy value of the data stream to be detected is less than the second entropy threshold and the detection results of all dimensions in the multi-dimensional detection of the dimension abnormal data are normal, the abnormal encryption detection device determines that the data stream to be detected is at the third abnormal encryption level.

[0153] In some embodiments of this application, determining the data stream to be detected as the third abnormal encryption level may include: determining the abnormal encryption level based on the entropy threshold and the feature detection situation. If the entropy calculation result is less than the second threshold, and all dimensions are detected as normal in the three-dimensional feature detection, then the above-mentioned abnormal determination result of the data stream to be detected is the third abnormal encryption level.

[0154] In some embodiments of this application, the aforementioned third abnormal encryption level can be normal.

[0155] In some embodiments of this application, the first abnormal encryption level is higher than the second abnormal encryption level, and the second abnormal encryption level is higher than the third abnormal encryption level.

[0156] Thus, by combining the entropy calculation result of the data stream to be detected with multi-dimensional collaborative detection, the abnormal encryption level of the data stream to be detected can be determined more accurately, and the degree of abnormality of the data stream to be detected can be assessed more accurately.

[0157] The abnormal encryption detection method provided in this application, after acquiring the data stream to be detected and its associated behavioral data, can classify the data stream and adaptively select different algorithm combinations for different data types to calculate the entropy value used to characterize the degree of abnormal encryption of the data stream. Simultaneously, based on the associated behavioral data of the data stream, multi-dimensional detection is performed to obtain dimensional anomaly data for each dimension of the data stream. In this way, abnormal encryption judgment of the data stream can be comprehensively made from both the degree of abnormal encryption and multi-dimensional detection, resulting in more accurate abnormal encryption judgment results. This improves the accuracy of identifying different types of data encryption behavior and reduces the false negative rate of abnormal encryption detection. Furthermore, a three-dimensional collaborative detection system of files, databases, and behaviors is constructed, covering file encryption, fine-grained database encryption, and covert encryption behaviors, expanding the detection coverage.

[0158] In some embodiments of this application, combined with Figure 2 ,like Figure 4 As shown, after step 204 above, the power adjustment method provided in this application embodiment further includes step 301, step 302, or step 303.

[0159] Step 301: When the data stream to be detected is at the first abnormal encryption level, the abnormal encryption detection device outputs an alarm message.

[0160] In some embodiments of this application, if the abnormal encryption determination result of the data stream to be detected is the first abnormal encryption level, the data to be detected is considered to be abnormal encrypted data, and a high-risk alarm is triggered.

[0161] In some embodiments of this application, the above-mentioned triggering of high-risk alarms includes: the input is the high-risk anomaly judgment result, the processing stage triggers a pop-up window + email alarm within ten seconds, the pop-up window displays the abnormal data path, risk level, and emergency handling suggestions, the email contains a detailed detection report: anomaly screenshot, behavior log, and processing steps, and the output is a high-risk alarm notification and anomaly details, realizing a rapid response to serious encryption attacks.

[0162] Step 302: When the data stream to be detected is at the second abnormal encryption level, the abnormal encryption detection device sends a verification task information to the client.

[0163] In some embodiments of this application, the review task information is used to instruct the user to perform a review operation on the data stream to be tested;

[0164] In some embodiments of this application, if the abnormal encryption determination result of the data stream to be detected is the second abnormal encryption level, the data to be detected is considered to be suspected abnormal encrypted data, and then the process proceeds to review.

[0165] In some embodiments of this application, the above-mentioned review includes: the operation and maintenance management terminal pushes the review task through pop-up reminders and message notifications, which effectively reduces false alarms.

[0166] In some embodiments of this application, the above-mentioned review task information may include: review link, data sample download address, detection log, and output as review task and related materials.

[0167] Step 303: When the data stream to be detected is at the third level of abnormal encryption, the abnormal encryption detection device generates a searchable log based on the data stream to be detected.

[0168] In some embodiments of this application, the searchable log content includes detection task ID, data ID, data type, detection time, algorithm combination, entropy result, and judgment conclusion. The log is stored in daily partitions and retained for one year. It supports keyword querying and exporting, and the output is a searchable log to meet compliance audit requirements.

[0169] In this way, accurate detection of the data stream to be detected is achieved, and corresponding processing is carried out for different encryption anomaly assessment results. This realizes the classification of encryption anomalies for all files and provides a reference sample for subsequent encryption anomaly detection.

[0170] In some embodiments of this application, a "data access layer + core detection layer + application layer" architecture is constructed with "accurate identification of ransomware encryption" as the core. The data access layer enables the collection of all types of data, the core detection layer achieves accurate identification through multi-algorithm fusion and three-dimensional collaboration, and the application layer supports visual alarms and anomaly display, forming a closed loop for ransomware encryption identification. Based on the above system architecture, as... Figure 5 As shown, the technical solution provided in this application includes the following: 1) Data access layer: as the data input source of the system, it covers core data types and has a clear and feasible access method.

[0171] For example, the data access layer includes a file server, a database, business system files, and a data access module, wherein:

[0172] File server: Access to unstructured files via NFS / Samba, supporting Windows Server 2016+, Linux CentOS 7.9+, and Ubuntu 18.04+ operating systems.

[0173] Databases: Mainstream databases / Oracle19c / MySQL8.0, as well as SQLServer2019 and PostgreSQL14+, access structured data (tables, records, fields) via ODBC / Agent. Agents support silent installation and background operation without manual intervention.

[0174] Business system files: Accessed via RESTful API / Agent, the input is various types of raw data (no upper limit on file size, a single database table supports more than or equal to 100 million records), the output is a standardized data stream encoded in UTF-8, and the data transmission process uses AES-256 encryption to ensure that the data collection is complete and the transmission is secure.

[0175] Data access module: Pushes all types of data to the core detection layer.

[0176] 2) Core Detection Layer: As the core processing hub of the system, it receives all types of data input from the data access layer and completes the encryption and identification logic.

[0177] For example, the core detection layer includes an AI intelligent detection engine, an algorithm adaptation module, and a dimension collaboration module, wherein:

[0178] AI Intelligent Detection Engine: Deployment supports cluster mode (load balancing of 2 or more nodes, using Nginx for load distribution, and IP hashing for session persistence). Its core responsibility is "multi-algorithm adaptation + three-dimensional collaborative detection". The input is a standardized data stream (e.g., a single data entry is less than or equal to 10MB, batch input is supported, and the batch size can be configured to 100-1000 entries / batch). The algorithm adaptation module selects the optimal algorithm combination, and the dimension collaboration module integrates multi-dimensional features. The output is an encrypted anomaly judgment result (normal / abnormal / suspected), anomaly location (file path accurate to drive letter + directory + file name, database accurate to instance name - database name - table name - field name), and risk level (high risk / medium risk / low risk). The anomaly detection accuracy is greater than 99%, and the false alarm rate is less than 1%. A single node supports processing 1000 data records per second, and the processing capacity can be linearly expanded in cluster mode (the processing capacity increases by more than 80% for each additional node).

[0179] Algorithm adaptation module: It has multiple built-in entropy calculation algorithms. The specific implementation logic of these entropy calculation algorithms can be found in the previous explanation of various algorithms, and will not be repeated here.

[0180] For example, the system has a built-in "data type-algorithm mapping strategy configuration file (XML format)". The configuration file contains data type tags, algorithm combination tags, and weight allocation tags, and automatically selects the optimal algorithm combination according to the data type: text files use "most common value + Markov", databases use "collision test + compression test", and binary files use "collision test + compression test".

[0181] For example, the configuration file allows users to customize algorithm combinations through the operation and maintenance management terminal (algorithms can be added / deleted, and weight allocation can be adjusted; the total weight must be 1); the entropy threshold can be dynamically adjusted (normal data threshold < 6.5, encrypted data threshold > 7.5, with a step size of 0.1 for fine-tuning), and the threshold adjustment record is kept in the audit log (including the person who made the adjustment, the adjustment time, the threshold before adjustment, the threshold after adjustment, and the reason for adjustment).

[0182] The dimension collaboration module integrates file features, database features, and behavioral features through a data association engine (based on Redis caching hot data, with a cache validity period of 1 hour, the cache key being the data ID + dimension type, and the cache value being the feature summary). Feature data storage uses a MySQL 8.0 database with single-table partitioned storage (partitioned by the detection date, with a partition period of 1 day) to ensure query efficiency. It outputs collaborative detection results (JSON format, including anomaly scores (0-10 points) and weight percentages for each dimension (40% for file dimension, 35% for database dimension, and 25% for behavioral dimension). Anomaly score = Σ (anomaly marker for detection point × weight for detection point). Anomaly marker for detection point is 1 for anomaly and 0 for normal.

[0183] 3) Application layer: As the human-computer interaction entry point, the input is the detection results of the core detection layer, and the output is a visual display of anomalies and alarm notifications.

[0184] For example, the application layer described above includes a data security view, a security alert platform, and an operation and maintenance management terminal, wherein:

[0185] Data security view: Developed based on Vue3, it supports filtering and querying by data type, risk level, and time range, and displays abnormal data paths, risk levels, and related behavior logs.

[0186] Security Alarm Platform: Supports three alarm methods: pop-up (Windows / Linux system tray pop-up), email (SMTP protocol, supports SSL encryption), and SMS (connected to Alibaba Cloud SMS API). Alarm trigger conditions can be configured (e.g., high-risk alarm immediately, medium- and low-risk alarms after 3 cumulative alarms).

[0187] Operations and maintenance management terminal: Supports detection policy configuration (detection cycle minimum 5 minutes, maximum 24 hours; detection scope can be precisely selected by directory / database table) and whitelist management (supports adding whitelists by file extension, database table name, and IP address; whitelist effective time ≤ 5 minutes), ensuring rapid response by operations and maintenance personnel.

[0188] In some embodiments of this application, the core module of the aforementioned abnormal encryption identification device is an AI intelligent detection engine module. This module is the core identification hub of the system, achieving accurate identification of ransomware encryption through "dynamic fusion of multiple algorithms + three-dimensional collaboration," with clearly defined input, output, and processing logic for each technical point.

[0189] In some embodiments of this application, the ransomware anomaly encryption identification process covers the entire process of "data access - algorithm adaptation - three-dimensional collaboration - result judgment - alarm", ensuring accurate identification, input, processing, output and effect of encryption behavior.

[0190] In some embodiments of this application, such as Figure 6 As shown, the implementation process of the abnormal encryption detection method provided in this application embodiment includes the following steps:

[0191] S) Triggered Detection: Real-time / Scheduled (configured by policy). The input is the detection policy (real-time / scheduled) configured on the operations and maintenance side. Real-time detection targets file creation / modification / deletion events (monitored via the FileSystemWatcher component on Windows, and via the inotify mechanism on Linux) and database DML operation events (triggered via database triggers of type AFTERINSERT / UPDATE / DELETE). Scheduled detection is triggered at a preset period (minimum 5 minutes) via a timer (JavaQuartz framework, cron expression configuration). The output is a detection task start command (JSON format, containing parameters such as detection task ID, detection scope (file directory / database table), algorithm combination ID, and threshold configuration ID), achieving automated detection.

[0192] A) Data access: Collect file / database / behavioral data. The input consists of raw data from file servers, databases, and business systems. File data is read via file streams (large files (>1GB) are read in 64KB increments to avoid memory overflow). Database data is retrieved in batches via JDBC (1000 records per query, supporting cursor pagination (Oracle uses REFCURSOR, MySQL uses LIMIT pagination)). Business system data is retrieved via API pagination (500 records per page, supporting breakpoint resumption (validated via Last-Modified field)). The processing stage performs integrity checks on the data (files verify MD5 values ​​(calculate and merge block MD5s), databases verify record consistency (compare record counts before and after query)). If the check fails, it is retried 3 times (retry interval 10 seconds). If it still fails, it is marked as data anomaly and an alarm is triggered (alarm level is medium). The output is a standardized dataset (file data is converted to byte streams (Base64 encoding), database data is converted to JSON format (field names are lowercase, named with underscores), and business system data is standardized according to a pre-defined format (JSON format, unified field names)) to ensure that the detection covers all types of data.

[0193] B) Data Preprocessing: Classification (File / Database / Binary) + Format Standardization. The input is a standardized dataset. The processing steps classify the data by type (file / database / binary). File data is grouped by extension (8 major categories including document, image, video, etc.). Database data is classified by database name and table name. Binary files are classified by magic number. Database tables are converted to a unified JSON format (field name → field value mapping; date types are uniformly converted to ISO8601 format; numeric types are uniformly converted to strings). Files retain core features (filename, size, creation time, modification time, MD5 value). For binary files, the first 16 bytes of magic number and file size information are extracted. The output is the classified standardized data (data format is a JSON array, each data entry contains data_id, data_type, data_content, and data_feature fields), providing adaptation support for subsequent algorithm selection.

[0194] C) Algorithm Adaptation: Select algorithm combinations based on data type. The input is standardized data after classification. The processing stage reads the "Data Type-Algorithm Mapping Strategy Configuration File", creates corresponding algorithm instances through the factory pattern, calls the algorithm calculation methods, and outputs the algorithm calculation results (including the entropy value of each algorithm, calculation time, and whether it timed out), effectively improving the detection accuracy of different data types.

[0195] D) Three-dimensional collaborative detection: file features + database features + behavioral features. The input is the algorithm calculation results and associated behavioral data (data IDs and behavioral logs are linked through a data association engine). The processing stage executes detection logic according to the file, database, and behavioral dimensions respectively. The output is the detection results (abnormal / normal) of each dimension and details of abnormal detection points, realizing accurate identification of concealed and encrypted behaviors.

[0196] E) Result Determination: The input is the collaborative detection result. The processing stage determines the data status based on the entropy threshold and feature matching, and divides it into three categories: normal (entropy value less than 6.5 + no collaborative anomaly), abnormal (entropy value greater than 7.5 + 3D feature matching equals high risk), and suspected (entropy value 7.0-7.5 equals medium / low risk). The output is the determination result and risk level, which clarifies the data security status.

[0197] F) Record normal logs and continuously monitor: The input is the normal judgment result. The log content includes the detection task ID, data ID, data type, detection time, algorithm combination, entropy result, and judgment conclusion. The log is stored in daily partitions (retained for 1 year), supports keyword query and export, and the output is a searchable log to meet compliance audit requirements.

[0198] G) Trigger a high-risk alert: Push notifications of abnormal location and behavior details. The input is the high-risk anomaly assessment result. Within 10 seconds, the processing stage triggers a pop-up window and email alert. The pop-up window displays the abnormal data path, risk level, and emergency handling suggestions. The email contains a detailed detection report (including anomaly screenshots, behavior logs, and handling steps). The output is a high-risk alert notification and anomaly details, enabling rapid response to serious encryption attacks.

[0199] H) Entering the manual review queue: Pushing a review link + data sample. The input is the suspected judgment result. In the processing stage, the review task is pushed through the operation and maintenance management terminal (pop-up reminder + message notification). The push content includes the review link, data sample download address, and detection log. The output is the review task and related materials, effectively reducing false alarms.

[0200] I) Review Results: The input is the review conclusion of the operation and maintenance personnel. The processing steps update the detection result status according to the conclusion. If a false alarm is detected, the whitelist is added and the algorithm threshold is optimized. If a real anomaly is detected, the corresponding level of alarm is triggered. The output is the review result record (including reviewer, review time, and review conclusion). The detection rules are continuously optimized.

[0201] J) Add to whitelist and update algorithm threshold: The input is the false alarm result. The processing stage automatically adds data features (file extension, database table name, account, etc.) to the corresponding whitelist, updates the whitelist configuration file and synchronizes it to all detection nodes (synchronization time ≤ 5 minutes). At the same time, the algorithm threshold is adjusted (the threshold of the type of false alarm data ± 0.1). The output is the whitelist update record and threshold adjustment log to avoid false alarms of the same type of data again.

[0202] K) Trigger medium / low risk alarms and push handling suggestions: The input is the actual anomaly review conclusion. During the handling process, medium / low risk alarms are pushed (email + portal display). The alarm content includes anomaly details and handling suggestions (such as isolating abnormal files, verifying operation accounts, and restoring data backups). The output is an alarm notification to promptly handle minor encryption anomalies.

[0203] L) Record detection logs and retain them for at least 1 year: The input consists of records of all detection processes. The log format adopts the standardized JSON format and includes parameters of the entire detection process (detection task ID, data ID, algorithm combination, threshold configuration), results (judgment status, risk level, anomaly dimension, anomaly detection point), and time consumption (time consumption of each process, accurate to milliseconds). The storage adopts MySQL database sharding and table partitioning (partitioning by detection date, with the partitioning rule being shard_key=detection task ID%10). It supports searching by detection task ID, data ID, time range, and risk level. The search response time is ≤1 second. The output is a searchable log that meets compliance traceability requirements.

[0204] In some embodiments of this application, the entire process of identifying ransomware anomalies via encryption takes ≤10 minutes per 10TB of data (based on a RH5885V5 server, CPU 2×Intel Xeon Gold 6248, memory 128GB, storage 4×4TB SAS), ensuring efficient detection without affecting production operations.

[0205] The following describes the abnormal encryption detection method of this application through specific embodiments. Specifically, the implementation process of the abnormal encryption detection method provided in this application includes the following:

[0206] Data type determination, algorithm combination and invocation, entropy value fusion calculation, and exception detection.

[0207] In some embodiments of this application, the inputs are multi-algorithm detection calculation results, the data stream to be detected, and related behavioral data (encryption time accurate to milliseconds, operation account is the system login account, permission change records include operation type / operation time / operation account), and the processing stage constructs a three-dimensional detection system.

[0208] In some embodiments of this application, the output is the data entropy value calculation result and the normal / abnormal judgment mark. Its core function is to accurately adapt to the encryption characteristics of different types of data and significantly reduce the false alarm rate.

[0209] Among them, such as Figure 3 As shown, the detection logic for each dimension is as follows:

[0210] 1) File dimension detection includes: file header consistency verification, file body entropy calculation, file tail ransomware keyword retrieval, and file permission detection.

[0211] File dimension anomaly determination: If any two or more detection points are abnormal, the file dimension is determined to be abnormal. The weights of each detection point are as follows: file header consistency (0.2), file body entropy value (0.4), file tail feature (0.2), and permission batch anomaly (0.2).

[0212] 2) Database dimension detection includes: table-level scan, record-level scan, field-level scan, and transaction log detection.

[0213] Database dimension anomaly determination: If any one of the detection points is abnormal, the database dimension is determined to be abnormal. The weight allocation of each detection point is as follows: static table change (0.2), record encryption feature (0.3), field-level entropy value (0.3), transaction log anomaly (0.2).

[0214] 3) Behavioral dimension detection includes: encryption rhythm analysis, time feature analysis, account anomaly detection, and operation sequence analysis.

[0215] Behavioral dimension anomaly determination: If any two or more detection points are abnormal, the behavioral dimension is determined to be abnormal. The weight allocation of each detection point is as follows: encryption rhythm (0.2), time feature (0.3), account anomaly (0.3), operation sequence (0.2).

[0216] The output is a three-dimensional collaborative detection result and anomaly dimension markers. Its core function is to comprehensively cover hidden encryption behaviors and avoid the limitations of single-dimensional detection.

[0217] The false alarm handling and model optimization mechanism implementation process of the abnormal encryption detection method provided in this application includes the following:

[0218] 1) Result classification: The preliminary detection results are classified into "high risk (entropy value > 7.5 + ≥ 2 dimensions of 3D feature matching anomalies), medium risk (entropy value 7.0-7.5 or 1 dimension of anomaly), low risk (≤ 1 detection point of anomaly in a single dimension)" and the classification results are stored in the detection result table (table name detection_result, primary key is result_id), associated with the data sample ID, algorithm calculation log ID, and behavior log ID;

[0219] 2) Manual Review: Medium / low-risk results are automatically entered into the manual review queue. Reviewers can view the "entropy curve (drawn based on ECharts, with the X-axis representing the data block number and the Y-axis representing the fused entropy value, marked with normal / abnormal threshold lines), data samples (files can be downloaded and previewed (maximum support 100MB), the database can view the first 100 records (desensitized sensitive fields), and behavior logs (displaying the operation process in chronological order, marked with abnormal nodes)" through the operation and maintenance management terminal. The review conclusion supports three categories: "normal (false alarm), abnormal (real threat), and pending observation (requires an extended detection period, which can be configured to 1-7 days)". The review timeout is set to 24 hours. If the review is not processed within the timeout period, it will be automatically marked as "pending observation". The timeout reminder will be triggered once every 6 hours.

[0220] 3) Whitelist Update: False alarm data is added to the whitelist by type. For file-related data, batch addition is supported by file path (exact match) and file extension (fuzzy match). For database-related data, addition is supported by database name (fuzzy match), table name (fuzzy match), and field name (fuzzy match). For behavior-related data, addition is supported by account (exact match) and IP address (supports CIDR network segment matching). After the whitelist takes effect, subsequent detection will automatically exclude the corresponding data. The whitelist is audited regularly (by default on the 1st of each month). Manual cleanup of invalid whitelists is supported (invalid whitelists refer to records with no matching data for 30 consecutive days).

[0221] 4) Model Optimization: Collect 100,000 new encrypted samples (obtained from customer feedback, public vulnerability databases, and attack and defense drills) and false positive data every quarter, retrain the algorithm weight model (using logistic regression algorithm, implemented based on sklearn framework, 1000 iterations, learning rate 0.01, regularization parameter 0.001), and update it to the system through canary release (first covering 10% of detection nodes, running continuously for 72 hours without anomalies, and then releasing it to the whole system). The model performance (accuracy, false positive rate, and false negative rate) before and after optimization should be recorded in a comparison report and stored in the knowledge base.

[0222] The output includes the final detection results and whitelist update records. Its purpose is to control the false alarm rate to less than 1% and reduce the workload of operation and maintenance.

[0223] The following will illustrate the abnormal encryption detection method provided in this application with a specific embodiment:

[0224] 1. Application Scenario: The core accounting database (RDS) and customer information files of a research institute should be encrypted by ransomware attacks and partially encrypted by the database, meeting the requirements of "detection accuracy > 99% and false positive rate < 1%", and supporting the detection of 100TB of data per day.

[0225] 2. System Deployment Plan:

[0226] Data access layer: The detection proxy server remotely connects to the RDS database via ODBC; at the same time, it connects to two NAS storage devices via NFS to achieve data security detection;

[0227] Core detection layer: Deploy 5 physical domestic detection proxy servers, run AI intelligent detection engine, configure "database-collision test + compression test" and "text file-most common value + Markov" algorithm mapping strategy, and set the entropy threshold to 6.5-7.5;

[0228] Application layer: Interacts with the research institute's security situation awareness platform; alerts are displayed through the platform. High-risk alerts are pushed to operations and maintenance personnel via mobile phone and email.

[0229] 3. Implementation Results:

[0230] Detection Results: 12 months after deployment, it can identify encrypted data from database applications, and verification was also performed using simulated ransomware encryption sample data in a test environment. The detection accuracy rate was 99.8%, with a false positive rate of 0.3% (only one false positive, which was a normal compressed file and was resolved after being added to the whitelist); out of 200 encrypted samples provided by the application encryption service (including encrypted database field content), 199 were detected, achieving an accuracy rate of 99.5%.

[0231] Performance: Daily data processing time of 100TB is ≤6 hours, server CPU utilization is ≤10%, and core transaction business is not affected (transaction response time is stable within 50ms).

[0232] Thus, this application takes "accurate identification of ransomware encryption" as its core and constructs an architecture of "data access layer + core detection layer + application layer". The data access layer realizes the collection of all types of data, the core detection layer achieves accurate identification through multi-algorithm fusion and three-dimensional collaboration, and the application layer supports visual alarms and anomaly display, forming a closed loop for ransomware encryption identification. This results in more accurate anomaly encryption judgment results, which improves the accuracy of identifying different types of data encryption behavior and reduces the false negative rate of anomaly encryption detection.

[0233] It should be noted that the above-described method embodiments, or the various possible implementations of the method embodiments, can be executed individually, or, provided there is no conflict, they can be combined with each other. The specific implementation can be determined according to actual usage requirements, and this application embodiment does not impose any restrictions on this.

[0234] This application embodiment can divide the abnormal encryption detection device into functional modules according to the above method example. For example, each function can be divided into a separate functional module, or two or more functions can be integrated into one processing module. The integrated module can be implemented in hardware or as a software functional module. Optionally, the module division in this application embodiment is illustrative and only represents one logical functional division; other division methods may be used in actual implementation.

[0235] In some embodiments, this application also provides an abnormal encryption detection device. This abnormal encryption detection device may include one or more functional modules for implementing the abnormal encryption detection method of the above method embodiments.

[0236] For example, Figure 7 This is a schematic diagram of an anomaly encryption detection device provided in an embodiment of this application. Figure 7 As shown, the abnormal encryption detection device 900 includes: an acquisition module 901, a classification module 902, a calculation module 903, a detection module 904, and a determination module 905.

[0237] The aforementioned acquisition module 901 is used to acquire the data stream to be detected and the associated behavioral data of the data stream to be detected.

[0238] The classification module 902 described above is used to classify the data stream to be detected obtained by the acquisition module to obtain data of at least one data type, including: text type, database type and binary type;

[0239] The aforementioned calculation module 903 is used to process the data of each data type obtained by the classification module using an algorithm corresponding to each data type, and to obtain the entropy value calculation result of the data stream to be detected. The entropy value calculation result is used to characterize the degree of abnormal encryption of the data stream to be detected.

[0240] The aforementioned detection module 904 is used to perform multi-dimensional detection on the data stream to be detected based on the associated behavioral data obtained by the acquisition module, and to obtain the dimensional anomaly data of the data stream to be detected. The multi-dimensional detection includes at least two of the following: file dimension detection, database dimension detection and behavioral dimension detection.

[0241] The aforementioned determining module 905 is used to determine the abnormal encryption judgment result of the data stream to be detected based on the entropy value calculation result of the data stream to be detected calculated by the calculation module and the dimension abnormal data of the data stream to be detected obtained by the detection module.

[0242] The anomaly encryption detection device provided in this application offers a multi-algorithm fusion detection device. After acquiring the data stream to be detected and its associated behavioral data, the device can classify the data stream and adaptively select different algorithm combinations for different data types to calculate the entropy value representing the degree of anomaly encryption in the data stream. Simultaneously, based on the associated behavioral data, multi-dimensional detection is performed on the data stream to obtain anomaly data in each dimension. Thus, anomaly encryption judgment can be made on the data stream from both the degree of anomaly encryption and multi-dimensional detection, resulting in more accurate anomaly encryption judgment results. This improves the accuracy of identifying different types of data encryption behavior and reduces the false negative rate of anomaly encryption detection. Furthermore, a three-dimensional collaborative detection system of files, databases, and behaviors is constructed, covering file encryption, fine-grained database encryption, and covert encryption behaviors, expanding the detection coverage.

[0243] In some embodiments, the above-mentioned file dimension detection includes at least one of the following: file header consistency verification, file body entropy value calculation, file tail keyword retrieval, and file permission detection;

[0244] The database dimension detection mentioned above includes at least one of the following: table-level scan, record-level scan, field-level scan, and transaction log detection;

[0245] The aforementioned behavioral dimension detection includes at least one of the following: encryption rhythm analysis, time feature analysis, account anomaly detection, and operation sequence analysis.

[0246] In other embodiments, the above-mentioned computing module 903 is specifically used for:

[0247] The algorithm corresponding to each data type is used to process the data of each data type and obtain the entropy value calculation result corresponding to each data type. The algorithm includes at least one of the following: most common value estimation algorithm, collision test estimation algorithm, Markov test estimation algorithm, and compression test estimation algorithm.

[0248] Entropy fusion calculation is performed based on the entropy calculation results corresponding to each data type to obtain the entropy calculation result of the data stream to be detected.

[0249] In some other embodiments, the determining module 905 described above is specifically used for:

[0250] If the entropy value of the data stream to be detected is greater than the first entropy threshold, and the abnormal data in the dimensions indicate that the detection results of at least two dimensions in the multi-dimensional detection are abnormal, the data stream to be detected is determined to be at the first abnormal encryption level.

[0251] or,

[0252] If the entropy value of the data stream to be detected is less than or equal to the first entropy threshold and greater than or equal to the second entropy threshold, and the detection result of only one dimension in the multi-dimensional detection of dimensional anomaly data is abnormal, the data stream to be detected is determined to be at the second anomaly encryption level.

[0253] or,

[0254] If the entropy value of the data stream to be detected is less than the second entropy threshold, and the detection results of all dimensions in the multi-dimensional detection of the dimension anomaly data are normal, the data stream to be detected is determined to be at the third anomaly encryption level.

[0255] Among them, the first abnormal encryption level is higher than the second abnormal encryption level, and the second abnormal encryption level is higher than the third abnormal encryption level.

[0256] In some other embodiments, the above-described apparatus further includes: an output module, a transmission module, or a generation module;

[0257] The above output module is used to determine the abnormal encryption judgment result of the data stream to be detected based on the entropy value calculation result and the dimensional abnormal data of the data stream to be detected, and output alarm information when the data stream to be detected is at the first abnormal encryption level.

[0258] or,

[0259] The aforementioned sending module is used to determine the abnormal encryption judgment result of the data stream to be detected based on the entropy value calculation result and the dimensional abnormal data of the data stream to be detected. If the data stream to be detected is at the second abnormal encryption level, the module sends a review task information to the client. The review task information is used to instruct the user to perform a review operation on the data stream to be detected.

[0260] or,

[0261] The aforementioned generation module is used to determine the abnormal encryption judgment result of the data stream to be detected based on the entropy value calculation result and the dimensional abnormal data of the data stream to be detected, and to generate a searchable log based on the data stream to be detected when the data stream to be detected is at the third abnormal encryption level.

[0262] It should be noted that the abnormal encryption detection device can implement all the processes implemented in the above method embodiments and achieve the same beneficial effects. To avoid repetition, it will not be described again here.

[0263] In the case where the functions of the integrated modules described above are implemented in hardware, this application provides a possible structural schematic diagram of the electronic device involved in the above embodiments. For example... Figure 8 As shown, the electronic device 90 includes: a processor 92, a communication interface 93, and a bus 94. Optionally, the electronic device 90 may also include a memory 91.

[0264] Processor 92 may implement or execute various exemplary logic blocks, modules, and circuits described in conjunction with the disclosure of this application. Processor 92 may be a central processing unit, a general-purpose processor, a digital signal processor, an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or other programmable logic devices, transistor logic devices, hardware components, or any combination thereof. It may implement or execute various exemplary logic blocks, modules, and circuits described in conjunction with the disclosure of this application. Processor 92 may also be a combination that implements computational functions, such as including one or more microprocessor combinations, a combination of a DSP and a microprocessor, etc.

[0265] Communication interface 93 is used to connect to other devices via a communication network. This communication network can be Ethernet, wireless access network, wireless local area network (WLAN), etc.

[0266] The memory 91 may be a read-only memory (ROM) or other type of static storage device capable of storing static information and instructions, random access memory (RAM) or other type of dynamic storage device capable of storing information and instructions, or electrically erasable programmable read-only memory (EEPROM), disk storage medium or other magnetic storage device, or any other medium capable of carrying or storing desired program code in the form of instructions or data structures and accessible by a computer, but is not limited thereto.

[0267] As one possible implementation, the memory 91 can exist independently of the processor 92. The memory 91 can be connected to the processor 92 via a bus 94 and is used to store instructions or program code. When the processor 92 calls and executes the instructions or program code stored in the memory 91, it can implement the abnormal encryption detection method provided in the embodiments of this application.

[0268] In another possible implementation, memory 91 can also be integrated with processor 92.

[0269] Bus 94 can be an Extended Industry Standard Architecture (EISA) bus, etc. Bus 94 can be divided into address bus, data bus, control bus, etc. For ease of representation, Figure 8 The bus is represented by a single thick line, but this does not mean that there is only one bus or one type of bus.

[0270] Through the above description of the implementation methods, those skilled in the art can clearly understand that, for the sake of convenience and brevity, only the division of the above functional modules is used as an example. In actual applications, the above functions can be assigned to different functional modules as needed, that is, the internal structure of the service calling device can be divided into different functional modules to complete all or part of the functions described above.

[0271] This application embodiment also provides a chip, which includes a processor and a communication interface. The communication interface is coupled to the processor. The processor is used to run programs or instructions to implement the various processes of the above-described abnormal encryption detection method embodiments and can achieve the same technical effect. To avoid repetition, it will not be described again here.

[0272] It should be understood that the chip mentioned in the embodiments of this application may also be referred to as a system-on-a-chip, system chip, chip system, or system-on-a-chip, etc.

[0273] This application also provides a readable storage medium storing a program or instructions that, when executed by a computer, implement the abnormal encryption detection method provided in the above embodiments. It is understood that all or part of the processes in the above method embodiments can be executed by computer instructions instructing related hardware; the readable storage medium can be any of the foregoing embodiments or memory; the readable storage medium can also be an external storage device of the service invocation device, such as a plug-in hard drive, SmartMediaCard (SMC), SecureDigital (SD) card, flashcard, etc., equipped on the service invocation device. Further, the readable storage medium can include both internal storage units of the service invocation device and external storage devices. The readable storage medium is used to store the computer program and other programs and data required by the service invocation device. The readable storage medium can also be used to temporarily store data that has been output or will be output.

[0274] This application also provides a computer program product, which is stored in a storage medium and implements the abnormal encryption detection method provided in the above embodiments when the computer program product is executed by a computer.

[0275] It should be noted that, in this document, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes that element. Furthermore, it should be noted that the scope of the methods and apparatuses in the embodiments of this application is not limited to performing functions in the order shown or discussed, but may also include performing functions substantially simultaneously or in the reverse order, depending on the functions involved. For example, the described methods may be performed in a different order than described, and various steps may be added, omitted, or combined. Additionally, features described with reference to certain examples may be combined in other examples.

[0276] Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of software plus necessary general-purpose hardware platforms. Of course, they can also be implemented by hardware, but in many cases the former is a better implementation method. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, can be embodied in the form of a computer software product. This computer software product is stored in a storage medium (such as ROM / RAM, magnetic disk, optical disk) and includes several instructions to cause a terminal (which may be a mobile phone, computer, server, or network device, etc.) to execute the methods described in the various embodiments of this application.

[0277] The embodiments of this application have been described above with reference to the accompanying drawings. However, this application is not limited to the specific embodiments described above. The specific embodiments described above are merely illustrative and not restrictive. Those skilled in the art can make many other forms under the guidance of this application without departing from the spirit and scope of the claims, and all of these forms are within the protection scope of this application.

Claims

1. An abnormal encryption detection method, characterized in that, include: Obtain the data stream to be detected and the associated behavioral data of the data stream to be detected; The data stream to be detected is classified to obtain data of at least one data type, including: text type, database type and binary type; An algorithm corresponding to each data type is used to process the data of each data type to obtain the entropy value calculation result of the data stream to be detected. The entropy value calculation result is used to characterize the degree of abnormal encryption of the data stream to be detected. Based on the associated behavioral data, multi-dimensional detection is performed on the data stream to be detected to obtain dimensional anomaly data of the data stream to be detected. The multi-dimensional detection includes at least two of the following: file dimension detection, database dimension detection and behavioral dimension detection. Based on the entropy calculation result of the data stream to be detected and the dimensional anomaly data of the data stream to be detected, the abnormal encryption judgment result of the data stream to be detected is determined.

2. The anomaly encryption detection method according to claim 1, characterized in that, The file dimension detection includes at least one of the following: file header consistency verification, file body entropy calculation, file tail keyword retrieval, and file permission detection; The database dimension detection includes at least one of the following: table-level scan, record-level scan, field-level scan, and transaction log detection; The behavioral dimension detection includes at least one of the following: encryption rhythm analysis, time feature analysis, account anomaly detection, and operation sequence analysis.

3. The anomaly encryption detection method according to claim 1, characterized in that, The step of employing an algorithm corresponding to each data type to process the data of each data type and obtain the entropy calculation result of the data stream to be detected includes: The algorithm corresponding to each data type is used to process the data of each data type to obtain the entropy value calculation result corresponding to each data type. The algorithm includes at least one of the following: most common value estimation algorithm, collision test estimation algorithm, Markov test estimation algorithm, and compression test estimation algorithm. Entropy fusion calculation is performed based on the entropy calculation results corresponding to the data of each data type to obtain the entropy calculation result of the data stream to be detected.

4. The anomaly encryption detection method according to any one of claims 1 to 3, characterized in that, The determination of the abnormal encryption judgment result of the data stream to be detected based on the entropy value calculation result and the dimensional anomaly data of the data stream to be detected includes: If the entropy value of the data stream to be detected is greater than the first entropy threshold, and the dimensional anomaly data indicates that the detection results of at least two dimensions in the multi-dimensional detection are abnormal, the data stream to be detected is determined to be at the first anomaly encryption level. or, If the entropy value of the data stream to be detected is less than or equal to the first entropy threshold and greater than or equal to the second entropy threshold, and the dimension anomaly data indicates that only one dimension of the multi-dimensional detection is abnormal, then the data stream to be detected is determined to be at the second anomaly encryption level. or, If the entropy value of the data stream to be detected is less than the second entropy threshold, and the dimension anomaly data indicates that the detection results of all dimensions in the multi-dimensional detection are normal, then the data stream to be detected is determined to be at the third anomaly encryption level. Wherein, the first abnormal encryption level is higher than the second abnormal encryption level, and the second abnormal encryption level is higher than the third abnormal encryption level.

5. The anomaly encryption detection method according to claim 4, characterized in that, After determining the abnormal encryption judgment result of the data stream to be detected based on the entropy value calculation result and the dimensional anomaly data of the data stream to be detected, the method further includes: If the data stream to be detected is at the first abnormal encryption level, an alarm message is output. or, If the data stream to be detected is at the second abnormal encryption level, a review task information is sent to the client, which is used to instruct the user to perform a review operation on the data stream to be detected. or, If the data stream to be detected is at the third abnormal encryption level, a searchable log is generated based on the data stream to be detected.

6. An anomaly encryption detection device, characterized in that, include: Acquisition module, classification module, calculation module, detection module, determination module; The acquisition module is used to acquire the data stream to be detected and the associated behavioral data of the data stream to be detected; The classification module is used to classify the data stream to be detected obtained by the acquisition module to obtain data of at least one data type, including: text type, database type and binary type; The calculation module is used to process the data of each data type obtained by the classification module using an algorithm corresponding to each data type, and to obtain the entropy value calculation result of the data stream to be detected. The entropy value calculation result is used to characterize the degree of abnormal encryption of the data stream to be detected. The detection module is used to perform multi-dimensional detection on the data stream to be detected based on the associated behavior data obtained by the acquisition module, and obtain the dimension abnormal data of the data stream to be detected. The multi-dimensional detection includes at least two of the following: file dimension detection, database dimension detection and behavior dimension detection. The determining module is used to determine the abnormal encryption judgment result of the data stream to be detected based on the entropy value calculation result of the data stream to be detected calculated by the calculation module and the dimension abnormal data of the data stream to be detected obtained by the detection module.

7. The anomaly encryption detection device according to claim 6, characterized in that, The file dimension detection includes at least one of the following: file header consistency verification, file body entropy calculation, file tail keyword retrieval, and file permission detection; The database dimension detection includes at least one of the following: table-level scan, record-level scan, field-level scan, and transaction log detection; The behavioral dimension detection includes at least one of the following: encryption rhythm analysis, time feature analysis, account anomaly detection, and operation sequence analysis.

8. The anomaly encryption detection device according to claim 6, characterized in that, The computing module is specifically used for: The algorithm corresponding to each data type is used to process the data of each data type to obtain the entropy value calculation result corresponding to each data type. The algorithm includes at least one of the following: most common value estimation algorithm, collision test estimation algorithm, Markov test estimation algorithm, and compression test estimation algorithm. Entropy fusion calculation is performed based on the entropy calculation results corresponding to the data of each data type to obtain the entropy calculation result of the data stream to be detected.

9. The anomaly encryption detection device according to any one of claims 6 to 8, characterized in that, The determining module is specifically used for: If the entropy value of the data stream to be detected is greater than the first entropy threshold, and the dimensional anomaly data indicates that the detection results of at least two dimensions in the multi-dimensional detection are abnormal, the data stream to be detected is determined to be at the first anomaly encryption level. or, If the entropy value of the data stream to be detected is less than or equal to the first entropy threshold and greater than or equal to the second entropy threshold, and the dimension anomaly data indicates that only one dimension of the multi-dimensional detection is abnormal, then the data stream to be detected is determined to be at the second anomaly encryption level. or, If the entropy value of the data stream to be detected is less than the second entropy threshold, and the dimension anomaly data indicates that the detection results of all dimensions in the multi-dimensional detection are normal, then the data stream to be detected is determined to be at the third anomaly encryption level. Wherein, the first abnormal encryption level is higher than the second abnormal encryption level, and the second abnormal encryption level is higher than the third abnormal encryption level.

10. The anomaly encryption detection device according to claim 9, characterized in that, The device further includes: an output module, a transmission module, or a generation module; The output module is used to determine the abnormal encryption judgment result of the data stream to be detected based on the entropy value calculation result and the dimensional abnormal data of the data stream to be detected, and then output alarm information when the data stream to be detected is at the first abnormal encryption level. or, The sending module is used to determine the abnormal encryption judgment result of the data stream to be detected based on the entropy value calculation result and the dimensional abnormal data of the data stream to be detected, and then, if the data stream to be detected is at the second abnormal encryption level, send a review task information to the client. The review task information is used to instruct the user to perform a review operation on the data stream to be detected. or, The generation module is used to generate a searchable log based on the data stream under test after determining the abnormal encryption judgment result of the data stream under test based on the entropy value calculation result and the dimensional abnormal data of the data stream under test. If the data stream under test is at the third abnormal encryption level, the generation module is used to determine the abnormal encryption judgment result of the data stream under test.

11. An electronic device, characterized in that, It includes a processor and a memory, the memory storing a program or instructions that can run on the processor, the program or instructions being executed by the processor to implement the abnormal encryption detection method as described in any one of claims 1-5.

12. A readable storage medium, characterized in that, The readable storage medium stores a program or instructions, which, when executed by a computer, implement the anomaly encryption detection method as described in any one of claims 1-5.

13. A computer program product, characterized in that, The computer program product is stored in a storage medium, and when the computer program product is executed by a computer, it implements the anomaly encryption detection method as described in any one of claims 1-5.