System and method for detection of malicious data encryption programs
First Claim
1. A method for detection of malicious encryption programs, the method comprising:
intercepting a file operation request from a client device on a file stored on a server;
responsive to intercepting the file operation request, creating and saving a backup copy of the file at the server;
collecting information about at least the client device, the requested file and the file operation request, wherein the collected information includes data buffers with original contents of the file and data that the file operation request is attempting to write in place of the file;
determining based on the collected information, whether a known malicious encryption program has been launched on the client device to attempt an execution of the file operation request on the server;
when the file operation request came from an unknown encryption program, calculating, by a hardware processor, a difference between a first entropy of a header of the file before the execution of the file operation request and a second entropy of a header of the data that the file operation request is attempting to write in place of the file;
when the difference is below a threshold, allowing the file operation request of the unknown encryption program on the file to be performed on the server and deleting the backup copy of the file, otherwise blocking a connection between the client device and the server and restoring the backup copy of the file at the server; and
sending information about the unknown encryption program to a component on the client device, the information comprising a name of a process executing the program, wherein the component is enabled to search and stop the process on the client device initiating the file operation request based on a reception of the information.
Abstract
A method for detection of malicious encryption programs, the method comprising: intercepting, at a server, a file operation request from a client on a file stored on the server; collecting information about at least the requested file and the requested operation; determining, by a hardware processor of the server, based on the collected information, whether the file operation request came from a known malicious encryption program; when the file operation request came from an unknown program, then calculating, by the hardware processor, entropies of at least a portion of the file before and after the execution of the requested operation on the file; and calculating, by the hardware processor, a difference between the calculated entropies; when the difference is below a threshold, allowing the requested operation on the file; and when the difference is above the threshold, denying the requested operation on the file.
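The claims and abstract describe the decision as a sequence of steps (backup, classify the requesting program, compare header entropies, allow or block-and-restore, notify the client agent) but give no numbers. The following is an added worked example, not code from the patent or its assignee. It assumes Shannon entropy in bits per byte, a "header" of the first 512 bytes, a threshold of 2.0 bits, and constructed sample buffers standing in for a document, a benign edit and ciphertext-like data; all of these are assumptions, not values from the page.

```python
import math
import random
from collections import Counter

# Assumptions (not from the patent text): the "header" is the first 512 bytes,
# and the entropy difference threshold is 2.0 bits per byte.
HEADER_LEN = 512
THRESHOLD_BITS = 2.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def header_entropy_delta(original: bytes, proposed: bytes,
                         header_len: int = HEADER_LEN) -> float:
    """Entropy of the data to be written minus entropy of the current file header."""
    return shannon_entropy(proposed[:header_len]) - shannon_entropy(original[:header_len])


def evaluate_write_request(original: bytes, proposed: bytes, process_name: str,
                           known_malicious: frozenset = frozenset(),
                           threshold: float = THRESHOLD_BITS) -> dict:
    """Model the server-side decision for one intercepted write request.

    Returns the file contents that end up on the server plus the action taken
    and the process name sent to the client-side component (None if not sent).
    """
    backup = bytes(original)                      # backup is taken before anything else
    if process_name in known_malicious:           # request from a known malicious program
        return {"action": "block", "delta": None, "file": backup, "notify": process_name}
    delta = header_entropy_delta(original, proposed)  # unknown program: compare headers
    if delta < threshold:                         # benign-looking write: apply it, drop backup
        return {"action": "allow", "delta": delta, "file": proposed, "notify": None}
    # otherwise: block the connection, restore the backup, tell the client agent which process to stop
    return {"action": "block", "delta": delta, "file": backup, "notify": process_name}


def _pseudo_random_bytes(seed: int, n: int) -> bytes:
    """Deterministic high-entropy buffer (constructed stand-in for ciphertext or a compressed file)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample inputs: not real files and not the output of any real malware.
ORIGINAL_DOC = (b"Quarterly report: revenue, costs, headcount. " * 40)[:1600]
BENIGN_EDIT = ORIGINAL_DOC.replace(b"revenue", b"REVENUE")
ENCRYPTED_LOOKING = _pseudo_random_bytes(20240101, 1600)
ALREADY_HIGH_ENTROPY = _pseudo_random_bytes(7, 1600)   # e.g. an archive that was already compressed


def demo() -> dict:
    """Run the four cases a practitioner would want to see side by side."""
    return {
        "benign_edit": evaluate_write_request(ORIGINAL_DOC, BENIGN_EDIT, "editor.exe"),
        "unknown_encryptor": evaluate_write_request(ORIGINAL_DOC, ENCRYPTED_LOOKING, "unknown.exe"),
        "known_encryptor": evaluate_write_request(ORIGINAL_DOC, ENCRYPTED_LOOKING, "bad.exe",
                                                  known_malicious=frozenset({"bad.exe"})),
        # Source already at high entropy: the delta stays small and the write is allowed.
        "high_entropy_source": evaluate_write_request(ALREADY_HIGH_ENTROPY, ENCRYPTED_LOOKING,
                                                      "unknown.exe"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        delta = "n/a" if result["delta"] is None else f"{result['delta']:.2f}"
        print(f"{name:20s} action={result['action']:5s} delta={delta} notify={result['notify']}")
```

The fourth case is the caveat to keep in mind when tuning the threshold: the check measures a change in entropy, not absolute entropy, so a file that is already compressed or encrypted (archives, media, encrypted containers) produces a small delta when overwritten with ciphertext and passes the check, while a legitimate program that compresses or encrypts a plain document produces a large delta and is blocked. The known-program lookup and the client-side process notification in the claims exist precisely because the entropy heuristic alone has both of these failure modes.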
18 Claims
7. A system for detection of malicious encryption programs, the system comprising:
a server having a hardware processor configured to: intercept a file operation request from a client device on a file stored on the server; responsive to intercepting the file operation request, create and save a backup copy of the file at the server; collect information about at least the client device, the requested file and the file operation request, wherein the collected information includes data buffers with original contents of the file and data that the file operation request is attempting to write in place of the file; determine based on the collected information, whether a known malicious encryption program has been launched on the client device to attempt an execution of the file operation request on the server; when the file operation request came from an unknown encryption program, calculate a difference between a first entropy of a header of the file before the execution of the file operation request and a second entropy of a header of the data that the file operation request is attempting to write in place of the file; when the difference is below a threshold, allow the file operation request of the encryption program on the file to be performed on the server and delete the backup copy of the file, otherwise block a connection between the client device and the server and restore the backup copy of the file at the server; and send information about the unknown encryption program to a component on the client device, the information comprising a name of a process executing the program, wherein the component is enabled to search and stop the process on the client device initiating the file operation request based on a reception of the information. (Dependent claims 8, 9, 10, 11, 12 not shown.)
13. A non-transitory computer readable medium storing computer executable instructions for detection of malicious encryption programs, including instructions for:
intercepting a file operation request from a client device on a file stored on a server; responsive to intercepting the file operation request, creating and saving a backup copy of the file at the server; collecting information about at least the client device, the requested file and the requested operation, wherein the collected information includes data buffers with original contents of the file and data that the file operation request is attempting to write in place of the file; determining, based on the collected information, whether a known malicious encryption program has been launched on the client device to attempt an execution of the requested file operation on the server; when the file operation request came from an unknown encryption program, calculating a difference between a first entropy of a header of the file before the execution of the requested operation and a second entropy of a header of the data that the file operation request is attempting to write in place of the file; when the difference is below a threshold, allowing the requested operation of the encryption program on the file to be performed on the server and deleting the backup copy of the file, otherwise blocking a connection between the client device and the server and restoring the backup copy of the file at the server; and sending information about the unknown encryption program to a component on the client device, the information comprising a name of a process executing the program, wherein the component is enabled to search and stop the process on the client device initiating the file operation request based on a reception of the information. (Dependent claims 14, 15, 16, 17, 18 not shown.)
Specification