SYSTEM AND METHOD FOR DETECTION OF MALICIOUS DATA ENCRYPTION PROGRAMS
First Claim
1. A method for detection of malicious encryption programs, the method comprising:
intercepting, at a server, a file operation request from a client device on a file stored on the server;
creating and saving a backup copy of the file at the server;
collecting information about at least the client device, the requested file and the requested operation;
determining, by a hardware processor of the server, based on the collected information, whether a known malicious encryption program has been launched on the client device to attempt an execution of the file operation;
when the file operation request came from an unknown encryption program, calculating, by the hardware processor, entropies of at least a portion of the file before and after the execution of the requested operation on the file;
calculating, by the hardware processor, a difference between the calculated entropies;
when the difference is below a threshold, allowing the requested operation on the file; and
when the difference is above the threshold, denying the requested operation on the file and restoring the backup copy of the file at the server.
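The decision procedure of claim 1, worked through in code as an added example (not code from the patent or its assignee). The threshold value, the known-program list and the process-name check are constructed assumptions; the patent specifies none of them.

```python
import math
from collections import Counter

# Constructed values for this example; the patent states no specific threshold
# and no specific method for recognizing a known malicious encryption program.
ENTROPY_THRESHOLD = 1.5                  # bits per byte of entropy increase that triggers denial
KNOWN_MALICIOUS = {"cryptolocker.exe"}   # hypothetical placeholder, not a real indicator list

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a buffer in bits per byte (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def evaluate_file_operation(original: bytes, proposed: bytes, process_name: str,
                            sample_size: int = 4096) -> dict:
    """Apply the claimed steps to one write request on a server-side file.

    original: file content before the operation (this is also the backup copy)
    proposed: content the client device wants to write
    Returns the decision, the reason, the entropy difference and the content
    the server should keep (backup on deny, proposed content on allow).
    """
    backup = bytes(original)                      # create and save a backup copy
    info = {"process": process_name.lower()}      # collect information about the request
    if info["process"] in KNOWN_MALICIOUS:        # known malicious program launched?
        return {"decision": "deny", "reason": "known-malicious",
                "entropy_delta": None, "kept": backup}
    # Unknown program: compare entropies of a portion of the file before and after.
    before = shannon_entropy(original[:sample_size])
    after = shannon_entropy(proposed[:sample_size])
    delta = after - before
    if delta > ENTROPY_THRESHOLD:                 # above threshold: deny and restore backup
        return {"decision": "deny", "reason": "entropy-jump",
                "entropy_delta": delta, "kept": backup}
    return {"decision": "allow", "reason": "entropy-ok",   # below threshold: allow
            "entropy_delta": delta, "kept": proposed}
```

A compressed or already-encrypted original has high entropy to begin with, so its difference stays small even when overwritten with ciphertext; that is why the claim measures the difference rather than the absolute value, and why the sampled portion and threshold need tuning per file type.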
1 Assignment
0 Petitions
Abstract
A method for detection of malicious encryption programs, the method comprising: intercepting, at a server, a file operation request from a client on a file stored on the server; collecting information about at least the requested file and the requested operation; determining, by a hardware processor of the server, based on the collected information, whether the file operation request came from a known malicious encryption program; when the file operation request came from an unknown program, then calculating, by the hardware processor, entropies of at least a portion of the file before and after the execution of the requested operation on the file; and calculating, by the hardware processor, a difference between the calculated entropies; when the difference is below a threshold, allowing the requested operation on the file; and when the difference is above the threshold, denying the requested operation on the file.
43 Citations
21 Claims
1. A method for detection of malicious encryption programs, the method comprising:
intercepting, at a server, a file operation request from a client device on a file stored on the server;
creating and saving a backup copy of the file at the server;
collecting information about at least the client device, the requested file and the requested operation;
determining, by a hardware processor of the server, based on the collected information, whether a known malicious encryption program has been launched on the client device to attempt an execution of the file operation;
when the file operation request came from an unknown encryption program, calculating, by the hardware processor, entropies of at least a portion of the file before and after the execution of the requested operation on the file;
calculating, by the hardware processor, a difference between the calculated entropies;
when the difference is below a threshold, allowing the requested operation on the file; and
when the difference is above the threshold, denying the requested operation on the file and restoring the backup copy of the file at the server.
Dependent claims: 2, 3, 5, 6, 7.
4. (canceled)
8. A system for detection of malicious encryption programs, the system comprising:
a server having a hardware processor configured to:
intercept a file operation request from a client device on a file stored on the server;
create and save a backup copy of the file at the server;
collect information about at least the client device, the requested file and the requested operation;
determine, based on the collected information, whether a known malicious encryption program has been launched on the client device to attempt an execution of the file operation;
when the file operation request came from an unknown encryption program, calculate entropies of at least a portion of the file before and after the execution of the requested operation on the file;
calculate a difference between the calculated entropies;
when the difference is below a threshold, allow the requested operation on the file; and
when the difference is above the threshold, deny the requested operation on the file and restore the backup copy of the file at the server.
Dependent claims: 9, 10, 12, 13, 14.
11. (canceled)
15. A non-transitory computer readable medium storing computer executable instructions for detection of malicious encryption programs, including instructions for:
intercepting, at a server, a file operation request from a client device on a file stored on the server;
creating and saving a backup copy of the file at the server;
collecting information about at least the client device, the requested file and the requested operation;
determining, based on the collected information, whether a known malicious encryption program has been launched on the client device to attempt an execution of the file operation;
when the file operation request came from an unknown encryption program, calculating entropies of at least a portion of the file before and after the execution of the requested operation on the file;
calculating a difference between the calculated entropies;
when the difference is below a threshold, allowing the requested operation on the file; and
when the difference is above the threshold, denying the requested operation on the file and restoring the backup copy of the file at the server.
Dependent claims: 16, 17, 19, 20, 21.
18. (canceled)
Specification