中圖分類號：TP309.5文獻標(biāo)識碼：ADOI:10.19358/j.issn.2097-1788.2025.08.002
引用格式：靳京. 基于內(nèi)核指令檢測技術(shù)的勒索病毒防護研究［J］.網(wǎng)絡(luò)安全與數(shù)據(jù)治理，2025，44（8）：10-16.

Research on ransomware protection based on kernel instruction detection technology

Abstract： The core and essence of ransomware is the encryption operation of data. Its sequence characteristics at the kernel instruction level are relatively fixed and regular. The basic features of the core instructions of typical encryption algorithms are summarized and modeled to form a typical encryption algorithm assembly language instruction set based on a specific CPU architecture. At the same time, a Trie-based recursive marching algorithm is used to dynamically parse and analyze the instruction code sequence in memory, match and detect the running encryption algorithm instructions and their sequence characteristics. It can achieve real-time monitoring and early warning of the core operations of typical encryption algorithms at the instruction level, thereby improving the accuracy and effectiveness of protection against ransomware attacks. Experimental results have shown that it has a good detection effect on ransomware viruses using specific encryption algorithm instructions on a certain ARM architecture platform.

Key words : instruction detection; recursive marching algorithm; ransomware protection; cybersecurity