Data detection method and electronic device

The invention claimed is: 1 . A data detection method, the method comprising: determining count features respectively corresponding to a plurality of time points based on data blocks of a storage object, wherein the count features comprise a plurality of count values for the data blocks, and wherein the data blocks are deduplicated data blocks; determining, for a first time point among the plurality of time points and according to the count features respectively corresponding to the plurality of time points, a plurality of corresponding correlation coefficients between a count feature for the first time point and count features for the other time points among the plurality of time points, wherein determining the count features respectively corresponding to the plurality of time points based on the data blocks of the storage object comprises: counting the number of the deduplicated data blocks in the storage object that conform to statistical features determined for the deduplicated data blocks at the plurality of time points, wherein the statistical features comprise numbers of reads and writes performed of the deduplicated data blocks, and generating the count features respectively corresponding to the plurality of time points according to the number counted; and determining, if a score determined according to the plurality of correlation coefficients is less than a predetermined threshold, that the storage object corresponding to the first time point is under attack, wherein the score comprises an average of the plurality of correlation coefficients. 2 . The method according to claim 1 , further comprising: determining the plurality of corresponding correlation coefficients based on distances between the count feature for the first time point and the count features for the other time points among the plurality of time points. 3 . The method according to claim 1 , further comprising: determining the statistical features of the data blocks prior to counting the number of the deduplicated data blocks in the storage object that conform to the statistical features at the plurality of time points, wherein the statistical features are binary bytes of a predetermined length. 4 . The method according to claim 1 , further comprising: determining, after determining that the storage object corresponding to the first time point is under attack, that snapshots of the storage object prior to the first time point are candidate snapshots; and locking the candidate snapshots to avoid being deleted. 5 . The method according to claim 4 , further comprising: checking the candidate snapshots and selecting a snapshot that corresponds to a time point when the storage system is not under attack by malware and has the latest generation time as a target snapshot; and recovering, according to the target snapshot, the storage system to a state corresponding to the target snapshot. 6 . The method according to claim 1 , further comprising: setting to preform, at a predetermined time interval, the counting of the number of the deduplicated data blocks in the storage object that conform to the statistical features. 7 . An electronic device for snapshot classification, comprising: a processor; and a memory coupled to the processor and having instructions stored therein, wherein the instructions, when executed by the processor, cause the electronic device to perform operations comprising: determining count features respectively corresponding to a plurality of time points based on data blocks of a storage object, wherein the count features comprise a plurality of count values for the data blocks, and wherein the data blocks are deduplicated data blocks; determining, for a first time point among the plurality of time points and according to the count features respectively corresponding to the plurality of time points, a plurality of corresponding correlation coefficients between a count feature for the first time point and count features for the other time points among the plurality of time points, wherein determining the count features respectively corresponding to the plurality of time points based on the data blocks of the storage object comprises: counting the number of the deduplicated data blocks in the storage object that conform to statistical features determined for the deduplicated data blocks at the plurality of time points, wherein the statistical features comprise numbers of reads and writes performed of the deduplicated data blocks, and generating the count features respectively corresponding to the plurality of time points according to the number counted; and determining, if a score determined according to the plurality of correlation coefficients is less than a predetermined threshold, that the storage object corresponding to the first time point is under attack, wherein the score comprises an average of the plurality of correlation coefficients. 8 . The electronic device according to claim 7 , wherein the operations further comprise: determining the plurality of corresponding correlation coefficients based on distances between the count feature for the first time point and the count features for the other time points among the plurality of time points. 9 . The electronic device according to claim 7 , wherein the operations further comprise: determining the statistical features of the data blocks prior to counting the number of the deduplicated data blocks in the storage object that conform to the statistical features at the plurality of time points, wherein the statistical features are binary bytes of a predetermined length. 10 . The electronic device according to claim 7 , wherein the operations further comprise: determining, after determining that the storage object corresponding to the first time point is under attack, that snapshots of the storage object prior to the first time point are candidate snapshots; and locking the candidate snapshots to avoid being deleted. 11 . The electronic device according to claim 10 , wherein the operations further comprise: checking the candidate snapshots and selecting a snapshot that corresponds to a time point when the storage system is not under attack by malware and has the latest generation time as a target snapshot; and recovering, according to the target snapshot, the storage system to a state corresponding to the target snapshot. 12 . The electronic device according to claim 7 , the actions further comprising: setting to preform, at a predetermined time interval, the counting of the number of the deduplicated data blocks in the storage object that conform to the statistical features. 13 . A computer program product having a non-transitory computer readable medium which stores a set of instructions for data detection; the set of instructions, when carried out by computerized circuitry, causing the computerized circuitry to perform a method of: determining count features respectively corresponding to a plurality of time points based on data blocks of a storage object, wherein the count features comprise a plurality of count values for the data blocks, and wherein the data blocks are deduplicated data blocks; determining, for a first time point among the plurality of time points and according to the count features respectively corresponding to the plurality of time points, a plurality of corresponding correlation coefficients between a count feature for the first time point and count features for the other time points among the plurality of time points, wherein determining the count features respectively corresponding to the plurality of time points based on the data blocks