
TrojanUrlDetector: A Statistical Analysis Based Trojan URL Detecting System

Posted on: 2011-12-03
Degree: Master
Type: Thesis
Country: China
Candidate: H Y Mu
GTID: 2178330332487811
Subject: Computer software and theory
Abstract/Summary:
With the development of computer technology, the Internet has become an increasingly popular tool in daily life. However, along with the utility it brings, it also introduces many threats to Web security. A Trojan is Web-based malicious software and poses an increasing threat to Web security.

In order to detect and kill Trojans, this paper first discusses the techniques used by Trojans, including hiding, anti-detection, automatic running and uploading techniques. Second, three system monitoring techniques that help detect Trojans are introduced: Inline Hook, SSDT Hook and IRP Hook. Then the statistical features of URLs' web traffic are analyzed; the result shows that the relation between the web traffic of a URL and its rank is an exponential function, which indicates that any two URLs are well differentiated by their web traffic. Based on this conclusion, a web-traffic-based URL suspicious degree calculation algorithm is proposed to find Trojan URLs. Finally, based on the URL suspicious degree calculation algorithm and with the help of those system monitoring techniques, a Trojan URL detecting framework, TrojanUrlDetector, is designed and implemented.

TrojanUrlDetector is a Virtual Machine (VM) based distributed system with two main modules: many web surfing VMs and one server VM. Each web surfing VM, on the one hand, visits URLs at a fast speed with different probabilities according to the distribution of web traffic and records all URLs that redirect the web browser automatically; on the other hand, it monitors its own system status. When a Trojan is downloaded in a VM, abnormal system status, such as the creation of new processes, will occur. In every time period, all web surfing VMs must submit the recorded URL list and system status to the server VM. The server VM then finds Trojan URLs according to the URL suspicious degree calculation algorithm.

Theoretical proof and simulation experiments show that TrojanUrlDetector can efficiently detect Trojan URLs and greatly increase the level of web security.
Keywords/Search Tags: web security, Trojan techniques, system monitoring technique, web traffic, statistical analysis