
The Research On The Theory And Technique Of Protection Against Trojan Horse Attack

Posted on: 2012-01-27
Degree: Master
Type: Thesis
Country: China
Candidate: E Z Yang
Full Text: PDF
GTID: 2178330332490589
Subject: Management Science and Engineering
Abstract/Summary:
With the rapid development of computer and network technology, attacks against computer networks have intensified and network security has become a prominent issue. Large numbers of computers are compromised by Trojans, viruses and other malicious code each year, causing serious economic losses. Because of their strong concealment, wide attack range and severe impact, Trojan attacks have become one of the most common network attack techniques and pose a serious threat to computer security.

Current mainstream Trojan detection methods mainly use signature technology, real-time monitoring technology and heuristic virtual machines. Behavioral analysis can detect unknown Trojans, viruses and other malicious programs; it has the character of active defense and has become a hot research field in current anti-Trojan and anti-virus research. Unlike traditional static signature-based scanning, it determines whether an unknown program is malicious by analyzing the dynamic behavior the program exhibits while running. Because of shortcomings such as a high false negative rate, a high false alarm rate and low application efficiency, it has not yet been widely applied and requires further research.

Accurately analyzing and summarizing the behavioral characteristics of Trojans is the premise for applying behavior analysis technology to the anti-Trojan field. In the experiment 226 Trojans were collected; with reference to the technical details of Trojans published by the laboratories of Symantec, CERT and other authoritative security vendors, the behavioral characteristics of the Trojans were verified experimentally and, combined with the relevant technical literature, the behavioral characteristics of the Trojan server in the implantation, installation, operation and communication phases were analyzed and summarized.

This paper introduces the principles of Trojan behavior analysis and its advantages and disadvantages, and discusses in depth the implementation of Trojan behavior analysis techniques. A decision tree classification algorithm classifies samples on the values of multiple attributes and can therefore classify samples of unknown type. In Trojan behavior analysis, a decision tree classification algorithm can be used to analyze the behavioral characteristics of unknown programs and determine whether they are Trojans. This paper selects the C4.5 algorithm, which chooses the attribute with the highest information gain ratio as the split attribute, to construct a decision tree model.

The paper discusses the application of the decision tree classification algorithm to Trojan behavior analysis: the behavioral characteristics of unknown programs are classified to construct a decision tree model, the false alarm rate and false negative rate are analyzed, and the application effect of the algorithm is verified. In the experiment, altogether 226 Trojan samples and 230 legitimate programs were collected, and 7 typical behavioral characteristics were extracted for the experiments. Based on the statistical analysis of Trojan behavioral characteristics derived from the experiment, the paper chose the six attributes with the highest frequency as split attributes, and added "visual interface presented", on which legitimate programs typically differ from Trojans, as a further split attribute. Besides, on the basis of Trojan behavior analysis and the constructed decision tree model, this paper presents a new anti-Trojan strategy based on the decision tree algorithm and implements a preliminary prototype.

The strategy uses the API hook technique to detect the API calls of unknown programs and, combined with a Trojan Identification Rules Knowledge Base built on the decision tree classification algorithm, automatically determines whether the unknown programs are Trojans. The strategy uses Detours to achieve DLL injection and API interception.
Keywords/Search Tags: Trojan Horse, Behavior Analysis, Decision Tree, API HOOK