Research On Network Communication Signature Generation Technology Of Trojan Horses

Posted on: 2011-03-12 | Degree: Master | Type: Thesis
Country: China | Candidate: Y D Xing | Full Text: PDF
GTID: 2178330332978407 | Subject: Computer software and theory
Abstract/Summary:
Malware such as Trojan horses poses a growing threat to network security. To improve the efficiency of Trojan horse detection by NIDS, this thesis analyzes the characteristics and network communication forms of Trojan horses. Combined with a sequence alignment algorithm, a model for generating Trojan horse signatures is then designed and implemented.

Firstly, this thesis studies the current mainstream techniques for generating network signatures of malicious code, including the characteristics of the signature generation systems, their implementation process, and the effect of signature generation. The advantages and disadvantages of these techniques and their applicability to Trojans and other malicious code are analyzed. These provide an important reference for the design of the system.

Secondly, we study the working principle and communication mechanism of Trojan horses, particularly the communication technologies of remote-control Trojans. The causes and forms of the noise encountered when generating signatures from Trojan communication are discussed. The sequence alignment algorithm widely used in bioinformatics is then studied. According to the characteristics of Trojan network traffic, the two-sequence global alignment algorithm is extended, and an improved iteration-based hierarchical multiple sequence alignment algorithm is designed. It can be proved that its performance is improved compared with that of the original algorithm, especially when the quantity of noise is small.

Thirdly, building on the study of automatic malware network signature generation and Trojan communication technology, a signature generation system for Trojans is designed. The system mainly consists of a packet capture module, a signature generation module, a signature transformation module and a rule selection module. The extended two-sequence global alignment algorithm and the improved iteration-based hierarchical multiple sequence alignment algorithm are used in the signature generation module. Combined with the form and characteristics of Trojans, a united alarm form is designed to increase the accuracy of Trojan detection. Experiments show that the system is practical and effective.

Finally, the shortcomings of the system and ways to improve it are pointed out.
Keywords/Search Tags:Malicious Code, Trojan horse, Network signature generation, Multi-sequence alignment, Honeypot
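
The alignment-based signature idea summarized in the abstract, as an added example that is not taken from the thesis: it uses the textbook Needleman-Wunsch global alignment and a simple left-to-right fold over the samples, not the thesis's extended or hierarchical algorithms. The scoring values, the `signature_tokens` helper and the sample beacons are constructed assumptions.

```python
# Added example: textbook Needleman-Wunsch, not the thesis's extended algorithm.
GAP = None  # alignment gap, or a position that differs between samples

def global_align(a, b, match=2, mismatch=-1, gap=-1):
    """Globally align two lists of byte values; GAP marks inserted gaps."""
    n, m = len(a), len(b)
    score = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        score[i][0] = i * gap
    for j in range(1, m + 1):
        score[0][j] = j * gap
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            s = match if a[i - 1] == b[j - 1] else mismatch
            score[i][j] = max(score[i - 1][j - 1] + s,
                              score[i - 1][j] + gap,
                              score[i][j - 1] + gap)
    out_a, out_b, i, j = [], [], n, m
    while i > 0 or j > 0:  # trace back from the bottom-right cell
        s = match if i and j and a[i - 1] == b[j - 1] else mismatch
        if i and j and score[i][j] == score[i - 1][j - 1] + s:
            out_a.append(a[i - 1]); out_b.append(b[j - 1]); i -= 1; j -= 1
        elif i and score[i][j] == score[i - 1][j] + gap:
            out_a.append(a[i - 1]); out_b.append(GAP); i -= 1
        else:
            out_a.append(GAP); out_b.append(b[j - 1]); j -= 1
    return out_a[::-1], out_b[::-1]

def signature_tokens(samples, min_len=4):
    """Fold samples into one consensus, return invariant runs >= min_len."""
    consensus = list(samples[0])
    for sample in samples[1:]:
        al_c, al_s = global_align(consensus, list(sample))
        consensus = [x if x == y else GAP for x, y in zip(al_c, al_s)]
    tokens, run = [], []
    for x in consensus + [GAP]:  # trailing GAP flushes the last run
        if x is not GAP:
            run.append(x)
            continue
        if len(run) >= min_len:
            tokens.append(bytes(run))
        run = []
    return tokens

# Constructed beacon payloads: fixed keywords around a per-host id field.
SAMPLES = [b"HELO id=4821 cmd=PING\n",
           b"HELO id=90376 cmd=PING\n",
           b"HELO id=55 cmd=PING\n"]

if __name__ == "__main__":
    print(signature_tokens(SAMPLES))
```

The surviving tokens are the byte runs common to every sample; the variable-length id field is aligned away, which is the property that makes alignment more tolerant than fixed-offset matching.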