Behavioral Analysis Of Trojan Horses And Research On A New Anti-Trojan Strategy

Posted on: 2007-06-15
Degree: Master
Type: Thesis
Country: China
Candidate: H B Shang
Full Text: PDF
GTID: 2178360182970972
Subject: Computer application technology
Abstract/Summary:
In recent years, the number of trojan horses has increased so rapidly that trojans now make up the largest part of all illegal programs, and they have caused much more serious damage and losses. As a result, anti-trojan research has become a hot spot and a main focus in the area of network security. Because it can detect unknown trojans, behavioral analysis has become a hot spot in anti-trojan research. Unlike traditional signature-based scanning, the technique classifies programs according to their behavioral characteristics. However, it has not been widely applied because of its "high rate of false alarm" problem. Since a trojan's characteristics must be identified before it can be analyzed, the thesis comprehensively summarizes the techniques trojans use to achieve file hiding and autostart at installation time, process hiding at startup, and network communication hiding, and then analyzes and summarizes the behaviors of trojan servers and the objects corresponding to these techniques. The thesis also introduces the principle and advantages of trojan behavioral analysis and examines techniques for implementing it. Classification algorithms, such as the Naive Bayes Algorithm, classify samples according to the values of their attributes. Furthermore, all of them are used to classify unsorted samples, and they could therefore be applied in trojan behavioral analysis to detect unknown trojans. The thesis describes the workflow of the trojan behavioral analysis module in current security software, points out the causes of its false alarms and missing reports, and proposes applying the Naive Bayes Algorithm, which is expected to reduce the rates of false alarm and missing report in the analysis.
To test the algorithm's effect, two classification experiments were carried out on the same group of trojans and legitimate programs using two different analysis methods, one taken from some security software and the other, integrated with the Naive Bayes Algorithm, proposed in this thesis, and their rates of false alarm and missing report were compared. For the experiments, 228 legitimate programs were collected and the technical details of 224 trojans were looked up and studied. The rates of false alarm and missing report of the method proposed in the thesis are about 0.44% and 10.71%, which are approximately 12% and 40% less than the test results of the other method of trojan behavioral analysis. In addition, a new strategy of trojan behavioral analysis is designed based on the above theoretical analysis and experiments; it adopts techniques such as DLL remote injection and Import Address Table modification, and is integrated with the Naive Bayes Algorithm to detect trojans.
Keywords/Search Tags: trojan horse, behavioral analysis, Naive Bayes Algorithm, rate of false alarm, rate of missing report, API hooking
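
The comparison the abstract describes, as an added illustration that is not code or data from the thesis: a Bernoulli Naive Bayes classifier over the four behavior classes the abstract names, scored by rate of false alarm and rate of missing report. All samples are constructed, the attribute names are assumptions, and the fixed-count rule is a hypothetical stand-in for a rule-based analyzer, not the security software the thesis tested.

```python
import math

# Behavior classes named in the abstract; one boolean attribute each (names assumed).
FEATURES = ("autostart", "file_hiding", "process_hiding", "net_hiding")
# Constructed samples (not thesis data): (set of observed behaviors, label).
TRAIN = [
    ({"autostart", "file_hiding", "process_hiding", "net_hiding"}, "trojan"),
    ({"autostart", "process_hiding", "net_hiding"}, "trojan"),
    ({"autostart", "file_hiding", "net_hiding"}, "trojan"),
    ({"file_hiding", "process_hiding"}, "trojan"),
    ({"autostart"}, "legit"), ({"autostart"}, "legit"), ({"autostart"}, "legit"),
    ({"file_hiding"}, "legit"), (set(), "legit"), (set(), "legit"),
]
TEST = [
    ({"autostart"}, "legit"), (set(), "legit"),
    ({"autostart", "file_hiding"}, "legit"), ({"file_hiding"}, "legit"),
    ({"autostart", "file_hiding", "process_hiding", "net_hiding"}, "trojan"),
    ({"autostart", "process_hiding", "net_hiding"}, "trojan"),
    ({"file_hiding", "net_hiding"}, "trojan"), ({"autostart"}, "trojan"),
]

def train(samples):
    """Per class: prior and Laplace-smoothed P(behavior observed | class)."""
    model = {}
    for label in sorted({lbl for _, lbl in samples}):
        rows = [obs for obs, lbl in samples if lbl == label]
        probs = {f: (sum(f in r for r in rows) + 1) / (len(rows) + 2) for f in FEATURES}
        model[label] = (len(rows) / len(samples), probs)
    return model

def classify(model, observed):
    """Return the class with the highest log posterior; absent behaviors count too."""
    def score(label):
        prior, probs = model[label]
        return math.log(prior) + sum(
            math.log(probs[f] if f in observed else 1 - probs[f]) for f in FEATURES)
    return max(model, key=score)

def count_rule(observed, threshold=2):
    """Hypothetical baseline: alarm when at least `threshold` behaviors are seen."""
    return "trojan" if len(observed) >= threshold else "legit"

def rates(predict, samples):
    """(false alarm rate over legitimate programs, missing report rate over trojans)."""
    legit = [o for o, lbl in samples if lbl == "legit"]
    trojan = [o for o, lbl in samples if lbl == "trojan"]
    return (sum(predict(o) == "trojan" for o in legit) / len(legit),
            sum(predict(o) == "legit" for o in trojan) / len(trojan))

MODEL = train(TRAIN)  # fitted once on the constructed training samples
```

On these constructed samples both methods miss the trojan that shows only autostart, while the count rule also raises a false alarm on the legitimate program that combines two behaviors common among legitimate software.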