
Research On Classification Algorithms Of Trojan Horse Detection Based On Behavior Analysis

Posted on: 2009-02-22
Degree: Master
Type: Thesis
Country: China
Candidate: Y J Gu
GTID: 2178360245975250
Subject: Computer application technology

Abstract/Summary:
The rapid development and wide application of networks are raising more and more concern about information security. Trojan horses are consistently associated with information crime, whether economic, political or both. No practical solution has been found. The significance of the Trojan horse problem shows in the frequency and severity of related cases, and solving it has attracted concentrated research effort.

Current anti-Trojan products rely almost entirely on signature-based strategies. Behavior analysis, which can detect Trojans whose signatures are unknown, is an initiative (proactive) defense technique. Its potential to meet the future needs of information security has made behavior analysis a hotspot in anti-Trojan studies. Current behavior-analysis-based anti-Trojan strategies have the following problems: high false-alarm or failure-to-alarm rates, poor efficiency, and poor user-interface design. We conclude that the core problem lies in the immature classification algorithm model that is used to analyze and judge behaviors. Most previous studies have used existing classification algorithms that were not specifically designed for anti-Trojan work and may cause problems. This paper works on the design of an anti-Trojan-oriented algorithm based on behavior analysis. Our work is as follows:

Firstly, we identify the core problem in anti-Trojan detection based on behavior analysis. We analyze how Trojans cause harm, then their classes and behavioral characteristics, and illustrate the industry chain built around Trojans. We then discuss the main anti-Trojan techniques and criteria. We introduce behavior analysis and point out its advantages over these peer techniques. Some existing examples of anti-Trojan systems based on behavior analysis are presented in order to find the core problem, and we point out that the key is the immature classification algorithm model used to analyze and judge behaviors.

Secondly, we construct a standard for anti-Trojan algorithm systems and point out the upper limit of precision. We begin with the theory that all malicious code in a von Neumann system cannot be precisely predicted within polynomial computation time, so theoretically there is an upper limit on the precision of detection. We point out three principles of algorithm design: first, the algorithm should extract features automatically; second, the algorithm should adapt its efficiency to an increasing number of features; third, the algorithm should self-adaptively converge to a certain precision within polynomial computation time.

Thirdly, we propose algorithms for Trojan horse detection based on behavior analysis. Fuzzy classification is a method that deals with fuzzy patterns, which always have a fuzzy domain but a clear pattern. The features of both Trojans and legitimate code belong to such fuzzy patterns. Based on this fuzzy viewpoint and the three principles, we propose algorithms for Trojan horse detection based on behavior analysis. The method adaptively tunes the confidence value according to whether a classification was wrong or right, primarily in order to train the rules and, finally, to obtain a powerful classification machine for anti-Trojan use.

Fourthly, we organize experiments to obtain results. To ensure the authority of the experiment and to address the limited number of patterns, we introduced the cross-fold method to test the algorithm. 200 legitimate codes and 200 Trojan pattern descriptions from Symantec Corp. were analyzed, from which 7 behavioral features were extracted for the experiment. Our results show 100% local accuracy after a practical amount of training, and high-precision classification in the testing phase. We compared our algorithm with the Bayesian classification algorithm. Under equal conditions, our algorithm yielded better results in terms of both average and optimal accuracy.
Keywords/Search Tags:Initiative defense, Trojan horse, behavior analysis, fuzzy classification, adaptive mechanism, classification rate