
Design And Implementation Of Trojan Detection System Based On Network Communication Content

Posted on: 2010-10-15  Degree: Master  Type: Thesis
Country: China  Candidate: J Y Yao  Full Text: PDF
GTID: 2178360278452454  Subject: Information networks and security
Abstract/Summary:
With the arrival of the information age, network security threats have grown alongside Internet applications. According to statistics, Trojans have become the most serious cause of information destruction and theft, so effective Trojan detection and prevention has become a focus of attention.

Most current Trojan detection methods are host-based (single-computer protection) and cannot provide regulatory authorities with effective network-wide monitoring. Methods based on intrusion detection systems mostly key on communication ports, and without inspecting the deeper content of the communication it is difficult to identify a Trojan accurately. More effective Trojan detection therefore calls for a dedicated network Trojan detection system.

This thesis designs and implements a Trojan Detection System Based on Network Communication Content in the context of a network security supervision project. After studying the basic principles and communication mechanisms of Trojans and analysing the Trojan detection products on the market, it compares several packet capture technologies (BPF-based libpcap, NAPI, memory-mapped capture, PF_RING and real-time IRQ handling) and pattern matching algorithms (the naive algorithm, Knuth-Morris-Pratt, Boyer-Moore and Boyer-Moore-Horspool). On this basis it proposes a Trojan detection method based on network communication content, using a packet capture technique that combines PF_RING, NAPI and real-time IRQ handling, and the Boyer-Moore-Horspool (BMH) pattern matching algorithm.

The thesis then gives a detailed design of the system: a distributed client/server system composed of four layers, namely a packet capture layer, a protocol analysis layer, a Trojan detection layer and a response layer. The system captures packets at high speed on a 1000 Mbit/s network, parses the protocols in real time to extract key fields, detects Trojan traffic and checks TCP connections, and finally writes results to a database or tears down the offending TCP connection as a response. After the structure and functions have been designed in detail, the thesis implements the system and describes the server, the client and the packet capture, protocol analysis, Trojan detection and response modules with flow charts, data structures and interfaces.

The key modules (the pattern matching algorithm and the TCP connection interruption function) and the whole system were tested after implementation. According to the tests, every function of the system works normally and stably: the system captures packets at close to wire speed and accurately detects the Trojan sample ZXShell in network traffic of 800 Mbit/s to 900 Mbit/s.

Finally, the thesis summarises the system and proposes directions for future work. The system is expected to be of real help to the network supervision of our nation.
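As an added illustration of what the Trojan detection layer does with the BMH algorithm the thesis selects, the following C program is example code written for this page, not code from the thesis or from any product it evaluates. It builds the BMH bad-character shift table for each content signature, runs a binary-safe right-to-left search over a reassembled TCP payload, and reports which signature hit. The signature bytes and the sample payloads are constructed for the example; they are not ZXShell signatures or captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ALPHABET 256

/* One content signature: a byte pattern plus its precomputed BMH shift table.
   Patterns must be matched on raw bytes, not C strings, because Trojan
   traffic routinely contains NUL bytes. */
typedef struct {
    const char *name;
    const uint8_t *pat;
    size_t len;
    size_t shift[ALPHABET];
} signature_t;

/* Build the BMH bad-character table: for each byte value, how far the window
   may slide when that byte is the last byte under the window. Bytes absent
   from the pattern (and the pattern's last byte) allow a full-length shift. */
static void bmh_build(signature_t *sig) {
    for (size_t c = 0; c < ALPHABET; c++) sig->shift[c] = sig->len;
    for (size_t i = 0; i + 1 < sig->len; i++)
        sig->shift[sig->pat[i]] = sig->len - 1 - i;
}

/* Binary-safe BMH search: offset of the first occurrence of sig->pat in
   text[0..n), or -1 if absent. Comparison runs right to left; the shift is
   taken from the last byte of the current window. */
static long bmh_search(const uint8_t *text, size_t n, const signature_t *sig) {
    size_t m = sig->len;
    if (m == 0 || n < m) return -1;
    size_t i = 0;
    while (i + m <= n) {
        size_t j = m;
        while (j > 0 && text[i + j - 1] == sig->pat[j - 1]) j--;
        if (j == 0) return (long)i;
        i += sig->shift[text[i + m - 1]];
    }
    return -1;
}

/* Constructed signature set for this example (hypothetical, not real samples). */
static const uint8_t SIG_A[] = "EXAMPLE-RAT-HELLO";                 /* text banner */
static const uint8_t SIG_B[] = { 0x00, 0x13, 0x37, 0x00, 0xAA, 0x55 }; /* binary header */
static signature_t signatures[] = {
    { "example-rat-banner",     SIG_A, sizeof SIG_A - 1, {0} },
    { "example-rat-binary-hdr", SIG_B, sizeof SIG_B,     {0} },
};
#define NSIGS (sizeof signatures / sizeof signatures[0])

/* Idempotent: tables are rebuilt from the same patterns each call. */
static void init_signatures(void) {
    for (size_t k = 0; k < NSIGS; k++) bmh_build(&signatures[k]);
}

/* Offset of signature k in a payload, or -1. */
static long signature_offset(const uint8_t *payload, size_t n, size_t k) {
    init_signatures();
    return bmh_search(payload, n, &signatures[k]);
}

/* Scan one reassembled TCP payload against every signature; returns the index
   of the first signature that hits, or -1 for a clean payload. */
static int detect_payload(const uint8_t *payload, size_t n) {
    init_signatures();
    for (size_t k = 0; k < NSIGS; k++)
        if (bmh_search(payload, n, &signatures[k]) >= 0) return (int)k;
    return -1;
}

/* Constructed payloads standing in for captured TCP segment data. */
static const uint8_t SAMPLE_CLEAN[]  = "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n";
static const uint8_t SAMPLE_BEACON[] = "junk\0junk" "EXAMPLE-RAT-HELLO" "\x00\x01";
static const uint8_t SAMPLE_BINHDR[] = { 0x41, 0x00, 0x13, 0x37, 0x00, 0xAA, 0x55, 0x42 };

int main(void) {
    const uint8_t *payloads[] = { SAMPLE_CLEAN, SAMPLE_BEACON, SAMPLE_BINHDR };
    size_t lens[] = { sizeof SAMPLE_CLEAN - 1, sizeof SAMPLE_BEACON - 1, sizeof SAMPLE_BINHDR };
    for (size_t p = 0; p < 3; p++) {
        int hit = detect_payload(payloads[p], lens[p]);
        if (hit < 0) printf("payload %zu: clean\n", p);
        else printf("payload %zu: matched %s at offset %ld\n", p, signatures[hit].name,
                    signature_offset(payloads[p], lens[p], (size_t)hit));
    }
    return 0;
}
```

Two practical caveats follow from the design. Running one BMH pass per signature scales linearly with the size of the signature set, which is why production engines move to a multi-pattern algorithm (Aho-Corasick or Wu-Manber) once the rule set grows; and a signature that straddles two TCP segments is only found if the detection layer matches on the reassembled stream rather than on individual packets, so the protocol analysis layer has to deliver reassembled payloads. Content matching of this kind is also blind to Trojans that encrypt their command channel.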
Keywords/Search Tags: Communication Content, Trojan Detection, Packet Capture, Pattern Matching