Research On Unknown Trojan Detection Technology

Posted on: 2012-10-01
Degree: Master
Type: Thesis
Country: China
Candidate: M K Hu
Full Text: PDF
GTID: 2248330371458290
Subject: Computer software and theory

Abstract/Summary:
The unknown Trojan defined in this paper is one that has invaded the host but whose threat users cannot find. There are currently many good methods to defend against known Trojans. However, the detection of unknown Trojans is still the main task in network security. An unknown Trojan that can modify its signature as seen by antivirus software, or modify its rules of network communication, can easily bypass antivirus software or a firewall, which poses a great threat to personal information. Based on an analysis and summary of the behavior of unknown Trojans, this paper uses improved classification algorithms to distinguish unknown Trojans from normal programs, and achieves good results in experiments. The work of this paper is as follows:

(1) This paper puts forward a new Trojan detection algorithm. The algorithm combines rough set theory with Bayesian theory. Starting from the behavior properties of known Trojans, it uses the rough-set attribute reduction method to extract the behavior properties that effectively separate normal programs from Trojans, and then applies the improved Bayesian classification method to classify the normal programs and Trojans in the test set. Experiments show that using the Naive Bayesian algorithm can effectively improve the accuracy of detection and reduce the false positive rate and false negative rate.

(2) This paper also proposes a new SVM parameter optimization method to classify unknown Trojans and normal programs. To address the randomness in how the pattern search method determines its initial point, the method runs a coarse grid search to obtain a number of base points, divides the search range according to these base points, and uses a second-difference technique to obtain the starting point for the pattern search. Experimental results show that, compared with simply using the pattern search algorithm, this method reaches a higher accuracy more stably.

(3) According to the test results, we develop the corresponding Snort rules and construct an unknown Trojan detection system based on Snort. The system can properly detect the follow-up attacks of unknown Trojans, so as to achieve the purpose of defense.
Keywords/Search Tags: unknown Trojan, classification, Naive Bayesian, SVM, Parameter Optimization
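The pipeline in item (1), rough-set attribute reduction followed by Naive Bayesian classification, can be illustrated with the added example below; it is not code from the thesis. The behavior attribute names and sample rows are constructed, an exhaustive search stands in for the thesis's reduction method, and plain Laplace-smoothed Naive Bayes stands in for its improved variant, which the abstract does not describe.

```python
from collections import Counter, defaultdict
from itertools import combinations
from math import log

# Constructed sample data; attribute names are hypothetical behaviour flags.
ATTRS = ["autostart_key", "hidden_process", "outbound_beacon", "has_gui", "writes_tmp"]
TRAIN = [
    ((1, 1, 1, 0, 1), "trojan"), ((1, 1, 1, 0, 0), "trojan"),
    ((0, 1, 1, 0, 1), "trojan"), ((1, 0, 1, 1, 1), "normal"),
    ((0, 0, 1, 1, 0), "normal"), ((0, 0, 0, 1, 1), "normal"),
    ((1, 0, 0, 1, 0), "normal"), ((0, 1, 0, 0, 1), "normal"),
]

def dependency(rows, idx):
    """Rough-set dependency degree: share of rows whose values on idx fix the label."""
    labels, sizes = defaultdict(set), Counter()
    for vals, label in rows:
        key = tuple(vals[i] for i in idx)
        labels[key].add(label)
        sizes[key] += 1
    return sum(n for k, n in sizes.items() if len(labels[k]) == 1) / len(rows)

def reduct(rows, n_attrs):
    """Smallest attribute subset that discerns labels as well as the full set."""
    full = dependency(rows, range(n_attrs))
    for size in range(1, n_attrs + 1):
        for idx in combinations(range(n_attrs), size):
            if dependency(rows, idx) == full:
                return idx
    return tuple(range(n_attrs))

def train_nb(rows, idx):
    """Count label priors and per-attribute value frequencies on the reduct only."""
    prior, cond = Counter(), defaultdict(Counter)
    for vals, label in rows:
        prior[label] += 1
        for i in idx:
            cond[(label, i)][vals[i]] += 1
    return prior, cond

def classify(model, idx, vals):
    """Return the label with the highest Laplace-smoothed log posterior."""
    prior, cond = model
    total = sum(prior.values())
    def score(label):
        return log(prior[label] / total) + sum(
            log((cond[(label, i)][vals[i]] + 1) / (prior[label] + 2))  # binary attrs
            for i in idx)
    return max(prior, key=score)

if __name__ == "__main__":
    keep = reduct(TRAIN, len(ATTRS))
    print([ATTRS[i] for i in keep], classify(train_nb(TRAIN, keep), keep, (0, 1, 1, 1, 0)))
```

On this constructed table no single attribute separates the classes, so the reduction keeps two of the five attributes and the classifier is trained on those alone.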