
Design And Implementation Of Process Behavior Match Based Trojan Analysis And Detection System

Posted on: 2013-08-26
Degree: Master
Type: Thesis
Country: China
Candidate: H C Ceng
Full Text: PDF
GTID: 2248330371466936
Subject: Information security
Abstract/Summary:
In this paper we design and implement a Trojan analysis and detection system based on process behavior matching. Traditional Trojan detection technology falls into two categories: static scanning and dynamic scanning (active defense). Static scanning cannot detect Trojan variants in time; an active-defense system must run continuously, which has a large impact on system performance, and it has only limited ability to detect a Trojan that was installed before the active-defense system itself. The system described here draws on the strengths of both methods and proposes a new approach to Trojan detection: the monitoring technology of active defense is used to capture the behaviors of a Trojan during its installation, and an analyst then abstracts a matching rule from those behaviors, which is used to decide whether the target host contains the Trojan. Because this method does not rely on signatures, the system is also suited to detecting Trojan variants and unknown Trojans.

The process behavior match based Trojan analysis and detection system, divided by usage, consists of an analysis part and a detection part; divided by functional module, it consists of a behavior capture module, a rule database module and a behavior matching module. From the data captured by the kernel-level behavior capture module we build two kinds of rules: normal rules and specified rules. For the normal rules we design a classification algorithm based on the Bayesian algorithm to classify Trojans. In this system the normal-rule process and the specified-rule process feed back into each other, which makes the system a self-learning one that can repeatedly handle new Trojans from the Internet. Specifically, the paper's main tasks include the following:

1) Designed the architecture of the process behavior match based Trojan analysis and detection system.
2) Designed the Trojan classification algorithm based on the Bayesian algorithm.
3) Described the implementation details of every module in the process behavior match based Trojan analysis and detection system.
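The abstract describes two rule kinds built from captured installation behaviors: specified rules (an exact behavior set an analyst abstracted from one Trojan) and normal rules (a Bayesian classifier over behaviors), plus a feedback loop between them. The following is an added illustration of that structure in Python; it is not code from the thesis, and the behavior names, the training records, the rule names and the function names are all constructed for the example. The Bayesian part is a Bernoulli naive Bayes over the presence or absence of each behavior, which is one reasonable reading of "a classification algorithm based on the Bayesian algorithm", not a claim about the thesis's exact model.

```python
# Added example, not the thesis's own code. Every behaviour name, sample and rule
# below is constructed; a real deployment would feed it the records captured by a
# kernel-level behaviour capture module (SSDT hooks / filter drivers).
from collections import Counter
from math import log

# Constructed training set: the behaviours one process showed during installation,
# labelled Trojan (True) or benign installer (False).
TRAINING = [
    ({"write_run_key", "create_service", "drop_file_system32", "hook_ssdt"}, True),
    ({"write_run_key", "inject_remote_thread", "connect_outbound"}, True),
    ({"drop_file_system32", "hook_ssdt", "hide_process"}, True),
    ({"write_run_key", "create_shortcut"}, False),
    ({"create_shortcut", "write_program_files"}, False),
    ({"write_program_files", "register_uninstall"}, False),
]

# Constructed "specified rules": an exact behaviour set an analyst abstracted from a
# known Trojan installation. A process matches when it shows every behaviour listed.
SPECIFIED_RULES = {
    "Trojan.Constructed.A": frozenset({"drop_file_system32", "hook_ssdt", "hide_process"}),
}


class BehaviorNaiveBayes:
    """The 'normal rule': Bernoulli naive Bayes over presence/absence of each behaviour."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha              # Laplace smoothing, keeps every probability in (0, 1)
        self.docs = Counter()           # number of training records per label
        self.counts = {True: Counter(), False: Counter()}  # records per label showing a behaviour
        self.vocab = set()              # every behaviour seen during training

    def train(self, samples):
        for behaviours, label in samples:
            self.docs[label] += 1
            self.counts[label].update(set(behaviours))  # each behaviour counted once per record
            self.vocab.update(behaviours)

    def _p_present(self, behaviour, label):
        # Smoothed P(behaviour observed | label); two outcomes, hence 2 * alpha in the denominator
        return (self.counts[label][behaviour] + self.alpha) / (self.docs[label] + 2 * self.alpha)

    def log_posterior(self, behaviours, label):
        score = log(self.docs[label] / sum(self.docs.values()))  # log prior
        for b in self.vocab:  # behaviours never seen in training contribute no evidence
            p = self._p_present(b, label)
            score += log(p) if b in behaviours else log(1 - p)
        return score

    def is_trojan(self, behaviours):
        return self.log_posterior(behaviours, True) > self.log_posterior(behaviours, False)


def match_specified(behaviours, rules=SPECIFIED_RULES):
    """Return the name of the first specified rule whose behaviour set is fully present."""
    observed = set(behaviours)
    for name, required in rules.items():
        if required <= observed:
            return name
    return None


def detect(behaviours, model, rules=SPECIFIED_RULES):
    """Exact specified rules first; fall back to the Bayesian normal rule otherwise."""
    hit = match_specified(behaviours, rules)
    if hit is not None:
        return ("specified", hit)
    return ("bayes", model.is_trojan(behaviours))


def feed_back(behaviours, model, rules, name):
    """The feedback loop the abstract describes: a Bayesian hit that an analyst confirms
    is abstracted into a new specified rule, and the confirmed record is added to the
    Bayesian training data so the normal rule learns from it as well."""
    rules[name] = frozenset(behaviours)
    model.train([(set(behaviours), True)])
    return rules


if __name__ == "__main__":
    model = BehaviorNaiveBayes()
    model.train(TRAINING)
    print(detect({"write_run_key", "hook_ssdt", "connect_outbound"}, model))
    print(detect({"create_shortcut", "write_program_files"}, model))
```

One caveat worth keeping in mind when reading the abstract's "unknown Trojan" claim: the classifier above ignores any behaviour it never saw in training, so a new Trojan is only caught by the normal rule if it reuses behaviours already present in the training data. That is exactly why the feedback step matters: each confirmed detection both adds a specified rule and extends the vocabulary the Bayesian rule can reason about.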
Keywords/Search Tags:Trojan, Behaviors Comparison, SSDT HOOK, Filter Drivers, Bayesian Algorithm