
Research On Technology Of Trojan Horse Detection Based On Behavior Analysis

Posted on: 2012-09-02
Degree: Master
Type: Thesis
Country: China
Candidate: H J Yan
Full Text: PDF
GTID: 2248330374980826
Subject: Computer application technology

Abstract/Summary:
With the rapid development of network technology, network security has become an important research topic. At present, the main security threat has shifted from intrusions and network worms to Trojan-laden web pages that propagate Trojan horses. Trojan horses steal private information, classified documents and all kinds of accounts to make excessive profits, and issue botnet commands to launch group attacks, which seriously threatens the privacy of Internet users and the security of their data. Therefore, in today's open network environment, Trojan detection technology has become an important component of computer security technology.

At present, there are two kinds of technology that can detect Trojan horses. One is anomaly detection. This technology first establishes a library of normal characteristics and then, while monitoring in real time, judges attacks by matching against the characteristics in the library. Although this method can detect unknown Trojans, it has high FPP and FNP. The other is misuse detection, which uses empirical knowledge and relevant intrusion events collected by an expert system to build a feature database of attacks. When monitoring the system, it matches observed characteristics against the database to detect intrusions. Misuse detection can detect most known intrusions, but unknown intrusions can hardly be detected. Moreover, it is difficult to establish such a feature library.

Therefore, this paper presents a Trojan detection technology based on behavioral analysis, which can detect and judge both known and unknown Trojans. The main idea of the design is as follows: first, extract the behavior characteristics of Trojans and establish a Trojan characteristic database; on that basis, analyze the intercepted system calls; according to the analysis result, judge whether the program is a Trojan; and finally carry out the appropriate processing. In addition, the SVM algorithm is used to classify the program.

This paper has completed the following research:

(1) Studied Trojan detection technology and the working mechanism of Trojans, thoroughly analyzed the deficiencies of traditional Trojan detection technology, and applied behavioral analysis technology to Trojan detection.

(2) Analyzed the behavior characteristics of Trojans in depth. This paper mainly adopts Windows API hooks to analyze Trojan behavior: API hook technology was used to extract the system calls made by Trojan behavior, which were then analyzed and summarized.

(3) Applied the support vector machine classification algorithm to the Trojan detection field, established a classification model through experiment to achieve the purpose of classification, and finally judged whether a program is a Trojan or a legitimate program.

(4) Finally, established a Trojan detection model based on behavior analysis. The model comprises five modules: a program extraction module, a behavior monitoring module, a behavioral analysis module, a training module and a judge response module. The system implementation is also introduced, and related experiments were carried out.

Experimental results show that the algorithm achieved a better effect in detecting known and unknown Trojans. Compared with traditional Trojan detection technology, this algorithm has a lower rate of false alarm and rate of missing report, and the precision has improved obviously.
Keywords/Search Tags:Trojan, behavioral analysis, system call, Support Vector Machine (SVM)