
Research On Proactive Defense Technology Of Special Trojan Horse Based On Behavior Analysis

Posted on: 2013-06-20
Degree: Master
Type: Thesis
Country: China
Candidate: C X Li
Full Text: PDF
GTID: 2248330377459109
Subject: Computer software and theory

Abstract/Summary:
A special Trojan horse is a malicious program tailored for espionage personnel, with great offensive and destructive power against the classified internal networks of governments and enterprises. A representative special Trojan horse is the ferry Trojan horse, a kind of Trojan horse that steals sensitive data by ferrying it offline. It poses a great challenge to existing anti-virus software and firewalls. Protection is therefore more effective only when traditional passive defense is replaced by proactive defense. The study of proactive defense technology against special Trojan horses helps guarantee national information security and the security of enterprises' business secrets, and so has extremely important application value.

Building on research into ferry Trojan horse attack techniques and existing detection technology, this paper designs an active defense framework for a ferry Trojan protection system based on a three-layer security model comprising a driver layer, a behavior analysis engine and an application layer. Functionally, the ferry Trojan protection system includes five modules: file monitoring, application monitoring, registry monitoring, network monitoring and environmental detection. The environmental detection module, based on the idea of heuristic analysis, obtains and analyzes the system operating environment and host status information; it can detect system vulnerabilities and generate analysis reports. We then study how the driver layer captures program behavior, focusing on API hook technology and the file filter driver. After that, we discuss the core of proactive defense: behavior analysis. By studying the Bayesian classification algorithm and the strategy of summing weighted behavior, we summarize the strengths and weaknesses of these two behavior analysis strategies and propose a Bayesian behavior analysis algorithm based on weighted features. We analyze its feasibility from a theoretical perspective, construct the WFB model, give guidance on selecting the weights, and finally describe how the algorithm is applied to defense against the ferry Trojan horse.

Finally, we carry out functional tests of the defense system against the ferry Trojan horse on a virtual machine. We then test the system using the naive Bayesian classification algorithm and the strategy of summing weighted behavior, respectively, in the behavior analysis engine. The experimental results show that the functional modules of the defense system against the ferry Trojan horse run stably and that, under the same experimental conditions, the behavior analysis algorithm proposed in this paper has higher accuracy and lower false positive and missed alarm rates than the naive Bayesian classification algorithm and the strategy of summing weighted behavior.
Keywords/Search Tags: ferry horse, proactive defense, behavior analysis, weighted feature, Bayesian classification