
Research On Detection Of Web Trojan Based On Dynamic Analysis

Posted on: 2013-12-09
Degree: Master
Type: Thesis
Country: China
Candidate: F F Sun
Full Text: PDF
GTID: 2248330392960988
Subject: Electronic and communication engineering
Abstract/Summary:
The Internet has greatly changed the way people live and work, and people benefit from it in many respects. Meanwhile, the Internet is encountering increasingly serious security problems because of its inherent openness and vulnerability. Of all these security problems, the web Trojan is the most prevalent: it is easy to make, spreads efficiently, takes many variant forms, and can be linked into pages in diverse ways. It causes many serious security problems for ordinary Internet users, so research on the defense against and detection of web Trojans is urgently needed. This paper analyzed the dynamic behavior of web Trojans in the communication process and designed a detection system based on dynamic analysis.

Firstly, this paper studied the major attack technologies of web Trojans, including the attack process and insertion modes. Then the paper analyzed the typical behavior characteristics of web Trojans in the communication process, simulated their behavior and worked out the testing environment. On that basis, we accumulated a large quantity of web Trojan samples of different kinds as a sample library. We then used a variety of software tools and a global sequence alignment algorithm to analyze the samples' behavior, and summarized the key behaviors used in detection.

Secondly, according to these key behaviors, this paper designed and implemented a detection system based on dynamic analysis. We worked out the design target and structure, and discussed in detail the function and key technology of each module, such as the Snort intrusion detection system module, the weight analysis module and the threshold judgment module. The Snort intrusion detection system module analyzed the test samples and determined which key behaviors a given sample had triggered, so that the sample could be scored. The weight analysis module used the Analytic Hierarchy Process (AHP) to analyze the behavior characteristics from the previous modules, assigned each behavior a corresponding weight, and then added the weights together to derive the scoring mechanism. The threshold judgment module constructed a confusion matrix and defined measures such as the false alarm rate and the missed alarm rate in order to work out the best threshold.

Finally, this paper tested the detection system. The results proved the effectiveness and practical value of the system. In addition, based on a large quantity of sample tests, this paper obtained the best threshold for judging web Trojans.
Keywords/Search Tags: Web Trojan, behavior characteristic, weight analysis, intrusion detection
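
The scoring pipeline described in the abstract, sketched as an added example that is not code from the thesis: AHP turns pairwise importance judgments into behavior weights, a sample's score is the sum of the weights of the behaviors it triggered, and the threshold is picked from confusion-matrix counts. The behavior names, pairwise judgments, labelled samples, the geometric-mean AHP approximation and the selection criterion (smallest false alarm rate plus missed alarm rate) are all assumptions.

```python
import math

# Constructed behavior names; the abstract does not list the thesis's key behaviors.
BEHAVIORS = ["hidden_iframe", "obfuscated_script", "exe_download"]
# Constructed AHP pairwise judgments: PAIRWISE[i][j] = importance of i relative to j.
PAIRWISE = [[1, 1/2, 1/5],
            [2, 1, 1/3],
            [5, 3, 1]]
# Constructed test results: (behaviors whose Snort rule fired, really a web Trojan?)
SAMPLES = [
    ({"hidden_iframe", "obfuscated_script", "exe_download"}, True),
    ({"obfuscated_script", "exe_download"}, True),
    ({"hidden_iframe", "exe_download"}, True),
    ({"hidden_iframe", "obfuscated_script"}, True),
    ({"exe_download"}, False),          # benign download page
    ({"obfuscated_script"}, False),     # minified script on a benign site
    ({"hidden_iframe"}, False),
    (set(), False),
    (set(), False),
]

def ahp_weights(m):
    """Row geometric means, normalized: a common approximation of the AHP priority vector."""
    gm = [math.prod(row) ** (1 / len(row)) for row in m]
    return [g / sum(gm) for g in gm]

def consistency_ratio(m, w):
    """Saaty's CR; below 0.1 the pairwise judgments are conventionally accepted."""
    n = len(m)
    lam = sum(sum(m[i][j] * w[j] for j in range(n)) / w[i] for i in range(n)) / n
    random_index = {3: 0.58, 4: 0.90, 5: 1.12}[n]
    return (lam - n) / (n - 1) / random_index

def score(triggered, w):
    """Sum of the weights of the behaviors a sample triggered."""
    return sum(wi for b, wi in zip(BEHAVIORS, w) if b in triggered)

def best_threshold(samples, w):
    """Return (threshold, false alarm rate, missed alarm rate) minimizing the rates' sum."""
    scored = [(score(t, w), y) for t, y in samples]
    best = None
    for th in sorted({s for s, _ in scored}):
        fp = sum(1 for s, y in scored if not y and s >= th)
        fn = sum(1 for s, y in scored if y and s < th)
        far = fp / sum(1 for _, y in scored if not y)
        mar = fn / sum(1 for _, y in scored if y)
        if best is None or far + mar < best[1] + best[2]:
            best = (th, far, mar)
    return best
```

With these constructed inputs the benign download page is the one false alarm that remains at the chosen threshold; raising the threshold past it trades that false alarm for a missed Trojan.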