
Trojan Detection System Based On Evidence Of Communication Behaviors

Posted on: 2014-02-01
Degree: Master
Type: Thesis
Country: China
Candidate: L Xue
Full Text: PDF
GTID: 2248330395484306
Subject: Information security
Abstract/Summary:
Nowadays, with new Trojans constantly appearing on the Internet, it is difficult for signature-based firewalls and IDS to detect unknown malware. Besides, host-based behavior detection can hardly be deployed at the IP layer. This paper proposes a new malware detection model based on network communication behavior, named DTrojan, which combines the theory and ideas of the Bayesian classification algorithm. In this model, the known Trojan network features are abstracted, extracted and generalized into feature items to be detected (classified). Afterwards, a detecting engine, namely a classification machine, is formed by training on Trojan sample data. Thus, a model for detecting unknown Trojans can be realized.

This model is deployed on the gateway of the whole LAN, works on the basis of the whole LAN's communication data, and detects communication features during different phases, including communication connection establishment, data interaction, and connection retention. The model does not judge from a single feature, but from tests repeated many times and from multiple feature detections. It also provides a suspicious probability to users as a reference. Judging from the above features, the model not only has the ability to detect unknown Trojans, but also has a low false positive rate.

The malware detection prototype system DTrojanPrototype is built on the basis of the above model. This system can effectively detect the traffic features of hosts in the whole LAN in order to defend the LAN. Thus, it can solve the problems of cross-platform support and repeated installation that single-host detection systems have.
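As an added illustration of the classification machine described above (not code from the thesis or the DTrojan system), here is a Bernoulli naive Bayes classifier trained on constructed samples that combines several observations of one host's per-phase feature items into a single suspicious probability, so that repeated tests accumulate evidence instead of one feature deciding alone. The three feature names and the training set are assumptions made for this example; the abstract does not list DTrojan's concrete features.

```python
from collections import defaultdict
from math import log, exp

# Feature items, one per communication phase named in the abstract. The abstract does
# not list DTrojan's concrete features; these three are assumed for illustration.
FEATURES = ("connect_periodic",    # establishment: host reconnects at a regular interval
            "upload_dominant",     # data interaction: more bytes sent than received
            "long_idle_session")   # retention: long-lived session carrying little payload

# Constructed training samples: (feature presence vector, label).
TRAINING = [
    ((True, True, True), "trojan"),
    ((True, False, True), "trojan"),
    ((True, True, False), "trojan"),
    ((False, True, True), "trojan"),
    ((False, False, False), "benign"),
    ((True, False, False), "benign"),
    ((False, True, False), "benign"),
    ((False, False, True), "benign"),
    ((False, False, False), "benign"),
    ((False, False, False), "benign"),
]

class BernoulliNB:
    """Naive Bayes over boolean feature items: the 'classification machine' of the model."""
    def __init__(self, samples, alpha=1.0):
        by_label = defaultdict(list)
        for vec, label in samples:
            by_label[label].append(vec)
        self.prior = {lab: len(v) / len(samples) for lab, v in by_label.items()}
        # Laplace smoothing: a feature value unseen in training must not zero out a class.
        self.cond = {lab: [(sum(v[i] for v in vecs) + alpha) / (len(vecs) + 2 * alpha)
                           for i in range(len(FEATURES))]
                     for lab, vecs in by_label.items()}

    def suspicious_probability(self, observations):
        """P(trojan | all observations of one host); each observation is one feature vector."""
        logpost = {}
        for lab in self.prior:
            lp = log(self.prior[lab])
            for obs in observations:          # every repeated test adds its evidence
                for i, present in enumerate(obs):
                    p = self.cond[lab][i]
                    lp += log(p if present else 1 - p)
            logpost[lab] = lp
        m = max(logpost.values())             # shift to avoid underflow on many tests
        total = sum(exp(v - m) for v in logpost.values())
        return exp(logpost["trojan"] - m) / total
```

With the constructed data, one observation of (periodic connect, balanced transfer, idle session) yields about 0.68, and a second identical observation raises the posterior to about 0.87, which is the accumulation of evidence the abstract describes.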
Keywords/Search Tags: Trojan Detection, Bayesian Network, PF_RING, Network Packet Capture