Research On Trojan Communication Behavior Detection Technology Based On Petri Net

Posted on: 2016-10-23
Degree: Master
Type: Thesis
Country: China
Candidate: T T Sha
Full Text: PDF
GTID: 2278330482963939
Subject: Computer science and technology
Abstract/Summary:
With the development of data-stealing Trojan horse technology, host-based Trojan detection can no longer meet security requirements. This thesis studies the description of Trojan communication behavior and Trojan behavior detection. By analyzing the Trojan's communication process and its behavioral characteristics, this thesis analyzes Trojan communication technology, proposes a network data stream compression method combined with data mining technology, and uses Petri nets for the formal description of Trojan traffic flow. Finally, building on the proposed Petri-net-based Trojan detection model, we implement a Trojan behavior detection system with low false positive and false negative rates.

First, we study the working principle and key technologies of Trojans, focusing on Trojan communication technology. By analyzing the actual traffic flow of Trojan samples, we divide Trojan communication into three stages and extract the behavioral characteristics of each stage. Based on the extracted behavioral characteristics, we analyze the detection methods for Trojan communication behavior and discuss the advantages and disadvantages of each method in terms of versatility, detection accuracy and detection efficiency.

Secondly, based on the correlation between network packets and using data mining methods, we select the most favorable granularity for describing network traffic flow, compress the network traffic flow, and then classify the compressed data into normal TCP data, DNS data, heartbeat data, small-packet interactive data and large-packet interactive data.

Finally, based on the data obtained by the efficient collection and processing method, we propose a behavior sequence detection method based on Petri nets, thereby establishing the Trojan communication behavior detection model. Using data window technology and the asynchronous interaction capabilities of Petri nets, we construct an efficient detection model capable of dynamically adjusting the window threshold according to experience and state. According to this detection model, we design and implement a Trojan communication behavior detection system, analyze the distribution of network 5-tuple flows, and design a conversation storage structure combining a hash table and multi-level linked lists, which improves the efficiency of the system. Some main tests are then carried out, and the experimental results show that the proposed system can detect common Trojans and Trojan variants effectively.
Keywords/Search Tags: Trojan, Behavior Analysis, Trojan Detection, Behavior Characteristic, Traffic Flow Analysis, Petri Nets