
Research On The Technology Of Ferry Trojan Detection Based On Behavior Analysis

Posted on: 2017-01-29 | Degree: Master | Type: Thesis
Country: China | Candidate: H N Chen | Full Text: PDF
GTID: 2308330485460467 | Subject: Information security
Abstract/Summary:
A "Ferry Trojan" is a special kind of Trojan designed to intrude into intranets and classified networks. It is highly targeted: its targets are usually important departments and classified information systems, such as those holding the core competitiveness of national defense, military-industrial enterprises, scientific research institutes, government agencies, and economic and financial agencies. Once a system has been successfully intruded, the attackers can illegally steal large amounts of classified information and important documents related to core national interests, which poses a serious threat to national security. Compared with traditional Trojans, which are usually used to steal account information, the Ferry Trojan poses a more serious threat to classified networks and national security.

Research on Ferry Trojan detection techniques is therefore important for protecting national secrets, business secrets, and financial security. Meanwhile, behavior analysis is one of the hot spots in the field of network security, especially in intrusion detection. Compared with traditional feature-code detection and other detection technologies, behavior analysis has more obvious technical advantages.

First, after introducing the principle of the ferry attack and the feature-code detection and integrity detection approaches to Trojan detection, this paper focuses on the key API calls and key call parameters of the Ferry Trojan and establishes a set of key API calls, which is used for the abstract representation of Ferry Trojan behavior features.

Secondly, we propose a scheme for abstractly representing Ferry Trojan behavior features and for analysing the behavior characteristics of the Ferry Trojan. Specifically, we use API calls to describe all the characteristics of program behavior, use short sequences of API calls as the abstract representation unit of program behavior, and weight each abstraction unit using several important attributes, including integrated call timing, critical call parameters and so on.

Finally, we design a Ferry Trojan detection system based on behavior analysis, which consists of a monitoring module, a behavior analysis module and a detection module. Experimental results from training and testing on the sample set show that the proposed scheme represents Ferry Trojan behavior features effectively, with a higher Ferry Trojan detection rate and a lower false alarm rate. Consequently, the scheme achieves the objective of detecting Ferry Trojans correctly.
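
One possible reading of the weighted short-sequence representation described in the abstract, as an added example (not code from the thesis). The key-API set, the weights, the sequence length, the removable-drive root used as the critical parameter, the cosine-similarity decision and the traces are all assumptions constructed for illustration.

```python
from collections import Counter
from math import sqrt

# Assumed key-API set and weights (hypothetical; the thesis's own set is not on this page).
KEY_API_WEIGHT = {"GetDriveTypeW": 2.0, "FindFirstFileW": 1.5, "CopyFileW": 2.0,
                  "CreateFileW": 1.0, "ReadFile": 1.0, "WriteFile": 1.0}
REMOVABLE_ROOTS = ("E:\\",)   # assumed critical parameter: path on a removable volume
K = 3                         # short-sequence length (assumed)
BURST_SECONDS = 1.0           # span treated as tight call timing (assumed)

def weighted_vector(trace):
    """trace: list of (timestamp, api, param). Returns {short sequence: weight}."""
    calls = [c for c in trace if c[1] in KEY_API_WEIGHT]    # keep key API calls only
    vec = Counter()
    for i in range(len(calls) - K + 1):
        unit = calls[i:i + K]                               # one abstraction unit
        w = sum(KEY_API_WEIGHT[api] for _, api, _ in unit) / K
        if any(p.upper().startswith(REMOVABLE_ROOTS) for _, _, p in unit):
            w *= 2.0                                        # critical call parameter
        if unit[-1][0] - unit[0][0] <= BURST_SECONDS:
            w *= 1.5                                        # tight call timing
        vec[tuple(api for _, api, _ in unit)] += w
    return dict(vec)

def cosine(a, b):
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = sqrt(sum(v * v for v in a.values()))
    nb = sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def detect(trace, profile, threshold=0.5):
    return cosine(weighted_vector(trace), profile) >= threshold

# Constructed traces (not real captures): one training trace, two traces to classify.
TRAIN = [(0.0, "GetDriveTypeW", "E:\\"),
         (0.1, "FindFirstFileW", "C:\\docs\\*.doc"), (0.2, "CopyFileW", "E:\\cache\\a.doc"),
         (0.3, "FindFirstFileW", "C:\\docs\\*.xls"), (0.4, "CopyFileW", "E:\\cache\\b.xls")]
SUSPECT = [(5.0, "GetDriveTypeW", "E:\\"), (5.1, "GetTickCount", ""),
           (5.2, "FindFirstFileW", "C:\\work\\*.doc"), (5.3, "CopyFileW", "E:\\cache\\c.doc")]
BENIGN = [(0.0, "CreateFileW", "C:\\notes.txt"), (4.0, "ReadFile", "C:\\notes.txt"),
          (9.0, "WriteFile", "C:\\notes.txt")]
PROFILE = weighted_vector(TRAIN)

if __name__ == "__main__":
    print(detect(SUSPECT, PROFILE), detect(BENIGN, PROFILE))
```

The non-key call in `SUSPECT` is filtered out before windowing, so interleaved noise calls do not break the match against the profile.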
Keywords/Search Tags:Ferry Trojan, Behavior Analysis, API Calling, Weighting, Short Sequences, Weighted Feature Vector