
Research And Implementation Of Detection Of Trojan Horse Based On Sandbox

Posted on: 2017-02-18
Degree: Master
Type: Thesis
Country: China
Candidate: Y H Chen
Full Text: PDF
GTID: 2308330485469650
Subject: Computer technology
Abstract/Summary:
In recent years, with the rapid development of computer technology, Internet applications have spread quickly and the number of Internet users has risen sharply. As a result, users' machines are constantly exposed to control and monitoring by hackers, become targets of attack, and are even used as intermediate hosts from which other machines are attacked. The Trojan horse, as a class of malicious program, is an important means by which hackers steal users' online account information, private data and business secrets. Compared with other kinds of malicious programs, Trojans are more destructive and more dangerous, so this paper focuses on Trojan horse detection technology.

Trojan detection is generally divided into static and dynamic detection. Static detection does not run the program, so it causes no real damage to the system, detects quickly and has a low false alarm rate. However, it depends on a large feature library, performs poorly against known Trojans that have been hidden or slightly modified, and is helpless against unknown Trojans. Dynamic detection can capture Trojan behaviour in real time and detect new Trojans from that behaviour, but running the program consumes more system resources, which lowers efficiency, and the Trojan does cause real harm while it runs. Sandbox technology is a security protection mechanism that isolates and restricts the execution of a program, so it can be used to test suspicious programs without letting their malicious behaviour harm the system: resources the program creates or modifies are redirected into the sandbox, so the program operates on virtual resources or copies rather than the real ones, and its execution is thereby isolated. A sandbox used as the isolation layer for dynamic Trojan detection therefore protects the real host from damage while presenting the program with the same environment as the real host.

This paper targets Windows PE files. It analyses and summarises the shortcomings of current Trojan detection technology, concentrates on Trojan behaviour analysis and on applying the extended attack tree model to Trojan detection, and proposes an improved Trojan detection method based on the extended attack tree model. By comparing and analysing static analysis of PE file characteristics with sandbox-based monitoring and control, and combining static detection with sandbox-based dynamic detection, it achieves more efficient and complete Trojan detection. The main innovations of this paper are as follows:

(1) Based on the analysis of behaviour features, the extended attack tree model is introduced into Trojan detection, and the model is extended by enriching the node attribute information, giving a more accurate matching model.

(2) An improved Trojan detection method based on the extended attack tree model is proposed, which improves the risk index algorithm and the model matching algorithm and uses behaviour-based detection. The experimental results show that the improved method performs better in both false positive rate and false negative rate.

(3) Using C++, a prototype sandbox system for Trojan detection is designed and implemented.
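As an added illustration, not code from the thesis (whose prototype is written in C++), the following Python sketch shows how an attack tree whose nodes carry an extra weight attribute can be matched against an API-call trace of the kind a sandbox monitor records. The tree, the traces, the weights and the weight-share risk index are all assumptions made for this example, not the thesis's own model or algorithms.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed traces of (API name, argument) pairs such as a sandbox API monitor
# might record while a PE file runs; paths, keys and address are illustrative.
SUSPICIOUS_TRACE = [
    ("CreateFileW", r"C:\Users\victim\AppData\Roaming\svc.exe"),
    ("RegSetValueExW", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    ("connect", "203.0.113.7:4444"),
]
BENIGN_TRACE = [("CreateFileW", r"C:\Users\victim\Documents\report.docx")]

@dataclass
class Node:
    name: str
    op: str = "LEAF"            # "AND", "OR" or "LEAF"
    weight: float = 0.0         # extended node attribute: severity of a leaf behaviour
    api: Optional[str] = None   # leaf: monitored API name
    pattern: str = ""           # leaf: substring required in the argument ("" = any)
    children: List["Node"] = field(default_factory=list)

def leaves(node: Node) -> List[Node]:
    return [node] if node.op == "LEAF" else [l for c in node.children for l in leaves(c)]

def leaf_hit(leaf: Node, trace) -> bool:
    return any(api == leaf.api and leaf.pattern.lower() in arg.lower() for api, arg in trace)

def satisfied(node: Node, trace) -> bool:
    """Evaluate the tree's AND/OR logic against the trace (the verdict)."""
    if node.op == "LEAF":
        return leaf_hit(node, trace)
    results = [satisfied(c, trace) for c in node.children]
    return all(results) if node.op == "AND" else any(results)

def assess(tree: Node, trace):
    """Return (matched leaf names, risk index, verdict). The risk index used here is
    the weight share of matched leaves: an assumed scoring, not the thesis's algorithm."""
    hits = {l.name for l in leaves(tree) if leaf_hit(l, trace)}
    total = sum(l.weight for l in leaves(tree))
    risk = sum(l.weight for l in leaves(tree) if l.name in hits) / total if total else 0.0
    return hits, round(risk, 3), satisfied(tree, trace)

# Constructed tree: a Trojan persists AND drops an executable AND contacts a C2 server.
TROJAN_TREE = Node("trojan", "AND", children=[
    Node("persist", "OR", children=[
        Node("autorun_key", weight=3, api="RegSetValueExW", pattern=r"\CurrentVersion\Run"),
        Node("startup_dir", weight=3, api="CreateFileW", pattern="\\Startup\\"),
    ]),
    Node("drop_exe", weight=2, api="CreateFileW", pattern=".exe"),
    Node("c2_connect", weight=4, api="connect"),
])
```

Because the risk index credits partial matches while the verdict needs the root's AND/OR logic to hold, a trace that drops an executable and connects out but never persists scores 0.5 without being classed as a Trojan, which is where a threshold on the index would complement the tree match.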
Keywords/Search Tags: Trojan, Sandbox Technology, Extended Attack Tree Model, API, Behavior Monitoring Technology