Research On The Behavior Monitoring Method Of The Trojan Native File Accessing

Posted on: 2016-07-27
Degree: Master
Type: Thesis
Country: China
Candidate: L J Wang
GTID: 2348330479454337
Subject: Software engineering
Abstract/Summary:
With the rapid development of computer technology, new Internet technologies have been adopted quickly in every field and have brought great convenience. They have also brought many security problems. The computer security field now faces enormous challenges: traditional viruses, worms and other programs whose purpose is to damage the computer have gradually been replaced by Trojans, which are more covert and mainly steal users' information. Studying the theory and techniques of Trojans, and the corresponding techniques for detecting their behavior, is therefore of great significance. This paper systematically analyzes the working principles, behavioral characteristics and hiding techniques of Trojans, as well as existing monitoring technologies. Building on existing Trojan defense and detection work and on a study of Trojan behavior patterns, we propose a new method that monitors Trojan behavior by monitoring the Trojan's native file access behavior.
The method extracts one particular behavior sequence of Trojans: the sequence formed by native file searching behavior and the reading and writing of files. Because this behavior pattern is rarely seen in normal programs, we can determine whether a program is a Trojan by monitoring whether its behavior is consistent with this model. The key technologies used by the new method are API HOOK and SSDT HOOK; the paper introduces the principle, features and application scenarios of each. A prototype system implementing the new method of monitoring Trojan native file access behavior is then built, and its intended functions are tested to verify the validity and accuracy of its monitoring results. Finally, based on the technologies used in the prototype Trojan behavior monitoring and defense system, and in combination with existing firewall and Active Defense technologies, the paper summarizes the work and discusses the prospects for new Trojan monitoring methods.
Keywords/Search Tags:Trojan, Behavior Monitoring, API HOOK, SSDT HOOK
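
The matching step described in the abstract can be sketched as follows. This is an added example, not code from the thesis: it assumes the hook layer already emits time-ordered (timestamp, pid, api, path) records with file handles resolved to paths, and the function name, the threshold min_files and the time window are hypothetical.

```python
from collections import defaultdict

# Assumed grouping of hooked Win32 / native calls into the two behaviour classes.
SEARCH = {"FindFirstFileW", "FindNextFileW", "NtQueryDirectoryFile"}
ACCESS = {"ReadFile", "WriteFile", "NtReadFile", "NtWriteFile"}

def flag_search_then_access(events, min_files=3, window=5.0):
    """Return the PIDs that read or wrote at least `min_files` distinct files,
    each within `window` seconds after the same process obtained that path
    from a file-search call. `events` must be in time order."""
    found = defaultdict(dict)  # pid -> {path: time the search returned it}
    hits = defaultdict(set)    # pid -> enumerated paths that were then accessed
    for ts, pid, api, path in events:
        key = path.lower()     # Windows paths compare case-insensitively
        if api in SEARCH:
            found[pid][key] = ts
        elif api in ACCESS:
            seen = found[pid].get(key)
            if seen is not None and ts - seen <= window:
                hits[pid].add(key)
    return sorted(pid for pid, paths in hits.items() if len(paths) >= min_files)

# Constructed trace (not real telemetry): three processes with different habits.
TRACE = [
    (0.0, 1200, "FindFirstFileW", r"C:\Users\a\Documents\plan.docx"),
    (0.1, 1200, "FindNextFileW", r"C:\Users\a\Documents\keys.txt"),
    (0.2, 1200, "FindNextFileW", r"C:\Users\a\Documents\tax.xls"),
    (0.3, 1200, "ReadFile", r"C:\Users\a\Documents\plan.docx"),
    (0.4, 1200, "ReadFile", r"c:\users\a\documents\keys.txt"),
    (0.5, 1200, "ReadFile", r"C:\Users\a\Documents\tax.xls"),
    (0.6, 1200, "WriteFile", r"C:\Users\a\AppData\Local\Temp\out.bin"),
    # 3400: opens and saves one file directly, with no preceding search.
    (1.0, 3400, "ReadFile", r"C:\Users\a\Documents\plan.docx"),
    (2.0, 3400, "WriteFile", r"C:\Users\a\Documents\plan.docx"),
    # 5600: lists a directory; its single read falls outside the default window.
    (3.0, 5600, "FindFirstFileW", r"C:\Users\a\Pictures\a.jpg"),
    (3.1, 5600, "FindNextFileW", r"C:\Users\a\Pictures\b.jpg"),
    (9.9, 5600, "ReadFile", r"C:\Users\a\Pictures\a.jpg"),
]

if __name__ == "__main__":
    print(flag_search_then_access(TRACE))
```

Backup and indexing tools also enumerate and then read files, so a threshold like this needs tuning or an allowlist before it is used for blocking.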