
Research And Implementation Of Trojan Detection Technology Based On Network Behavior Analysis

Posted on: 2017-11-03 | Degree: Master | Type: Thesis
Country: China | Candidate: Y Cai
GTID: 2348330512483409 | Subject: Computer application technology
Abstract/Summary:
With the development of computer networks, internet security issues have emerged as well. Trojans, one of the major forms of hacker attack, are evolving rapidly. Once a trojan is installed in a system, the detection rate of traditional methods declines sharply, so how to detect a trojan that is embedded and hidden in the system has become a concern.

This paper first describes the attack methods and hiding techniques of trojans. By analyzing the application and features of current traditional trojan detection technology, it identifies the advantages and limitations of that technology. This leads to the idea of a trojan detection system based on network behavior, and to the design of a framework that traces the location of trojan files from their network behavior.

The paper also discusses in detail how to compare normal data with trojan data through data analysis, from which five characteristics are extracted: upload/download ratio, the number of command packets (a new concept proposed in this paper), the proportion of small packets, session duration, and the total number of packets. Based on the extracted features, the data is classified with a decision tree algorithm. By hooking the packet-sending function and auditing its incoming parameters, we monitor the sending function, then track the function's call stack using stack trace technology, and finally find the specific location of the trojan file from its call address, thereby locating the trojan program.

Finally, this paper shows how the trojan detection technology is implemented once the parameter values are determined. The experimental results prove that the trojan detection technology proposed in this paper has high universality and great accuracy.
Keywords/Search Tags: Trojan detection, Network behavior analysis, Feature extraction, Hook technology, Stack trace
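
The five per-session features named in the abstract, computed over constructed packet records, as an added example that is not code from the thesis. The `Packet` record, both thresholds, and the working definition of a "command packet" (a small inbound packet that arrives after an idle gap and is immediately answered by the monitored host) are assumptions, since the page does not define them.

```python
from dataclasses import dataclass

# Assumed thresholds; the abstract gives no values.
SMALL_PKT_BYTES = 100   # payload size at or below which a packet is "small"
CMD_IDLE_GAP_S = 1.0    # idle time that must precede a command packet

@dataclass
class Packet:           # hypothetical record, e.g. parsed from a capture
    ts: float           # seconds since session start
    outbound: bool      # True if sent by the monitored host
    size: int           # payload bytes

def session_features(pkts):
    """Return the five features for one session (a list of Packet)."""
    if not pkts:
        raise ValueError("empty session")
    pkts = sorted(pkts, key=lambda p: p.ts)
    up = sum(p.size for p in pkts if p.outbound)
    down = sum(p.size for p in pkts if not p.outbound)
    small = sum(1 for p in pkts if p.size <= SMALL_PKT_BYTES)
    commands = 0
    for i, p in enumerate(pkts):
        if p.outbound or p.size > SMALL_PKT_BYTES:
            continue
        # Assumed definition: small inbound packet after an idle gap,
        # immediately answered by the monitored host.
        idle = i == 0 or p.ts - pkts[i - 1].ts >= CMD_IDLE_GAP_S
        answered = i + 1 < len(pkts) and pkts[i + 1].outbound
        if idle and answered:
            commands += 1
    return {
        "up_down_ratio": up / down if down else float("inf"),
        "command_packets": commands,
        "small_packet_ratio": small / len(pkts),
        "duration_s": pkts[-1].ts - pkts[0].ts,
        "total_packets": len(pkts),
    }

# Constructed sessions (not data from the thesis).
REMOTE_CONTROL = [Packet(0.0, False, 40), Packet(0.1, True, 1400),
                  Packet(0.2, True, 1400), Packet(5.0, False, 48),
                  Packet(5.1, True, 900), Packet(30.0, False, 40)]
BROWSING = [Packet(0.0, True, 300), Packet(0.05, False, 1400),
            Packet(0.06, False, 1400), Packet(0.07, False, 1400),
            Packet(0.5, True, 60), Packet(0.55, False, 1400)]

if __name__ == "__main__":
    for name, session in (("remote_control", REMOTE_CONTROL), ("browsing", BROWSING)):
        print(name, session_features(session))
```

Each returned dictionary is one row of the kind a decision tree classifier would take as input; the trained tree and its split values are not on this page and are not reproduced here.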