
Design And Implementation Of Trojan Detection System Based On Network Anomaly

Posted on: 2017-04-11
Degree: Master
Type: Thesis
Country: China
Candidate: Y Sun
Full Text: PDF
GTID: 2348330518970768
Subject: Computer Science and Technology

Abstract/Summary:
With the rapid development of networks, more and more industries are connecting to the Internet. The development of the Internet greatly facilitates people's daily lives, but it also brings many security problems such as Trojans and viruses. Problems such as theft of private information, consumer fraud and system damage are causing great harm to people's mental well-being and property. According to statistics, Trojans have become the most serious cause of destruction and theft of information. Therefore, research on Trojan detection is significant and valuable.

The prevailing Trojan detection technology is mostly based on scanning for signature codes. This technique is the most mature, reliable and effective malware detection technology, but it cannot detect unknown Trojans. From an analysis of existing Trojans and their variants, we find strong similarities between some Trojans, and these Trojans can be classified into a family. We call these shared characteristics the family-gene. In this paper, we add family-gene analysis to the Trojan detection system and explore a Trojan detection system based on network anomalies.

The Trojan detection system in this paper consists of four main components: the data collection and filtering module, the data analysis module, the Trojan detection module and the response processing module. The data collection and filtering module combines NDIS hook and Winsock 2 SPI techniques to capture network data frames. The data analysis module uses protocol analysis to analyze the data frames. The Trojan detection module uses the Wu-Manber multiple pattern matching algorithm to match transport-layer data against the Trojan family-gene database. The response processing module handles the results.

Finally, we build an environment to test the detection system; analysis of the test results demonstrates the precision of the system.
Keywords/Search Tags: Trojan detection, Family-gene, Protocol analysis, Pattern matching
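
The matching step of the Trojan detection module described in the abstract, as an added example that is not code from the thesis: a Wu-Manber matcher with block size 2 run over payload bytes. The `GENES` entries, the family names and the `WuManber` class are constructed placeholders, not entries from the thesis's family-gene database.

```python
# Added illustration: Wu-Manber multi-pattern search over transport-layer payload.
B = 2  # block size used to index the SHIFT and HASH tables

# Constructed placeholder "family genes"; not signatures of any real Trojan family.
GENES = {
    "family-A": b"FAMA-HELLO",
    "family-B": b"\x10\x20BEACON",
    "family-C": b"cmd=run;",
}


class WuManber:
    def __init__(self, signatures):
        # signatures: {family name: byte pattern}, each pattern at least B bytes
        if not signatures or any(len(p) < B for p in signatures.values()):
            raise ValueError("need at least one pattern, each >= B bytes")
        self.m = min(len(p) for p in signatures.values())  # window length
        self.default = self.m - B + 1  # skip when a block occurs in no pattern
        self.shift = {}   # block -> how far the window may safely advance
        self.bucket = {}  # final block of each m-byte prefix -> candidates
        for name, pat in signatures.items():
            for end in range(B, self.m + 1):
                block = pat[end - B:end]
                dist = self.m - end  # distance from block to end of the prefix
                self.shift[block] = min(self.shift.get(block, self.default), dist)
            self.bucket.setdefault(pat[self.m - B:self.m], []).append((name, pat))

    def scan(self, payload):
        """Return sorted (offset, family) pairs for every pattern occurrence."""
        hits, pos = [], self.m  # pos is the exclusive end of the current window
        while pos <= len(payload):
            block = payload[pos - B:pos]
            skip = self.shift.get(block, self.default)
            if skip == 0:  # block ends some pattern prefix: verify candidates
                start = pos - self.m
                for name, pat in self.bucket.get(block, ()):
                    if payload.startswith(pat, start):
                        hits.append((start, name))
                skip = 1
            pos += skip
        return sorted(hits)


if __name__ == "__main__":
    sample = b"POST /a HTTP/1.1\r\n\r\n" + b"\x10\x20BEACON" + b"cmd=run;"  # constructed
    print(WuManber(GENES).scan(sample))
```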