
Detection Technology Of Trojan Based On Network Traffic

Posted on: 2017-10-08 | Degree: Master | Type: Thesis
Country: China | Candidate: C C Ju | Full Text: PDF
GTID: 2348330518995601 | Subject: Cryptography
Abstract/Summary:
Trojans are a long-standing kind of network attack whose attack principles keep changing. With the rapid development of networks, Trojans keep evolving: as they continuously change the way they exist, their methods of attack evolve too, which has degraded the network environment and had a negative impact on society. How to detect and prevent Trojan attacks rapidly and accurately is still an important issue. By analysing the network traffic characteristics of both Trojans and common applications, this paper proposes a Trojan detection model that combines the multi-pattern matching principle and the random detection algorithm. To some extent, the model improves and complements existing Trojan detection technology and satisfies the requirements of Trojan detection. The main contributions of this paper are as follows:

(1) By researching the application layer protocols of several typical Trojan samples and some common applications, this paper summarizes both their protocol characteristics and their regular patterns. It also uses network packet analysis software to analyze the communication of the applications, extracts regex characteristics of the application layer protocol, and summarizes their generality by comparing the application layer data of multiple communications.

(2) This paper designs a protocol feature regex matching algorithm based on the series-parallel AC algorithm, combining regex and the AC algorithm to map the network flow to the protocol library, which identifies unencrypted Trojans and common applications effectively.

(3) This paper proposes a detection algorithm oriented to encrypted Trojans, based on the estimation of the weighted accumulative algorithm.

(4) Applying the random estimation algorithm to the detection of encrypted Trojans, this paper estimates the weighted accumulative value of multiple samples and combines it with the traffic characteristics of Trojans to identify encrypted Trojans.

(5) Combining the above two algorithms, this paper proposes a Trojan detection model that uses the series-parallel AC algorithm to detect unencrypted Trojans and applies the estimation of the weighted accumulative algorithm to identify encrypted Trojans. With the two algorithms complementing each other, the model can identify Trojans effectively.

By analysing both Trojans and common applications, this paper designs a Trojan detection model that combines the deep packet inspection algorithm and the random detection algorithm, and proves the model's effectiveness through related simulation assessment on massive data.
Keywords/Search Tags: Trojan classification, the series-parallel AC algorithm, Weighted Accumulation, Encrypted Trojans