
Research On Trojan Session Detection Techniques Through Time Sequence Analysis

Posted on: 2018-03-09    Degree: Master    Type: Thesis
Country: China    Candidate: S Wu    Full Text: PDF
GTID: 2348330563951266    Subject: Computer Science and Technology
Abstract/Summary:
Cyber-attacks have become a growing threat in recent years. In particular, the Remote Access Trojan (RAT), spyware typically used to steal data continuously and stealthily, has become popular among attackers. Once fully installed on a system, a RAT is very hard to find: only a few RAT samples are discovered each year, and they have often remained hidden for years before being exposed. Various IDSs such as Snort have been proposed to defend against intrusions; however, most of them are signature-based and can easily be evaded with obfuscation and polymorphism. Methods based on flow behaviour analysis are efficient and resource-saving, but they mainly apply machine learning to aggregate features such as average packet payload size or average inter-arrival time, without considering the packet arrival time sequence. In addition, imbalanced data degrades classification. The resulting low accuracy makes such methods hard to deploy in industry.

This thesis analyses a general feature of Trojan remote control and proposes a Trojan interaction detection framework based on time sequence analysis. First, a flow slicing algorithm is applied to separate the application's rapid-exchange behaviours. Then a frequent sequence mining algorithm is used to recognise application heartbeats. Finally, naïve Bayes decides whether the rapid-exchange behaviours belong to a Trojan. Experiments show that the method is stable over time and detects Trojan interaction in the early stage of a Trojan session, and real-world traces confirm that it detects remote control efficiently with a low false positive rate.

The contributions of the thesis are as follows. First, the thesis surveys the state of research on Trojan detection, in particular network traffic analysis techniques aimed at covert communication. The Trojan communication process is then studied to show the limitations of the machine learning approaches widely used in that area. The interaction stage and the keep-alive stage of Trojan communication are the focus of this research, and the analysis shows that packet sequences alone are sufficient to distinguish Trojan traffic from normal communication. Second, the thesis proposes an analysis method based on time slicing and up/download sequences. Traffic data is divided into slices by timestamp, and the up/down sequence patterns within each slice are counted to represent the macroscopic characteristics of the traffic sequence. These statistics converge over time. Because the method takes self-similarity and time sequences into account, incomplete traffic captures have little effect on the results. Third, the thesis applies timestamp-aware frequent sequence mining to the sequence slices to find application heartbeats. Repetitive patterns in the slice sequences are searched for in order to efficiently filter the heartbeat noise out of the interactions. The flow slices are then fed to naïve Bayes to separate Trojan communication from normal traffic. Finally, the thesis designs and builds the Trojan network interaction detection system and tests its accuracy and stability over time. After testing the system on network data and deploying it on a campus gateway, the results show that the system efficiently detects Trojan command and control behaviour with a low false positive rate, which demonstrates the feasibility of the system. The data produced by the system also reflects the behavioural characteristics of Trojans, which demonstrates its effectiveness.
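The pipeline the abstract describes (time slicing, up/down sequence counting, heartbeat filtering by frequent timed patterns, then naïve Bayes) is sketched below as an added toy implementation. It is not the thesis's own code or data: the packet traces, the inter-arrival buckets (`q`/`m`/`l`), the 10-second window and the two constructed traffic generators (`remote_shell`, `web_fetch`) are all assumptions chosen for illustration, and the "heartbeat" is modelled as a client ping answered within 50 ms every 30 seconds.

```python
"""Added toy pipeline for the abstract's framework: time slicing, up/down
sequence counting, heartbeat filtering by frequent timed patterns, and a
naive Bayes classifier.  All traffic is constructed; not the thesis's code."""
import math
from collections import Counter, defaultdict

# Packet record: (timestamp_seconds, direction), 'U' = client->server, 'D' = server->client.
# Payload sizes are ignored on purpose: the abstract's claim is that the
# direction/time sequence alone separates Trojan interaction from normal traffic.

def timed_symbols(packets, quick=0.5, idle=5.0):
    """Direction plus inter-arrival bucket: q (< quick s), m, l (>= idle s before it)."""
    out, prev = [], None
    for ts, d in packets:
        gap = math.inf if prev is None else ts - prev
        out.append(d + ("q" if gap < quick else "m" if gap < idle else "l"))
        prev = ts
    return out

def pattern_starts(packets, pat):
    """Indices at which the timed-symbol n-gram `pat` starts."""
    syms, n = timed_symbols(packets), len(pat)
    return [i for i in range(len(syms) - n + 1) if tuple(syms[i:i + n]) == pat]

def periodic_starts(packets, starts, period, tol):
    """Longest chain of occurrences spaced one period apart (within tol * period)."""
    best = []
    for a, anchor in enumerate(starts):
        chain = [anchor]
        for i in starts[a + 1:]:
            if abs(packets[i][0] - packets[chain[-1]][0] - period) <= tol * period:
                chain.append(i)
        best = max(best, chain, key=len)
    return best

def find_heartbeat(packets, n=2, min_support=3, tol=0.2):
    """Frequent timed n-grams that begin after an idle gap; the one with the longest
    periodic chain (median spacing taken as the period) is the heartbeat.
    Returns (pattern, period, chain_indices) or None."""
    syms = timed_symbols(packets)
    cands = Counter(tuple(syms[i:i + n]) for i in range(len(syms) - n + 1)
                    if syms[i].endswith("l"))
    best = None
    for pat, cnt in cands.items():
        if cnt < min_support:
            continue
        starts = pattern_starts(packets, pat)
        gaps = sorted(packets[b][0] - packets[a][0] for a, b in zip(starts, starts[1:]))
        chain = periodic_starts(packets, starts, gaps[len(gaps) // 2], tol)
        if len(chain) >= min_support and (best is None or len(chain) > len(best[2])):
            best = (pat, gaps[len(gaps) // 2], chain)
    return best

def strip_heartbeat(packets, hb):
    """Drop the packets of each periodic heartbeat occurrence; keep interaction traffic."""
    if hb is None:
        return list(packets)
    pat, _, chain = hb
    drop = {j for i in chain for j in range(i, i + len(pat))}
    return [p for k, p in enumerate(packets) if k not in drop]

def slice_flow(packets, window):
    """Time slicing: group packets into fixed windows of `window` seconds."""
    buckets = defaultdict(list)
    for ts, d in packets:
        buckets[int(ts // window)].append((ts, d))
    return [buckets[k] for k in sorted(buckets)]

def updown_ngrams(slice_pkts, n=2):
    """Up/down direction n-gram counts of one slice, e.g. Counter({'UD': 3, 'DU': 2})."""
    seq = "".join(d for _, d in slice_pkts)
    return Counter(seq[i:i + n] for i in range(len(seq) - n + 1))

class NaiveBayes:
    """Multinomial naive Bayes over n-gram counts with add-one smoothing."""
    def __init__(self):
        self.cls, self.feat, self.vocab = Counter(), defaultdict(Counter), set()
    def fit(self, examples):                      # iterable of (Counter, label)
        for feats, label in examples:
            self.cls[label] += 1
            self.feat[label].update(feats)
            self.vocab.update(feats)
    def predict(self, feats):
        total, scores = sum(self.cls.values()), {}
        for label, cnt in self.cls.items():
            denom = sum(self.feat[label].values()) + len(self.vocab)
            scores[label] = math.log(cnt / total) + sum(
                k * math.log((self.feat[label][f] + 1) / denom) for f, k in feats.items())
        return max(scores, key=scores.get)

# Constructed traffic (assumed shapes, not measured data).
def remote_shell(t0, rounds):
    """RAT interaction: one command (U), one short reply (D), about 1 s per round."""
    return [p for r in range(rounds) for p in ((t0 + r, "U"), (t0 + r + 0.1, "D"))]

def web_fetch(t0, objects):
    """Browsing: one request (U) followed by a burst of six response packets (D)."""
    return [p for o in range(objects)
            for p in [(t0 + o, "U")] + [(t0 + o + 0.05 * (k + 1), "D") for k in range(6)]]

def heartbeats(period, until):
    """Keep-alive: client ping (U) answered within 50 ms (D) every `period` seconds."""
    return [p for k in range(int(until // period) + 1)
            for p in ((k * period, "U"), (k * period + 0.05, "D"))]

def train_classifier(window=10):
    """Training set labelled by construction: shell slices vs. web-fetch slices."""
    nb = NaiveBayes()
    nb.fit([(updown_ngrams(s), "trojan") for s in slice_flow(remote_shell(0.0, 60), window)]
           + [(updown_ngrams(s), "normal") for s in slice_flow(web_fetch(0.0, 60), window)])
    return nb

def classify_flow(packets, nb, window=10):
    """Full pipeline: find and strip the heartbeat, slice, count n-grams, vote per slice."""
    hb = find_heartbeat(packets)
    votes = Counter(nb.predict(updown_ngrams(s))
                    for s in slice_flow(strip_heartbeat(packets, hb), window) if len(s) >= 2)
    return hb, votes

if __name__ == "__main__":
    nb = train_classifier()
    print(classify_flow(sorted(heartbeats(30.0, 300.0) + remote_shell(100.0, 15)), nb))
    print(classify_flow(sorted(heartbeats(30.0, 300.0) + web_fetch(100.0, 15)), nb))
```

The heartbeat search deliberately tolerates a spurious match: the first packet of the interaction also follows an idle gap and produces the same `("Ul", "Dq")` bigram, but it falls off the 30-second chain and is therefore left in the interaction traffic rather than stripped, which is the filtering effect the abstract describes. With the constructed data the shell flow's two slices both vote `trojan` and the browsing flow's slices vote `normal`, because the direction bigrams (`UD`/`DU` alternation versus long `DD` runs) differ even though the heartbeat is identical in both flows.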
Keywords/Search Tags:traffic data classification, Trojan behavior analysis, Trojan interaction, sequence analysis, intrusion detection