Automatic Analysis Technology And Application Of APT Trojan Network Behavior Characteristics

Posted on: 2019-05-02
Degree: Master
Type: Thesis
Country: China
Candidate: S Y Pan
GTID: 2428330590967468
Subject: Information and Communication Engineering

Abstract/Summary:
In recent years, cyber attacks have emerged endlessly with the wide application of Internet technologies. In particular, APT attacks have become important threats to national security, social stability and economic development. APT attacks are inseparable from the use of Trojan software, so analyzing the network behavior features of APT Trojans is very important for identifying attack behavior. In this paper, we study network behavior feature extraction for APT Trojans and propose a method for reverse engineering the Trojan's network protocol, through which the network behavior features of the Trojan can be extracted automatically. The theoretical basis of the protocol reverse method is the statistical regularity produced by the internal constraints of a network protocol. We capture the communication data of the Trojan's controlled end in a sandbox environment, which comprises the Trojan's running environment and its network environment. After Token serialization preprocessing, sequence alignment and a clustering algorithm are applied to the preprocessed Token sequences for further analysis, and the division of Tokens is improved step by step. In this way, the Token classification continually approaches the true format of the protocol, and the protocol is finally reversed. Network features can then be extracted from the network protocol format. This automated analysis method supports a degree of semantic analysis through sandbox context information and dynamically adjusts the protocol format for variable-length data fields. Experiments show that the prototype APT Trojan network behavior analysis system described in this paper can effectively analyze the network features of Trojans that use text-type network protocols, binary-type network protocols and HTTP protocol tunnels.
Keywords/Search Tags:APT, Trojan, network feature extraction, protocol reverse
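
The alignment step the abstract describes can be illustrated with a small added example, which is not code from the thesis: a textbook Needleman-Wunsch alignment over byte Tokens, used to separate constant from variable fields and turn the result into a detection signature. The sample beacons, the scoring values and the function names are all assumptions made for this illustration.

```python
import re

# Constructed beacons from a made-up text protocol (not data from the thesis).
SAMPLES = [b"HELO id=4821 os=win7\r\n", b"HELO id=77 os=win10\r\n"]
GAP = None  # alignment gap marker

def align(a, b, match=2, mismatch=-1, gap=-2):
    """Needleman-Wunsch global alignment of two token (byte) sequences."""
    n, m = len(a), len(b)
    s = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        s[i][0] = i * gap
    for j in range(1, m + 1):
        s[0][j] = j * gap
    sub = lambda i, j: match if a[i - 1] == b[j - 1] else mismatch
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            s[i][j] = max(s[i-1][j-1] + sub(i, j), s[i-1][j] + gap, s[i][j-1] + gap)
    cols, i, j = [], n, m
    while i or j:  # trace back from the bottom-right cell
        if i and j and s[i][j] == s[i-1][j-1] + sub(i, j):
            cols.append((a[i-1], b[j-1])); i, j = i - 1, j - 1
        elif i and s[i][j] == s[i-1][j] + gap:
            cols.append((a[i-1], GAP)); i -= 1
        else:
            cols.append((GAP, b[j-1])); j -= 1
    return cols[::-1]

def infer_fields(a, b):
    """Merge aligned columns into ('const', bytes) and ('var', None) fields."""
    fields = []
    for x, y in align(a, b):
        if x is not GAP and x == y:
            if fields and fields[-1][0] == "const":
                fields[-1] = ("const", fields[-1][1] + bytes([x]))
            else:
                fields.append(("const", bytes([x])))
        elif not fields or fields[-1][0] != "var":
            fields.append(("var", None))
    return fields

def to_signature(fields):
    """Turn the inferred format into a byte regex usable as a network signature."""
    body = b"".join(re.escape(v) if k == "const" else b".*?" for k, v in fields)
    return re.compile(body, re.DOTALL)

if __name__ == "__main__":
    print(infer_fields(*SAMPLES))
```

With only two samples the boundary of the second constant field lands after `win`; aligning further captured messages is what moves such boundaries toward the real field layout.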