The rapid development of the Internet has greatly facilitated the exchange of information and brought a richer experience to people's learning, life and work. However, because of the openness of network platforms and the imperfection of various security mechanisms, attackers may use remote control Trojans for remote control and information theft. Such Trojans spread via e-mail, software downloads, web pages and other channels. Remote access Trojans are characterized by high concealment and long persistence. Their means of propagation and their own characteristics have seriously affected network security. This study evaluates the advantages and disadvantages of current remote control Trojan detection technology and proposes a remote control Trojan detection method based on abnormal network behavior. The resulting model can effectively discover remote access Trojan communications and support security personnel in obtaining evidence. Based on how remote control Trojans work and the characteristics of their communication in the network, we propose a variety of network features suitable for detecting the abnormal network behavior of remote access Trojans and design a method for extracting these multivariate features. In this design, the features come from two dimensions: sessions and flows. Determining these network behavior features lays the foundation for the subsequent realization of a more efficient remote control Trojan detection model. After the effective features were obtained, a traffic detection scheme was proposed and implemented. In this scheme, the data imbalance problem in traffic detection is addressed from two dimensions, data and algorithm. This is the first time that this efficient detection algorithm has been introduced into remote access Trojan detection. At the data level, because remote access Trojan samples are few, we synthesize new samples by referring to the distribution characteristics of the existing minority samples and inject the synthetic samples into the original minority set. The synthesized samples reflect the distribution of the minority samples in the original training data as closely as possible. On this basis, at the algorithm level, the eXtreme Gradient Boosting classification algorithm is used for the first time to detect remote access Trojans, and its parameters are optimized by grid search and cross validation. Through the effective combination of algorithm and data, we implement a remote access Trojan detection model based on abnormal network behavior.

After building the model, we conducted comparative tests. The experiments demonstrate the advantages of the model from three aspects. First, we apply the model proposed in this paper and models generated by the algorithms commonly used in recent studies to detect the same traffic, which confirms that the proposed model is better suited to detecting remote access Trojans. Second, we compare the model generated at the algorithm level alone with the model that combines the data level and the algorithm level, and confirm that the method used in this model effectively reduces the false negative rate. In addition, to test the model's ability to detect unknown Trojans, our test samples contain remote access Trojan samples that did not appear in the training samples, and we show that the model has a preliminary ability to detect unknown remote access Trojans.
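As an added illustration of the data-level step described above (example code written for this page, not the thesis's own implementation), the routine below oversamples a small set of remote access Trojan session vectors by interpolating each seed toward one of its nearest minority neighbours; the feature layout, the SMOTE-style interpolation, the min-max scaling and the sample values are all assumptions, since the abstract does not specify them.

```python
import random
from typing import List, Optional, Sequence, Tuple

Vector = List[float]

# Constructed example: minority-class (remote access Trojan) session feature vectors.
# Feature layout is an assumption: [session_seconds, bytes_up, bytes_down, packets, mean_gap_seconds]
RAT_SESSIONS: List[Vector] = [
    [3600.0, 1200.0, 18000.0, 140.0, 30.0],
    [5400.0, 1500.0, 25000.0, 210.0, 29.5],
    [7200.0, 1100.0, 22000.0, 180.0, 31.0],
    [2700.0, 900.0, 12000.0, 95.0, 28.0],
]

def feature_ranges(samples: Sequence[Vector]) -> Tuple[Vector, Vector]:
    """Per-feature minimum and maximum over the real minority samples."""
    cols = list(zip(*samples))
    return [min(c) for c in cols], [max(c) for c in cols]

def scaled_distance(a: Vector, b: Vector, lo: Vector, hi: Vector) -> float:
    """Euclidean distance after min-max scaling, so byte counts do not swamp durations and gaps."""
    return sum(((x - y) / ((h - l) or 1.0)) ** 2 for x, y, l, h in zip(a, b, lo, hi)) ** 0.5

def k_nearest(samples: Sequence[Vector], idx: int, k: int) -> List[int]:
    """Indices of the k minority samples closest to samples[idx], excluding itself."""
    lo, hi = feature_ranges(samples)
    others = [(scaled_distance(samples[idx], s, lo, hi), i) for i, s in enumerate(samples) if i != idx]
    return [i for _, i in sorted(others)[:k]]

def synthesize(samples: Sequence[Vector], n_new: int, k: int = 2, rng: Optional[random.Random] = None) -> List[Vector]:
    """Generate n_new synthetic minority samples, each a random point on the segment between
    a real seed sample and one of its k nearest minority neighbours (SMOTE-style interpolation)."""
    rng = rng or random.Random(0)  # fixed seed so repeated runs produce the same synthetic set
    out: List[Vector] = []
    for _ in range(n_new):
        i = rng.randrange(len(samples))
        j = rng.choice(k_nearest(samples, i, k))
        t = rng.random()
        out.append([a + t * (b - a) for a, b in zip(samples[i], samples[j])])
    return out

def within_minority_range(sample: Vector, samples: Sequence[Vector]) -> bool:
    """Check that a synthetic sample stays inside the bounding box of the real minority samples."""
    lo, hi = feature_ranges(samples)
    return all(l <= v <= h for l, v, h in zip(lo, sample, hi))

def balance(minority: Sequence[Vector], majority_count: int, k: int = 2, rng: Optional[random.Random] = None) -> List[Vector]:
    """Augment the minority class until it has as many rows as the majority class."""
    return list(minority) + synthesize(minority, max(0, majority_count - len(minority)), k, rng)
```

Because every synthetic row lies between two real minority rows, no feature leaves the range observed in the genuine Trojan traffic; the augmented set is then what a classifier such as the gradient-boosted model in the abstract would be trained on.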