In recent years, with the growing frequency of network attacks, network security has become a major concern for governments and enterprises. Among the tools used to carry out such attacks, Trojan horse programs are particularly important. Mainstream antivirus systems currently on the market generally rely on simple signature matching, detecting and removing Trojans according to the static characteristics of files on the host. With the rapid development of anti-detection techniques (file-level evasion, signature-code modification, junk ("flower") instruction insertion and other methods of defeating signature-based scanners), systems that depend heavily on antivirus software face a serious threat. However, some Trojans exhibit inherent characteristics during communication that do not change when the static characteristics of the program at either end are altered; research on traffic-based Trojan detection is therefore of great significance. In view of the shortcomings of the Trojan detection techniques described above, this paper designs a Trojan horse detection system based on network session statistics. The main contents of the paper are as follows:

(1) This paper studies the communication characteristics of Trojans and analyzes network traffic acquisition and malicious traffic identification techniques. On this basis it builds a real-time network data acquisition platform on the Netfilter framework and proposes a protocol recognition technique based on feature statistics to identify malicious traffic.

(2) The Trojan detection system is developed following a modular design. Its functionality is divided into three modules: a data acquisition module, an offline training module and a Trojan recognition module. Each module is further divided into sub-modules, and the functions of each module are designed accordingly.

(3) Design of the traffic acquisition module. It is built on the Netfilter framework in the Linux kernel: traffic is captured in real time at the kernel layer, and packets are reassembled into sessions at the user layer.

(4) Design of the offline training module. Fourteen statistical network session features are designed for training the model library, and a feature selection algorithm based on relative deviation is proposed to select different combinations of features for encrypted and unencrypted traffic respectively. Offline packet captures are analyzed according to these features, and the extracted features are written to the model library.

(5) Design of the Trojan recognition module. The K-L distance is used as the detection algorithm to measure the similarity between a session and the model library, and the algorithm is improved for realistic scenarios. The similarity between the traffic under inspection and the model library is computed; if the distance is below the threshold an alarm is raised, otherwise the traffic is regarded as normal. To improve the real-time performance of the system, only the first 10 to 20 packets of each session are examined.

In this paper the detection system is used to detect both encrypted and unencrypted Trojans. Experimental results show that the system meets the real-time requirement while achieving an accuracy of 87% or more, satisfying current demands for Trojan detection.
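The recognition step in (5), as an added example that is not part of the thesis: a session's packet-size histogram over its first 20 packets is compared with each model-library entry by K-L distance, and an alarm is raised when the closest model is below the threshold. The size bins, the threshold, the additive smoothing (the thesis does not describe its own "realistic scene" improvement) and the model-library entries are all constructed assumptions.

```python
import math
from collections import Counter

MAX_PACKETS = 20        # thesis: only the first 10-20 packets of a session are examined
BINS = (64, 128, 256, 512, 1024, 1500)   # packet-length bin upper edges (constructed)
THRESHOLD = 0.5         # K-L distance below this means "matches a Trojan model" (constructed)


def size_bin(length):
    """Index of the first bin whose upper edge holds this packet length."""
    for i, edge in enumerate(BINS):
        if length <= edge:
            return i
    return len(BINS) - 1


def session_distribution(packet_sizes, eps=1e-3):
    """Smoothed histogram of size bins over the first MAX_PACKETS packets.
    eps keeps every bin strictly positive so the K-L distance is finite
    (assumed smoothing, not the thesis's own improvement)."""
    head = packet_sizes[:MAX_PACKETS]
    counts = Counter(size_bin(s) for s in head)
    total = len(head) + eps * len(BINS)
    return [(counts.get(i, 0) + eps) / total for i in range(len(BINS))]


def kl_distance(p, q):
    """Kullback-Leibler divergence D(p || q) in nats over identical bins."""
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q) if pi > 0)


def classify(packet_sizes, model_library):
    """Return (label, distance) of the closest Trojan model if its distance is
    below THRESHOLD, otherwise ("normal", distance)."""
    p = session_distribution(packet_sizes)
    label, best = min(((name, kl_distance(p, q)) for name, q in model_library.items()),
                      key=lambda item: item[1])
    return (label, best) if best < THRESHOLD else ("normal", best)


# Constructed model library: one entry "learned offline" from a heartbeat-style
# Trojan session that sends mostly short packets.
MODEL_LIBRARY = {"trojan_A": session_distribution([60, 60, 64, 60, 120, 60, 60, 64, 60, 60])}

# Constructed sessions under inspection: a beacon-like session and a browsing session.
BEACON_SESSION = [60, 62, 60, 64, 60, 60, 118, 60, 60, 62, 60, 60]
WEB_SESSION = [1500, 1500, 1500, 400, 1500, 1500, 200, 1500, 1500, 1500,
               1500, 800, 1500, 1500, 1500, 1500, 1500, 60, 1500, 1500, 1500]

if __name__ == "__main__":
    for name, session in (("beacon", BEACON_SESSION), ("web", WEB_SESSION)):
        print(name, classify(session, MODEL_LIBRARY))
```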