Research On Trojan Detection Method Based On Host And Network Feature Correlation

Posted on: 2020-11-04
Degree: Master
Type: Thesis
Country: China
Candidate: Z H Song
GTID: 2428330596473187
Subject: Computer Science and Technology
Abstract/Summary:
In recent years, APT (Advanced Persistent Threat) attacks have occurred frequently. Trojans, as highly latent, high-threat and well-hidden malware, play an important role in APT attacks. Trojan horse programs pose a serious threat to the security of cyberspace for individuals, businesses, social organizations and countries. The detection of Trojans has always been a research hotspot in the field of network security. Researchers at home and abroad have proposed many Trojan detection methods, but most current methods analyze host characteristics or network characteristics separately. Their false negative and false positive rates still need to be reduced, and the reliability of their results needs to be improved.

This paper first analyzes the operating principle of Trojan horse programs and how they behave differently at different stages of the communication process. To address the detection delay of current network-based Trojan detection methods, which need a period of time to compute traffic characteristics, a fast Trojan detection method based on network traffic analysis is proposed, which detects Trojan communication sessions rapidly in the early stage of Trojan communication. Secondly, to further reduce the false positive and false negative rates of Trojan detection and to enhance the anti-aliasing capability of Trojan detection, a segmented Trojan detection method based on host and network feature association is proposed. It associates host features with network characteristics and trains different detectors, using machine learning classification algorithms, for two different phases of Trojan communication.

Finally, a real experimental environment was built and experiments were carried out. The experimental results show that the fast Trojan detection method based on network traffic analysis can quickly detect Trojan communication in its early stage. The method based on host and network feature correlation further reduces the false negative and false positive rates on the basis of anti-aliasing technology, which also verifies the effectiveness of the method.
Keywords/Search Tags: Trojan Detection, Malware Detection, Traffic Analysis, Host Feature Analysis, Machine Learning