一种基于网络流量分析的快速木马检测方法

doi:10.3969/j.issn.1006-2475.2019.06.002

计算机与现代化

一种基于网络流量分析的快速木马检测方法

(1.贵州大学计算机科学与技术学院,贵州贵阳550025;2.贵州省公共大数据重点实验室,贵州贵阳550025)

收稿日期:2019-03-25 出版日期:2019-06-14 发布日期:2019-06-14
作者简介:宋紫华(1994-),男,四川广元人,硕士研究生,研究方向:网络与信息安全,E-mail: sc_zhsong@163.com；郭春（1986-）,男,贵州贵阳人,副教授,博士,研究方向:网络与信息安全; 蒋朝惠(1965-),男,四川广安人,教授,硕士,研究方向:网络与信息安全,E-mail: jiangchaohui@126.com。
基金资助:
国家自然科学基金资助项目(61540049); 贵州省科技计划项目(［2017］1051，［2018］3001); 贵州省公共大数据重点实验室开放课题(2017BDKFJJ025); 河南省科技攻关计划项目(182102210123)

A Fast Trojan Detection Method Based on Network Traffic Analysis

(1. College of Computer Science and Technology, Guizhou University, Guiyang 550025, China;
2. Guizhou Provincial Key Laboratory of Public Big Data, Guiyang 550025, China)

Received:2019-03-25 Online:2019-06-14 Published:2019-06-14

摘要/Abstract

摘要： 木马程序作为一种窃密工具，常在APT（Advanced Persistent Threat）攻击中被使用，其对网络空间的安全造成了严重的危害。对木马的检测也受到了研究者的广泛关注，研究者提出了许多基于网络流量分析的检测方法，然而目前的方法一般都需要分析完整的通信流量，因此会造成一定的检测延迟，从而导致防御措施不能及时被部署。为了尽早地保护内部敏感信息不被泄露，本文仅使用木马通信连接建立后的前5个数据包来抽取流量特征，并以此构建木马通信会话快速检测模型。实验结果表明，本文方法在分析通信早期数据的情况下，获得了较高的准确率和较低的误报率，验证了本文方法的有效性。

关键词: 木马检测, 网络流量分析, 特征分析, 远控型木马

Abstract: As a stealing tool, Trojans are often used in APT(Advanced Persistent Threat) attacks, which causes a serious hazard to the security of cyberspace. The detection of Trojans has also received extensive attention from researchers. At present, researchers have proposed many detection methods based on network traffic analysis. However, these methods generally need to analyze complete communication traffic, so it will cause certain detection delay and cause that the defense measures cannot be deployed in time. In order to protect the internal sensitive information from being leaked as early as possible, this paper analyzes the traffic characteristics of the Trojan communication and extracts the traffic features from the first five packets after the communication being established, and then constructs a rapid detection model of Trojan communication session. The experimental results show that the proposed method obtains higher accuracy and lower false positive rate when analyzing the early data of communication, which verifies the effectiveness of the proposed method.

Key words: Trojan detection, network traffic analysis, characteristics analysis, remote access Trojan

中图分类号:

TP393.08

宋紫华1,2,郭春1,2,蒋朝惠1,2. 一种基于网络流量分析的快速木马检测方法[J]. 计算机与现代化, doi: 10.3969/j.issn.1006-2475.2019.06.002.

SONG Zi-hua1,2, GUO Chun1,2, JIANG Chao-hui1,2. A Fast Trojan Detection Method Based on Network Traffic Analysis[J]. Computer and Modernization, doi: 10.3969/j.issn.1006-2475.2019.06.002.

参考文献

［1］国家互联网应急中心. 2017年中国互联网网络安全报告［EB/OL］. ［2019-03-25］. http://www.cert.org.cn/publish/main/upload/File/2017annual(1).pdf.
［2］ DULLIEN T, ROLLES R. Graph-based comparison of executable objects［J］. Sstic, 2005:1-13.
［3］ GAO D, REITER M K, SONG D. BinHunt: Automatically finding semantic differences in binary programs［M］// Information and Communications Security. Springer, 2008:238-255.
［4］ MOON D, PAN S B, KIM I. Host-based intrusion detection system for secure human-centric computing［J］. Journal of Supercomputing, 2016,72(7):2520-2536.
［5］ CANALI D, LANZI A, BALZAROTTI D, et al. A quantitative study of accuracy in system call-based malware detection［C］// Proceedings of 2012 International Symposium on Software Testing and Analysis. 2012:122-132.
［6］张瑜,刘庆中,李涛，等. Rootkit研究综述［J］. 电子科技大学学报, 2015,44(4):563-578.
［7］曹胤超. 基于木马行为特征的动态检测技术研究［D］. 武汉:华中科技大学, 2014.
［8］邹腾宽,汪钰颖,吴承荣. 网络背景流量的分类与识别研究综述［J］. 计算机应用, 2019,39(3):802-811.
［9］赵双,陈曙晖. 基于机器学习的流量识别技术综述与展望［J］. 计算机工程与科学, 2018,40(10):34-44.
［10］姚忠将,葛敬国,张潇丹,等. 流量混淆技术及相应识别、追踪技术研究综述［J］. 软件学报, 2018,29(10):313-330.
［11］ROESCH M. Snort-light weight intrusion detection for networks［C］// Usenix Conference on System Administration. 1999:229-238.
［12］PARVAT T J, CHANDRA P. A novel approach to deep packet inspection for intrusion detection［J］. Procedia Computer Science, 2015,45(C):506-513.
［13］VIDAL J M, OROZCO A L S, VILLALBA L J G. Alert correlation framework for malware detection by anomaly-based packet payload analysis［J］. Journal of Network and Computer Applications, 2017,97:11-22.
［14］GU G F, ZHANG J J, LEE W. BotSniffer: Detecting botnet command and control channels in network traffic［C］// Proceedings of the 15th Annual Network and Distributed System Security Symposium. 2008.
［15］李巍,李丽辉,李佳，等. 远控型木马通信三阶段流量行为特征分析［J］. 信息网络安全, 2015(5):10-15.
［16］孙海涛. 基于通信行为分析的木马检测技术研究［D］. 郑州：解放军信息工程大学, 2011.
［17］李世淙,云晓春,张永铮. 一种基于分层聚类方法的木马通信行为检测模型［J］. 计算机研究与发展, 2012,49(S2):9-16.
［18］YAMADA M, MORINAGA M, UNNO Y, et al. RAT-based malicious activities detection on enterprise internal networks［C］// 2015 10th International Conference for Internet Technology and Secured Transactions. 2015:321-325.
［19］兰景宏,刘胜利,李晔,等. 一种基于多层联合分析的HTTP隧道木马检测方法［J］. 计算机应用研究, 2016,33(1):240-244.
［20］罗友强,刘胜利,颜猛,等. 基于通信行为分析的DNS隧道木马检测方法［J］. 浙江大学学报(工学版), 2017,51(9):1780-1787.
［21］JIANG D, OMOTE K. An approach to detect remote access trojan in the early stage of communication［C］// 2015 IEEE 29th International Conference on Advanced Information Networking and Applications. 2015:706-713.
［22］DUSI M, CROTTI M, GRINGOLI F, et al. Tunnel hunter: Detecting application-layer tunnels with statistical fingerprinting［J］. Computer Networks, 2009,53(1):81-97.
［23］彭建芬,周亚建,王枞,等. TCP流量早期识别方法［J］. 应用科学学报, 2011,29(1):73-77.
［24］吴双. 基于时间序列分析的木马网络会话检测技术研究［D］. 郑州:解放军信息工程大学, 2017.

[1]	贾潇瑶, . 融合CatBoost和SHAP的乳腺癌预测及特征分析[J]. 计算机与现代化, 2023, 0(10): 32-38.
[2]	黄丽梅;吴丽娟;冼月萍. 基于特征选择优化算法的非线性SVM木马检测模型[J]. 计算机与现代化, 2013, 218(10): 106-109,.

一种基于网络流量分析的快速木马检测方法

A Fast Trojan Detection Method Based on Network Traffic Analysis

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 2

编辑推荐

Metrics

本文评价