木马网络通信时序分析方法  

Trojan Sessions Detection Based on Time Sequence Analysis

在线阅读下载全文

作  者:吴双 刘胜利 赵幸 刘雨辰 WU Shuang;LIU Shengli;ZHAO Xing;LIU Yuchen(State Key Laboratory of Mathematical Engineering and Advanced Computing,Zhengzhou 450001,China)

机构地区:[1]数学工程与先进计算国家重点实验室

出  处:《信息工程大学学报》2019年第3期313-318,327,共7页Journal of Information Engineering University

基  金:国家自然科学基金资助项目(61271252);国家重点研发计划资助项目(2016YFB0801505,2016YFB0801601)

摘  要:远程控制木马在网络攻击中发挥重要作用,其样本发现时间往往滞后于木马投入使用时间。网络流量分析成为检测新样本的重要手段。常见的机器学习方法由于不考虑数据流时序序列,对木马的识别率还存在提高空间。通过分析具有一般性的木马外部控制特性,提出一种基于序列分析的木马网络交互行为检测方法。通过时间聚合分离出应用程序的交互行为,将频繁模式挖掘算法应用于心跳检测,最后通过朴素贝叶斯分析验证交互序列是否属于木马或正常应用。该方法在一定的时间尺度内具有稳定性,可在交互行为的初期即检测出木马。将该方法应用于现实网络数据集,可有效检测木马的外部控制行为,且误报较低。Remote access Trojan plays an important role in cyber-attacks.Once installed completely in a system,it is really hard to find it out.Network traffic data analysis has become a popular method for it.Conventional methods such as machine learning,since it focuses little on data sequentiality,still have a relatively higher false positive rate than other fields.This paper analyzes the general feature of Trojan external control and puts forward a detection method based on time sequence analysis.Firstly,time aggression is applied to separate application exchange behaviors.Then frequent itemset mining algorithm is leveraged to recognize application heartbeat.Finally,Na ve Bayes validates whether the exchange behaviors belong to a Trojan or not.The experiments show that our method has stability over certain time to detect an early Trojan interaction.Real-world network traffic data verifies the efficiency of our method in detecting external control with a low false positive rate.

关 键 词:流量分类 通信行为分析 木马交互 序列分析 入侵检测 

分 类 号:TP393.08[自动化与计算机技术—计算机应用技术]

 

参考文献:

正在载入数据...

 

二级参考文献:

正在载入数据...

 

耦合文献:

正在载入数据...

 

引证文献:

正在载入数据...

 

二级引证文献:

正在载入数据...

 

同被引文献:

正在载入数据...

 

相关期刊文献:

正在载入数据...

相关的主题
相关的作者对象
相关的机构对象