HTTP-based Trojans that evade detection by network security monitoring systems are a major threat to internet security. In this paper we derive six characteristics that represent the network behavior of such Trojans by analyzing and comparing the network behavior of HTTP-based Trojan samples with that of normal program samples. We propose a Trojan detection model that uses a single-linkage hierarchical clustering algorithm, the Davies-Bouldin index and a k-means clustering algorithm. The results show that the model detects Trojans with high accuracy and a low false positive rate.
YI JunKai, LIU JianMin, WAN Jing. A model of an HTTP-based Trojan detection based on network behavior analysis[J]. Journal of Beijing University of Chemical Technology, 2014, 41(3): 114-118.
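An added illustration, not the paper's code, of the Davies-Bouldin step the abstract mentions: candidate k-means partitions of per-flow feature vectors are scored with the index and the lowest-scoring k is kept. The six feature names and the sample flows are hypothetical stand-ins for the paper's characteristics, and the single-linkage stage is left out.

```python
"""Davies-Bouldin index used to choose k for k-means over HTTP flow features.
Samples and the six feature names are constructed stand-ins, not the paper's data."""
import math

# Constructed per-flow vectors (hypothetical stand-ins for the paper's six features):
# mean request interval, interval std, uplink/downlink byte ratio, mean request size,
# requests per host, distinct-URI ratio. A real pipeline should scale features first.
SAMPLES = [
    (60.0, 0.5, 1.8, 300.0, 40.0, 0.1),  # regular, small, beacon-like flows
    (59.0, 0.6, 1.7, 320.0, 38.0, 0.1),
    (61.0, 0.4, 1.9, 310.0, 41.0, 0.1),
    (5.0, 20.0, 0.1, 800.0, 6.0, 0.9),   # irregular, varied, browsing-like flows
    (7.0, 25.0, 0.2, 900.0, 5.0, 0.8),
    (4.0, 18.0, 0.1, 700.0, 7.0, 0.9),
]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def centroid(points):
    return tuple(sum(c) / len(points) for c in zip(*points))

def kmeans(points, k, rounds=50):
    """Lloyd's k-means with deterministic initial centroids (the first k samples)."""
    cents = list(points[:k])
    for _ in range(rounds):
        groups = [[] for _ in range(k)]
        for p in points:
            groups[min(range(k), key=lambda i: dist(p, cents[i]))].append(p)
        new = [centroid(g) if g else cents[i] for i, g in enumerate(groups)]
        if new == cents:
            break
        cents = new
    return groups, cents

def davies_bouldin(groups, cents):
    """Mean over clusters of max_j (S_i + S_j) / M_ij: S_i is the mean point-to-centroid
    distance in cluster i, M_ij the centroid distance. Lower is tighter and better separated."""
    scatter = [sum(dist(p, c) for p in g) / len(g) if g else 0.0
               for g, c in zip(groups, cents)]
    total = 0.0
    for i in range(len(cents)):
        ratios = [(scatter[i] + scatter[j]) / dist(cents[i], cents[j])
                  for j in range(len(cents)) if j != i and cents[i] != cents[j]]
        total += max(ratios) if ratios else 0.0
    return total / len(cents)

def best_k(points, kmax):
    """Run k-means for k = 2..kmax; return (k with the lowest DB index, all scores)."""
    scores = {k: davies_bouldin(*kmeans(points, k)) for k in range(2, kmax + 1)}
    return min(scores, key=scores.get), scores
```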