一种基于网络行为分析的HTTP木马检测模型

易军凯;刘健民;万静*

北京化工大学学报(自然科学版) ›› 2014, Vol. 41 ›› Issue (3) : 114-118.

PDF(1140 KB)
欢迎访问北京化工大学学报(自然科学版),今天是 2025年5月6日 星期二
Email Alert  RSS
PDF(1140 KB)
北京化工大学学报(自然科学版) ›› 2014, Vol. 41 ›› Issue (3) : 114-118.
机电工程和信息科学

一种基于网络行为分析的HTTP木马检测模型

  • 易军凯;刘健民;万静*
作者信息 +

A model of an HTTP-based Trojan detection based on network behavior analysis

  • YI JunKai;LIU JianMin;WAN Jing
Author information +
文章历史 +

摘要

基于HTTP协议进行网络通信的木马能够躲避部分网络安全监控系统的检测,是互联网安全的一个重大威胁。通过对该类木马样本和普通程序样本网络行为的对比分析,得到该类木马的6个网络行为特征,综合利用层级聚类、Davies-Bouldin指数和k-means聚类方法提出了一种木马检测模型,实现了HTTP木马检测。结果表明,该HTTP木马检测模型准确率较高,误报率较低。

Abstract

HTTP-based Trojans which can avoid detection by a network security monitoring system are a major threat to internet security. In this paper we obtain six characteristics that can represent the network behavior of such Trojans through analyzing and comparing the network behavior of HTTP-based Trojan and normal program samples. We propose a model for Trojan detection that utilizes a single-linkage hierarchical clustering algorithm, the Davies-Bouldin index and a k-means clustering algorithm. The results show that the model of Trojan detection is suitable for detecting Trojans with high accuracy and low false positive ratios.

引用本文

EndNote

Ris (Procite)

Bibtex

导出引用
易军凯;刘健民;万静*. 一种基于网络行为分析的HTTP木马检测模型[J]. 北京化工大学学报(自然科学版), 2014, 41(3): 114-118
YI JunKai;LIU JianMin;WAN Jing. A model of an HTTP-based Trojan detection based on network behavior analysis[J]. Journal of Beijing University of Chemical Technology, 2014, 41(3): 114-118

参考文献

[1]Guo F, Ferrie P, Chiueh T C. A study of the packer problem and its solutions[C]∥Proceedings of the 11th International Symposium on Recent Advances in Intrusion Detection, Cambridge, USA, 2008: 98-115.
[2]Li S C, Yun X C, Zhang Y Z, et al. A general framework of trojan communication detection based on network traces[C]∥7th International Conference on Networking, Architecture, and Storage (NAS), Xiamen, Fujian, 2012: 49-58.
[3]Nari S, Ghorbani A A. Automated malware classification based on network behavior[C]∥International Conference on Computing, Networking and Communications (ICNC), San Diego, USA, 2013: 642-647.
[4]Rossow C, Dietrich C J, Bos H, et al. Sandnet: Network traffic analysis of malicious software[C]∥Proceedings of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, Salzburg, Austria, 2011: 78-88.
[5]Ding Y J, Cai W D. A method for HTTP-tunnel detection based on statistical features of traffic[C]∥3rd International Conference on Communication Software and Networks (ICCSN), Xi'an, 2011: 247-250.
[6]孙海涛, 刘胜利, 陈嘉勇, 等. 基于操作行为的隧道木马检测方法[J]. 计算机工程, 2011, 37(20): 123-126.
Sun H T, Liu S L, Chen J Y, et al. Tunnel trojan detection method based on operation behavior[J]. Computer Engineering, 2011, 37(20): 123-126. (in Chinese)
[7]Perdisci R, Ariu D, Giacinto G. Scalable fine-grained behavioral clustering of HTTP-based malware[J]. Computer Networks, 2013, 57(2): 487-500.
[8]易军凯, 陈利, 孙建伟. 网络心跳包序列的数据流分簇检测方法[J]. 计算机工程, 2011, 37(24): 61-63.
Yi J K, Chen L, Sun J W. Data flow clustering detection approach of network heartbeat packet sequence[J]. Computer Engineering, 2011, 37(24): 61-63. (in Chinese)
[9]Davies D L, Bouldin D W. A cluster separation measure[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 1979 (2): 224-227.
[10]孙吉贵, 刘杰, 赵连宇. 聚类算法研究[J]. 软件学报, 2008, 19(1): 48-61.
Sun J G, Liu J, Zhao L Y. Clustering algorithms research[J]. Journal of Software, 2008, 19(1): 48-61. (in Chinese)
PDF(1140 KB)

1846

Accesses

0

Citation

Detail
段落导航
相关文章
版权所有 © 《北京化工大学学报(自然科学版)》编辑部
本系统由北京玛格泰克科技发展有限公司设计开发
技术支持:support@magtech.com.cn
总访问量:  今日访问:   在线人数:

联系我们

地址:北京市朝阳区北三环东路15号 邮政编码:100029

/