A model of an HTTP-based Trojan detection based on network behavior analysis (一种基于网络行为分析的HTTP木马检测模型)

易军凯; 刘健民; 万静* (YI JunKai; LIU JianMin; WAN Jing)

Journal of Beijing University of Chemical Technology (Natural Science Edition), 2014, Vol. 41, Issue 3: 114-118.

Mechanical and Electrical Engineering and Information Science


Abstract (translated from the Chinese original)

Trojans that communicate over the HTTP protocol can evade detection by some network security monitoring systems and are a major threat to Internet security. By comparing the network behavior of samples of such Trojans with that of ordinary program samples, six network-behavior features of these Trojans were obtained. A Trojan detection model that combines hierarchical clustering, the Davies-Bouldin index and k-means clustering is proposed and used to implement HTTP Trojan detection. The results show that the HTTP Trojan detection model has a high detection rate and a low false-alarm rate.

Abstract

HTTP-based Trojans, which can evade detection by network security monitoring systems, are a major threat to Internet security. In this paper we obtain six characteristics that represent the network behavior of such Trojans by analyzing and comparing the network behavior of HTTP-based Trojan samples and normal program samples. We propose a Trojan detection model that uses a single-linkage hierarchical clustering algorithm, the Davies-Bouldin index and a k-means clustering algorithm. The results show that the model detects Trojans with high accuracy and a low false-positive rate.

Cite this article

Export citation
易军凯;刘健民;万静*. 一种基于网络行为分析的HTTP木马检测模型[J]. 北京化工大学学报(自然科学版), 2014, 41(3): 114-118
YI JunKai;LIU JianMin;WAN Jing. A model of an HTTP-based Trojan detection based on network behavior analysis[J]. Journal of Beijing University of Chemical Technology, 2014, 41(3): 114-118
