Trojan horse monitoring and auditing method and system thereof

A Trojan horse monitoring and auditing technology based on network behavior, applied in the field of Trojan horse monitoring and auditing methods and systems. It addresses problems such as the processing and analysis of network communication content, frequent updates of the feature library, and response lag.

Inactive Publication Date: 2011-05-04
国都兴业信息审计系统技术(北京)有限公司

AI Technical Summary

Problems solved by technology

With the spread of packing and "flowering" (junk-instruction obfuscation) techniques and the growing number of tools that apply them, a large number of Trojan variants are flooding the Internet, which not only increases the workload of Trojan horse analysis but also forces frequent updates of signature databases.
[0009] 2) Identification and detection based on static features not only makes the feature database grow, which degrades detection performance, but also affects the performance of the target host system, consuming more and more CPU, memory, and disk resources; in addition, because analyzing new features takes a certain amount of time, the response lags. This technical approach also cannot determine whether the Trojan horse program has already been run, what type of operation it has performed, etc.
[0011] 4) With the popularization of Trojan horse firewall-traversal ("wall-climbing") and port-rebound (reverse-connection) techniques, the effectiveness of blocking Trojan horse communication connections based on abnormal network communication behaviors is becoming less a

Example Embodiment

[0048] In order to make the above objectives, features and advantages of the present invention more obvious and understandable, the present invention will be further described in detail below with reference to the accompanying drawings and specific embodiments.

[0049] First, the concept and working principle of a Trojan horse are introduced:

[0050] A Trojan horse is a program that establishes a connection between remote computers so that the remote computer can control the local computer through the network. Its operation complies with the TCP/IP protocol. Because it sneaks into the user's computer like a spy and opens a back door for other people's attacks, much like the "Trojan horse" tactic in war, it is called a Trojan horse program.

[0051] The Trojan horse program consists of two parts, one is the agent program installed and implanted in the system of the controlled host, and the other is the control terminal program. After the Trojan horse agent is running, it nee...

Abstract

The invention discloses a Trojan horse monitoring and auditing method and a system thereof. The method comprises the following steps: acquiring network data packets in real time; determining the current session by checking whether each network data packet belongs to an established network session and, if so, inserting the packet into that session, otherwise establishing a new session; judging whether the current session is a Trojan horse communication session and, if so, recording the content of the Trojan horse network communication session; and, according to the recorded content of the Trojan horse network communication session, detecting whether the content is a Trojan horse network operation behavior and, if so, recording and monitoring that behavior. According to the invention, not only can the type of the Trojan horse be recognized, but the network behavior of the Trojan horse can also be monitored.
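The pipeline the abstract describes (packet, session lookup or creation, session classification, content recording, behavior audit), sketched as an added example that is not code from the patent or its owner. The handshake marker, the behavior keywords and the sample traffic are constructed placeholders, because the page does not give the patent's actual identification criteria.

```python
# Constructed placeholders: the page does not state the patent's real session
# identification or behavior-detection criteria.
HANDSHAKE_MARKER = b"DEMO-AGENT-HELLO"
BEHAVIOR_RULES = {b"LISTDIR": "file browsing", b"GETFILE": "file download",
                  b"SCREEN": "screen capture"}

def session_key(pkt):
    """Direction-independent 5-tuple, so both directions map to one session."""
    a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
    return (pkt["proto"],) + (a + b if a <= b else b + a)

class Auditor:
    def __init__(self):
        self.sessions = {}    # session key -> session state
        self.audit_log = []   # (session key, behavior) records

    def on_packet(self, pkt):
        key = session_key(pkt)
        sess = self.sessions.get(key)
        if sess is None:      # packet belongs to no established session: create one
            sess = self.sessions[key] = {"packets": 0, "flagged": False, "content": []}
        sess["packets"] += 1
        payload = pkt["payload"]
        # Judge whether the current session is a Trojan communication session.
        if not sess["flagged"] and HANDSHAKE_MARKER in payload:
            sess["flagged"] = True
        if sess["flagged"]:
            sess["content"].append(payload)   # record content of flagged sessions only
            # Detect operation behavior in the recorded content and audit it.
            for token, behavior in BEHAVIOR_RULES.items():
                if token in payload:
                    self.audit_log.append((key, behavior))
        return sess

def pkt(src, dst, payload):
    return {"proto": "tcp", "src": src[0], "sport": src[1],
            "dst": dst[0], "dport": dst[1], "payload": payload}

def run_demo():
    # Constructed sample traffic using documentation address ranges.
    agent, ctrl = ("192.0.2.10", 49152), ("198.51.100.7", 8080)
    traffic = [
        pkt(agent, ctrl, b"DEMO-AGENT-HELLO v1"),
        pkt(ctrl, agent, b"LISTDIR C:\\"),
        pkt(agent, ctrl, b"dir listing: a.txt b.txt"),
        pkt(ctrl, agent, b"GETFILE report.doc"),
        pkt(("192.0.2.20", 50000), ("203.0.113.5", 80), b"GET / HTTP/1.1"),
    ]
    auditor = Auditor()
    for p in traffic:
        auditor.on_packet(p)
    return auditor
```
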

Description

Technical field

[0001] The invention relates to the field of information technology network security, in particular to a Trojan horse monitoring and auditing method and system.

Background technique

[0002] Trojan horse programs are more harmful than traditional viruses. They can not only damage or paralyze the host system, but also take complete control of the target host, download files from the target host to the Trojan horse control terminal, and upload new Trojan horse programs or other virus programs. At present, the detection and protection of Trojans are mainly based on products such as virus scanning, desktop active defense, security virus gateway, firewall, etc. The technologies used in these products mainly fall into three categories:

[0003] The first category is to identify Trojan horses based on the static features of Trojan horse programs. Through the static analysis of the Trojan horse program, the feature string that can be used to identify...

Application Information

IPC(8): H04L12/26, H04L12/24, H04L29/06
Inventor 徐亚非张佃常乐
Owner 国都兴业信息审计系统技术(北京)有限公司