Method and system for detecting file stealing Trojan based on thread behavior

A file-detection and thread-monitoring technology, applied to detecting Trojan horse file theft from thread behavior, that addresses the problems of false positives, failure to detect Trojan file-stealing behavior, and mismatched file-read and network-send times, and achieves an accurate recognition rate.

Active Publication Date: 2012-03-28
HARBIN ANTIY TECH

AI Technical Summary

Problems solved by technology

[0003] The existing patent "File Transfer Monitoring Method Based on Process Correlation" inspects the data content of the conventional network protocols HTTP, FTP and SMTP to determine whether a file transfer is in progress. Since most Trojan horses transfer files over a non-standard application protocol, parsing and matching data against standard protocols cannot detect most Trojan horse file theft.
At the same time, the purpose of that method is to prevent information leakage, so it generates false positives for files that users upload deliberately through IE web mail, FTP and similar tools, while still failing to detect Trojan horses.
In addition, that patent matches the file access time against the packet sending time to judge file transmission. Some Trojan horses compress or otherwise transform a file after reading it and before sending it, so the file read time and the network send time do not coincide and this method fails.


Embodiment Construction

[0043] So that those skilled in the art can better understand the technical solutions in the embodiments of the present invention, and to make the above purposes, features and advantages of the invention clearer and easier to understand, the technical solutions of the present invention are described in further detail below with reference to the accompanying drawings.

[0044] The invention provides a method and system for detecting files stolen by a Trojan horse based on thread behavior. The method and system greatly reduce false positives for normal file transmission and improve the detection of files stolen by a Trojan horse.

[0045] First, the Trojan file-theft detection method based on thread behavior provided by the present invention is introduced. The concrete implementation steps are shown in figure 1 and include:

[0046] S101, monitor the file operation and network operation of the thread; the file operation includes openi...


Abstract

The invention provides a method for detecting a file-stealing Trojan based on thread behavior, which comprises the following steps: monitoring the file operations and network operations of a thread; forming a behavior sequence buffer queue from the monitored thread, the process of the monitored thread, the intercepted file operations, the data read from the file, the network operations and the data transmitted over the network; judging from the behavior sequence in the buffer queue whether the file read by the thread is the file transmitted over the network; and if so, checking whether the thread and its process are concealed, and if so, judging that a Trojan file-stealing behavior exists. The invention also provides a system for detecting a file-stealing Trojan based on thread behavior. With the method and system provided by the invention, false reports of normal file transmission can be reduced, and detection of Trojan file-stealing behavior is improved.
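The per-thread behavior sequence buffer queue described in the abstract, as an added example that is not the patent's own code: each thread's recent file reads are buffered, every network send by that thread is matched against them by content rather than by timing, and a match is only reported as file theft when the thread's process is concealed. The event stream, the `is_hidden` callback standing in for the patent's secrecy check, and the zlib comparison (covering the compress-before-send case from [0003]) are all assumptions of this example.

```python
import zlib
from collections import deque
from dataclasses import dataclass

@dataclass
class Event:
    tid: int     # thread that performed the operation
    pid: int     # process owning the thread
    kind: str    # "file_read" or "net_send"
    data: bytes  # bytes read from the file, or bytes handed to the network

class ThreadBehaviorDetector:
    """Per-thread buffer queue of recent file reads, matched against network sends by content."""

    def __init__(self, is_hidden, window=16):
        # is_hidden(pid, tid) -> bool is a hypothetical concealment check (hidden window,
        # hidden process, etc.); window bounds how many reads are remembered per thread.
        self.is_hidden, self.window = is_hidden, window
        self.queues = {}  # tid -> deque of recent file_read events

    def _same_payload(self, read_data, sent_data):
        # Assumption: a Trojan may zlib-compress the file before sending, so both forms are checked.
        if not read_data:
            return False
        return read_data in sent_data or zlib.compress(read_data) in sent_data

    def observe(self, ev):
        """Returns None, "normal_transfer" or "trojan_file_theft" for this event."""
        q = self.queues.setdefault(ev.tid, deque(maxlen=self.window))
        if ev.kind == "file_read":
            q.append(ev)
        elif ev.kind == "net_send":
            for prior in q:
                if self._same_payload(prior.data, ev.data):
                    # File content left over the network: decide by concealment, not by timing.
                    return "trojan_file_theft" if self.is_hidden(ev.pid, ev.tid) else "normal_transfer"
        return None

# Constructed sample: pid 100 is a concealed process, pid 200 is a user's visible FTP client.
HIDDEN_PIDS = {100}
SAMPLE_EVENTS = [
    Event(1, 100, "file_read", b"SECRET-REPORT-Q3"),
    Event(1, 100, "net_send", b"HDR" + zlib.compress(b"SECRET-REPORT-Q3")),
    Event(2, 200, "file_read", b"holiday-photo-bytes"),
    Event(2, 200, "net_send", b"STOR holiday.jpg\r\n" + b"holiday-photo-bytes"),
    Event(3, 200, "net_send", b"NOOP\r\n"),
]

def run(events, hidden_pids):
    det = ThreadBehaviorDetector(lambda pid, tid: pid in hidden_pids)
    return [v for v in map(det.observe, events) if v is not None]
```

The visible FTP upload matches file content but is reported as a normal transfer, which is the false-positive reduction the abstract claims; the concealed process sending the compressed file is the only theft verdict.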

Description

Technical field

[0001] The invention relates to the field of malicious behavior detection for computer malware, in particular to a method and system for detecting file theft by Trojans based on thread behavior.

Background technique

[0002] Technology that protects file security against Trojan horse file transfer has not yet appeared in mainstream antivirus software. Current monitoring of Trojan horse behavior mainly watches for the creation of remote threads, services and other abnormal actions of Trojan horses, rather than monitoring data security.

[0003] The existing patent "File Transfer Monitoring Method Based on Process Correlation" inspects the data content of the conventional network protocols HTTP, FTP and SMTP to determine whether a file transfer is in progress. Since most Trojans transfer files over a non-standard application protocol, parsing and matching data against standard protocols cannot detect most Trojans stealing...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, G06F21/00, G06F21/56
Inventor: 康学斌, 肖新光
Owner: HARBIN ANTIY TECH