Method and device for detecting intranet Trojans

A Trojan horse detection method and technology, applied in the field of Internet security, addresses the problems that unknown or potential Trojan horses cannot be found and that false negatives are easily caused.

Active Publication Date: 2012-07-18
BEIJING BAIDU NETCOM SCI & TECH CO LTD

AI Technical Summary

Problems solved by technology

This detection technology based on signature matching relies on the update of the signature database. It lacks the discovery and detection of virus and Trojan behavior. It...



Examples


Embodiment 1

[0081] Figure 1 is the flow chart of the intranet Trojan detection method provided by this embodiment. As shown in Figure 1, the method includes:

[0082] Step S101, collecting network data packets.

[0083] After a Trojan horse has been implanted in the target computer, the Trojan's control end must establish a connection with the controlled end in order to communicate, so that it can remotely control the controlled host and steal information. The controlled end sends a DNS (domain name resolution) request for the control end's preset control domain name to a remote domain name server, resolves the control end's IP address from the DNS response it receives, and then initiates a connection to that IP address.

[0084] After invading the target system, the Trojan horse uses various means to deceive users and disguise itself, such as packing, adding flowe...

Embodiment 2

[0183] Figure 7 is the structural diagram of the intranet Trojan detection device provided by this embodiment. As shown in Figure 7, the device includes a collection module 10, a domain name identification module 20 and a Trojan identification module 30, wherein:

[0184] The collecting module 10 is used for collecting network data packets.

[0185] The collection module 10 collects network data packets in real time, so that subsequent modules can extract data matching the characteristics of Trojan communication behaviour from the collected packets and determine whether a potential security risk exists. The collected network data packets may include, but are not limited to, packets of protocols such as DNS, TCP or HTTP.

[0186] The domain name identification module 20 is used to obtain the DNS request data in the network data packet, utilize at least one of the first domain name identification module 201 to the...


Abstract

The invention provides a method and device for detecting intranet Trojans. The method for detecting intranet Trojans comprises the following steps: S1, collecting network data packets; S2, identifying malicious domain names using D1-D3, wherein D1 identifies the domain names of DNS request data with abnormal heartbeats, D2 judges whether a domain name that points to a special IP later switches to a DNS answer pointing to a normal IP, and D3 judges whether a domain name accessed via DNS appears among the domain names accessed by the browser; and S3, identifying the Trojan using D4-D5, wherein D4 judges whether reverse traffic appears and, if so, identifies it as a Trojan, and D5 judges whether a request packet or response packet in the traffic conforms to the RFC provisions and, if not, identifies it as a Trojan. With the method and device for detecting intranet Trojans disclosed by the invention, comprehensive detection is performed on the basis of the Trojan's communication behaviour characteristics, unknown Trojans can be discovered in time and alarmed on more accurately, and missed alarms can be reduced.
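The S2 domain-name heuristics D1 to D3 above, applied to the DNS beacon flow that Embodiment 1 describes, as an added example that is not the patent's code: it runs over constructed DNS answers and browser Host headers for one intranet host, and the thresholds (four queries, 10% interval jitter) are assumptions.

```python
"""Added example, not the patent's code: heuristics D1-D3 over constructed
DNS answers and browser Host headers observed for a single intranet host."""
import ipaddress
from collections import defaultdict
from statistics import pstdev

# Constructed sample data: (seconds, queried domain, resolved IP) per DNS
# answer, plus the Host headers seen in the same host's browser traffic.
DNS_ANSWERS = [
    (0, "update.example-cdn.net", "127.0.0.1"),       # parked on a special IP
    (60, "update.example-cdn.net", "127.0.0.1"),
    (120, "update.example-cdn.net", "93.184.216.34"),  # then flips to a public IP
    (180, "update.example-cdn.net", "93.184.216.34"),
    (240, "update.example-cdn.net", "93.184.216.34"),
    (181, "news.example.com", "93.184.216.35"),
    (300, "news.example.com", "93.184.216.35"),
    (302, "img.example.com", "93.184.216.36"),
]
BROWSER_HOSTS = {"news.example.com", "img.example.com"}

def by_domain(answers):
    groups = defaultdict(list)
    for ts, name, ip in answers:
        groups[name].append((ts, ip))
    return {name: sorted(recs) for name, recs in groups.items()}

def d1_heartbeat(timestamps, min_queries=4, max_jitter=0.1):
    """D1: near-constant query interval, i.e. a beacon-like heartbeat."""
    if len(timestamps) < min_queries:
        return False
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = sum(gaps) / len(gaps)
    return mean > 0 and pstdev(gaps) <= max_jitter * mean

def d2_special_to_normal(ips):
    """D2: answer moves from a special (loopback/private/reserved) IP to a public one."""
    special = [not ipaddress.ip_address(ip).is_global for ip in ips]
    return any(special[i] and not special[j]
               for i in range(len(ips)) for j in range(i + 1, len(ips)))

def d3_not_browsed(name, browser_hosts):
    """D3: resolved via DNS but never seen as a browser-accessed host."""
    return name not in browser_hosts

def suspicious_domains(answers, browser_hosts):
    """Map each domain hitting at least one of D1-D3 to the rules it hit.
    D3 alone also fires for legitimate non-browser software, so a lone D3 hit is low confidence."""
    hits = {}
    for name, recs in by_domain(answers).items():
        ts, ips = [t for t, _ in recs], [ip for _, ip in recs]
        rules = [r for r, ok in (("D1", d1_heartbeat(ts)), ("D2", d2_special_to_normal(ips)),
                                 ("D3", d3_not_browsed(name, browser_hosts))) if ok]
        if rules:
            hits[name] = rules
    return hits
```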

Description

Technical field

[0001] The invention relates to the technical field of Internet security, and in particular to a method and device for detecting an intranet Trojan horse.

Background technique

[0002] At present, security problems in the Internet industry are becoming more and more prominent. Malicious attackers often use Trojan horses to attack Internet sites for remote control and information theft. A Trojan horse is a concealed, self-starting program that can be used to perform malicious acts; attackers use a Trojan horse program lurking on a computer to intrude, steal information or seize control. Once one computer in an intranet is infected with a Trojan horse program, other computers in the intranet can be infected as well, seriously threatening the security of the entire LAN.

[0003] Existing Trojan horse detection technology mainly adopts signature matching, first through malicious DNS (Domain Name System, domain name resolution) access requests collected fr...


Application Information

IPC(8): H04L29/06, H04L29/08, H04L29/12
Inventor 赵林林
Owner BEIJING BAIDU NETCOM SCI & TECH CO LTD