Trojan horse detection method based on communication behavior clustering

A detection method and clustering technique, applied in the field of information security, that addresses the problems of an ill-chosen feature clustering algorithm, unsatisfactory detection results, and the inability to analyse TCP sessions in real time.
CN104168272A · Inactive · Publication Date: 2014-11-26 · STATE GRID CORP OF CHINA +2

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Applications (China)
Current Assignee / Owner: STATE GRID CORP OF CHINA
Publication Date: 2014-11-26
Estimated Expiration: Not applicable · inactive patent

Smart Images: Figure 1, Figure 2, Figure 3 (images not reproduced here)

Abstract

The invention discloses a Trojan horse detection method based on communication behavior clustering, and belongs to the field of information security. To address the shortcomings of existing Trojan horse detection technology, such as weak feature extraction and an ill-suited choice of clustering algorithm, it provides an unknown-Trojan detection method with strong feature extraction, a suitable clustering algorithm, and high detection efficiency and accuracy. The technical scheme comprises the steps of capturing network traffic packets, reassembling TCP sessions, extracting features such as the Trojan reverse-connection feature, an entropy feature and a heartbeat feature, building a feature vector for each TCP session, and clustering the feature vectors in real time with an LSH-based real-time incremental clustering algorithm. Using the differences in communication behavior between Trojan sessions and normal network communication, the method marks those differences by combining statistical analysis with time-series analysis, guarantees high detection accuracy and a zero miss rate, lowers the false-alarm rate, and can effectively detect the abnormal communication behavior of a Trojan horse in real time.
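As an added illustration, not code from the patent or its assignee, the pipeline the abstract describes reduced to a runnable Python sketch: each reassembled TCP session becomes a feature vector (mean per-packet payload entropy, a heartbeat periodicity score derived from inter-packet timing, and the client-to-server upload ratio on inside-initiated connections as a simple stand-in for the reverse-connection feature), and the vectors are clustered incrementally by a sign-based LSH bucket whose centroid is a running mean. The feature definitions, the fixed hyperplanes, the flagging thresholds and all four sample sessions are constructed assumptions; the patent's own feature formulas and LSH parameters are not given in the abstract.

```python
import math
from collections import Counter

# A session is a dict with "id", "internal_client" (True when an inside host opened the
# TCP connection, i.e. a candidate reverse connection) and "packets", a list of
# (timestamp_seconds, direction, payload) where direction "out" means client -> server.

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a payload: 8.0 when every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def heartbeat_cv(timestamps) -> float:
    """Coefficient of variation of inter-packet gaps: 0 is a perfectly periodic beacon."""
    if len(timestamps) < 3:
        return float("inf")
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = sum(gaps) / len(gaps)
    if mean == 0:
        return float("inf")
    var = sum((g - mean) ** 2 for g in gaps) / len(gaps)
    return math.sqrt(var) / mean

def session_features(session):
    """(mean entropy / 8, periodicity in [0,1], client->server byte ratio, inside-initiated flag)."""
    pkts = session["packets"]
    entropy = sum(shannon_entropy(p) for _, _, p in pkts) / len(pkts) / 8.0
    periodicity = 1.0 / (1.0 + heartbeat_cv([t for t, _, _ in pkts]))
    total = sum(len(p) for _, _, p in pkts)
    upload = sum(len(p) for _, d, p in pkts if d == "out") / total if total else 0.0
    return (entropy, periodicity, upload, 1.0 if session["internal_client"] else 0.0)

# Sign-based (random projection) LSH: one bit per hyperplane normal. The normals are
# fixed here so the run is reproducible; a real deployment draws them from N(0, 1).
HYPERPLANES = [
    (0.0, 1.0, 0.0, -0.7),  # periodic vs. irregular timing
    (0.0, 0.0, 1.0, -0.5),  # upload-heavy vs. download-heavy
    (1.0, 0.0, 0.0, -0.6),  # payload entropy above/below 0.6 * 8 bits
    (1.0, 0.0, 1.0, -1.3),  # entropy and upload ratio combined
    (0.0, 0.0, 0.0, 1.0),   # inside-initiated vs. outside-initiated
]

class IncrementalLshClusterer:
    """One cluster per LSH bucket; the centroid is a running mean, so old sessions are never re-read."""
    def __init__(self, hyperplanes=HYPERPLANES):
        self.hyperplanes = hyperplanes
        self.clusters = {}  # bucket key -> {"centroid": [...], "members": [...]}
    def bucket(self, vec):
        return tuple(int(sum(h * x for h, x in zip(hp, vec)) > 0) for hp in self.hyperplanes)
    def add(self, session_id, vec):
        key = self.bucket(vec)
        cl = self.clusters.setdefault(key, {"centroid": list(vec), "members": []})
        n = len(cl["members"])  # n == 0 on first insert, so the centroid becomes vec
        cl["centroid"] = [(c * n + x) / (n + 1) for c, x in zip(cl["centroid"], vec)]
        cl["members"].append(session_id)
        return key

def suspicious_sessions(clusterer, min_periodicity=0.8, min_upload=0.5):
    """Constructed rule: beacon-like timing plus upload-dominant traffic on an inside-initiated connection."""
    flagged = set()
    for cl in clusterer.clusters.values():
        _entropy, periodicity, upload, inside = cl["centroid"]
        if inside >= 0.5 and periodicity >= min_periodicity and upload >= min_upload:
            flagged.update(cl["members"])
    return flagged

# Constructed sample sessions (payloads chosen so their entropies are exact).
HIGH_ENTROPY = bytes(range(256))       # every byte value once: 8.0 bits
MEDIUM_ENTROPY = bytes(range(64)) * 4  # 64 distinct values: 6.0 bits
REQUEST = b"GET /index.html"           # 15 distinct bytes: log2(15) bits
CMD = b"\x01\x02"                      # tiny two-byte "command": 1.0 bit
SESSIONS = [
    {"id": "trojan-a", "internal_client": True, "packets": [  # 30 s beacon, data flows out
        (0.0, "in", CMD), (30.0, "out", HIGH_ENTROPY), (60.0, "in", CMD),
        (90.0, "out", HIGH_ENTROPY), (120.0, "in", CMD)]},
    {"id": "trojan-b", "internal_client": True, "packets": [  # 20 s beacon, data flows out
        (0.0, "in", CMD), (20.0, "out", HIGH_ENTROPY), (40.0, "in", CMD),
        (60.0, "out", HIGH_ENTROPY), (80.0, "in", CMD), (100.0, "out", HIGH_ENTROPY)]},
    {"id": "web-browse", "internal_client": True, "packets": [  # small requests, big replies
        (0.0, "out", REQUEST), (0.12, "in", MEDIUM_ENTROPY), (0.15, "in", MEDIUM_ENTROPY),
        (1.9, "out", REQUEST), (2.02, "in", MEDIUM_ENTROPY)]},
    {"id": "bulk-backup", "internal_client": True, "packets": [  # bursty upload, no beacon
        (0.0, "out", MEDIUM_ENTROPY), (0.01, "out", MEDIUM_ENTROPY), (0.05, "out", MEDIUM_ENTROPY),
        (0.06, "out", MEDIUM_ENTROPY), (0.3, "out", MEDIUM_ENTROPY)]},
]

def cluster_sessions(sessions=SESSIONS):
    """Stream the sessions through the clusterer; returns it plus each session's bucket key."""
    clusterer = IncrementalLshClusterer()
    keys = {s["id"]: clusterer.add(s["id"], session_features(s)) for s in sessions}
    return clusterer, keys

if __name__ == "__main__":
    clusterer, keys = cluster_sessions()
    for s in SESSIONS:
        print(s["id"], keys[s["id"]], [round(x, 3) for x in session_features(s)])
    print("flagged:", sorted(suspicious_sessions(clusterer)))
```

Running the block places the two beaconing sessions in one bucket, the browsing session and the bulk upload each in their own, and flags only the first bucket; the bulk upload shares the high upload ratio of the Trojan sessions but its irregular timing keeps it out of the flagged cluster, which is the point of combining the time-series (heartbeat) view with the statistical (entropy, byte ratio) view.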

Description

Technical Field

[0001] The invention relates to the field of information security, in particular to a Trojan horse detection method based on communication behavior clustering.

Background Technique

[0002] In recent years, the threats to network information security have changed dramatically. Hacker attacks have gradually shifted from the traditional individual pranks and displays of technical skill to professional, organized operations with specific targets, very long durations, and the pursuit of commercial or other particular interests. To break through traditional network security defenses, an attack method known as APT (Advanced Persistent Threat) has developed rapidly and has become the biggest network security threat of recent years. As one of the most important links in an APT attack, Trojan horses have become a key object of network security research and prevention.

[0003] Usually, at the beginning of a new APT at...

Claims
