Attack chain behavior analysis based Trojan horse detection method and system

A Trojan horse detection technology based on behavior analysis, applied in the field of network security. It addresses problems such as the many false positives caused by the variety of application services, and achieves a low false negative rate and a high accuracy rate.

Active Publication Date: 2018-08-10
HANGZHOU ANHENG INFORMATION TECH CO LTD

AI Technical Summary

Problems solved by technology

Prior patent 2, "Trojan horse communication behavior feature extraction method based on network data flow analysis" (application number: CN201110158055.1), applies thresholds to indicators such as the communication time, the number of small communication packets, and the ratio of uploaded to downloaded data packets at the controlled end, in order to judge whether traffic shows the behavior characteristics of the Trojan horse operation stage. Its disadvantage is that on the real Internet there are many types of application services, and the duration of their data transmission through the application server and the characteristics of their data packets bear a certain similarity to the operating behavior of Trojan horses, so detection with this method produces more false positives.




Embodiment Construction

[0039] First of all, it should be explained that the present invention is an application of computer technology in the field of information security technology. During the implementation of the present invention, the application of multiple software function modules will be involved. The applicant believes that after carefully reading the application documents and accurately understanding the realization principle and purpose of the present invention, and in combination with existing known technologies, those skilled in the art can fully implement the present invention by using their software programming skills. All the software functional modules mentioned in the application documents of the present invention belong to this category, and the applicant will not list them one by one.

[0040] The present invention is described in further detail below with reference to the accompanying drawings and specific embodiments:

[0041] Such as figure 1 The Trojan horse detection system b...


Abstract

The invention relates to network security and aims to provide a Trojan horse detection method and system based on attack chain behavior analysis. The system comprises a DNS domain name anomaly detection module, a Trojan horse incubation behavior anomaly detection module and a Trojan horse communication behavior anomaly detection module, and can perform anomaly detection on three behavior processes of a Trojan horse penetration attack: the Trojan horse connection process, the Trojan horse incubation process and the Trojan horse communication process. When the anomaly detection conditions of the connection process, the incubation process and the communication process are all met, the presence of a Trojan horse is confirmed and detection is achieved. By performing sequential associated analysis on these three behavior processes, and by building the detection on the behavior features of each of the three, the invention provides a comprehensive and efficient Trojan horse detection method and system, with higher detection accuracy and a lower missing report rate.
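The sequential associated analysis described in the abstract can be sketched as a per-host state machine over the alerts of the three modules. This is an added example, not code from the patent: the `Alert` record, the use of the host as correlation key, the optional `max_span` bound and the sample alerts are all assumptions made for illustration, and the "connection" stage stands for the DNS domain name anomaly module.

```python
from dataclasses import dataclass

# Stage order from the abstract: connection -> incubation -> communication.
STAGES = ("connection", "incubation", "communication")

@dataclass(frozen=True)
class Alert:
    ts: int     # seconds (constructed sample values)
    host: str   # monitored host; using it as the correlation key is an assumption
    stage: str  # which detection module raised the anomaly

def correlate(alerts, max_span=None):
    """Map each confirmed host to the timestamps of its three stages.

    A host is confirmed only when its anomalies arrive in attack-chain order.
    max_span (seconds) is an assumed optional bound on the whole chain.
    """
    progress, confirmed = {}, {}
    for a in sorted(alerts, key=lambda x: x.ts):
        if a.stage not in STAGES or a.host in confirmed:
            continue
        seen = progress.setdefault(a.host, [])
        if seen and max_span is not None and a.ts - seen[0] > max_span:
            seen.clear()                  # chain went stale, start over
        if STAGES.index(a.stage) == len(seen):
            seen.append(a.ts)             # the next expected stage arrived
        if len(seen) == len(STAGES):
            confirmed[a.host] = tuple(seen)
    return confirmed

# Constructed alerts, not data from the patent.
SAMPLE = [
    Alert(100, "10.0.0.5", "connection"),
    Alert(400, "10.0.0.5", "incubation"),
    Alert(900, "10.0.0.5", "communication"),
    Alert(150, "10.0.0.7", "communication"),
    Alert(200, "10.0.0.9", "incubation"),
    Alert(300, "10.0.0.9", "connection"),
    Alert(500, "10.0.0.9", "communication"),
]

if __name__ == "__main__":
    for host, times in correlate(SAMPLE).items():
        print(host, "confirmed, stage times:", times)
```

Host 10.0.0.7 raises only a communication anomaly, the single-stage case that the prior-art threshold method would flag, and 10.0.0.9 raises its anomalies out of order; neither is confirmed.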

Description

Technical field

[0001] The invention relates to the field of network security, in particular to a Trojan horse detection method and system based on attack chain behavior analysis.

Background technique

[0002] In the field of network security, the threat index of Trojan horse attacks ranks second only to software vulnerabilities. The harm caused by network attacks that rely mainly on Trojan horses is becoming more and more serious, and the resulting economic losses are also increasing. Trojan horse attack detection technology has always been a research hotspot in the field of network security: because the attack method is carefully constructed and the attack behavior is highly personalized, it is difficult to find Trojan horse attack behavior through traditional intrusion detection technology.

[0003] The existing Trojan horse detection technology mainly adopts the following two methods:

[0004] 1. Based on the static signature of the Trojan horse code: By scanning all files...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06
CPC: H04L63/1416, H04L63/1425, H04L63/145, H04L61/4511
Inventor: 王萌, 范渊
Owner: HANGZHOU ANHENG INFORMATION TECH CO LTD