
A method for detecting network traffic of rebound type remote control Trojan based on behavior analysis

A technology for network traffic and behavior analysis, applied in the field of network security

Active Publication Date: 2022-02-01
STATE GRID HUNAN ELECTRIC POWER +2

AI Technical Summary

Problems solved by technology

[0004] From the perspective of network behavior analysis, there must be differences between the behavior of rebound (reverse-connection) remote control Trojans and normal business behavior. However, no public literature proposes a method that can intelligently analyze network behavior and efficiently and accurately detect rebound remote control Trojans. Network traffic


Embodiment Construction

[0020] This embodiment includes the following two stages:

[0021] The first stage: the model training stage

[0022] The first step is to collect training samples. 370 real rebound remote control Trojan traffic files were collected from public websites, about 30% of which are encrypted traffic. 2190 normal network business traffic files were collected from enterprise switches. Normal business traffic includes e-mail, instant messaging such as QQ, web browsing, P2P and other cloud service traffic. All collected network traffic is labeled as either malicious Trojan traffic or normal network traffic.

[0023] In the second step, the complete network traffic of each TCP session is extracted from the raw traffic. The data packets in the traffic files collected in the first step are sorted by arrival time and form a collection of all traffic in the LAN. The traffic must first be reassembled in units of network sessions. A TCP session refers to a complete TCP session between the same pai...
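The session reassembly and feature extraction of steps [0022]-[0023], as an added illustration that is not the patent's own code: packets are sorted by arrival time, grouped into TCP sessions by a direction-independent 5-tuple key, and each session is reduced to per-session behavioral features. The packet records, the session-key scheme and the specific features (initiator, upload ratio, idle gaps) are my own constructed assumptions; the page does not list the features the model actually uses.

```python
from collections import defaultdict
from statistics import mean

# Constructed packet records: (arrival_time_s, src_ip, src_port, dst_ip, dst_port, payload_bytes).
# Stand-in for the sorted packet collection of the embodiment; not real captured traffic.
PACKETS = [
    (0.00, "10.0.0.5", 49152, "203.0.113.9", 443, 0),     # session A: inside host opens outbound
    (0.05, "203.0.113.9", 443, "10.0.0.5", 49152, 0),
    (0.10, "10.0.0.5", 49152, "203.0.113.9", 443, 64),
    (5.10, "203.0.113.9", 443, "10.0.0.5", 49152, 32),    # long idle, then a small inbound message
    (5.15, "10.0.0.5", 49152, "203.0.113.9", 443, 4096),  # large outbound answer
    (0.02, "10.0.0.7", 50000, "198.51.100.2", 80, 0),     # session B: ordinary web browsing
    (0.03, "198.51.100.2", 80, "10.0.0.7", 50000, 0),
    (0.04, "10.0.0.7", 50000, "198.51.100.2", 80, 300),
    (0.20, "198.51.100.2", 80, "10.0.0.7", 50000, 20000),
]

def session_key(src_ip, src_port, dst_ip, dst_port):
    """Direction-independent key so both halves of a TCP conversation land in one session."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (a, b) if a <= b else (b, a)

def reassemble_sessions(packets):
    """Sort packets by arrival time (step [0023]) and group them into TCP sessions."""
    sessions = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p[0]):
        sessions[session_key(*pkt[1:5])].append(pkt)
    return sessions

def session_features(pkts):
    """Per-session behavioral features; the sender of the first packet is taken as the initiator."""
    t0, init_ip, init_port = pkts[0][0], pkts[0][1], pkts[0][2]
    up = [p for p in pkts if (p[1], p[2]) == (init_ip, init_port)]   # initiator -> peer
    down = [p for p in pkts if (p[1], p[2]) != (init_ip, init_port)]  # peer -> initiator
    gaps = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]
    up_bytes, down_bytes = sum(p[5] for p in up), sum(p[5] for p in down)
    total = up_bytes + down_bytes
    return {
        "initiator": init_ip,
        "duration_s": round(pkts[-1][0] - t0, 3),
        "pkts_up": len(up), "pkts_down": len(down),
        "bytes_up": up_bytes, "bytes_down": down_bytes,
        # outbound share of payload: a reverse-connect session that mostly uploads looks
        # different from browsing, which mostly downloads (illustrative feature, my assumption)
        "upload_ratio": round(up_bytes / total, 3) if total else 0.0,
        "max_idle_s": round(max(gaps), 3) if gaps else 0.0,
        "mean_gap_s": round(mean(gaps), 3) if gaps else 0.0,
    }

def extract_all(packets):
    """Feature vector per session, ready to be labeled and fed to a classifier."""
    return {key: session_features(pkts) for key, pkts in reassemble_sessions(packets).items()}
```

The returned dictionaries are the per-session rows that, together with the labels from step [0022], would form the training set for the random forest model.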


Abstract

The invention discloses a rebound type remote control Trojan network traffic detection method based on behavior analysis. In the first stage, training samples undergo TCP session reassembly, session feature extraction and session labeling; the session features and labels are then input into a random forest detection model. The model is adjusted by comparing its index performance under different parameters, and the optimized Trojan detection model is finally determined. In the second stage, TCP session reassembly and session feature extraction are performed on the real-time raw traffic data collected on a probe, the session features are input into the Trojan detection model optimized in the first stage, and the model classifies each session as Trojan traffic or normal business traffic. The technical effect of the invention is that, because it starts from the traffic characteristics produced by the Trojan's own behavior and detects the traffic files directly through the model, it does not rely on an existing Trojan signature library and can also detect unknown, new remote control Trojans. Trojans that encrypt their communication traffic can also be detected.

Description

Technical field

[0001] The invention relates to the field of network security, in particular to a rebound type remote control Trojan network traffic detection method based on behavior analysis.

Background technique

[0002] Because hackers can use remote control Trojans to steal corporate sensitive data, monitor key user behavior and perform malicious operations, remote control Trojans have become one of the major information security threats faced by enterprises. A remote control Trojan program consists of two independent parts: the control end and the controlled end. These two parts exchange data over the Internet. The controlled program is covertly installed on the infected computer through phishing e-mails or USB flash drives and receives commands from the hacker remotely. The control program is held by the hacker and sends commands to the infected computer. Remote control Trojans can be divided into two categories according to the c...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L9/40
CPC: H04L63/1408, H04L63/145
Inventor 朱宏宇田建伟田峥乔宏黎曦刘洁
Owner STATE GRID HUNAN ELECTRIC POWER