
An encrypted Trojan horse detection method for https covert tunnel

A detection method for encrypted Trojan horses, classified under transmission systems and electrical components, that addresses unsatisfactory detection results, the complexity of real network environments and the difficulty of obtaining fresh sample traffic, and achieves the effect of improving detection accuracy.

Active Publication Date: 2021-03-26
ZHENGZHOU UNIVERSITY OF LIGHT INDUSTRY
Cites: 6 | Cited by: 0

AI Technical Summary

Problems solved by technology

[0013] Trojan horse programs serve substantial economic or military interests, so few organisations or institutions disclose samples of Trojan tools, and it is difficult to obtain fresh sample traffic during research.
Moreover, because real network environments are complex, the features selected by a detection algorithm depend too heavily on the specific environment in which they were learned, and features derived in the laboratory perform poorly in actual deployment.



Examples


Embodiment 1

[0045] Embodiment 1: an encrypted Trojan detection method for HTTPS covert tunnels comprises the following steps:

[0046] Because Trojan communication traffic is highly discrete (bursty), a TCP session is divided into multiple packet groups according to the time gap between adjacent packets. A packet group is a set of packets with strong temporal correlation, which the present invention manages as a list. If the time gap between two adjacent packets does not exceed the time threshold T, they are considered to belong to the same packet group; otherwise they are assigned to different packet groups.

[0047] Basic definitions

[0048] Definition 1: A triplet comprises the source IP address, the destination IP address and the upper-layer protocol; it can be expressed as .

[0049] Definition 2: A packet list, expressed as .

[0050] Definition 3: records the source IP address, destination IP address, arriva...


Abstract

The invention relates to the technical field of encrypted Trojan detection for HTTPS covert tunnels, and in particular to an encrypted Trojan detection method oriented to HTTPS covert tunnels, comprising the following steps. First, Trojan sessions are analysed from the time-sequence perspective: a single Trojan session is found to be divisible into many small session flows, and a method for segmenting interactive sessions in sequence is proposed that combines a time-slice algorithm. Each small session is then analysed in turn, revealing the application-data interaction sequence within sessions that are otherwise dominated by the Trojan's heartbeat packets; heartbeat packets are filtered out of each time cluster with a frequent-vector mining algorithm. Finally, Trojan traffic and normal sessions are distinguished with Naive Bayes. Trojan and normal communication are thus identified independently of the application protocol, the command-and-control behaviour of the Trojan is detected effectively, the resulting data characterises the Trojan's operational behaviour, and the method is practical.
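The two stages the abstract and embodiment 1 describe in prose, time-slice segmentation of a session by the threshold T and filtering of heartbeat packets out of each group, are shown below as an added example. It is not the patent's code: the packet capture, host and server addresses, the value of T and the minimum support are all constructed, the session key is the Definition 1 triplet made direction-agnostic (an assumption, so both halves of a conversation share a session), the heartbeat filter is one simplified reading of "frequent vector mining" (a (direction, payload size) vector recurring across enough groups is treated as a beacon), and the per-group features are our own choice; the Naive Bayes stage is not implemented here.

```python
"""Time-slice segmentation and heartbeat filtering for an encrypted C2 session.

Added example, not the patent's code. All packet data below is constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

LOCAL_HOST = "192.0.2.10"   # assumed monitored (controlled) host


@dataclass(frozen=True)
class Packet:
    ts: float      # arrival time, seconds
    src: str
    dst: str
    proto: str     # upper-layer protocol (Definition 1), "TCP" here
    size: int      # TCP payload length in bytes

    @property
    def direction(self) -> str:
        return "out" if self.src == LOCAL_HOST else "in"


def session_key(p: Packet):
    """Definition 1 triplet, made direction-agnostic (assumption) so both
    directions of one conversation fall into the same session."""
    a, b = sorted((p.src, p.dst))
    return (a, b, p.proto)


def split_sessions(packets):
    sessions = defaultdict(list)
    for p in packets:
        sessions[session_key(p)].append(p)
    return dict(sessions)


def split_into_groups(packets, T):
    """Time-slice segmentation: start a new packet group whenever the gap
    between adjacent packets exceeds the threshold T (embodiment 1)."""
    groups, current, last_ts = [], [], None
    for p in sorted(packets, key=lambda x: x.ts):
        if last_ts is not None and p.ts - last_ts > T:
            groups.append(current)
            current = []
        current.append(p)
        last_ts = p.ts
    if current:
        groups.append(current)
    return groups


def filter_heartbeats(groups, min_support):
    """Simplified frequent-vector filter: a (direction, payload size) vector
    present in at least min_support groups is treated as heartbeat traffic
    and dropped. Groups left empty are discarded, so only groups carrying
    application-data interaction survive."""
    support = Counter()
    for g in groups:
        support.update({(p.direction, p.size) for p in g})   # one vote per group
    heartbeat = {v for v, n in support.items() if n >= min_support}
    cleaned = []
    for g in groups:
        kept = [p for p in g if (p.direction, p.size) not in heartbeat]
        if kept:
            cleaned.append(kept)
    return cleaned, heartbeat


def group_features(group):
    """Per-group features a classifier stage could consume (our own choice)."""
    return {
        "packets": len(group),
        "bytes_out": sum(p.size for p in group if p.direction == "out"),
        "bytes_in": sum(p.size for p in group if p.direction == "in"),
        "duration": round(group[-1].ts - group[0].ts, 3),
    }


C2 = "198.51.100.7"    # assumed command-and-control server
WEB = "203.0.113.9"    # assumed ordinary HTTPS site


def _beacon(t):        # a 64-byte heartbeat and its 64-byte reply
    return [Packet(t, LOCAL_HOST, C2, "TCP", 64), Packet(t + 0.05, C2, LOCAL_HOST, "TCP", 64)]


# Constructed capture: beacons every 30 s, one tasking/exfiltration burst
# at t=60.5, plus a short unrelated HTTPS exchange with a web server.
SAMPLE_PACKETS = (
    _beacon(0.0) + _beacon(30.0) + _beacon(60.0)
    + [Packet(60.5, C2, LOCAL_HOST, "TCP", 312),
       Packet(60.9, LOCAL_HOST, C2, "TCP", 1450),
       Packet(61.0, LOCAL_HOST, C2, "TCP", 1450),
       Packet(61.1, LOCAL_HOST, C2, "TCP", 840)]
    + _beacon(90.0) + _beacon(120.0)
    + [Packet(10.0, LOCAL_HOST, WEB, "TCP", 517),
       Packet(10.02, WEB, LOCAL_HOST, "TCP", 1400),
       Packet(10.4, LOCAL_HOST, WEB, "TCP", 300)]
)


def analyse(packets, T=5.0, min_support=3):
    """Segment and filter each session; returns
    {session_key: (group count, heartbeat vectors, features of surviving groups)}."""
    result = {}
    for key, pkts in split_sessions(packets).items():
        groups = split_into_groups(pkts, T)
        cleaned, hb = filter_heartbeats(groups, min_support)
        result[key] = (len(groups), hb, [group_features(g) for g in cleaned])
    return result


if __name__ == "__main__":
    for key, (n_groups, hb, feats) in analyse(SAMPLE_PACKETS).items():
        print(key, "groups:", n_groups, "heartbeat vectors:", sorted(hb))
        for f in feats:
            print("   ", f)
```

On the constructed capture the C2 session splits into five groups; the two 64-byte vectors recur in all of them and are removed, leaving a single group (one 312-byte inbound command followed by 3740 bytes outbound in 0.6 s) that carries the actual interaction. The web session forms one group and has no recurring vector, so nothing is filtered. In practice T and the support threshold must be tuned per environment, which is exactly the deployment sensitivity paragraph [0013] warns about.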

Description

Technical field

[0001] The invention relates to the technical field of encrypted Trojan detection for HTTPS covert tunnels, in particular to an encrypted Trojan detection method for HTTPS covert tunnels.

Background technique

[0002] Trojan horses are used mainly for host control and information theft. They usually neither damage the user's system nor replicate themselves, and they are highly concealed. In recent years more and more Trojan programs use tunnelling to improve their penetration and encryption to resist DPI detection, which poses new challenges for identifying Trojan communication traffic. However the Trojan alters its host-side artefacts to evade host-based detection, and however strong the cipher it applies to its payload, the interaction process itself does not change: the controlled end must receive commands from the controlling end and return feedback. Therefore, the study of encrypte...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L29/06
CPC: H04L63/1416, H04L63/145
Inventors: 王文冰, 赵晓君, 毛艳芳, 张玲, 孙海燕
Owner: ZHENGZHOU UNIVERSITY OF LIGHT INDUSTRY