Mining Trojan horse detection system based on flow analysis

Abstract

The invention discloses a mining Trojan horse detection system based on flow analysis, which relates to the field of computer network security and comprises a connectionmining pool mining Trojan horsebehavior detection subsystem and a p2p mining network mining Trojan horse behavior detection subsystem. According to the invention, the static pcap data packet or the real-time flow is used as the input, two modes of detecting and connecting mine pool mining and p2p mining can be selected, the mining flow is analyzed through the field feature extraction or communication flow feature extraction and identification of the system, and the alarm information is output to the user. Aiming at the conditions of plaintext communication and ciphertext communication, the system has the capability of quickly processing mass data, and can meet the requirements of personal hosts and enterprise-level users at the same time.

Description

technical field [0001] The invention relates to the field of computer network security, in particular to a mining Trojan horse detection system based on flow analysis. Background technique [0002] The blockchain is a huge decentralized ledger, and in the decentralized system, the status of each participating node is equal. In order to maintain the consistency of the blockchain at each node, the blockchain system requires each node to follow the same Consensus mechanism to achieve consensus. A widely adopted consensus mechanism is the proof-of-work (PoW) mechanism proposed by Satoshi Nakamoto in 2009. Nodes participating in the blockchain network use the computing power of computers (hereinafter referred to as computing power) to perform "difficult calculations" to obtain A random number answer that meets the difficulty requirements. If the answer is calculated and verified by the entire network, the node will have the right to generate and record the block, and will receiv...

AI Technical Summary

Problems solved by technology

[0004] At present, the detection methods of mining Trojans are concentrated on the host side. The traditional detection methods include identifying abnormally high CPU usage, identifying abnormally high hash calculations, identifying codes of malicious processes or malicious files, and monitoring abnormally high heat. The hardware temperature of the system, the use of active defense software to monitor the calls of sensitive system resources and functions by the process, and the use of the blacklist mechanism to block the mining pool addresses used by known mining Trojan horses, etc., can perform more accurate behaviors on the mining Trojan horse at the host level Judgment, however, there are still deficiencies in the judgment method based on the host level. The mining Trojan horse can use technologies such as Rootkit to hide the mining process, hide features by limiting CPU usage and usage time, and use technical means such as packing and code obfuscation to avoid The matching of code fragments in the virus database uses "fileless" technology or process image replacement to hide files. The identification method based on the host side has inherent defects and deficiencies in the fight against various hiding methods

Images