CN103095714A - Trojan horse detection method based on Trojan horse virus type classification modeling

Info

Publication number
CN103095714A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN2013100288160A
Other languages
Chinese (zh)
Inventor
陈虹宇
Other inventors have requested that their names not be disclosed
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
SICHUAN SHENHU TECHNOLOGY Co Ltd
Original Assignee
SICHUAN SHENHU TECHNOLOGY Co Ltd
Priority date
2013-01-25
Filing date
2013-01-25
Publication date
2013-05-08

Abstract

The invention discloses a Trojan horse detection method based on Trojan horse virus type classification modeling. The method comprises the following steps: (1) classifying known Trojan horses according to their characteristics; (2) forming a Trojan horse identification class library; (3) collecting characteristics of the operating system, identifying the Trojan horse through the Trojan horse identification class library of step (2), and locating the category and characteristics the Trojan horse belongs to; (4) locating suspicious items; (5) according to the operating-system characteristics collected in step (3), conducting pattern matching against the class library through an algorithm to identify the Trojan horse in the system; (6) when a Trojan horse matching a pattern in the class library is found, judging that a Trojan horse has been detected. The method can rapidly identify and analyse Trojan horses present in the system, and in particular unknown, novel Trojan horses. Compared with the traditional detection manner, the detection capability for Trojan horses, and in particular the recognition and detection capability for unknown, novel Trojan horses, is greatly improved.

Description

A Trojan detection method based on Trojan virus type classification modeling
Technical field
The present invention relates to a Trojan detection method, and in particular to a Trojan detection method based on Trojan virus type classification modeling.
Background technology
Network security incidents such as web page tampering, account theft, denial-of-service attacks, system intrusion, worm propagation and malware threats are commonplace at present, and among them infection of computers by Trojan horse programs is the most prominent. Trojan programs, with their strong stealth, steal passwords, take control of systems and perform similar operations, and have become a serious security threat. The rapid development of Trojan writing techniques has brought new challenges to security software: the use of techniques such as code morphing and encryption lets variants of all kinds of Trojans roam freely across the network, rendering traditional Trojan detection methods ineffective.
Summary of the invention
The purpose of the present invention is to address the above problems by providing a Trojan detection method based on Trojan virus type classification modeling that can quickly identify and analyse unknown, novel Trojans.
The present invention achieves this purpose through the following technical solution:
A Trojan detection method based on Trojan virus type classification modeling comprises the following steps:
(1) Trojans that have already been discovered are classified according to their features. Classified by start-up feature there are registry-start Trojans, service-start Trojans, BIOS Trojans and so on; classified by propagation path there are autorun Trojans, disguise-type Trojans, worm-type Trojans and so on; classified by file type there are exe-type Trojans, dynamic-library Trojans, driver Trojans and so on.
(2) According to a certain algorithm, the features of each class are modelled to form a Trojan identification class library for pattern matching. Take autorun Trojans as an example: the common feature of this class is that each one generates an autorun.inf file in the root of a drive, each one has an executable file corresponding to that autorun.inf, and each one accesses the network. The autorun.inf file, the executable file and network access can therefore be used as the common features of this class for detection and removal.
(3) Operating-system features are collected, and the Trojan identification class library of step (2) is used to identify the Trojan and locate the class and features it belongs to. For example, file 1.exe is present in the system, has a start-up item in some location, and has modified some sensitive system files; from these features we can locate which class of Trojan 1.exe belongs to. Modelling can also be done by process: for example, process 1.exe is started in some way, has injected into some other process, and has accessed some file or network address; from these features we can likewise locate which class 1.exe belongs to.
(4) Suspicious items are located. According to the network access behaviour or the self-start behaviour in the system, the activity that belongs to suspicious items is located; then the features of these suspicious items are matched against the class library to determine the location of the Trojan. First, among the many processes and files in the system, determine which belong to the suspicious items. The method of deciding whether an item is suspicious is mainly whether it has network access behaviour. In actual Trojan operation, and in particular when the network is disconnected, the Trojan keeps probing whether the network is connected; on the basis of this characteristic we can locate the suspicious items in the system, then analyse these suspicious items according to the features in the class library and find where the Trojan is.
(5) The operating-system features collected in step (3) are pattern-matched against the class library by an algorithm to identify the Trojans in the system. When performing Trojan analysis, system information such as system-related information, process-related information and network-related information is first enumerated, and the enumerated results are then sorted according to the feature descriptions in the class library. In the behaviour-analysis process these enumerated points are called samples: they are the samples in the operating system in which Trojan behaviour may exist. Taking these samples, matching analysis against the Trojan class library determines whether there is a Trojan in the system, which behaviours the Trojan exhibits, and so on.
(6) When a match with a pattern in the class library is found, it is judged that a Trojan has been detected, and all operations performed by this Trojan in the process, together with the characteristic behaviours of this class of Trojan, are enumerated.
Further, the Trojan identification class library can be used independently for each class, or all the class libraries can be combined to form one large class-library network. Some special Trojans do not necessarily integrate a single Trojan class; more likely they mix and combine the strengths of several classes. For this reason, the above class libraries can be combined into one large Trojan-class behaviour-recognition network whose parts cooperate to complete the tracing, locating and analysis of the Trojan.
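The class-library matching of steps (1) to (6), together with the combined class-library network just described, as an added Python example; it is not part of the patent and not the applicant's code. The class definitions, the feature labels, the autorun.inf sample and the host snapshot are all constructed for the example (the only real format detail is that autorun.inf names its launch target under the `open` or `shellexecute` key of the `[autorun]` section). A suspicious item that matches several classes at once, as the driver sample below does, is what the patent calls a hit in the combined class-library network.

```python
import re
from dataclasses import dataclass

# Steps (1) and (2): the class library. Each Trojan class maps to the set of
# features every member of that class shares (the patent's "common features").
# The class names follow the patent's examples; the feature labels are
# hypothetical names chosen for this example.
CLASS_LIBRARY = {
    "autorun":        {"autorun_inf_in_root", "exe_referenced_by_autorun_inf", "network_access"},
    "registry_start": {"registry_run_key", "network_access"},
    "service_start":  {"service_entry", "network_access"},
    "driver":         {"driver_module", "user_mode_exchange"},   # IRP or file hand-off
    "encrypting":     {"hash_calls_in_memory"},
    "bounce_back":    {"relay_then_next_hop"},
}

# autorun.inf keys that name the program launched from the drive root.
_AUTORUN_EXE_KEYS = ("open", "shellexecute", r"shell\open\command")


def autorun_executable(inf_text):
    """Return the (lower-cased) executable named in [autorun], or None.

    Used to derive the 'executable corresponding to autorun.inf' feature of
    the autorun class from the file's actual content."""
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in _AUTORUN_EXE_KEYS:
                # first token only: '"my app.exe" /s' -> my app.exe, 'run.exe /q' -> run.exe
                m = re.match(r'"([^"]+)"|(\S+)', value)
                return (m.group(1) or m.group(2)).lower() if m else None
    return None


@dataclass
class Observation:
    """Step (3): what the collector saw for one file or process on the host."""
    name: str
    features: set
    network_access: bool = False
    self_start: bool = False


def locate_suspicious(observations):
    """Step (4): only items with network access or self-start behaviour are
    worth matching; the patent treats network access as the main criterion."""
    return [o for o in observations if o.network_access or o.self_start]


def match_classes(features, library=CLASS_LIBRARY):
    """Step (5): every class whose full feature set is present in `features`."""
    return sorted(name for name, required in library.items() if required <= features)


def detect(observations, library=CLASS_LIBRARY):
    """Steps (4)-(6) end to end: {item name: matched classes} for every
    suspicious item that matched at least one class. An item matching several
    classes at once is a hit in the combined class-library network."""
    hits = {}
    for obs in locate_suspicious(observations):
        feats = set(obs.features)
        if obs.network_access:
            feats.add("network_access")
        classes = match_classes(feats, library)
        if classes:
            hits[obs.name] = classes
    return hits


# Constructed autorun.inf content and host snapshot (all names are invented).
SAMPLE_AUTORUN_INF = "[AutoRun]\nopen=Recycled\\update.exe\nicon=setup.ico\n"


def sample_observations():
    exe = autorun_executable(SAMPLE_AUTORUN_INF)
    update_feats = {"autorun_inf_in_root"}
    if exe is not None and exe.endswith("update.exe"):
        update_feats.add("exe_referenced_by_autorun_inf")
    return [
        Observation("update.exe", update_feats, network_access=True, self_start=True),
        Observation("1.exe", {"registry_run_key", "modified_sensitive_files"},
                    network_access=True, self_start=True),
        Observation("trojan_a.sys", {"driver_module", "user_mode_exchange",
                                     "hash_calls_in_memory", "relay_then_next_hop"},
                    network_access=True),
        # self-starting but never touches the network: suspicious, yet no class matches
        Observation("notepad.exe", {"registry_run_key"}, self_start=True),
        # meets neither criterion of step (4): never examined
        Observation("explorer.exe", set()),
    ]


if __name__ == "__main__":
    for name, classes in detect(sample_observations()).items():
        print(f"{name}: {', '.join(classes)}")
```

Note that the benign `notepad.exe` entry passes the step (4) filter on its self-start behaviour alone but matches no class, because every start-up class in this library also requires network access; that is the patent's point that network access is the decisive criterion.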
Beneficial effect of the present invention is:
The present invention can quickly identify and analyse the Trojans present in a system, and in particular unknown, novel Trojans. It can not only tell the user the location of the Trojan file, but also tell the user which operating functions the Trojan has and what the Trojan may do inside the system. Compared with the traditional detection manner, this detection manner greatly improves the detection capability for Trojans, and in particular the recognition and detection capability for unknown, novel Trojans.
Description of drawings
Fig. 1 is the flow chart of the Trojan detection method based on Trojan virus type classification modeling of the present invention;
Fig. 2 is the workflow diagram of Trojan A in the present invention.
Embodiment
The invention is further described below with reference to the accompanying drawings:
As shown in Fig. 1, the Trojan detection method based on Trojan virus type classification modeling of the present invention comprises the following steps:
(1) Trojans that have already been discovered are classified according to their features;
(2) the features of each class are modelled to form a Trojan identification class library for pattern matching; the Trojan identification class library can be used independently for each class, or all the class libraries can be combined to form one large class-library network;
(3) operating-system features are collected, and the Trojan identification class library of step (2) is used to identify the Trojan and locate the class and features it belongs to;
(4) suspicious items are located: according to the network access behaviour or the self-start behaviour in the system, the activity that belongs to suspicious items is located, and then the features of these suspicious items are matched against the class library to determine the location of the Trojan;
(5) the operating-system features collected in step (3) are pattern-matched against the class library by an algorithm to identify the Trojans in the system;
(6) when a match with a pattern in the class library is found, it is judged that a Trojan has been detected, and all operations performed by this Trojan in the process, together with the characteristic behaviours of this class of Trojan, are enumerated.
Implementation case: Trojan inspection
Trojan A is a Trojan whose anti-detection (antivirus evasion) has been done well. It uses encrypted communication performed in a kernel driver and a relay server B to make a reverse ("bounce-back") connection to an external host. Therefore, when a machine is infected with this Trojan, the Trojan's evasion lets it escape inspection by mainstream signature-based antivirus software and Trojan-checking tools. Because the Trojan encrypts its communication inside the driver, neither locally captured packets nor a network IDS (intrusion detection system) can tell which packets carry the Trojan's traffic, and so it is also impossible to determine which machines the Trojan is exchanging data with.
The workflow of Trojan A is roughly as shown in Fig. 2. From this flow it can be seen that if the location and behaviour of Trojan A cannot be pinned down on the victim host, it is difficult to locate the attacker's position by any other method.
Using the classification-modeling method, the common features of driver Trojans, encrypting Trojans and bounce-back Trojans are summarised. Take driver Trojans: because some information is harder to obtain from inside a driver, this class of Trojan generally exchanges data with the application layer before the driver sends or receives data. This exchange may use IRPs (the I/O request packets through which the application layer and the driver communicate) or pass information indirectly through files. The encryption operations of an encrypting Trojan have common features in memory (for example, calls to hash-type functions). A bounce-back Trojan has an additional data exchange with a server, and only after that exchange connects to the server where the real attacker is.
Based on the above characteristics, Trojan A is a Trojan with driver, encryption and bounce-back properties. By modelling the common features of driver Trojans, encrypting Trojans and bounce-back Trojans, a clear model framework exists that can match Trojan A. The matching flow is roughly as follows:
According to the driver-Trojan feature, detect which packets, in the course of being sent, involve data exchange between the driver layer and the application layer, such as IRP communication or file access. With this pattern it is possible not only to locate which network data are associated with the suspected Trojan, but also to locate the driver and application-layer modules that may be associated with it.
After this first pattern match has located the network data and the modules, the data inside the driver or module are analysed according to the characteristics of encrypting-Trojan communication; the encryption mode can be identified from the data characteristics and the functions used.
According to the feature of the bounce-back Trojan, after the Trojan contacts the relay server, the relay server tells Trojan A the address of the next hop. Using the module and driver features obtained in the first two steps, continuing to monitor the network communication behaviour of Trojan A reveals the Trojan's next step and the actual content of its communication with the attacker. At this point the Trojan's module, its driver, its encryption mode and the attacker's geographic location have all been accurately identified.
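The third step of the matching flow, monitoring the already-identified module's network behaviour to find the next hop the relay hands out, written as a defender-side check over a host connection log. This is an added Python example, not the patent's or the applicant's code; the connection log, the relay server B and every host name in it are constructed for the example, and the rule applied (a next hop is a destination the process first contacts only after its first contact with the relay) is the example's own reading of the bounce-back model.

```python
# Constructed connection log: (seconds since capture start, process, destination).
# The relay server B and every host name below are invented for this example.
RELAY_B = "relay-b.example:443"
SAMPLE_CONN_LOG = [
    (0,  "trojan_a.sys", "time.example:123"),        # contacted before the relay: not a next hop
    (2,  "trojan_a.sys", RELAY_B),
    (3,  "browser.exe",  "cdn.example:443"),
    (6,  "trojan_a.sys", RELAY_B),
    (9,  "trojan_a.sys", "next-hop.example:8443"),   # first new destination after the relay
    (12, "browser.exe",  "mail.example:993"),
    (30, "trojan_a.sys", "next-hop.example:8443"),
    (31, "trojan_a.sys", "time.example:123"),
]


def next_hops(conn_log, process, relay):
    """Destinations that `process` first contacted only after its first contact
    with `relay`, in order of first appearance. Under the bounce-back model
    these are the candidate addresses the relay handed to the Trojan; a
    destination already used before the relay contact is not counted."""
    before, after = set(), []
    relay_seen = False
    for _ts, proc, dst in sorted(conn_log):
        if proc != process:
            continue
        if dst == relay:
            relay_seen = True
        elif not relay_seen:
            before.add(dst)
        elif dst not in before and dst not in after:
            after.append(dst)
    return after


if __name__ == "__main__":
    # Only the module matched in the first two steps is monitored here.
    print("candidate next hops for trojan_a.sys:", next_hops(SAMPLE_CONN_LOG, "trojan_a.sys", RELAY_B))
```

Restricting the check to the process that the driver and encryption patterns already singled out is what keeps the result usable: run over every process on the host, the same rule would also flag ordinary applications that happen to contact a new server after an unrelated one.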

Claims (2)

1. A Trojan detection method based on Trojan virus type classification modeling, characterised in that it comprises the following steps:
(1) Trojans that have already been discovered are classified according to their features;
(2) the features of each class are modelled to form a Trojan identification class library for pattern matching;
(3) operating-system features are collected, and the Trojan identification class library of step (2) is used to identify the Trojan and locate the class and features it belongs to;
(4) suspicious items are located: according to the network access behaviour or the self-start behaviour in the system, the activity that belongs to suspicious items is located, and then the features of these suspicious items are matched against the class library to determine the location of the Trojan;
(5) the operating-system features collected in step (3) are pattern-matched against the class library by an algorithm to identify the Trojans in the system;
(6) when a match with a pattern in the class library is found, it is judged that a Trojan has been detected, and all operations performed by this Trojan in the process, together with the characteristic behaviours of this class of Trojan, are enumerated.
2. The Trojan detection method based on Trojan virus type classification modeling according to claim 1, characterised in that the Trojan identification class library can be used independently for each class, or all the class libraries can be combined to form one large class-library network.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN2013100288160A (CN103095714A) | 2013-01-25 | 2013-01-25 | Trojan horse detection method based on Trojan horse virus type classification modeling

Publications (1)

Publication Number | Publication Date
CN103095714A | 2013-05-08

Family ID: 48207847

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN103491077A * | 2013-09-09 | 2014-01-01 | 无锡华御信息技术有限公司 | Method and system for recall Trojan horse control site network behavior function reconstruction
CN103491077B * | 2013-09-09 | 2016-08-10 | 无锡华御信息技术有限公司 | Method and system for reconstructing the network behaviour of a bounce-back Trojan's control end
CN104598820A * | 2015-01-14 | 2015-05-06 | 国家电网公司 | Trojan virus detection method based on feature behavior activity
CN111859386A * | 2020-08-03 | 2020-10-30 | 深圳市联软科技股份有限公司 | Trojan horse detection method and system based on behavior analysis
CN114020366A * | 2022-01-06 | 2022-02-08 | 北京微步在线科技有限公司 | Remote control Trojan horse unloading method and device based on threat information

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101547126A * | 2008-03-27 | 2009-09-30 | 北京启明星辰信息技术股份有限公司 | Network virus detecting method based on network data streams and device thereof
CN101373501A * | 2008-05-12 | 2009-02-25 | 公安部第三研究所 | Method for capturing dynamic behavior aiming at computer virus
CN101854275A * | 2010-05-25 | 2010-10-06 | 军工思波信息科技产业有限公司 | Method and device for detecting Trojans by analyzing network behaviors
CN102779249A * | 2012-06-28 | 2012-11-14 | 奇智软件(北京)有限公司 | Malicious program detection method and scan engine


Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C02 | Deemed withdrawal of patent application after publication (patent law 2001)
WD01 | Invention patent application deemed withdrawn after publication

Application publication date: 2013-05-08