CN107370752B - Efficient remote control Trojan detection method - Google Patents


Info

Publication number: CN107370752B
Authority: CN (China)
Application number: CN201710719001.5A
Other languages: Chinese (zh)
Other versions: CN107370752A (en)
Inventors: 姜伟, 吴贤达, 庄俊玺, 潘邵芹, 田原
Current assignee: Beijing University of Technology
Original assignee: Beijing University of Technology
Legal status: Active
Events: application filed by Beijing University of Technology; priority to CN201710719001.5A; publication of CN107370752A; application granted; publication of CN107370752B; legal status active; anticipated expiration.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection


Abstract

The invention discloses an efficient remote control Trojan detection method that judges, from network behavior characteristics alone, whether a remote control Trojan is present in a network. The method can be applied to real network traffic, and its false alarm rate is close to 0. The method comprises four stages: first, flow collection; second, behavior feature extraction; third, construction of the method, which combines SMOTE oversampling with XGBoost classification, so that the SMOTE oversampling algorithm addresses the class-imbalance problem at the data level, while XGBoost, a new high-precision classification algorithm from the field of machine learning that is here applied to Trojan detection for the first time, addresses the imbalance problem at the algorithm level while achieving high accuracy; and fourth, optimization and evaluation of the method. The method focuses on mining and discovering rules in mixed network traffic; it is suitable for identifying known Trojans and can also detect unknown remote control Trojans.

Description

Efficient remote control Trojan detection method
Technical Field
The invention belongs to the field of information technology and in particular relates to an efficient remote control Trojan detection method. The method can accurately detect known remote control Trojans in mixed traffic and can also identify unknown remote control Trojans, which is of significance for maintaining network security and reducing losses to nations, enterprises and individuals.
Background
In recent years attackers have continually used remote control Trojans for remote control and information theft, which poses a serious threat to network security and has caused serious harm and huge losses to countries, enterprises and individuals. A remote control Trojan consists of a control end (client) and a controlled end (server). Typically, an attacker obtains an infected machine by spear phishing and social engineering, and then establishes real-time communication between the control end and the controlled end over the standard TCP/IP (Transmission Control Protocol/Internet Protocol) or UDP (User Datagram Protocol) protocols. The attacker sends control instructions through the control end; the controlled end, listening on the victim host, executes the corresponding controlled behavior and transmits the result back to the control end over the network. Unlike traditional viruses and Trojans, a remote control Trojan is comprehensive in function, is commonly used for data theft and privacy snooping in APT attacks, is stealthy and highly persistent, and is extremely harmful. Well-known remote control Trojans include Gray Pigeon, Gh0st, PcShare, Nuclear, DarkComet, Xtreme RAT, Glacier, PlugX and others, more than thirty in all; unknown Trojans and variants of these known ones silently compromise privacy on the network. More seriously, once a host has been compromised, the intruder can use it to distribute the remote control Trojan to other vulnerable computers and build a botnet. Current intrusion detection systems are mainly designed for the various security problems of a local area network and may neglect the particularities of remote control Trojans, so a remote control Trojan may bypass the detection mechanism of the intrusion detection system.
How to detect and further prevent remote control Trojans rapidly and effectively has therefore become an important challenge in the security field.
Depending on the environment in which detection is performed, remote control Trojan detection can be divided into host-based detection, network-based detection, and detection that fuses host and network features. As Trojans mutate faster and faster, the effectiveness of detection based on host behavior features drops sharply, and detection based on network behavior is better suited to discovering new, unknown threats in the network. Host-based detection and fused host-and-network detection share the need to extract behavior features on the host. To give the resulting method better portability, behavior features are not extracted from the host at all; only effective network features are selected and a suitable detection algorithm is matched to them, yielding an efficient remote control Trojan detection method. In recent years most researchers have applied machine learning to Trojan detection based on communication behavior, but most existing methods have a high false alarm rate and are not suited to detecting remote control Trojans specifically.
Dan Jiang et al. focus on detection in the initial stage of remote control Trojan communication, extracting seven network features from transport-layer data with a packet interval of less than 1 s; the detection method is realized with a random forest algorithm. Although the experiment achieves high accuracy, the false alarm rate is high, and because the samples comprise only remote control Trojan samples and 10 normal application samples, the method is not suitable for mixed traffic.
Li Wei et al. analyzed the communication characteristics of Trojans in detail, selected 7 network behavior features such as periodic DNS, the ratio of uplink to downlink bytes, the ratio of uplink to downlink packets and packet occupancy, and used the KNN and C4.5 algorithms, but also had the problem of a high false alarm rate.
Shicong Li et al. achieved Trojan detection with a clustering algorithm; the algorithm selects network-layer and IP-layer features and handles mixed traffic, but the chosen features are not necessarily effective for detecting remote control Trojans. The accuracy and false alarm rate of the method described here are superior to those of these methods.
The basic concept to which the present invention relates is explained below.
Flow: the collected traffic is screened to keep traffic based on the TCP protocol, and distinct "flows" are extracted according to the [source IP address, destination IP address] pair. Each flow k in the method is a segment of traffic captured from the three-way handshake starting with the "SYN" flag until the time threshold T (T = 300 s) is reached; the flow is denoted F_k (k = 1, 2, 3, ...).
Session: a session is formed by reassembling and filtering flows. Each flow can be decomposed into 1 to n different [source IP address, source port, destination IP address, destination port] communication "sessions".
Periodic flow: the "transmission time interval" between every two adjacent packets is obtained and denoted t; TL_internal stores the intervals of all packets in the flow, TL_internal = {t_0, t_1, t_2, ..., t_(N-1)}; the sum of all elements of TL_internal is recorded as the total time and denoted SUM_T. Every flow within T is called a "periodic flow", and the set of all time intervals of a periodic flow is TL_internal.
Disclosure of Invention
The invention aims to solve the technical problem of detecting remote control Trojans and mainly provides a detection method that effectively and accurately detects known and unknown remote control Trojans. The method comprises the following steps:
1. collecting network communication packets and extracting distinct "flows" according to the source IP address and destination IP address;
2. for each captured flow, analyzing the segment of traffic that begins with the three-way handshake starting with the "SYN" flag and ends when the time threshold T (300 s) is reached, and extracting the following features:
f0: the number of packets in the periodic flow whose flags are [FIN, ACK] or [RST, ACK];
f1: the number of sessions contained in the periodic flow;
f2: the longest session is taken from the periodic flow, and the variance of the sequence formed by all its uplink packets is calculated;
f3: the average size of uplink packets in the periodic flow whose flags are [PUSH, ACK] minus the average size of downlink packets whose flags are [PUSH, ACK]; the value is 1 if the difference is greater than 0, 0 if it equals 0, and -1 if it is less than 0. Within time T, the sum of the sizes of uplink packets with the PUSH flag is denoted Pb_up and their number Cb_up; the sum of the sizes of downlink packets with flags [PUSH, ACK] is Pb_down and their number Cb_down. Then:
f3 = sign(Pb_up / Cb_up - Pb_down / Cb_down)   [equation image GDA0002396231620000031, stated here as defined in the text above]
f4: the average number of bytes sent downlink per second in the periodic flow. The total number of bytes of all downlink packets within time T is P_down, and from TL_internal the total time used for downlink transmission within T is obtained as T_down:
f4 = P_down / T_down   [equation image GDA0002396231620000032, stated here as defined in the text above]
f5: the average number of uplink bytes per second in the periodic flow divided by the average number of downlink bytes per second. From TL_internal the total time used for uplink transmission within T is obtained as T_up, and the total number of bytes of all uplink packets sent within T is P_up; then:
f5 = (P_up / T_up) / (P_down / T_down)   [equation image GDA0002396231620000033, stated here as defined in the text above]
f6: the number of packets in the periodic flow whose size is greater than 90;
f7: the number of downlink packets sent per second in the periodic flow, i.e. the total number of downlink packets divided by the time used by the downlink packets; the number of all downlink packets within T is denoted C_down, so:
f7 = C_down / T_down   [equation image GDA0002396231620000034, stated here as defined in the text above]
3. labeling each captured flow, marking remote control Trojan communication flows as 1 and normal communication flows as 0, and storing the labels together with the corresponding 8 behavior feature values in a database to form the training set;
4. combining the SMOTE sampling algorithm with the XGBoost classification algorithm so that the class-imbalance problem is addressed at the data level and the algorithm level simultaneously: the training set is processed by the SMOTE sampling algorithm to obtain a new training set, and the XGBoost algorithm performs classification learning on this new synthetic training set to obtain the original classifier;
5. systematically traversing combinations of classifier parameters with a grid search, determining the optimal parameters by cross validation, and using these parameters to optimize the original classifier over the whole training process;
6. analyzing the detection results of the method on real network traffic.
The beneficial effects of the invention are as follows: the method selects features such as the size, number, flags and timing of network packets and effectively realizes remote control Trojan detection. Its main contribution is the combination of SMOTE oversampling with XGBoost classification, which addresses the class-imbalance problem through simultaneous improvement at the data level and the algorithm level. The method is not limited to detecting host-side traffic and can be used to detect whether known or unknown remote control Trojans are present at key nodes of the network.
Drawings
FIG. 1 is a schematic flow chart of the method.
Detailed Description
S1. The remote control Trojan detection method consists mainly of four modules: a flow collection module, a behavior feature extraction module, a classifier creation module and a classifier optimization and evaluation module.
S2. The flow collection module is responsible for collecting the data set required to create and test the method;
S21, flow collection: NetAnalyzer and Wireshark are used to capture the communication traffic of seven computers (two of which have Trojan programs implanted) in a controlled environment. The traffic falls into three categories: the communication traffic of 24 remote control Trojan samples collected at home and abroad, the communication traffic of 10 known normal applications, and mixed network traffic. In total 291.17 hours of traffic were collected and stored in pcap format.
S22, flow screening: the communication traffic is filtered. TCP traffic is selected from the saved pcap files, and distinct flows are extracted according to the source IP address and destination IP address.
S23, the reassembly of communication traffic satisfies the following two conditions: (1) a segment of traffic begins with the three-way handshake starting with the "SYN" flag and ends when the time threshold T (T = 300 s) is reached, and each flow may consist of 1 to N different [source IP address, source port, destination IP address, destination port] communication "sessions"; (2) the duration of the whole flow is greater than 1 s, i.e. flows that end in less than 1 s are not considered;
S3. The behavior feature extraction module is responsible for analyzing the differences between the network traffic of remote control Trojans and that of the host, to find network traffic features that are effective for this detection. Each processed periodic flow is denoted F_k (k = 1, 2, 3, ...). The behavior extraction module comprises the following steps:
S31, the total number of packets in the bidirectional flow whose flags are [FIN, ACK] or [RST, ACK] is counted and denoted f0;
S32, the number of packets in F_k whose size is greater than 90 is counted; after filtering and reassembly, the periodic flow can be decomposed into 1 to n different [source IP address, source port, destination IP address, destination port] communication "sessions", the longest of which is denoted M_s; the number of sessions is counted and denoted f1; all uplink packets of M_s are combined into a new sequence, and its variance is calculated and denoted f2;
S33, in the periodic flow F_k, the average size of uplink packets whose flags are [PUSH, ACK] minus the average size of downlink packets whose flags are [PUSH, ACK] is denoted f3; the value is 1 if the difference is greater than 0, 0 if it equals 0, and -1 if it is less than 0. Within time T the sum of the sizes of uplink packets with flags [PUSH, ACK] is denoted Pb_up and their number Cb_up; the sum of the sizes of downlink packets with flags [PUSH, ACK] is Pb_down and their number Cb_down. Then:
f3 = sign(Pb_up / Cb_up - Pb_down / Cb_down)   [equation image GDA0002396231620000051, stated here as defined in the text above]
S35, the average number of downlink bytes sent per second in the periodic flow is calculated and denoted f4; the total number of bytes of all downlink packets within time T is P_down, and from TL_internal the total time used for downlink transmission within T is obtained as T_down:
f4 = P_down / T_down   [equation image GDA0002396231620000052, stated here as defined in the text above]
S36, the average number of uplink bytes per second in the periodic flow divided by the average number of downlink bytes per second is calculated and denoted f5; from TL_internal the total time used for uplink transmission within T is obtained as T_up, and the total number of bytes of all uplink packets sent within T is P_up; then:
f5 = (P_up / T_up) / (P_down / T_down)   [equation image GDA0002396231620000053, stated here as defined in the text above]
S37, the number of downlink packets sent per second in the periodic flow is calculated and denoted f7, i.e. the total number of downlink packets divided by the time used by the downlink packets; the number of all downlink packets within T is denoted C_down, so:
f7 = C_down / T_down   [equation image GDA0002396231620000061, stated here as defined in the text above]
S4. The classifier creation module is responsible for performing classification learning with the XGBoost algorithm on the training set newly synthesized by the SMOTE algorithm, to generate the original classifier;
S41, each captured flow is labeled, with remote control Trojan communication flows marked 1 and normal communication flows marked 0; the labels and the corresponding 8 behavior features are stored in a database to form the training set of the method. Training set T1 consists of the 1862 flows obtained by screening and filtering the 291.17 hours of traffic of the seven machines, 119 of which were generated by remote control Trojans. 70% of the data in T1 are used for training and denoted TR1, and the remaining 30% for testing and denoted TE1; the data of TR1 are then processed with the SMOTE algorithm. The ratio of normal flows to remote control Trojan flows in the initial TR1 is 1214:89;
S42, in view of the imbalanced class proportions in the training set samples, the SMOTE sampling algorithm is applied. After the SMOTE algorithm has operated on the original data set, the ratio of normal flows to remote control Trojan flows in the newly synthesized sample is 1214:1246. The newly synthesized training set is denoted T_synthesis. In addition, test set TE2 consists of the 1342 flows obtained by screening and filtering 145.83 hours of traffic from five additional machines, 86 of which were generated by remote control Trojans.
S43, classification learning is performed with the XGBoost algorithm, using K-fold cross validation to avoid overfitting and underfitting. K-fold cross validation divides the original data into K groups; each subset in turn serves as the validation set while the remaining K-1 subsets serve as the training set, which yields K models, and the average classification accuracy of these K models on their validation sets is used as the performance index of the classifier under K-CV. Finally, the detection method is generated;
S5. The classifier optimization and evaluation module selects the important parameters of the original classifier and evaluates the detection effect of the optimal classifier.
S51, a grid search is used to systematically traverse the parameter combinations, the optimal parameters are determined by cross validation, and these parameter settings are then used to optimize the method over the whole training. The parameters determined are: number of estimators 72, minimum sum of leaf node sample weights 1, maximum tree depth 6, proportion of random samples per tree 0.9, proportion of columns sampled per tree 0.8, and minimum loss reduction required for node splitting 0.2.
S52, the optimal parameters are applied to the original classifier to generate the optimal detection classifier.
S53, the test set is fed to the detection classifier for identification; the classifier judges the data in the test set and outputs 1 for a communication flow in which remote control Trojan communication exists and 0 otherwise. Experimental results show that the classifier generated by the method effectively detects all remote control Trojan communication in the test set (as shown in Table 3), with a false alarm rate of almost 0.
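As an added worked example (not code from the patent), the following Python computes the periodic-flow features f0 to f7 defined in step 2 of the disclosure and in S3 above from a list of packet records, after applying the flow-cutting rules of S23 (handshake start, 300 s threshold, 1 s minimum duration). The Packet record, the rule that "uplink" means packets sent by the monitored host, the choice of the session with the most packets as the "longest" session, the use of the population variance for f2, and the attribution of each inter-packet interval of TL_internal to the direction of the packet that ends it are assumptions made here; the sample capture is constructed. The 90-byte threshold and the feature definitions follow the text.

```python
"""Behaviour features f0..f7 of a periodic flow (added example, not the patent's code)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import pvariance

T_WINDOW = 300.0      # time threshold T in seconds (from the text)
MIN_DURATION = 1.0    # flows shorter than 1 s are discarded (S23)
SIZE_THRESHOLD = 90   # f6 counts packets larger than this (from the text)

FIN_ACK = frozenset({"FIN", "ACK"})
RST_ACK = frozenset({"RST", "ACK"})
PUSH_ACK = frozenset({"PUSH", "ACK"})


@dataclass(frozen=True)
class Packet:            # assumed record layout, one TCP packet
    ts: float            # capture time in seconds
    src: str             # source IP
    sport: int           # source port
    dst: str             # destination IP
    dport: int           # destination port
    flags: frozenset     # TCP flag names set on the packet
    size: int            # packet length in bytes


def split_flows(packets, local_ip):
    """Group the monitored host's packets into flows keyed by the remote IP,
    i.e. the [source IP, destination IP] pair of the text in either direction."""
    flows = defaultdict(list)
    for p in packets:
        if p.src == local_ip:
            flows[p.dst].append(p)
        elif p.dst == local_ip:
            flows[p.src].append(p)
    return {peer: sorted(pkts, key=lambda p: p.ts) for peer, pkts in flows.items()}


def cut_periodic_flow(flow, t_window=T_WINDOW, min_duration=MIN_DURATION):
    """Keep the segment from the first handshake SYN until T elapses; a flow with
    no handshake or shorter than the minimum duration yields an empty list."""
    start = next((p.ts for p in flow if "SYN" in p.flags and "ACK" not in p.flags), None)
    if start is None:
        return []
    segment = [p for p in flow if start <= p.ts <= start + t_window]
    return segment if segment[-1].ts - start >= min_duration else []


def _mean(values):
    return sum(values) / len(values) if values else 0.0


def extract_features(flow, local_ip):
    """Return {f0..f7} for one periodic flow whose packets are sorted by time."""
    up = [p for p in flow if p.src == local_ip]
    down = [p for p in flow if p.dst == local_ip]
    # TL_internal: intervals between adjacent packets; assumption: each interval is
    # charged to the direction of the packet that ends it, giving T_up and T_down.
    t_up = t_down = 0.0
    for prev, cur in zip(flow, flow[1:]):
        if cur.src == local_ip:
            t_up += cur.ts - prev.ts
        else:
            t_down += cur.ts - prev.ts
    f0 = sum(1 for p in flow if p.flags in (FIN_ACK, RST_ACK))
    # Sessions: both directions of one 4-tuple share a key (local port, peer IP, peer port).
    sessions = defaultdict(list)
    for p in flow:
        key = (p.sport, p.dst, p.dport) if p.src == local_ip else (p.dport, p.src, p.sport)
        sessions[key].append(p)
    f1 = len(sessions)
    longest = max(sessions.values(), key=len)   # "longest" = most packets (assumption)
    longest_up = [p.size for p in longest if p.src == local_ip]
    f2 = pvariance(longest_up) if len(longest_up) > 1 else 0.0
    diff = _mean([p.size for p in up if p.flags == PUSH_ACK]) - _mean(
        [p.size for p in down if p.flags == PUSH_ACK])
    f3 = 1 if diff > 0 else (-1 if diff < 0 else 0)
    p_down, c_down, p_up = sum(p.size for p in down), len(down), sum(p.size for p in up)
    f4 = p_down / t_down if t_down else 0.0            # downlink bytes per second
    f5 = (p_up / t_up) / f4 if t_up and f4 else 0.0    # uplink rate over downlink rate
    f6 = sum(1 for p in flow if p.size > SIZE_THRESHOLD)
    f7 = c_down / t_down if t_down else 0.0            # downlink packets per second
    return {"f0": f0, "f1": f1, "f2": f2, "f3": f3, "f4": f4, "f5": f5, "f6": f6, "f7": f7}


LOCAL, PEER = "10.0.0.5", "203.0.113.7"   # constructed addresses


def _pkt(ts, direction, sport, flags, size, peer=PEER):
    """Constructed helper: 'up' = LOCAL:sport -> peer:443, 'down' = the reverse."""
    f = frozenset(flags)
    return Packet(ts, LOCAL, sport, peer, 443, f, size) if direction == "up" \
        else Packet(ts, peer, 443, LOCAL, sport, f, size)


# Constructed capture: two sessions to PEER, a stray packet to another peer
# without a handshake, and one packet beyond the 300 s window.
SAMPLE = [
    _pkt(0.0, "up", 49152, ["SYN"], 60), _pkt(0.1, "down", 49152, ["SYN", "ACK"], 60),
    _pkt(0.2, "up", 49152, ["ACK"], 52), _pkt(1.0, "up", 49152, ["PUSH", "ACK"], 100),
    _pkt(1.5, "down", 49152, ["PUSH", "ACK"], 200),
    _pkt(2.0, "up", 49200, ["PUSH", "ACK"], 70, peer="198.51.100.9"),
    _pkt(3.0, "up", 49152, ["PUSH", "ACK"], 120), _pkt(3.5, "down", 49152, ["PUSH", "ACK"], 400),
    _pkt(4.0, "up", 49152, ["ACK"], 52), _pkt(5.0, "up", 49153, ["SYN"], 60),
    _pkt(5.2, "down", 49153, ["SYN", "ACK"], 60), _pkt(5.4, "up", 49153, ["ACK"], 52),
    _pkt(6.0, "up", 49153, ["PUSH", "ACK"], 80), _pkt(7.0, "down", 49153, ["PUSH", "ACK"], 300),
    _pkt(8.0, "down", 49153, ["FIN", "ACK"], 52), _pkt(8.2, "up", 49153, ["FIN", "ACK"], 52),
    _pkt(400.0, "up", 49153, ["PUSH", "ACK"], 500),
]


def sample_feature_table():
    """Cut every flow of SAMPLE and return {peer: features} for the flows that survive."""
    table = {}
    for peer, flow in split_flows(SAMPLE, LOCAL).items():
        periodic = cut_periodic_flow(flow)
        if periodic:
            table[peer] = extract_features(periodic, LOCAL)
    return table


if __name__ == "__main__":
    for peer, feats in sample_feature_table().items():
        print(peer, feats)
```

On the constructed capture only the flow to 203.0.113.7 survives cutting (the other has no SYN), and the packet at 400 s is excluded from every count; f3 comes out as -1 because the host's PUSH/ACK uploads are smaller on average than the downloads. Each labelled row of such a table is one line of the training set of step 3.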
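As an added example (not the patent's code, and not the imbalanced-learn library), here is a pure-Python SMOTE in the sense used in S42: each synthetic remote-control-Trojan row is placed on the segment between a minority sample and one of its k nearest minority neighbours, and class 1 is oversampled until it matches class 0. The toy rows (three of the eight features, with values constructed to look like high-downlink normal flows versus low-rate Trojan flows), the function names and the neighbour count k are assumptions made here.

```python
"""Pure-Python SMOTE for the flow training set (added example, not the patent's code)."""
import random
from math import dist


def smote(minority, n_synthetic, k=5, seed=0):
    """Return n_synthetic vectors, each interpolated between a minority sample and
    one of its k nearest minority neighbours (Euclidean distance)."""
    if len(minority) < 2:
        raise ValueError("SMOTE needs at least two minority samples")
    k = min(k, len(minority) - 1)
    rng = random.Random(seed)
    # Indices of the k nearest minority neighbours of every minority sample, itself excluded.
    neighbours = []
    for i, x in enumerate(minority):
        others = sorted((j for j in range(len(minority)) if j != i),
                        key=lambda j: dist(x, minority[j]))
        neighbours.append(others[:k])
    synthetic = []
    for n in range(n_synthetic):
        i = n % len(minority)                  # spread synthesis evenly over the minority
        x = minority[i]
        nb = minority[rng.choice(neighbours[i])]
        lam = rng.random()                     # position along the segment x -> nb
        synthetic.append(tuple(xi + lam * (ni - xi) for xi, ni in zip(x, nb)))
    return synthetic


def balance(features, labels, k=5, seed=0):
    """Oversample label 1 (Trojan flows) with SMOTE until it matches label 0 (normal flows)."""
    majority = [f for f, l in zip(features, labels) if l == 0]
    minority = [f for f, l in zip(features, labels) if l == 1]
    synthetic = smote(minority, max(0, len(majority) - len(minority)), k, seed)
    new_x = majority + minority + synthetic
    new_y = [0] * len(majority) + [1] * (len(minority) + len(synthetic))
    return new_x, new_y


# Constructed toy training set: (f4, f5, f7) rows, 10 normal flows against 3 Trojan flows.
NORMAL = [
    (3200.0, 0.05, 14.0), (2800.0, 0.08, 11.0), (4100.0, 0.03, 17.0), (1900.0, 0.10, 9.0),
    (3600.0, 0.06, 15.0), (2500.0, 0.09, 10.0), (4400.0, 0.02, 18.0), (3000.0, 0.07, 12.0),
    (2200.0, 0.11, 8.0), (3900.0, 0.04, 16.0),
]
RAT = [(90.0, 1.8, 0.6), (120.0, 2.4, 0.8), (70.0, 1.5, 0.5)]
FEATURES = NORMAL + RAT
LABELS = [0] * len(NORMAL) + [1] * len(RAT)


def balanced_sample():
    """Balance the toy set; k=2 because only three minority rows exist."""
    return balance(FEATURES, LABELS, k=2, seed=7)


if __name__ == "__main__":
    x, y = balanced_sample()
    print(len(x), "rows,", y.count(0), "normal,", y.count(1), "Trojan (incl. synthetic)")
```

Because neighbours are found with Euclidean distance, features on very different scales (bytes per second against a ratio) should be standardized before SMOTE; the text does not mention scaling, so that is a practitioner's addition. The balanced set returned by balance() is what S43 feeds to the XGBoost learner.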
TABLE 1 Trojan horse names and number of versions selected for this model
RAT sample                    Versions   RAT sample                    Versions
Nuclear                       3          Gh0st                         2
Bandook                       1          Shangxing remote control      1
Big white shark               1          DarkComet                     2
Gray pigeon                   1          remote                        1
Bozok                         1          Taidoor                       1
CyberGate RAT                 1          Poison Ivy                    2
Pandora RAT                   1          SpyNet                        1
Comet RAT                     1          Hole focusing remote control  1
Star RAT                      1          Xtreme RAT                    2
PcShare                       1          njRAT                         3
VanToM RAT                    1          PlugX                         2
X RAT                         1          HAKOPS RAT                    1
TABLE 2 Cross-validation results of the four methods
[Table 2 is provided only as images GDA0002396231620000071 and GDA0002396231620000081, not reproduced here]
TABLE 3 Comparison of the results of the three methods
[Table 3 is provided only as image GDA0002396231620000082, not reproduced here]

Claims (2)

1. A remote control Trojan detection method, characterized in that the method is generated from four main modules, the first, second, third and fourth modules being respectively a flow collection module, a behavior feature extraction module, a classifier creation module and a classifier optimization and evaluation module; the flow collection module is responsible for collecting the data set required to create and test the classifier: communication traffic based on the transport-layer TCP protocol is screened out and divided according to source IP address and destination IP address to obtain a plurality of flows; the behavior feature extraction module is responsible for analyzing the differences between the network communication traffic of remote control Trojans and that of the host and finding network communication features suitable for this detection; the classifier creation module generates an original classifier from the generated training set; the classifier optimization and evaluation module optimizes the original classifier by tuning the parameters of the generated classifier to obtain a new classifier, and then uses the new classifier to classify the test set and evaluate the detection result;
the first module is realized as follows: for each divided flow k, the segment of traffic from the three-way handshake beginning with the SYN flag until the time threshold T is reached is analyzed, and this segment is denoted the periodic flow F_k (k = 1, 2, 3, ...); the time threshold T is a set value;
the behavior feature extraction module processes each periodic flow F_k (k = 1, 2, 3, ...) produced by the first module and extracts features as follows:
step one: the total number of packets in the bidirectional flow whose flags are [FIN, ACK] or [RST, ACK] is counted and denoted f0;
step two: the number of packets in F_k whose size is greater than 90 is counted; after filtering and reassembly, the periodic flow can be decomposed into 1 to n different [source IP address, source port, destination IP address, destination port] communication "sessions", the longest of which is denoted M_s; the number of sessions is counted and denoted f1; all uplink packets of M_s are combined into a new sequence, and its variance is calculated and denoted f2;
step three: in the periodic flow F_k, the average size of uplink packets whose flags are [PUSH, ACK] minus the average size of downlink packets whose flags are [PUSH, ACK] is denoted f3; the value is 1 if the difference is greater than 0, 0 if it equals 0, and -1 if it is less than 0; within time T the sum of the sizes of uplink packets with the PUSH flag is denoted Pb_up and their number Cb_up; the sum of the sizes of downlink packets with flags [PUSH, ACK] is Pb_down and their number Cb_down; then:
f3 = sign(Pb_up / Cb_up - Pb_down / Cb_down)   [equation image FDA0002492716840000011, stated here as defined in the text above]
step four: the average number of downlink bytes sent per second in the periodic flow is calculated and denoted f4; the total number of bytes of all downlink packets within time T is P_down, and from TL_internal the total time used for downlink transmission within T is obtained as T_down; TL_internal is the set of all time intervals of the periodic flow;
f4 = P_down / T_down   [equation image FDA0002492716840000021, stated here as defined in the text above]
step five: the average number of uplink bytes per second in the periodic flow divided by the average number of downlink bytes per second is calculated and denoted f5; from TL_internal the total time used for uplink transmission within T is obtained as T_up, and the total number of bytes of all uplink packets sent within T is P_up; then:
f5 = (P_up / T_up) / (P_down / T_down)   [equation image FDA0002492716840000022, stated here as defined in the text above]
step six: the number of packets in the periodic flow whose size is greater than 90 is counted and denoted f6;
step seven: the number of downlink packets sent per second in the periodic flow is calculated and denoted f7, i.e. the total number of downlink packets divided by the time used by the downlink packets; the number of all downlink packets within T is denoted C_down, so:
f7 = C_down / T_down   [equation image FDA0002492716840000023, stated here as defined in the text above]
The third module is realized as follows:
each captured flow is labeled, with remote control Trojan communication flows marked 1 and normal communication flows marked 0; the labels and the corresponding 8 behavior feature values are stored in a database as the training set of the method; in view of the imbalanced class proportions in the training set samples, the SMOTE sampling algorithm is applied to generate a new synthetic training set; and the XGBoost algorithm performs classification learning on the new synthetic training set to generate the original classifier.
2. The method of claim 1, further comprising: the fourth module is implemented as follows:
step one: a grid search is used to systematically traverse the parameter combinations, the optimal parameters are determined by cross validation, and these parameter settings are then used to optimize the original classifier over the whole training; the parameters determined are: number of estimators 72, minimum sum of leaf node sample weights 1, maximum tree depth 6, proportion of random samples per tree 0.9, proportion of columns sampled per tree 0.8, and minimum loss reduction required for node splitting 0.2;
step two: the optimal parameters obtained in step one are applied to the generated original classifier to generate the optimal classifier;
step three: the test samples are processed by the first and second modules; the test set generated after behavior feature extraction from the data to be detected is fed to the optimal classifier, which outputs a judgment for each item of the test set: 1 for a communication flow in which remote control Trojan communication exists, 0 otherwise.
CN201710719001.5A 2017-08-21 2017-08-21 Efficient remote control Trojan detection method Active CN107370752B (en)


Publications (2)

Publication Number Publication Date
CN107370752A CN107370752A (en) 2017-11-21
CN107370752B true CN107370752B (en) 2020-09-25

Family

ID=60308969


Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108809989B (en) * 2018-06-14 2021-04-23 北京中油瑞飞信息技术有限责任公司 Botnet detection method and device
CN109104437B (en) * 2018-10-22 2021-09-28 苏州盛科通信股份有限公司 Routing domain, method and device for processing IP message in routing domain
CN109684834B (en) * 2018-12-21 2022-10-25 福州大学 XGboost-based gate-level hardware Trojan horse identification method
CN110929301B (en) * 2019-11-20 2022-07-26 海宁利伊电子科技有限公司 Hardware Trojan horse detection method based on lifting algorithm
CN111967343B (en) * 2020-07-27 2023-07-28 广东工业大学 Detection method based on fusion of simple neural network and extreme gradient lifting model
CN112818344B (en) * 2020-08-17 2024-06-04 北京辰信领创信息技术有限公司 Method for improving virus killing rate by using artificial intelligence algorithm
CN111983429B (en) * 2020-08-19 2023-07-18 Oppo广东移动通信有限公司 Chip verification system, chip verification method, terminal and storage medium
CN113806338B (en) * 2021-11-18 2022-02-18 深圳索信达数据技术有限公司 Data discrimination method and system based on data sample imaging

Citations (4)

Publication number Priority date Publication date Assignee Title
CN103475663A (en) * 2013-09-13 2013-12-25 无锡华御信息技术有限公司 Trojan recognition method based on network communication behavior characteristics
CN104168272A (en) * 2014-08-04 2014-11-26 国家电网公司 Trojan horse detection method based on communication behavior clustering
CN105227408A (en) * 2015-10-22 2016-01-06 蓝盾信息安全技术股份有限公司 Intelligent Trojan horse recognition device and method
CN106790193A (en) * 2016-12-30 2017-05-31 山石网科通信技术有限公司 Anomaly detection method and device based on host network behavior

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US8346951B2 (en) * 2002-03-05 2013-01-01 Blackridge Technology Holdings, Inc. Method for first packet authentication

Non-Patent Citations (2)

Title
"An Approach to Detect Remote Access Trojan in the Early Stage of Communication"; Dan Jiang et al.; 2015 IEEE 29th International Conference on Advanced Information Networking and Applications; 2015-04-30; pp. 706-703 *
"Analysis of three-stage traffic behavior characteristics of remote-control Trojan communication"; Li Wei et al.; 信息网络安全 (Netinfo Security); 2015-05-31 (No. 5); pp. 10-15 *

Also Published As

Publication number Publication date
CN107370752A (en) 2017-11-21

Similar Documents

Publication Publication Date Title
CN107370752B (en) Efficient remote control Trojan detection method
CN112398779B (en) Network traffic data analysis method and system
CN105208037B (en) DoS/DDoS attack detection and filtering method based on lightweight intrusion detection
Bilge et al. Disclosure: detecting botnet command and control servers through large-scale netflow analysis
Gogoi et al. Packet and flow based network intrusion dataset
CN107733851A (en) DNS tunnels Trojan detecting method based on communication behavior analysis
Qin et al. DDoS attack detection using flow entropy and clustering technique
Gogoi et al. MLH-IDS: a multi-level hybrid intrusion detection method
Haddadi et al. Benchmarking the effect of flow exporters and protocol filters on botnet traffic classification
CN111988285A (en) Network attack tracing method based on behavior portrait
CN110611640A (en) DNS protocol hidden channel detection method based on random forest
CN113259313A (en) Malicious HTTPS flow intelligent analysis method based on online training algorithm
CN111817982A (en) Encrypted flow identification method for category imbalance
CN111224994A (en) Botnet detection method based on feature selection
Watson A comparison of header and deep packet features when detecting network intrusions
CN112800424A (en) Botnet malicious traffic monitoring method based on random forest
Esposito et al. Evaluating pattern recognition techniques in intrusion detection systems
Nalavade et al. Mining association rules to evade network intrusion in network audit data
Haddadi et al. How to choose from different botnet detection systems?
CN110519228B (en) Method and system for identifying malicious cloud robot in black-production scene
Sharma et al. An overview of flow-based anomaly detection
Lu et al. Botnets detection based on irc-community
Catak Two-layer malicious network flow detection system with sparse linear model based feature selection
Tian et al. A transductive scheme based inference techniques for network forensic analysis
Yang et al. Multi-class DRDoS attack detection method based on feature selection

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant