CN109257379A - A kind of detection method of trojan horse program, device, equipment and storage medium - Google Patents


Info

Publication number
CN109257379A
Authority
CN
China
Prior art keywords
traffic
downlink
trojan horse
processes
computer
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201811319308.7A
Other languages
Chinese (zh)
Inventor
林素红
王蒙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhengzhou Yunhai Information Technology Co Ltd
Original Assignee
Zhengzhou Yunhai Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhengzhou Yunhai Information Technology Co Ltd
Priority to CN201811319308.7A
Publication of CN109257379A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Abstract

This application discloses a method for detecting a Trojan horse program. The method is applied to a server and comprises: when a computer process is detected, obtaining the uplink traffic and the downlink traffic of the computer process; judging whether the uplink traffic is greater than the downlink traffic; and if so, determining that a Trojan process is present among the computer processes, and hence that a Trojan horse program is present on the server. When a Trojan horse program is present on the server, however it disguises or hides itself, as long as the function it performs and its purpose are unchanged, the traffic characteristics transmitted between the server and the client computer are difficult to change. Compared with the prior art, the method can therefore detect more accurately whether a Trojan horse program is present on the server, so that the Trojan horse program can be removed and the security of the server ensured. A detection device, an apparatus and a computer-readable storage medium for a Trojan horse program are also disclosed, all having the above beneficial effects.

Description

A kind of detection method of trojan horse program, device, equipment and storage medium
Technical field
The present invention relates to the field of network security, and in particular to a method, a device, an apparatus and a computer-readable storage medium for detecting a Trojan horse program.
Background technique
With the rapid development of computer technology, network security problems are becoming increasingly serious; among them, the network security problems caused by Trojan horse programs are receiving more and more attention. A Trojan horse program is a specific piece of program code that a hacker uses to control a server (the controlled end) through a client computer (the control end). Once the Trojan horse program's service on the controlled end runs and connects to the control end, the control end gains most of the operating rights of the controlled end and can steal files, pictures, web pages and other information from it, posing a serious threat to the security of the controlled end.
In the prior art, in order to improve the security of the controlled-end server, Trojan horse programs are usually identified and detected on the server by means such as signature scanning or virtual machine technology. However, because of the disguise and concealment properties of Trojan horse programs, they are difficult to detect by signature scanning or virtual machine technology. In addition, Trojan disguise and concealment techniques are developing rapidly, and the prior-art methods can only detect and identify a Trojan horse program after obtaining prior knowledge of it in advance; when new disguise and concealment means appear, the prior-art methods are therefore unable to detect the Trojan horse program, and the security of the controlled-end server remains under threat.
Therefore, how to detect Trojan horse programs more accurately and ensure the security of the server is a technical problem that those skilled in the art currently need to solve.
Summary of the invention
In view of this, an object of the present invention is to provide a method for detecting a Trojan horse program that can detect Trojan horse programs more accurately and ensure the security of the server; a further object of the present invention is to provide a detection device, an apparatus and a computer-readable storage medium for a Trojan horse program, all of which have the above beneficial effects.
In order to solve the above technical problem, the present invention provides a method for detecting a Trojan horse program, applied to a server, comprising:
when a computer process is detected, obtaining the uplink traffic and the downlink traffic of the computer process;
judging whether the uplink traffic is greater than the downlink traffic;
if so, determining that a Trojan process is present among the computer processes.
Preferably, after judging that the uplink traffic is greater than the downlink traffic, the method further comprises:
accumulating a first total flow value of the uplink traffic and a second total flow value of the downlink traffic over a first preset time;
calculating the ratio of the first total flow value to the second total flow value to obtain a total flow ratio;
judging whether the total flow ratio is within a first threshold range;
if so, proceeding to the step of determining that a Trojan process is present among the computer processes.
Preferably, after judging that the total flow ratio is within the first threshold range, the method further comprises:
calculating separately a first flow mean value of the uplink traffic and a second flow mean value of the downlink traffic;
calculating an uplink/downlink average flow ratio from the first flow mean value and the second flow mean value;
judging whether the uplink/downlink average flow ratio is within a second threshold range;
if so, proceeding to the step of determining that a Trojan process is present among the computer processes.
Preferably, after judging that the total flow ratio is within the first threshold range, the method further comprises:
calculating, within a second preset time, the ratio of the time during which the uplink traffic is greater than the downlink traffic to the time during which the uplink traffic and the downlink traffic differ, to obtain a time ratio;
judging whether the time ratio is within a third threshold range;
if so, proceeding to the step of determining that a Trojan process is present among the computer processes.
Preferably, the second threshold range is 0.5 to 5.
Preferably, the third threshold range is 0.5 to 0.6.
Preferably, the step of obtaining the uplink traffic and the downlink traffic of the computer process specifically comprises:
obtaining the uplink data packets and the downlink data packets of the computer process using WinPcap;
filtering the protocol packets out of the uplink data packets and the downlink data packets;
counting separately the traffic of the filtered uplink data packets and downlink data packets to obtain the uplink traffic and the downlink traffic.
In order to solve the above technical problem, the present invention also provides a detection device for a Trojan horse program, applied to a server, comprising:
an obtaining module, for obtaining the uplink traffic and the downlink traffic of a computer process when the computer process is detected;
a judgment module, for judging whether the uplink traffic is greater than the downlink traffic;
a determination module, for determining, if so, that a Trojan process is present among the computer processes.
In order to solve the above technical problem, the present invention also provides a detection apparatus for a Trojan horse program, comprising:
a memory, for storing a computer program;
a processor, for implementing the steps of any of the above methods for detecting a Trojan horse program when executing the computer program.
In order to solve the above technical problem, the present invention also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, it implements the steps of any of the above methods for detecting a Trojan horse program.
The method for detecting a Trojan horse program provided by the present invention is applied to a server and comprises: when a computer process is detected, obtaining the uplink traffic and the downlink traffic of the computer process; then judging whether the uplink traffic is greater than the downlink traffic; and if so, determining that a Trojan process is present among the computer processes, and hence that a Trojan horse program is present on the server. When a Trojan horse program is present on the server, however it disguises or hides itself, as long as the function it performs and its purpose are unchanged, the traffic characteristics transmitted between the server and the client computer are difficult to change; the method uses this feature and compares the uplink and downlink traffic of a computer process to judge whether a Trojan process is present. Compared with the prior art, in which detection by signature scanning or virtual machine technology may fail to detect a Trojan horse program, the method detects more accurately whether a Trojan horse program is present on the server, so that the Trojan horse program can be removed and the security of the server ensured.
In order to solve the above technical problem, the present invention also provides a detection device, an apparatus and a computer-readable storage medium for a Trojan horse program, all of which have the above beneficial effects.
Detailed description of the invention
In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a method for detecting a Trojan horse program according to an embodiment of the present invention;
Fig. 2 is a structural diagram of a detection device for a Trojan horse program according to an embodiment of the present invention;
Fig. 3 is a structural diagram of a detection apparatus for a Trojan horse program according to an embodiment of the present invention.
Specific embodiment
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The core of the embodiments of the present invention is to provide a method for detecting a Trojan horse program that can detect Trojan horse programs more accurately and ensure the security of the server; another core of the present invention is to provide a detection device, an apparatus and a computer-readable storage medium for a Trojan horse program, all of which have the above beneficial effects.
In order that those skilled in the art may better understand the solution of the present invention, the present invention is described in further detail below with reference to the drawings and specific embodiments.
Fig. 1 is a flowchart of a method for detecting a Trojan horse program according to an embodiment of the present invention. It should be noted that the method provided by this embodiment is applied to a server. As shown in Fig. 1, the method comprises:
S10: when a computer process is detected, obtain the uplink traffic and the downlink traffic of the computer process.
In this embodiment, when a computer process is detected, its uplink traffic and downlink traffic are obtained. Specifically, they can be obtained by a detection program set up for this purpose, or by using the task manager of the server itself; this embodiment does not limit this.
It should be noted that uplink traffic refers to the number of bytes the server sends to the network, and downlink traffic refers to the number of bytes the server downloads from the network. In this step, the uplink traffic and downlink traffic of multiple computer processes can be obtained at the same time, so as to judge simultaneously whether a Trojan process is present among them.
S20: judge whether the uplink traffic is greater than the downlink traffic; if so, execute S30.
S30: determine that a Trojan process is present among the computer processes.
It should be noted that in a general computer process the client computer (control end) sends a request to the server (controlled end), and the server returns the result of the request to the client. In this process the instruction or request data issued by the control end is small, but the returned result may be a file, a picture or a web page, so the downlink traffic is usually much greater than the uplink traffic. A Trojan process is just the opposite: the controlled end implanted with the Trojan horse program is the server and the control end is the client computer; the controlled end responds to the operations of the control end, and the returned content may include files, screenshots, web pages and other information. The volume of returned data can be much greater than the volume of the command data sent, so the process shows the feature that the uplink traffic is much greater than the downlink traffic, the exact opposite of a general network program.
In this step, after the uplink traffic and downlink traffic of the computer process are obtained, it is judged whether the uplink traffic is greater than the downlink traffic, so as to judge whether a Trojan process is present among the computer processes and hence whether a Trojan horse program is present on the server. Specifically, when the uplink traffic is judged to be greater than the downlink traffic, S30 is entered and it is determined that a Trojan process is present among the computer processes; if the uplink traffic is less than the downlink traffic, the computer process is normal; if the uplink traffic equals the downlink traffic, the computer process is not running.
The method for detecting a Trojan horse program provided by this embodiment is applied to a server and comprises: when a computer process is detected, obtaining the uplink traffic and the downlink traffic of the computer process; then judging whether the uplink traffic is greater than the downlink traffic; and if so, determining that a Trojan process is present among the computer processes, and hence that a Trojan horse program is present on the server. When a Trojan horse program is present on the server, however it disguises or hides itself, as long as the function it performs and its purpose are unchanged, the traffic characteristics transmitted between the server and the client computer are difficult to change; the method uses this feature and compares the uplink and downlink traffic of a computer process to judge whether a Trojan process is present. Compared with the prior art, in which detection by signature scanning or virtual machine technology may fail to detect a Trojan horse program, the method detects more accurately whether a Trojan horse program is present on the server, so that the Trojan horse program can be removed and the security of the server ensured.
On the basis of the above embodiment, this embodiment further explains and optimizes the technical solution. Specifically, after judging that the uplink traffic is greater than the downlink traffic, the method further comprises:
accumulating a first total flow value of the uplink traffic and a second total flow value of the downlink traffic over a first preset time;
calculating the ratio of the first total flow value to the second total flow value to obtain a total flow ratio;
judging whether the total flow ratio is within a first threshold range;
if so, proceeding to the step of determining that a Trojan process is present among the computer processes.
Specifically, considering that a detection error may occur when the uplink and downlink traffic of a computer process is sampled at a single moment, in this embodiment, as a preferred embodiment, after the uplink traffic is judged to be greater than the downlink traffic, a first total flow value of the uplink traffic and a second total flow value of the downlink traffic over a first preset time are further accumulated; the ratio of the first total flow value to the second total flow value is then calculated to obtain a total flow ratio; it is then judged whether the total flow ratio is within a first threshold range; and when the total flow ratio is within the first threshold range, it is determined that a Trojan process is present among the computer processes. As can be seen, this further improves the accuracy of detecting Trojan horse programs on the server, so that they can be removed and the security of the server improved.
On the basis of the above embodiment, this embodiment further explains and optimizes the technical solution. Specifically, after judging that the total flow ratio is within the first threshold range, the method further comprises:
calculating separately a first flow mean value of the uplink traffic and a second flow mean value of the downlink traffic;
calculating an uplink/downlink average flow ratio from the first flow mean value and the second flow mean value;
judging whether the uplink/downlink average flow ratio is within a second threshold range;
if so, proceeding to the step of determining that a Trojan process is present among the computer processes.
Specifically, in this embodiment, from the first total flow value of the uplink traffic and the second total flow value of the downlink traffic accumulated over the first preset time, the first flow mean value of the uplink traffic and the second flow mean value of the downlink traffic are calculated separately, and the uplink/downlink average flow ratio is then calculated from the first flow mean value and the second flow mean value, i.e. the ratio of the data traffic transmitted per unit time. The calculation is given by the following formula:
[formula omitted in the source text]
Here AR denotes the uplink/downlink average flow ratio; t1 is the first preset time; Mup is the uplink traffic, and its total over the first preset time is the first total flow value; Mdown is the downlink traffic, and its total over the first preset time is the second total flow value. After the uplink/downlink average flow ratio AR is calculated, it is compared with the second threshold to judge whether a Trojan process is present among the computer processes.
As can be seen, compared with the previous embodiment, the method of this embodiment compares the uplink/downlink average flow ratio over the first preset time with the second threshold and can thus judge more accurately whether a Trojan process is present among the computer processes, and hence whether a Trojan horse program is present on the server, so that the Trojan horse program can be removed and the security of the server ensured.
On the basis of the above embodiment, this embodiment further explains and optimizes the technical solution. Specifically, after judging that the total flow ratio is within the first threshold range, the method further comprises:
calculating, within a second preset time, the ratio of the time during which the uplink traffic is greater than the downlink traffic to the time during which the uplink traffic and the downlink traffic differ, to obtain a time ratio;
judging whether the time ratio is within a third threshold range;
if so, proceeding to the step of determining that a Trojan process is present among the computer processes.
Specifically, within the second preset time, the ratio of the time during which the uplink traffic is greater than the downlink traffic to the time during which the uplink and downlink traffic differ is calculated as follows:
[formula omitted in the source text]
Here RTR is the ratio of the time during which the uplink traffic is greater than the downlink traffic to the time during which the uplink and downlink traffic differ; t2 is the second preset time; [symbol omitted] denotes the cumulative time during which the uplink traffic is greater than the downlink traffic; [symbol omitted] denotes the cumulative time during which the uplink traffic and the downlink traffic differ. It will be understood that when the server is uploading or downloading, the uplink and downlink flow values become inconsistent, i.e. they differ, and at that time tup ≠ tdown. After RTR is calculated, the relationship between RTR and the third threshold range is judged, specifically whether RTR is within the third threshold range; if so, a Trojan process is present among the current computer processes. It should be particularly noted that the first preset time and the second preset time may be the same period or different periods, as long as the AR value and the RTR value can be calculated; this embodiment does not limit this.
It should be noted that a further feature of a Trojan horse program is that, while it runs, the proportion of the data-transmission time during which the uplink traffic of the computer process is greater than the downlink traffic is relatively high. This embodiment therefore further calculates the ratio of the time during which the uplink traffic is greater than the downlink traffic to the time during which the uplink and downlink traffic differ, obtaining the time ratio RTR, and compares RTR with the third threshold range to judge whether a Trojan process is present among the computer processes. That is, on the basis of the above embodiments, this embodiment uses another runtime feature of Trojan horse programs to judge from another angle whether a Trojan process is present among the computer processes, which further improves the accuracy of detecting Trojan horse programs on the server.
As a preferred embodiment, the second threshold range is 0.5 to 5, and the third threshold range is 0.5 to 0.6.
As shown in Table 1 and Table 2, Table 1 gives the experimentally obtained detection rate and false positive rate of Trojan horse programs for different AR values, and Table 2 gives the experimentally obtained detection rate and false positive rate for different RTR values.
Table 1
AR                        0.02    0.05    0.1     0.2     0.5     5       6
Detection rate (%)        100     100     100     100     100     100     80
False positive rate (%)   86.67   73.33   33.33   13.33   6.67    6.67    6.67
Table 2
RTR                       0.2     0.3     0.4     0.5     0.6     0.7
Detection rate (%)        100     100     100     100     100     80
False positive rate (%)   53.33   26.67   13.33   6.67    6.67    6.67
It can be concluded from the tables that when the AR value is between 0.5 and 5 the detection rate is high and the false positive rate is low, and when the RTR value is between 0.5 and 0.6 the detection rate is high and the false positive rate is low. Monitoring can therefore be carried out through the AR and RTR values: if the AR value is judged to be between 0.5 and 5 and the RTR value between 0.5 and 0.6, it is determined that a Trojan process is present among the computer processes, i.e. that a Trojan horse program is present on the server. Therefore, in this embodiment, the second threshold range is preferably set to 0.5 to 5 and the third threshold range to 0.5 to 0.6. It should be understood that the above threshold ranges are preferred embodiments; in other embodiments, other value ranges may be set according to actual needs, and this embodiment does not limit this.
As a preferred embodiment, the step of obtaining the uplink traffic and the downlink traffic of the computer process specifically comprises:
obtaining the uplink data packets and the downlink data packets of the computer process using WinPcap;
filtering the protocol packets out of the uplink data packets and the downlink data packets;
counting separately the traffic of the filtered uplink data packets and downlink data packets to obtain the uplink traffic and the downlink traffic.
Specifically, WinPcap (Windows Packet Capture) is a free, public network access system for the Windows platform. It can capture raw data packets, including the packets sent and received between the control end (client computer) and the controlled end (server) and the packets exchanged between them, i.e. the uplink data packets and downlink data packets of the computer process. Certain special packets are then filtered out according to custom rules; in this embodiment, the protocol packets are filtered out. The traffic of the filtered uplink data packets and downlink data packets is then counted separately to obtain the uplink traffic and the downlink traffic.
As can be seen, this embodiment obtains the uplink traffic and downlink traffic of the computer process through WinPcap; the operation is simple and the traffic obtained is accurate, which helps judge more accurately whether a Trojan process is present among the computer processes.
An embodiment of the method for detecting a Trojan horse program provided by the present invention has been described in detail above. The present invention also provides a detection device, an apparatus and a computer-readable storage medium for a Trojan horse program corresponding to the method. Since the embodiments of the device, apparatus and computer-readable storage medium correspond to the embodiment of the method, their description refers to the description of the method embodiment and is not repeated here.
Fig. 2 is a structural diagram of a detection device for a Trojan horse program according to an embodiment of the present invention. As shown in Fig. 2, the detection device is applied to a server and comprises:
an obtaining module 21, for obtaining the uplink traffic and the downlink traffic of a computer process when the computer process is detected;
a judgment module 22, for judging whether the uplink traffic is greater than the downlink traffic;
a determination module 23, for determining, if so, that a Trojan process is present among the computer processes.
The detection device for a Trojan horse program provided by the embodiment of the present invention has the beneficial effects of the above method for detecting a Trojan horse program.
Fig. 3 is a structural diagram of a detection apparatus for a Trojan horse program according to an embodiment of the present invention. As shown in Fig. 3, the detection apparatus comprises:
a memory 31, for storing a computer program;
a processor 32, for implementing the steps of the above method for detecting a Trojan horse program when executing the computer program.
The detection apparatus for a Trojan horse program provided by the embodiment of the present invention has the beneficial effects of the above method for detecting a Trojan horse program.
In order to solve the above technical problem, the present invention also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, it implements the steps of the above method for detecting a Trojan horse program.
The computer-readable storage medium provided by the embodiment of the present invention has the beneficial effects of the above method for detecting a Trojan horse program.
The method, device, apparatus and computer-readable storage medium for detecting a Trojan horse program provided by the present invention have been described in detail above. Specific examples have been used herein to explain the principle and implementation of the present invention; the description of the above embodiments is only intended to help understand the method of the present invention and its core idea. It should be pointed out that those of ordinary skill in the art can make several improvements and modifications to the present invention without departing from its principle, and these improvements and modifications also fall within the protection scope of the claims of the present invention.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to one another. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively simple, and the relevant points refer to the description of the method.
Professionals will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. In order to clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of function. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Professionals may use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of the present invention.

Claims (10)

1. A method for detecting a trojan-horse program, applied to a server, comprising:
when a computer process is detected, obtaining the uplink traffic and the downlink traffic of the computer process;
judging whether the uplink traffic is greater than the downlink traffic; and
if so, determining that a trojan-horse process exists among the computer processes.
2. The method according to claim 1, wherein, after judging that the uplink traffic is greater than the downlink traffic, the method further comprises:
accumulating, within a first preset time, a first total traffic value of the uplink traffic and a second total traffic value of the downlink traffic;
calculating the ratio of the first total traffic value to the second total traffic value to obtain a total traffic ratio;
judging whether the total traffic ratio lies within a first threshold range; and
if so, proceeding to the step of determining that a trojan-horse process exists among the computer processes.
3. The method according to claim 2, wherein, after judging that the total traffic ratio lies within the first threshold range, the method further comprises:
calculating separately a first mean traffic value of the uplink traffic and a second mean traffic value of the downlink traffic;
calculating an uplink-to-downlink mean traffic ratio from the first mean traffic value and the second mean traffic value;
judging whether the uplink-to-downlink mean traffic ratio lies within a second threshold range; and
if so, proceeding to the step of determining that a trojan-horse process exists among the computer processes.
4. The method according to claim 3, wherein, after judging that the total traffic ratio lies within the first threshold range, the method further comprises:
calculating, within a second preset time, the ratio of the time during which the uplink traffic is greater than the downlink traffic to the time during which the uplink traffic and the downlink traffic differ, to obtain a time ratio;
judging whether the time ratio lies within a third threshold range; and
if so, proceeding to the step of determining that a trojan-horse process exists among the computer processes.
5. The method according to claim 3, wherein the second threshold range is from 0.5 to 5.
6. The method according to claim 4, wherein the third threshold range is from 0.5 to 0.6.
7. The method according to any one of claims 1 to 6, wherein the step of obtaining the uplink traffic and the downlink traffic of the computer process specifically comprises:
obtaining the uplink data packets and the downlink data packets of the computer process using WinPcap;
filtering out the protocol packets from the uplink data packets and the downlink data packets; and
counting separately the traffic of the filtered uplink data packets and of the filtered downlink data packets to obtain the uplink traffic and the downlink traffic.
8. An apparatus for detecting a trojan-horse program, applied to a server, comprising:
an obtaining module for, when a computer process is detected, obtaining the uplink traffic and the downlink traffic of the computer process;
a judgment module for judging whether the uplink traffic is greater than the downlink traffic; and
a determination module for, if so, determining that a trojan-horse process exists among the computer processes.
9. A device for detecting a trojan-horse program, comprising:
a memory for storing a computer program; and
a processor which, when executing the computer program, carries out the steps of the trojan-horse detection method according to any one of claims 1 to 7.
10. A computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, carries out the steps of the trojan-horse detection method according to any one of claims 1 to 7.
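The four-stage check of claims 1 to 7, worked through in Python as an added example; this is not code from the patent or its applicant. The patent gives no numeric value for the first threshold range and does not say how long the two preset times are or what counts as a "protocol packet", so the first range (1.0 to 20.0), the 10 s and 20 s windows, the one-second bucketing and the "no application payload" filter are assumptions made here; the second and third ranges are the ones in claims 5 and 6. The three traffic samples are constructed, not captures.

```python
"""Staged uplink/downlink traffic check per process, following the method in
claims 1 to 7 of CN109257379A.  Added example, not the patent's own code.
Assumed here (not stated on the page): per-second bucketing, a 10 s first
preset time, a 20 s second preset time, the numeric first threshold range,
and that 'protocol packets' are packets carrying no application payload."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Packet:
    t: float          # seconds since capture start (WinPcap timestamp in claim 7)
    direction: str    # "up" = host -> remote, "down" = remote -> host
    payload: int      # application payload bytes
    tcp_flags: str    # e.g. "S", "SA", "A", "PA"


def filter_protocol_packets(pkts: List[Packet]) -> List[Packet]:
    """Claim 7, second step.  Assumption: drop handshake, pure-ACK and FIN
    packets (no payload), which would otherwise inflate both directions."""
    return [p for p in pkts if p.payload > 0]


def bucket_per_second(pkts: List[Packet], window: int) -> Tuple[List[int], List[int]]:
    """Uplink and downlink payload bytes per one-second slot over `window` seconds."""
    up, down = [0] * window, [0] * window
    for p in pkts:
        slot = int(p.t)
        if 0 <= slot < window:
            (up if p.direction == "up" else down)[slot] += p.payload
    return up, down


def time_ratio(up: List[int], down: List[int]) -> float:
    """Claim 4: share of the slots where uplink != downlink in which uplink > downlink."""
    differ = [i for i in range(len(up)) if up[i] != down[i]]
    if not differ:
        return 0.0
    return sum(1 for i in differ if up[i] > down[i]) / len(differ)


def safe_ratio(a: float, b: float) -> float:
    return float("inf") if b == 0 else a / b


def classify(pkts: List[Packet],
             first_window: int = 10,                             # claim 2 "first preset time" (assumed)
             second_window: int = 20,                            # claim 4 "second preset time" (assumed)
             first_range: Tuple[float, float] = (1.0, 20.0),     # claim 2 range: not on the page, assumed
             second_range: Tuple[float, float] = (0.5, 5.0),     # claim 5
             third_range: Tuple[float, float] = (0.5, 0.6),      # claim 6
             ) -> Dict[str, object]:
    """Run the stages in order; return the verdict and the stage that decided it."""
    data = filter_protocol_packets(pkts)
    up_all, down_all = bucket_per_second(data, second_window)
    up_total, down_total = sum(up_all), sum(down_all)
    res: Dict[str, object] = {"trojan": False, "stage": 1,
                              "uplink": up_total, "downlink": down_total}
    # Stage 1 (claim 1): uplink must exceed downlink at all.
    if up_total <= down_total:
        return res
    # Stage 2 (claim 2): ratio of the totals accumulated over the first preset time.
    up_first, down_first = sum(up_all[:first_window]), sum(down_all[:first_window])
    res["total_ratio"] = r1 = safe_ratio(up_first, down_first)
    res["stage"] = 2
    if not first_range[0] <= r1 <= first_range[1]:
        return res
    # Stage 3 (claims 3, 5): per-slot mean uplink over per-slot mean downlink.
    res["avg_ratio"] = r2 = safe_ratio(up_total / second_window, down_total / second_window)
    res["stage"] = 3
    if not second_range[0] <= r2 <= second_range[1]:
        return res
    # Stage 4 (claims 4, 6): how often uplink wins when the two directions differ.
    res["time_ratio"] = r3 = time_ratio(up_all, down_all)
    res["stage"] = 4
    if not third_range[0] <= r3 <= third_range[1]:
        return res
    res["trojan"] = True
    return res


def make_flow(slots: List[Tuple[int, int]]) -> List[Packet]:
    """Constructed traffic: a TCP handshake, then one data packet per direction per second."""
    pkts = [Packet(0.0, "up", 0, "S"), Packet(0.05, "down", 0, "SA"), Packet(0.1, "up", 0, "A")]
    for sec, (up_bytes, down_bytes) in enumerate(slots):
        pkts.append(Packet(sec + 0.2, "up", up_bytes, "PA"))
        pkts.append(Packet(sec + 0.6, "down", down_bytes, "PA"))
    return pkts


# Constructed samples (not captures from the page).
# Remote-control style process: short commands in, bulk data out for 11 s, then quieter.
TROJAN_LIKE = make_flow([(600, 40)] * 11 + [(100, 200)] * 9)
# Browser-style download: downlink dominates, so it stops at stage 1.
DOWNLOADER = make_flow([(100, 5000)] * 20)
# Steady uploader (e.g. a backup client): uplink wins in every slot, time ratio 1.0.
UPLOADER = make_flow([(1000, 200)] * 20)

if __name__ == "__main__":
    for name, flow in [("trojan-like", TROJAN_LIKE), ("downloader", DOWNLOADER), ("uploader", UPLOADER)]:
        print(name, classify(flow))
```

The steady uploader passes the first three stages and is rejected only by the narrow 0.5 to 0.6 time-ratio band of claim 6, which is also the weakness of the scheme as a detector: a controller that pads its downlink, or a client that alternates bursts, moves a process into or out of that band at will, so in practice these ratios are a triage signal to feed into process-level investigation rather than a verdict.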

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811319308.7A CN109257379A (en) 2018-11-07 2018-11-07 A kind of detection method of trojan horse program, device, equipment and storage medium


Publications (1)

Publication Number Publication Date
CN109257379A true CN109257379A (en) 2019-01-22

Family

ID=65044674

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811319308.7A Pending CN109257379A (en) 2018-11-07 2018-11-07 A kind of detection method of trojan horse program, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN109257379A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103905415A (en) * 2013-10-25 2014-07-02 哈尔滨安天科技股份有限公司 Method and system for preventing remote control type Trojan viruses
CN104102872A (en) * 2013-04-12 2014-10-15 中国移动通信集团安徽有限公司 Password protection method and system
WO2014209781A1 (en) * 2013-06-24 2014-12-31 Alibaba Group Holding Limited Two factor authentication
CN106713324A (en) * 2016-12-28 2017-05-24 北京奇艺世纪科技有限公司 Flow detection method and device


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Peng Guojun, Wang Taige, Shao Yuru, Liu Mengleng: "Unknown Trojan detection technology based on network traffic characteristics and its implementation" (基于网络流量特征的未知木马检测技术及其实现), Netinfo Security (信息网络安全) *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190122