CN109257379A - Trojan program detection method, device, equipment and storage medium - Google Patents
Trojan program detection method, device, equipment and storage medium
- Publication number: CN109257379A (application CN201811319308.7A)
- Authority: CN (China)
- Prior art keywords: traffic, downlink, trojan horse, processes, computer
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1425: Traffic logging, e.g. anomaly detection
  (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1408 ... by monitoring network traffic)
- H04L63/145: Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
  (same hierarchy down to H04L63/14, then H04L63/1441 Countermeasures against malicious traffic)
Abstract
This application discloses a trojan program detection method applied to a server. The method comprises: when a computer process is detected, obtaining the uplink traffic and downlink traffic of the process; judging whether the uplink traffic is greater than the downlink traffic; and, if so, determining that there is a trojan process among the computer processes and therefore that a trojan program is present on the server. When a trojan program is present on a server, however it disguises or hides itself, its function and purpose remain unchanged, so the traffic characteristics of the data transmitted between the server and the client computer are difficult to alter. Compared with the prior art, the method can therefore detect more accurately whether a trojan program is present on the server, so that the trojan program can be found and removed and the security of the server ensured. Also disclosed are a trojan program detection device, equipment and a computer-readable storage medium, which have the same beneficial effects.
Description
Technical field
The present invention relates to the field of network security, and in particular to a trojan program detection method, device, equipment and computer-readable storage medium.
Background technique
With the rapid development of computer technology, network security problems have become increasingly serious, and among them the problems caused by trojan programs receive growing attention. A trojan program is a piece of code that a hacker uses to control a server (the controlled end) from a client computer (the control end). Once the service part of the trojan running on the controlled end connects to the control end, the control end obtains most of the operating privileges of the controlled end and can steal files, pictures, web pages and other information from it, which poses a serious threat to the security of the controlled end.
In the prior art, to improve the security of the server acting as the controlled end, trojan programs are usually identified on the server by signature scanning or by virtual-machine techniques. Because trojan programs disguise and hide themselves, they are difficult to detect by these means. In addition, disguising and hiding techniques keep evolving, and the prior-art approaches can only detect a trojan after prior knowledge of it has been obtained; whenever a new disguising or hiding technique appears, they fail to detect the trojan, so the security of the controlled server remains threatened.
How to detect trojan programs more accurately and so ensure the security of the server is therefore a technical problem that those skilled in the art currently need to solve.
Summary of the invention
In view of this, one object of the present invention is to provide a trojan program detection method that can detect trojan programs more accurately and ensure the security of the server; a further object is to provide a trojan program detection device, equipment and computer-readable storage medium that have the same beneficial effects.
To solve the above technical problem, the present invention provides a trojan program detection method applied to a server, comprising:
when a computer process is detected, obtaining the uplink traffic and downlink traffic of the computer process;
judging whether the uplink traffic is greater than the downlink traffic;
if so, determining that there is a trojan process among the computer processes.
Preferably, after judging that the uplink traffic is greater than the downlink traffic, the method further comprises:
accumulating a first total flow value of the uplink traffic and a second total flow value of the downlink traffic within a first preset time;
calculating the ratio of the first total flow value to the second total flow value to obtain a total flow ratio;
judging whether the total flow ratio lies within a first threshold range;
if so, proceeding to the step of determining that there is a trojan process among the computer processes.
Preferably, after judging that the total flow ratio lies within the first threshold range, the method further comprises:
calculating a first flow mean of the uplink traffic and a second flow mean of the downlink traffic;
calculating an uplink/downlink average flow ratio from the first flow mean and the second flow mean;
judging whether the uplink/downlink average flow ratio lies within a second threshold range;
if so, proceeding to the step of determining that there is a trojan process among the computer processes.
Preferably, after judging that the total flow ratio lies within the first threshold range, the method further comprises:
calculating, within a second preset time, the ratio of the time during which the uplink traffic is greater than the downlink traffic to the time during which the uplink and downlink traffic differ, to obtain a time ratio;
judging whether the time ratio lies within a third threshold range;
if so, proceeding to the step of determining that there is a trojan process among the computer processes.
Preferably, the second threshold range is 0.5 to 5.
Preferably, the third threshold range is 0.5 to 0.6.
Preferably, the step of obtaining the uplink traffic and downlink traffic of the computer process specifically comprises:
capturing the uplink packets and downlink packets of the computer process using WinPcap;
filtering out the protocol packets among the uplink packets and downlink packets;
counting the traffic of the filtered uplink packets and downlink packets separately to obtain the uplink traffic and the downlink traffic.
To solve the above technical problem, the present invention also provides a trojan program detection device applied to a server, comprising:
an obtaining module, for obtaining the uplink traffic and downlink traffic of a computer process when the computer process is detected;
a judgment module, for judging whether the uplink traffic is greater than the downlink traffic;
a determination module, for determining, if so, that there is a trojan process among the computer processes.
To solve the above technical problem, the present invention also provides trojan program detection equipment, comprising:
a memory, for storing a computer program;
a processor, for implementing the steps of any of the above trojan program detection methods when executing the computer program.
To solve the above technical problem, the present invention also provides a computer-readable storage medium on which a computer program is stored, the computer program implementing the steps of any of the above trojan program detection methods when executed by a processor.
The trojan program detection method provided by the present invention is applied to a server and comprises: when a computer process is detected, obtaining the uplink traffic and downlink traffic of the computer process; judging whether the uplink traffic is greater than the downlink traffic; and, if so, determining that there is a trojan process among the computer processes and hence that a trojan program is present on the server. When a trojan program is present on a server, however it disguises or hides itself, its function and purpose remain unchanged, so the traffic characteristics of the data transmitted between the server and the client computer are difficult to alter; the method exploits this by comparing the uplink and downlink traffic of a computer process to judge whether it is a trojan process. Whereas signature scanning or virtual-machine detection in the prior art can fail to detect a trojan program, this method can detect more accurately whether a trojan program is present on the server, so that the trojan program can be found and removed and the security of the server ensured.
The trojan program detection device, equipment and computer-readable storage medium also provided by the present invention have the same beneficial effects.
Brief description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a trojan program detection method provided in an embodiment of the present invention;
Fig. 2 is a block diagram of a trojan program detection device provided in an embodiment of the present invention;
Fig. 3 is a block diagram of trojan program detection equipment provided in an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the present invention, not all of them; all other embodiments obtained by those of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the present invention.
The core of the embodiments of the present invention is to provide a trojan program detection method that can detect trojan programs more accurately and ensure the security of the server; another core is to provide a trojan program detection device, equipment and computer-readable storage medium with the same beneficial effects.
To help those skilled in the art understand the solution better, the present invention is described in further detail below with reference to the drawings and specific embodiments.
Fig. 1 is a flowchart of a trojan program detection method provided in an embodiment of the present invention. The method is applied to a server and, as shown in Fig. 1, comprises:
S10: when a computer process is detected, obtain the uplink traffic and downlink traffic of the computer process.
In this embodiment, when a computer process is detected, its uplink traffic and downlink traffic are obtained. This may be done by installing a dedicated monitoring program, or by using the task manager of the server itself; the embodiment does not limit this.
Here, uplink traffic means the number of bytes the server sends to the network, and downlink traffic means the number of bytes the server receives (downloads) from the network. In this step the uplink and downlink traffic of several computer processes can be obtained at the same time, so that several processes can be checked for trojan processes simultaneously.
S20: judge whether the uplink traffic is greater than the downlink traffic; if so, execute S30.
S30: determine that there is a trojan process among the computer processes.
The reasoning is as follows. An ordinary computer process issues a request and receives a response: the request (an instruction or a short message from the client computer, the control end, to the server, the controlled end) is small, while the result returned may be a file, a picture or a web page, so the process shows downlink traffic far greater than uplink traffic. A trojan process is the opposite: the controlled end implanted with the trojan is the server and the control end is the client computer; the controlled end carries out the control end's operations, and the data it sends back (files, screenshots, web pages and the like) is far larger than the commands it receives, so its uplink traffic is far greater than its downlink traffic, the exact opposite of an ordinary network program.
In this step, after the uplink and downlink traffic of the computer process has been obtained, the two are compared to judge whether there is a trojan process among the computer processes and hence whether a trojan program is present on the server. If the uplink traffic is greater than the downlink traffic, S30 is entered and the process is determined to be a trojan process; if the uplink traffic is less than the downlink traffic, the process is normal; if the uplink traffic equals the downlink traffic, the process is regarded as not running (no traffic).
In summary, the trojan program detection method provided in this embodiment is applied to a server and comprises obtaining the uplink and downlink traffic of a detected computer process, judging whether the uplink traffic is greater than the downlink traffic and, if so, determining that there is a trojan process among the computer processes and hence a trojan program on the server. Because a trojan program's traffic characteristics are difficult to alter as long as its function and purpose remain unchanged, whatever disguising or hiding it uses, comparing the uplink and downlink traffic of a process detects trojan programs more accurately than the signature scanning or virtual-machine techniques of the prior art, which can fail to detect them; the trojan program can then be found and removed and the security of the server ensured.
On the basis of the above embodiment, this embodiment further explains and refines the technical solution. Specifically, after judging that the uplink traffic is greater than the downlink traffic, the method further comprises:
accumulating a first total flow value of the uplink traffic and a second total flow value of the downlink traffic within a first preset time;
calculating the ratio of the first total flow value to the second total flow value to obtain a total flow ratio;
judging whether the total flow ratio lies within a first threshold range;
if so, proceeding to the step of determining that there is a trojan process among the computer processes.
Specifically, a single measurement of the uplink and downlink traffic of a computer process at one instant may be subject to error. Therefore, in this preferred embodiment, after the uplink traffic has been found to be greater than the downlink traffic, the first total flow value of the uplink traffic and the second total flow value of the downlink traffic are accumulated over the first preset time; the ratio of the two is calculated to obtain the total flow ratio; and the total flow ratio is compared with the first threshold range. Only when the total flow ratio lies within the first threshold range is the process determined to be a trojan process. This further improves the accuracy with which trojan programs on the server are detected, so that they can be found and removed and the security of the server improved.
On the basis of the above embodiments, this embodiment further explains and refines the technical solution. Specifically, after judging that the total flow ratio lies within the first threshold range, the method further comprises:
calculating a first flow mean of the uplink traffic and a second flow mean of the downlink traffic;
calculating an uplink/downlink average flow ratio from the first flow mean and the second flow mean;
judging whether the uplink/downlink average flow ratio lies within a second threshold range;
if so, proceeding to the step of determining that there is a trojan process among the computer processes.
Specifically, in this embodiment the first flow mean of the uplink traffic and the second flow mean of the downlink traffic are calculated from the first total flow value and the second total flow value accumulated over the first preset time, and the uplink/downlink average flow ratio is then calculated from the two means, i.e. as a ratio of the data traffic transmitted per unit time:

AR = \frac{\sum_{t_1} M_{up} \,/\, t_1}{\sum_{t_1} M_{down} \,/\, t_1}

where AR is the uplink/downlink average flow ratio, t_1 is the first preset time, M_{up} is the uplink traffic and \sum_{t_1} M_{up} is the first total flow value of the uplink traffic over the first preset time, and M_{down} is the downlink traffic and \sum_{t_1} M_{down} is the second total flow value of the downlink traffic over the first preset time. After AR has been calculated it is compared with the second threshold range to judge whether the computer process is a trojan process.
Compared with the previous embodiment, the detection method provided here compares the uplink/downlink average flow ratio over the first preset time with the second threshold range and can therefore judge more accurately whether there is a trojan process among the computer processes and hence whether a trojan program is present on the server, so that it can be found and removed and the security of the server ensured.
On the basis of the above embodiments, this embodiment further explains and refines the technical solution. Specifically, after judging that the total flow ratio lies within the first threshold range, the method further comprises:
calculating, within a second preset time, the ratio of the time during which the uplink traffic is greater than the downlink traffic to the time during which the uplink and downlink traffic differ, to obtain a time ratio;
judging whether the time ratio lies within a third threshold range;
if so, proceeding to the step of determining that there is a trojan process among the computer processes.
Specifically, within the second preset time, the ratio of the time during which the uplink traffic is greater than the downlink traffic to the time during which the uplink and downlink traffic differ is calculated as

RTR = \frac{\sum_{t_2} t_{up > down}}{\sum_{t_2} t_{up \neq down}}

where RTR is the time ratio, t_2 is the second preset time, \sum_{t_2} t_{up > down} is the cumulative time within t_2 during which the uplink traffic exceeds the downlink traffic, and \sum_{t_2} t_{up \neq down} is the cumulative time within t_2 during which the uplink and downlink traffic differ. Whenever the server is uploading or downloading, the uplink and downlink flow values are unequal, i.e. M_{up} \neq M_{down}, and that instant counts towards the denominator. After RTR has been calculated, it is compared with the third threshold range; if RTR lies within the third threshold range, the current computer process is determined to be a trojan process. It should be emphasised that the first preset time and the second preset time may be the same period or different periods, as long as AR and RTR can be calculated; the embodiment does not limit this.
A further characteristic of a running trojan program is that the proportion of the data-transmission time during which the process's uplink traffic exceeds its downlink traffic is relatively high. This embodiment therefore additionally calculates the ratio of the time during which uplink traffic exceeds downlink traffic to the time during which the two differ, obtains the time ratio RTR, and compares RTR with the third threshold range to judge whether there is a trojan process among the computer processes. In other words, on the basis of the above embodiments, this embodiment uses another characteristic of a running trojan program to judge from a second angle whether a trojan is present among the computer processes, which further improves the accuracy of trojan detection on the server.
As a preferred embodiment, the second threshold range is 0.5 to 5 and the third threshold range is 0.5 to 0.6.
Tables 1 and 2 below give, from experiment, the detection rate and false-alarm rate of trojan programs for different AR values and different RTR values respectively (both in per cent).
Table 1
AR | 0.02 | 0.05 | 0.1 | 0.2 | 0.5 | 5 | 6 |
Detection rate (%) | 100 | 100 | 100 | 100 | 100 | 100 | 80 |
False-alarm rate (%) | 86.67 | 73.33 | 33.33 | 13.33 | 6.67 | 6.67 | 6.67 |
Table 2
RTR | 0.2 | 0.3 | 0.4 | 0.5 | 0.6 | 0.7 |
Detection rate (%) | 100 | 100 | 100 | 100 | 100 | 80 |
False-alarm rate (%) | 53.33 | 26.67 | 13.33 | 6.67 | 6.67 | 6.67 |
From the tables it can be seen that when the AR value is between 0.5 and 5 the trojan detection rate is high and the false-alarm rate low, and when the RTR value is between 0.5 and 0.6 the detection rate is likewise high and the false-alarm rate low. Trojans can therefore be detected by monitoring the AR and RTR values: if the AR value is between 0.5 and 5 and the RTR value is between 0.5 and 0.6, the computer process is determined to be a trojan process, i.e. a trojan program is present on the server. In this embodiment the second threshold range is therefore preferably set to 0.5 to 5 and the third threshold range to 0.5 to 0.6. These threshold ranges are preferred values; in other embodiments other value ranges may be set according to actual needs, and the embodiment does not limit this.
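The full check cascade described above (the instantaneous comparison of S10 to S30, the total flow ratio over t1, AR against the second threshold range and RTR against the third threshold range), as an added Python example that is not code from the patent. The patent gives only the second and third threshold ranges, so the first threshold range, the use of fixed-length sampling intervals with t1 = t2 equal to the whole window, the process names and the per-interval byte counts are all assumptions constructed for this illustration.

```python
"""Trojan-process traffic cascade after CN109257379A (added example, not the patent's code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Sample:
    """Bytes one process sent (uplink) and received (downlink) in one sampling interval."""
    up: int
    down: int


# Inclusive (low, high) ranges. The second and third ranges are the patent's
# preferred values; the first is not given in the patent and is assumed here.
FIRST_THRESHOLD = (1.0, 100.0)   # total flow ratio (assumption)
SECOND_THRESHOLD = (0.5, 5.0)    # AR, uplink/downlink average flow ratio
THIRD_THRESHOLD = (0.5, 0.6)     # RTR, time ratio


def in_range(value: float, bounds: Tuple[float, float]) -> bool:
    low, high = bounds
    return low <= value <= high


def total_flow_ratio(samples: List[Sample]) -> float:
    """First total flow value / second total flow value over the window t1."""
    total_up = sum(s.up for s in samples)
    total_down = sum(s.down for s in samples)
    return float("inf") if total_down == 0 else total_up / total_down


def average_flow_ratio(samples: List[Sample]) -> float:
    """AR = (sum up / t1) / (sum down / t1): mean bytes per interval, uplink over downlink.
    With both means taken over the same t1 the interval length cancels, so AR equals
    the total flow ratio; it is kept as its own step to mirror the patent."""
    t1 = len(samples)
    mean_up = sum(s.up for s in samples) / t1
    mean_down = sum(s.down for s in samples) / t1
    return float("inf") if mean_down == 0 else mean_up / mean_down


def time_ratio(samples: List[Sample]) -> float:
    """RTR: intervals with uplink > downlink as a share of the intervals in which
    uplink and downlink differ (intervals with up == down carry no traffic and are ignored)."""
    differing = [s for s in samples if s.up != s.down]
    if not differing:
        return 0.0
    return sum(1 for s in differing if s.up > s.down) / len(differing)


def classify(samples: List[Sample]) -> Tuple[str, Dict[str, float]]:
    """Run the cascade for one process. The last sample is the moment of detection
    (S10-S30); the whole list is the accumulation window, so t1 == t2 here."""
    latest = samples[-1]
    metrics: Dict[str, float] = {}
    if latest.up == latest.down:
        return "idle", metrics              # equal traffic: treated as not running
    if latest.up < latest.down:
        return "normal", metrics            # S20 fails: ordinary request/response shape
    metrics["total_ratio"] = total_flow_ratio(samples)
    if not in_range(metrics["total_ratio"], FIRST_THRESHOLD):
        return "normal", metrics
    metrics["AR"] = average_flow_ratio(samples)
    if not in_range(metrics["AR"], SECOND_THRESHOLD):
        return "normal", metrics
    metrics["RTR"] = time_ratio(samples)
    if not in_range(metrics["RTR"], THIRD_THRESHOLD):
        return "normal", metrics
    return "trojan", metrics


# Constructed per-interval byte counts (ten intervals per process); not measured data.
PROCESSES: Dict[str, List[Sample]] = {
    # remote-control shape: short commands in, command output and screenshots out,
    # with quiet intervals in between
    "svchost_lookalike.exe": [Sample(900, 200), Sample(100, 300), Sample(800, 150),
                              Sample(50, 260), Sample(0, 0), Sample(1100, 180),
                              Sample(80, 240), Sample(700, 120), Sample(60, 200),
                              Sample(900, 160)],
    # ordinary client: small requests, large responses
    "update_client.exe": [Sample(200, 5000), Sample(150, 3000), Sample(0, 0),
                          Sample(300, 9000), Sample(180, 4000), Sample(0, 0),
                          Sample(220, 7000), Sample(160, 2500), Sample(0, 0),
                          Sample(250, 6000)],
    # bulk file service: sends far more than it receives, AR well outside (0.5, 5)
    "ftpd.exe": [Sample(4000, 200)] * 10,
    # steady reporter: AR inside the range but uplink wins in every interval, RTR = 1
    "telemetry.exe": [Sample(600, 200)] * 10,
    "idle.exe": [Sample(0, 0)] * 10,
}


def scan(processes: Dict[str, List[Sample]]) -> Dict[str, str]:
    """Verdict per process name."""
    return {name: classify(samples)[0] for name, samples in processes.items()}


if __name__ == "__main__":
    for name, samples in PROCESSES.items():
        verdict, metrics = classify(samples)
        print(f"{name:24} {verdict:7} {metrics}")
```

Running the block flags only svchost_lookalike.exe (total ratio and AR of about 2.59, RTR of 5/9). ftpd.exe passes the instantaneous comparison but is rejected on AR, and telemetry.exe is rejected on RTR, which shows why the patent layers the ratio checks on top of S20: any process that serves content sends more than it receives. The ranges are taken from the patent's tables and should be re-tuned on local traffic before use.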
As a preferred embodiment, the step of obtaining the uplink traffic and downlink traffic of a computer process specifically comprises:
capturing the uplink packets and downlink packets of the computer process using WinPcap;
filtering out the protocol packets among the uplink packets and downlink packets;
counting the traffic of the filtered uplink packets and downlink packets separately to obtain the uplink traffic and the downlink traffic.
Specifically, WinPcap (Windows Packet capture) is a free, public network-access library for the Windows platform. It captures raw packets, including the packets the control end (client computer) sends to and receives from the controlled end (server), i.e. the uplink and downlink packets of the computer process. Certain packets are then discarded according to user-defined rules; in this embodiment these are the protocol packets (the protocols concerned are not enumerated here). Finally the traffic of the remaining uplink and downlink packets is counted separately to obtain the uplink traffic and the downlink traffic. (WinPcap itself is no longer maintained; Npcap is its maintained successor on current Windows versions and exposes the same capture API.)
This embodiment therefore obtains the uplink and downlink traffic of a computer process via WinPcap, which is simple to operate and yields accurate traffic figures, and so helps to judge more accurately whether there is a trojan process among the computer processes.
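Per-process uplink and downlink byte counts from captured packets, as an added Python example that is not code from the patent. The patent captures with WinPcap and filters "protocol packets" before counting; here the capture is replaced by a constructed list of packet records, "protocol packets" is taken to mean everything other than TCP and UDP (an assumption, since the patent does not enumerate them), and packets are attributed to processes through an assumed local socket table of the kind `netstat -ano` or GetExtendedTcpTable report. The server address, port numbers, PIDs and packet sizes are all constructed.

```python
"""Per-process uplink/downlink byte counts from packet records (added example, not the patent's code)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SERVER_IP = "10.0.0.5"   # address of the monitored server (assumed)


@dataclass(frozen=True)
class Packet:
    proto: str       # "TCP", "UDP", "ARP", "ICMP", ...
    src_ip: str
    src_port: int    # 0 for protocols without ports
    dst_ip: str
    dst_port: int
    length: int      # bytes on the wire


# Constructed socket table, (protocol, local port) -> pid, as a netstat listing would give it.
SOCKET_TABLE: Dict[Tuple[str, int], int] = {
    ("TCP", 443): 1200,      # web server listening socket
    ("TCP", 49812): 4242,    # outbound connection held by the suspect process
    ("UDP", 53000): 3100,    # DNS stub resolver
}

COUNTED_PROTOCOLS = {"TCP", "UDP"}   # everything else is treated as a 'protocol packet' and dropped


def direction(pkt: Packet) -> Optional[str]:
    """'up' if the server sent the packet, 'down' if it received it, None if neither."""
    if pkt.src_ip == SERVER_IP:
        return "up"
    if pkt.dst_ip == SERVER_IP:
        return "down"
    return None


def owning_pid(pkt: Packet, table: Dict[Tuple[str, int], int]) -> Optional[int]:
    """Map a packet to the process owning the server-side socket, via the local port."""
    local_port = pkt.src_port if pkt.src_ip == SERVER_IP else pkt.dst_port
    return table.get((pkt.proto, local_port))


def count_per_process(packets: List[Packet],
                      table: Dict[Tuple[str, int], int]) -> Tuple[Dict[int, Dict[str, int]], int]:
    """Return ({pid: {'up': bytes, 'down': bytes}}, unattributed_bytes)."""
    counts: Dict[int, Dict[str, int]] = defaultdict(lambda: {"up": 0, "down": 0})
    unattributed = 0
    for pkt in packets:
        if pkt.proto not in COUNTED_PROTOCOLS:
            continue                      # filtered 'protocol packet'
        d = direction(pkt)
        if d is None:
            continue                      # not this host's traffic
        pid = owning_pid(pkt, table)
        if pid is None:
            unattributed += pkt.length    # no socket owner known for this port
            continue
        counts[pid][d] += pkt.length
    return dict(counts), unattributed


def suspects(counts: Dict[int, Dict[str, int]]) -> List[int]:
    """PIDs whose uplink exceeds downlink (the S20 comparison), sorted."""
    return sorted(pid for pid, c in counts.items() if c["up"] > c["down"])


# Constructed capture: a few packets seen on the server's interface.
PACKETS: List[Packet] = [
    Packet("ARP", "10.0.0.1", 0, "10.0.0.5", 0, 42),                    # dropped as protocol packet
    Packet("ICMP", "10.0.0.9", 0, "10.0.0.5", 0, 98),                   # dropped as protocol packet
    Packet("TCP", "203.0.113.7", 51000, "10.0.0.5", 443, 420),          # HTTPS request to pid 1200
    Packet("TCP", "10.0.0.5", 443, "203.0.113.7", 51000, 15200),        # HTTPS response from pid 1200
    Packet("TCP", "10.0.0.5", 49812, "198.51.100.20", 8443, 9800),      # pid 4242 sends data out
    Packet("TCP", "198.51.100.20", 8443, "10.0.0.5", 49812, 120),       # short reply to pid 4242
    Packet("UDP", "10.0.0.5", 53000, "10.0.0.2", 53, 70),               # DNS query from pid 3100
    Packet("UDP", "10.0.0.2", 53, "10.0.0.5", 53000, 190),              # DNS answer to pid 3100
    Packet("TCP", "10.0.0.9", 40000, "10.0.0.5", 22, 300),              # port 22 not in the table
    Packet("TCP", "10.0.0.9", 40001, "10.0.0.10", 80, 500),             # other hosts' traffic
]


if __name__ == "__main__":
    per_pid, unattributed = count_per_process(PACKETS, SOCKET_TABLE)
    for pid, c in sorted(per_pid.items()):
        print(f"pid {pid}: up={c['up']} down={c['down']}")
    print("unattributed bytes:", unattributed, "| S20 suspects:", suspects(per_pid))
```

Two points a practitioner should take from the output: the web server (pid 1200) also sends more than it receives and so passes the S20 comparison alongside the suspect process, which is why the ratio checks of the later embodiments matter; and packets whose local port has no entry in the socket table (the port-22 connection here) cannot be charged to any process, so the socket table must be refreshed at the same rate as the capture or short-lived connections are lost.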
The embodiments of the trojan program detection method provided by the present invention have been described in detail above. The present invention also provides a trojan program detection device, equipment and computer-readable storage medium corresponding to the method. Since the embodiments of the device, equipment and storage medium correspond to the embodiments of the method, reference can be made to the description of the method embodiments, which is not repeated here.
Fig. 2 is a block diagram of a trojan program detection device provided in an embodiment of the present invention. As shown in Fig. 2, the device is applied to a server and comprises:
an obtaining module 21, for obtaining the uplink traffic and downlink traffic of a computer process when the computer process is detected;
a judgment module 22, for judging whether the uplink traffic is greater than the downlink traffic;
a determination module 23, for determining, if so, that there is a trojan process among the computer processes.
The trojan program detection device provided in the embodiment of the present invention has the beneficial effects of the trojan program detection method described above.
Fig. 3 is a block diagram of trojan program detection equipment provided in an embodiment of the present invention. As shown in Fig. 3, the equipment comprises:
a memory 31, for storing a computer program;
a processor 32, for implementing the steps of the trojan program detection method described above when executing the computer program.
The trojan program detection equipment provided in the embodiment of the present invention has the beneficial effects of the trojan program detection method described above.
To solve the above technical problem, the present invention also provides a computer-readable storage medium on which a computer program is stored, the computer program implementing the steps of the trojan program detection method described above when executed by a processor.
The computer-readable storage medium provided in the embodiment of the present invention has the beneficial effects of the trojan program detection method described above.
The trojan program detection method, device, equipment and computer-readable storage medium provided by the present invention have been described in detail above. Specific examples have been used to explain the principles and implementation of the present invention, and the description of the embodiments serves only to help understand the method of the invention and its core idea. Those of ordinary skill in the art can make several improvements and modifications to the present invention without departing from its principles, and such improvements and modifications also fall within the scope of protection of the claims.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments can be referred to each other. The device disclosed in the embodiments corresponds to the method disclosed in the embodiments, so its description is relatively brief and reference can be made to the description of the method.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in the embodiments disclosed herein can be implemented in electronic hardware, computer software or a combination of the two. To illustrate the interchangeability of hardware and software clearly, the composition and steps of each example have been described above in terms of function. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution; skilled persons may implement the described functions in different ways for each specific application, and such implementations should not be regarded as going beyond the scope of the present invention.
Claims (10)
1. A detection method for a trojan horse program, characterized in that it is applied to a server and comprises:
when a computer process is detected, obtaining the uplink traffic and the downlink traffic of the computer process;
judging whether the uplink traffic is greater than the downlink traffic;
if so, determining that there is a trojan horse process among the computer processes.
2. The method according to claim 1, characterized in that, after judging that the uplink traffic is greater than the downlink traffic, it further comprises:
accumulating a first total traffic value of the uplink traffic and a second total traffic value of the downlink traffic within a first preset time;
calculating the ratio of the first total traffic value to the second total traffic value to obtain a total traffic ratio;
judging whether the total traffic ratio is within a first threshold range;
if so, proceeding to the step of determining that there is a trojan horse process among the computer processes.
3. The method according to claim 2, characterized in that, after judging that the total traffic ratio is within the first threshold range, it further comprises:
calculating separately a first traffic mean of the uplink traffic and a second traffic mean of the downlink traffic;
calculating an uplink-to-downlink average traffic ratio from the first traffic mean and the second traffic mean;
judging whether the uplink-to-downlink average traffic ratio is within a second threshold range;
if so, proceeding to the step of determining that there is a trojan horse process among the computer processes.
4. The method according to claim 3, characterized in that, after judging that the total traffic ratio is within the first threshold range, it further comprises:
calculating, within a second preset time, the proportion of the time during which the uplink traffic is greater than the downlink traffic to the time during which the uplink traffic and the downlink traffic differ, to obtain a time ratio;
judging whether the time ratio is within a third threshold range;
if so, proceeding to the step of determining that there is a trojan horse process among the computer processes.
5. The method according to claim 3, characterized in that the second threshold range is between 0.5 and 5.
6. The method according to claim 4, characterized in that the third threshold range is between 0.5 and 0.6.
7. The method according to any one of claims 1 to 6, characterized in that the step of obtaining the uplink traffic and the downlink traffic of the computer process specifically comprises:
obtaining the uplink data packets and the downlink data packets of the computer process using WinPcap;
filtering the protocol packets out of the uplink data packets and the downlink data packets;
counting the traffic of the filtered uplink data packets and of the filtered downlink data packets respectively, to obtain the uplink traffic and the downlink traffic.
8. A detection device for a trojan horse program, characterized in that it is applied to a server and comprises:
an obtaining module, for obtaining the uplink traffic and the downlink traffic of a computer process when the computer process is detected;
a judgment module, for judging whether the uplink traffic is greater than the downlink traffic;
a determination module, for determining, if so, that there is a trojan horse process among the computer processes.
9. Detection equipment for a trojan horse program, characterized in that it comprises:
a memory, for storing a computer program;
a processor, for implementing the steps of the detection method for a trojan horse program according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and the computer program, when executed by a processor, implements the steps of the detection method for a trojan horse program according to any one of claims 1 to 7.
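As an added illustration, not the patent's own code, the following Python runs the layered checks of claims 1 to 6 over constructed per-process byte counts. The first threshold range of claim 2 is not stated on the page, so FIRST_RANGE is an assumed value, and the first and second preset times are expressed as a number of sampling intervals.

```python
from typing import List, Sequence, Tuple

Sample = Tuple[int, int]   # (uplink bytes, downlink bytes) counted in one interval
FIRST_RANGE = (1.0, 10.0)  # claim 2 total-traffic ratio range: ASSUMED, not on the page
SECOND_RANGE = (0.5, 5.0)  # claim 5: range for the uplink-to-downlink mean traffic ratio
THIRD_RANGE = (0.5, 0.6)   # claim 6: range for the share of differing intervals with up > down

def _within(value: float, bounds: Tuple[float, float]) -> bool:
    return bounds[0] <= value <= bounds[1]

def total_flow_ratio(window: Sequence[Sample]) -> float:
    """Claim 2: accumulated uplink total over accumulated downlink total."""
    up, down = sum(u for u, _ in window), sum(d for _, d in window)
    return up / down if down else float("inf")

def mean_flow_ratio(window: Sequence[Sample]) -> float:
    """Claim 3: mean uplink per interval over mean downlink per interval (equal to
    total_flow_ratio on the same window, so it is taken over all samples here)."""
    mean_up = sum(u for u, _ in window) / len(window)
    mean_down = sum(d for _, d in window) / len(window)
    return mean_up / mean_down if mean_down else float("inf")

def time_ratio(window: Sequence[Sample]) -> float:
    """Claim 4: of the intervals where up != down, the fraction with up > down."""
    differing = [(u, d) for u, d in window if u != d]
    return sum(u > d for u, d in differing) / len(differing) if differing else 0.0

def stages_passed(samples: Sequence[Sample], first_n: int, second_n: int) -> List[str]:
    """Checks in claim order, stopping at the first failure; first_n and second_n
    are the first and second preset times in intervals. Four entries = flagged."""
    passed: List[str] = []
    if samples[-1][0] <= samples[-1][1]:                                 # claim 1
        return passed
    passed.append("uplink_gt_downlink")
    if not _within(total_flow_ratio(samples[-first_n:]), FIRST_RANGE):  # claim 2
        return passed
    passed.append("total_ratio")
    if not _within(mean_flow_ratio(samples), SECOND_RANGE):             # claim 3
        return passed
    passed.append("mean_ratio")
    if _within(time_ratio(samples[-second_n:]), THIRD_RANGE):           # claim 4
        passed.append("time_ratio")
    return passed

def is_trojan_process(samples: Sequence[Sample], first_n: int, second_n: int) -> bool:
    return len(stages_passed(samples, first_n, second_n)) == 4

# Constructed samples: a process that mostly pushes data out, a download-heavy benign process, and a steady uploader that the claim 6 range rules out.
SUSPECT = [(900, 300), (200, 400), (1200, 300), (100, 100), (700, 500),
           (300, 450), (250, 900), (150, 600), (800, 300), (1100, 200)]
BENIGN = [(50, 3000), (40, 2500), (60, 4000), (30, 1000), (80, 6000)]
UPLOADER = [(800, 300)] * 6
```

Note that the claim 6 range of 0.5 to 0.6 means a process whose uplink exceeds its downlink in every interval (the steady uploader) is not flagged, while one that only tips towards uplink slightly more than half the time is.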
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811319308.7A CN109257379A (en) | 2018-11-07 | 2018-11-07 | A kind of detection method of trojan horse program, device, equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109257379A true CN109257379A (en) | 2019-01-22 |
Family
ID=65044674
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 2019-01-22