Netinfo Security (信息网络安全) ›› 2015, Vol. 15 ›› Issue (5): 10-15. doi: 10.3969/j.issn.1671-1122.2015.05.002

• Technical Research •

Characteristics Analysis of Traffic Behavior of Remote Access Trojan in Three Communication Phases (远控型木马通信三阶段流量行为特征分析)

LI Wei (1), LI Li-hui (1, 2), LI Jia (2), LIN Shen-wen (2)

  1. School of Computer Science, Beihang University, Beijing 100191, China
  2. National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC), Beijing 100029, China
  • Received: 2015-04-15  Online: 2015-05-10  Published: 2018-07-16
  • About the authors:
    LI Wei (b. 1970), female, Beijing, associate professor, Ph.D.; main research interests: mobile location-based services and their security, network measurement and performance analysis, measurement and performance analysis of distributed applications. LI Li-hui (b. 1990), female, Hebei, master's student; main research interest: network security. LI Jia (b. 1983), male, Hebei, senior engineer, M.S.; main research interest: network security. LIN Shen-wen (b. 1982), male, Jiangxi, engineer, M.S.; main research interest: network security.

  • Funding:
    National Natural Science Foundation of China [61171193]; National Key Technology Research and Development Program of China [2015BAK21B01]


Abstract:

With the development of Internet technology, network applications have become far more widespread, and safeguarding network security has become a pressing problem. Trojans are currently one of the most serious threats to network security; the main detection approaches are signature-based and behavior-based Trojan detection. This paper analyzes the traffic behavior characteristics of remote access Trojans across the three phases of their communication. It finds that during connection establishment the Trojan exhibits dynamic DNS behavior; during data transfer it sets the TCP push flag (PSH) to 1, so the number of PSH packets rises; during command interaction, upstream and downstream traffic are asymmetric and the proportion of small packets is high; and during connection keep-alive, heartbeat packets appear. Through experiments the paper compares the behavior of normal application traffic and remote access Trojan traffic on these features, analyzes their similarities and differences, and thereby provides a basis for identifying Trojans by their traffic behavior characteristics.

Key words: remote access Trojan, traffic behavior, characteristics analysis, Trojan detection
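The four phase-specific indicators named in the abstract (dynamic-DNS hostname at connection set-up, PSH-heavy data transfer, asymmetric small-packet command interaction, periodic heartbeats while the connection is kept alive) can be computed per flow from nothing more than packet timestamps, direction, payload length and the PSH flag. The script below is an added example, not code or data from the paper: the two packet traces are constructed, the dynamic-DNS suffix list is a hypothetical sample, and every threshold (PSH share 0.8, upload/download ratio 3, small-packet share 0.5, heartbeat jitter 10%) is an assumption that would have to be calibrated on real traffic.

```python
"""Flow-level indicators for the three RAT communication phases described
in the abstract. Added example, not the paper's code; packet records,
dynamic-DNS suffixes and thresholds are constructed assumptions."""
import statistics
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical list of free dynamic-DNS providers (assumption, not from the paper).
DYNDNS_SUFFIXES = ("no-ip.org", "ddns.net", "3322.org", "f3322.net", "dyndns.org")


@dataclass
class Packet:
    ts: float        # seconds since the first packet of the flow
    upstream: bool   # True: infected host -> controller; False: controller -> host
    size: int        # TCP payload bytes (0 for pure ACKs)
    psh: bool        # TCP PSH flag set


def is_dyndns(hostname: str) -> bool:
    """Connection phase: is the C2 hostname served by a dynamic-DNS provider?"""
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def _data(pkts: List[Packet]) -> List[Packet]:
    return [p for p in pkts if p.size > 0]          # ignore pure ACKs


def psh_ratio(pkts: List[Packet]) -> float:
    """Data transfer: share of payload-carrying segments with PSH=1."""
    data = _data(pkts)
    return sum(p.psh for p in data) / len(data) if data else 0.0


def updown_ratio(pkts: List[Packet]) -> float:
    """Command interaction: upload bytes / download bytes (a RAT victim uploads far more)."""
    up = sum(p.size for p in pkts if p.upstream)
    down = sum(p.size for p in pkts if not p.upstream)
    return up / down if down else float("inf")


def small_packet_ratio(pkts: List[Packet], threshold: int = 128) -> float:
    """Command interaction: share of payload segments no larger than `threshold` bytes."""
    data = _data(pkts)
    return sum(p.size <= threshold for p in data) / len(data) if data else 0.0


def heartbeat_period(pkts: List[Packet], max_size: int = 64,
                     min_beats: int = 4, max_cv: float = 0.1) -> Optional[float]:
    """Keep-alive: a train of small packets in one direction at a near-constant
    interval. Returns the mean interval in seconds, or None if no train is found."""
    for upstream in (True, False):
        ts = sorted(p.ts for p in pkts if p.upstream == upstream and 0 < p.size <= max_size)
        if len(ts) < min_beats:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        # coefficient of variation bounds the jitter; heartbeats are timer-driven
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            return mean
    return None


def flow_features(hostname: str, pkts: List[Packet]) -> Dict[str, object]:
    return {"dyndns": is_dyndns(hostname), "psh_ratio": psh_ratio(pkts),
            "updown_ratio": updown_ratio(pkts), "small_ratio": small_packet_ratio(pkts),
            "heartbeat_period": heartbeat_period(pkts)}


def rat_score(f: Dict[str, object]) -> int:
    """Number of the five indicators that fire (all thresholds are assumptions)."""
    return (int(f["dyndns"]) + int(f["psh_ratio"] >= 0.8) + int(f["updown_ratio"] >= 3.0)
            + int(f["small_ratio"] >= 0.5) + int(f["heartbeat_period"] is not None))


# Constructed RAT session: short commands down, bulky PSH replies up, then 8-byte
# heartbeats from the victim roughly every 30 s. Hostname is a placeholder.
RAT_HOST = "c2-example.ddns.net"
RAT_FLOW = [
    Packet(0.0, False, 32, True), Packet(0.2, True, 1200, True), Packet(0.25, False, 0, False),
    Packet(0.3, True, 1200, False), Packet(0.4, True, 600, True),
    Packet(5.0, False, 40, True), Packet(5.1, True, 900, True), Packet(5.15, False, 0, False),
    Packet(5.2, True, 300, True), Packet(9.0, False, 24, True), Packet(9.1, True, 80, True),
] + [Packet(t, True, 8, True) for t in (40.0, 70.1, 99.9, 130.0, 160.2)]

# Constructed benign HTTP download: one small request up, large segments down.
BENIGN_HOST = "www.example.com"
BENIGN_FLOW = [
    Packet(0.0, True, 200, True), Packet(0.1, False, 1400, False),
    Packet(0.11, False, 1400, False), Packet(0.12, False, 1400, False),
    Packet(0.13, False, 900, True), Packet(0.2, True, 0, False),
]

if __name__ == "__main__":
    for name, host, flow in (("RAT", RAT_HOST, RAT_FLOW), ("benign", BENIGN_HOST, BENIGN_FLOW)):
        f = flow_features(host, flow)
        print(name, f, "score", rat_score(f))
```

On the constructed traces the RAT flow trips all five indicators (PSH share 13/14, upload/download ratio 45, small-packet share 9/14, a 30 s heartbeat train) while the benign download trips none. Any single indicator is weak on its own (interactive SSH also sets PSH on nearly every segment and is small-packet heavy), which is why the paper compares normal and Trojan traffic on all of them together rather than alerting on one.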

