远控型木马通信三阶段流量行为特征分析

doi:10.3969/j.issn.1671-1122.2015.05.002

信息网络安全 ›› 2015, Vol. 15 ›› Issue (5): 10-15.doi: 10.3969/j.issn.1671-1122.2015.05.002

远控型木马通信三阶段流量行为特征分析

李巍¹, 李丽辉^1,²(), 李佳², 林绅文²

1.北京航空航天大学计算机学院,北京 100191
2. 国家计算机网络应急技术处理协调中心,北京 100029

收稿日期:2015-04-15 出版日期:2015-05-10 发布日期:2018-07-16
作者简介:
作者简介：李巍（1970-）,女,北京,副教授,博士,主要研究方向：移动位置服务及其安全性、网络测量和性能分析、分布式应用测量及性能分析;李丽辉（1990-）,女,河北,硕士研究生,主要研究方向：网络安全;李佳（1983-）,男,河北,高级工程师,硕士,主要研究方向：网络安全;林绅文（1982-）,男,江西,工程师,硕士,主要研究方向：网络安全。
基金资助:
国家自然科学基金[61171193];国家科技支撑计划[2015BAK21B01]

Characteristics Analysis of Traffic Behavior of Remote Access Trojan in Three Communication Phases

Wei LI¹, Li-hui LI^1,²(), Jia LI², Shen-wen LIN²

1. School of Computer Science , Beihang University , Beijing 100191, China
2. National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing 100029, China

Received:2015-04-15 Online:2015-05-10 Published:2018-07-16

摘要/Abstract

摘要：

随着互联网技术的发展,网络的应用也得到更好的普及,而保障网络安全成为亟待解决的问题。目前,木马是网络安全最严重的威胁之一,针对木马的主要检测方法是基于特征码的木马检测和基于行为的木马检测。文章从远程控制类型木马通信的3个阶段分析其流量行为特征,发现木马在建立连接阶段会有动态DNS行为,在数据传输时报文会置推送标志位PSH为1,导致PSH报文数量增大;在命令交互阶段,上下行流量不对称,小数据包比例大;在保持连接阶段会有心跳数据包。文章通过实验比较了正常应用通信流量与远程控制类型木马通信流量在上述特征上的表现行为,分析它们的异同点,从而为木马流量行为特征识别提供依据。

关键词: 远控型木马, 流量行为, 特征分析, 木马检测

Abstract:

With the development of Internet technologies, network applications have also been better spread, and ensuring network security has become an urgent problem. Currently, the Trojan is one of the most serious threats to network security. The main methods of Trojan detection are characteristics-based Trojan detection and behavior-based Trojan detection. This paper analyzes the characteristics of the traffic behavior from the three communication stages of remote access Trojan. During establishing the connection, the Trojans have dynamic DNS behavior, and the PSH flag of TCP packet is set 1 when data is transferred, causing the number of PSH packets increasing. During command interaction , upload traffic and download traffic are asymmetrical, and the ratio of small packets is high. During keeping connection, the server sends keep-alive packets. This paper designs experiments to compare normal application traffic behavior with remote access Trojan traffic behavior on the above features, and analyze their similarities and differences, providing a basis for identifying the Trojan through traffic behavior characteristics.

Key words: remote access Trojan, traffic behavior, characteristics analysis, Trojan detection

中图分类号:

TP309

李巍, 李丽辉, 李佳, 林绅文. 远控型木马通信三阶段流量行为特征分析[J]. 信息网络安全, 2015, 15(5): 10-15.

Wei LI, Li-hui LI, Jia LI, Shen-wen LIN. Characteristics Analysis of Traffic Behavior of Remote Access Trojan in Three Communication Phases[J]. Netinfo Security, 2015, 15(5): 10-15.

图/表 9

图1

图2

图3

图4

图5

图6

图7

表1

图8

参考文献 23

[1]	国家互联网应急中心.CNCERT互联网安全威胁报告[EB/OL]. .
[2]	Kolter J Z, Maloof M A.Learning to detect and classify malicious executables in the wild[J]. The Journal of Machine Learning Research, 2006,(7): 2721-2744.
[3]	Gao D, Reiter M K, Song D.Binhunt: Automatically finding semantic differences in binary programs[M]. Heidelberg: Springer Berlin, 2008.
[4]	Chen Q Z, Cheng R, Gu Y J.Classification algorithms of Trojan horse detection based on behavior[C]// International Conference on IEEE, 2009, (2): 510-513.
[5]	liu Yu feng, Zhang Li-wei, Liang Jian, et al. Detecting trojan horses based on system behavior using machine learning method[C]// Proceedings of the Ninth International Conference on Machine Learning and Cybernetics, Qingdao, 2010,(7):11-14 .
[6]	Bayer U, Comparetti P M, Hlauschek C, et al.Scalable, Behavior-Based Malware Clustering[C]//NDSS. 2009, (9): 8-11.
[7]	韩奕. 基于行为分析的恶意代码检测与评估研究[D].北京:北京交通大学,2014.
[8]	Kirda E, Kruegel C, Banks G, et al.Behavior-based Spyware Detection[C]// Usenix Security,2006.
[9]	商海波. 木马的行为分析及新型反木马策略的研究[D].杭州:浙江工业大学,2005.
[10]	Qin J, Yan H, Si Q, et al.A Trojan horse Detection Technology Based on Behavior Analysis[C]// Proceedings of Wireless Communications Networking and Mobile Computing (WiCOM), 2010 6th International Conference on,2010: 1-4.
[11]	Valenti S, Rossi D, Dainotti A, et al.Reviewing traffic classification[M]. Heidelberg: Springer Berlin ,2013.
[12]	Xue Y, Wang D, Zhang L.Traffic classification: Issues and challenges[C]//Computing, Networking and Communications (ICNC), 2013 International Conference on. IEEE, 2013: 545-549.
[13]	姚姜源. 基于网络通信内容的木马检测系统设计与实现[D].北京:北京交通大学,2009.
[14]	Myers A, Nystrom N, Zheng L, et al. Java Information flow [EB/OL]. .
[15]	Perdisci R, Lee W, Feamster N.Behavior clustering of Http-based malware and signature generation using malicious network traces [EB/OL]. ,2011.
[16]	Li S, Yun X, Zhang Y, et al.A General Framework of Trojan Communication Detection Based on Network Traces[C]//Networking, Architecture and Storage (NAS), 2012 IEEE 7th International Conference on. IEEE, 2012: 49-58.
[17]	Li S, Yun X C, Zhang Y Z, et al.A novel approach of detecting Trojan based on network behavior analysis[C]// Communication Technology (ICCT), 2012 IEEE 14th International Conference on. IEEE, 2012: 513-518.
[18]	Meng L, Liu S L, Liu L, et al.Trojan Rapid Detection Method Based on Heartbeat Behavior Analysis[J]. Computer Engineering, 2012, (14): 5.
[19]	孙海涛. 基于通信行为分析的木马检测技术[D].郑州:解放军信息工程大学,2011.
[20]	唐彰国,李焕洲,等.基于网络通信指纹的启发式木马识别系统[J]. 计算机工程,2011,(9): 119-122.
[21]	Xiaochen Zhang, Shengli Liu, et al.Trojan Detection Based on Network Flow Clustering[C]// 2012 Fourth International Conference on Mutimedia Information Networking and Security,2012.
[22]	Zhang J, Chen C, Xiang Y, et al.An effective network traffic classification method with unknown flow detection[J]. Network and Service Management, IEEE Transactions on, 2013, 10(2): 133-147.
[23]	Zhang J, Chen X, Xiang Y, et al. Robust Network Traffic Classification[J]. IEEE/ACM Trans. Netw,2014,pp(99):1-14.

远控型木马通信三阶段流量行为特征分析

Characteristics Analysis of Traffic Behavior of Remote Access Trojan in Three Communication Phases

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 9

参考文献 23

相关文章 4

编辑推荐

Metrics

本文评价

[1]	郝增帅, 郭荣华, 文伟平, 孟正. 基于特征分析和行为监控的未知木马检测系统研究与实现[J]. 信息网络安全, 2015, 15(2): 57-65.
[2]	刘昊辰;罗森林. Android系统木马隐藏及检测技术[J]. , 2013, 13(1): 0-0.
[3]	杨卫军;张舒;胡光俊. 基于攻击树模型的木马检测方法[J]. , 2011, 11(9): 0-0.
[4]	赵天福;周丹平;王康;张博. 一种基于网络行为分析的反弹式木马检测方法[J]. , 2011, 11(9): 0-0.