Netinfo Security, 2015, Vol. 15, Issue (2): 57-65. doi: 10.3969/j.issn.1671-1122.2015.02.010

Research and Implementation on Unknown Trojan Detection System Based on Feature Analysis and Behavior Monitoring

HAO Zeng-shuai1, GUO Rong-hua2, WEN Wei-ping1, MENG Zheng1

  1. School of Software & Microelectronics, Peking University, Beijing 102600, China
  2. LEETC, Luoyang Henan 471003, China
  • Received: 2014-12-12 Online: 2015-02-10 Published: 2015-07-05

Abstract:

A Trojan is a malicious program that exists mainly to steal a user’s personal information and file data, and even to control the user’s computer remotely, while hiding itself as far as possible. In recent years, hacker activity has become more professional, profit-driven, and group-organized, and network intrusion and attack methods change daily. Today, Trojan detection generally depends on the capability of anti-virus software, which usually removes Trojans by using characteristic code comparison and behavior recognition technology. This approach requires the anti-virus software to intercept Trojan samples for analysis, extract them, and identify the Trojan only after the Trojan characteristic library has been upgraded. The resulting lag is severe, so new Trojans and Trojans without known characteristics cannot be removed. This paper discusses anti-anti-virus techniques, hiding techniques, and techniques for breaking through active defense, puts forward a Trojan detection method based on feature analysis and behavior monitoring, and completes the design and implementation of an unknown Trojan detection system. The system addresses the shortcoming that existing anti-virus software and security measures can only remove and monitor known Trojans but cannot identify and remove unknown Trojans.

Key words: Trojan detection, Trojan killing, feature analysis, behavior monitoring

CLC Number: