
CN119172113A - Remote control Trojan defense method and device based on flow in connection establishment phase - Google Patents


Info

Publication number: CN119172113A
Application number: CN202411180205.2A
Authority: CN (China)
Legal status: Pending
Prior art keywords: flow, remote control, session, traffic, trojan horse
Other languages: Chinese (zh)
Inventors: 郭春, 杨家龙, 申国伟, 崔允贺, 陈意, 苏洁
Current assignee: Guizhou University
Original assignee: Guizhou University
Events: application filed by Guizhou University; priority to CN202411180205.2A; publication of CN119172113A; legal status pending (current)

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic (common parent of the classes below)
    • H04L63/1441 Countermeasures against malicious traffic > H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1408 (as above) > H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The remote-control Trojan defense method and device based on traffic in the connection establishment stage belong to the field of intrusion detection and information security, and specifically to the detection and termination of remote-control Trojans. The method monitors a network card on a host and captures the network traffic passing through it in real time, preprocesses the captured traffic, derives a Markov matrix that characterizes each session from that session's traffic in the connection establishment stage, and classifies the Markov matrix with a deep learning model or a machine learning model. The method and device are suitable for detecting and terminating remote-control Trojans.

Description

Remote control Trojan horse defense method and device based on connection establishment stage flow
Technical Field
The invention relates to intrusion detection and information security, and in particular to the detection and termination of remote-control Trojans.
Background
A remote-control Trojan is a remote control program that can be propagated and implanted into a victim host in a variety of ways in order to gain control of the host and steal the user's confidential information. A remote-control Trojan attack can leak important data and is a serious threat to cyberspace security.
A remote-control Trojan has a client/server (C/S) architecture. In this document the component implanted on the victim host is called the "client", and the corresponding component the attacker uses to communicate with it is called the "server". The attacker sends an attack instruction from the server; the client then performs the corresponding malicious operation on the victim host and returns the result to the server. Remote-control Trojans are highly covert: once a host is infected, a variety of malicious operations can be carried out on it without the user's knowledge.
Remote-control Trojan attacks therefore pose a significant threat to the data security of individuals and organizations. Detection technology that can detect and terminate the Trojan process promptly and accurately, before the Trojan attacks the victim host, has both theoretical research significance and practical value for maintaining cyberspace security.
Traditional remote-control Trojan detection methods can be divided into three research directions according to the object of detection (files, host behavior or network traffic): file-based static detection, host-based dynamic detection and network-traffic-based detection.
File-based static detection extracts static features from binary files, executable files or decompiled files. The static method most commonly used in industry is a blacklist built from hash values of executable files. Although static detection can be completed without running the Trojan, it copes poorly with code obfuscation and packing ("shelling"), and its detection performance on unknown samples is poor.
Host-based dynamic detection runs the Trojan in a controlled virtual environment, monitors and records host file system modifications, registry value modifications, remote process injection, calls to specific Application Programming Interface (API) functions and the like, and then analyzes these characteristics to decide whether the program is a remote-control Trojan. Because dynamic detection focuses on an application's runtime host behavior rather than on static file characteristics, it can detect Trojans that use code obfuscation or packing. However, the detection system has to be deployed on every protected host, which is expensive, requires high system privileges and consumes considerable system resources.
Network-traffic-based detection methods can be broadly divided into two types: methods based on statistical features and methods based on the traffic payload.
Statistical-feature methods analyze the communication behavior of the remote-control Trojan and detect it by extracting statistical features of the RAT's communication. Existing methods of this type require time-consuming feature engineering to reach high detection accuracy, and their effectiveness depends on expert experience.
Payload-based methods take the TCP payload of the TCP packets in the traffic generated by software during communication as the object of analysis, to decide whether a host is under remote-control Trojan attack. Although these methods need neither expert knowledge nor time-consuming feature engineering, they use part of the Trojan's traffic from the command-and-control phase, so they cannot accurately detect the Trojan before the victim host is already under attack.
Network-traffic-based detection is a research hotspot in the field. However, most current methods concentrate on detection accuracy while the timeliness of detection is poor: they cannot accurately detect the Trojan before it attacks the victim host, and by the time it is detected the user's confidential information has already leaked, so from a data security standpoint the detection has little practical significance. In addition, current network-traffic-based methods tend to emphasize detection and neglect blocking: they focus only on detecting Trojan traffic and either do not consider terminating the Trojan or terminate it poorly. So although many methods detect remote-control Trojan traffic with high accuracy, they cannot effectively terminate it in time, and their value in real scenarios is limited.
In view of the above, there is a need for a detection and termination method that can detect a remote-control Trojan promptly and accurately, and terminate it, before the Trojan launches its attack on the victim host.
Disclosure of Invention
The invention provides a remote-control Trojan defense method and device based on traffic in the connection establishment stage. It addresses the poor timeliness, and the emphasis on detection over blocking, of existing network-traffic-based detection methods, and thus the problem that a remote-control Trojan cannot be detected and terminated accurately and in time before it launches its attack on the victim host.
The remote-control Trojan defense method based on connection establishment stage traffic has the following technical scheme:
The method comprises the following steps:
S1. Monitor a network card on the host and capture the network traffic passing through the network card in real time;
S2. Preprocess the captured network traffic to obtain session traffic, and derive a Markov matrix characterizing each session from that session's traffic in the connection establishment stage. Step S2 comprises the following steps:
S2.1. Split the captured network traffic into separate sessions according to a triplet consisting of source IP, destination IP and transport layer protocol;
S2.2. Extract the byte sequence of the session traffic in the connection establishment stage;
S2.3. Generate the corresponding Markov matrix from the extracted byte sequence to characterize the session traffic;
S3. Classify the generated Markov matrix with a deep learning model or a machine learning model and decide whether the process corresponding to the session represented by the matrix is a remote-control Trojan:
if it is judged to be a remote-control Trojan, locate the Trojan process corresponding to that session using the session's related information and terminate the process immediately;
otherwise, do not block the process corresponding to that session;
S4. Decide whether monitoring should continue:
if so, return to step S1;
otherwise, the defense method ends.
Further, in a preferred embodiment, the session traffic of the connection establishment stage starts with the SYN packet of the session and ends with the first TCP packet sent by the client to its server that carries a TCP payload of not less than 60 bytes.
Further, in a preferred embodiment, step S3 uses a deep learning model to classify the generated Markov matrix;
the deep learning model is a CNN model;
the CNN model outputs a class label for the Markov matrix;
the class label decides whether the process corresponding to the session represented by the Markov matrix is a remote-control Trojan.
Further, in a preferred embodiment, the Markov matrix is represented as follows:
where P_{m,n} denotes the transition probability from byte m to the next byte n, m, n ∈ {0, 1, ..., 255};
and f_{m,n} denotes the frequency of transitions from byte m to byte n.
Further, in a preferred embodiment, step S3 further comprises the following step:
when the process corresponding to the session represented by the Markov matrix is judged to be a remote-control Trojan, send an alarm e-mail to the user's mailbox.
The invention also provides a remote-control Trojan defense device based on traffic in the connection establishment stage, with the following technical scheme:
The device comprises a real-time traffic capture module, a traffic preprocessing module, a detection and analysis module and a termination module;
the real-time traffic capture module monitors a network card on the host and captures the network traffic passing through it in real time;
the traffic preprocessing module preprocesses the captured traffic to obtain session traffic and derives a Markov matrix characterizing each session from that session's traffic in the connection establishment stage;
the traffic splitting unit splits the captured traffic into separate sessions according to the triplet;
the triplet consists of source IP, destination IP and transport layer protocol;
the byte extraction unit extracts the byte sequence of the session traffic in the connection establishment stage;
the Trojan judging unit generates the corresponding Markov matrix from the extracted byte sequence to characterize the session traffic;
the detection and analysis module classifies the generated Markov matrix with a deep learning model or a machine learning model and decides whether the process corresponding to the session represented by the matrix is a remote-control Trojan:
if it is judged to be a remote-control Trojan, it locates the Trojan process corresponding to that session using the session's related information and terminates the process immediately;
otherwise, it does not block the process corresponding to that session;
the termination module decides whether monitoring should continue:
if so, the device returns to step S1;
otherwise, the defense method ends.
Further, in a preferred embodiment, the detection and analysis module further comprises an alarm unit:
the alarm unit sends an alarm e-mail to the user's mailbox when the process corresponding to the session represented by the Markov matrix is judged to be a remote-control Trojan.
The invention also provides a computer system with the following technical scheme:
A computer system comprising a processor and a memory for storing instructions executable by the processor, the processor being configured to perform the above remote-control Trojan defense method based on connection establishment stage traffic by executing those instructions.
The invention also provides a computer storage medium with the following technical scheme:
The storage medium stores a computer program which, when run, executes the remote-control Trojan defense method based on connection establishment stage traffic.
The invention also provides a computer program product with the following technical scheme:
A computer program product comprising computer programs/instructions which, when executed by a processor, implement the steps of the remote-control Trojan defense method based on connection establishment stage traffic described above.
The invention has the following beneficial effects:
1. The remote-control Trojan defense method based on connection establishment stage traffic identifies the Trojan from its connection establishment stage traffic, detects it promptly and accurately, and can take effective termination measures, avoiding the loss a user would suffer from a host infected by a remote-control Trojan.
2. The method captures the network traffic passing through the host's network card in real time and performs detection by analyzing the software's network traffic in the connection establishment stage. It thereby combines timeliness, accuracy and real-time termination capability: the remote-control Trojan can be detected and terminated in real time before it launches its attack on the victim host.
The remote-control Trojan defense method and device based on connection establishment stage traffic are suitable for detecting and terminating remote-control Trojans.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of the remote-control Trojan defense method based on connection establishment stage traffic in an embodiment of the invention;
Fig. 2 is a schematic structural diagram of the deep learning model (specifically, the CNN model) in an embodiment of the invention, where conv layer denotes a convolution layer (conv is short for Convolution), conv1 layer denotes the 1st convolution layer, conv2 layer denotes the 2nd convolution layer, pooling layer denotes a pooling layer, flat layer denotes a flattening layer, BN layer denotes a batch normalization layer, Fc layer denotes a fully connected layer (Fc is short for Fully Connected), Dropout layer denotes a random deactivation (dropout) layer, and Softmax layer is the activation function layer that produces the output of the classification problem.
Detailed Description
In order to make the technical scheme and the advantages of the present invention more clear, the following detailed description of the specific embodiments of the present invention will be further described in detail with reference to the accompanying drawings. The embodiments described below are only a part of preferred embodiments of the present invention, but not all embodiments, are intended to be illustrative of the present invention and not to be construed as limiting the present invention, a reasonable combination of technical features defined by the embodiments of the present invention, and all other embodiments obtained by persons of ordinary skill in the art based on the embodiments of the present invention without making an inventive effort are within the scope of protection of the present invention.
First embodiment. This embodiment is described with reference to Fig. 1 and Fig. 2 and provides a remote-control Trojan defense method based on connection establishment stage traffic, implemented as follows:
The method comprises the following steps:
S1. Monitor a network card on the host and capture the network traffic passing through the network card in real time;
S2. Preprocess the captured network traffic to obtain session traffic, and derive a Markov matrix characterizing each session from that session's traffic in the connection establishment stage. Step S2 comprises the following steps:
S2.1. Split the captured network traffic into separate sessions according to a triplet consisting of source IP, destination IP and transport layer protocol;
S2.2. Extract the byte sequence of the session traffic in the connection establishment stage;
S2.3. Generate the corresponding Markov matrix from the extracted byte sequence to characterize the session traffic;
S3. Classify the generated Markov matrix with a deep learning model or a machine learning model and decide whether the process corresponding to the session represented by the matrix is a remote-control Trojan:
if it is judged to be a remote-control Trojan, locate the Trojan process corresponding to that session using the session's related information and terminate the process immediately;
otherwise, do not block the process corresponding to that session;
S4. Decide whether monitoring should continue:
if so, return to step S1;
otherwise, the defense method ends.
In this embodiment, the triplet is written as {source IP, destination IP, transport layer protocol}.
In this embodiment, if the process corresponding to the session represented by the Markov matrix is judged not to be a remote-control Trojan, it is treated as benign software; the process is not blocked and runs normally in the system.
In this embodiment, if the process corresponding to the session represented by the Markov matrix is judged to be a remote-control Trojan, the corresponding process is terminated immediately, so that further malicious behavior is prevented and the loss caused by the host being infected is avoided.
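The termination step above only says that the process is located "according to the related information of the session". The following added example (not the patent's code) shows one way to do that on a Linux host, an assumption: the flagged session's local and remote IPs are matched against /proc/net/tcp to get the socket inode, and the inode is matched against /proc/<pid>/fd to find the owning process. The /proc/net/tcp excerpt is constructed.

```python
"""Termination step of S3: find the process that owns a flagged session.
Added illustration, not the patent's own code. Assumption: Linux host, socket
found via /proc/net/tcp, owning PID via the socket inode in /proc/<pid>/fd."""
import os
import signal
import socket
import struct


def decode_addr(field):
    """/proc/net/tcp prints IPv4 as the little-endian hex of the network-order
    address, e.g. '0100007F:0016' is 127.0.0.1 port 22."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return (local, remote, state, inode) per connection; header line skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        rows.append((decode_addr(f[1]), decode_addr(f[2]), int(f[3], 16), int(f[9])))
    return rows


def sockets_for_session(rows, local_ip, remote_ip, established_only=True):
    """The triplet of S2.1 carries no ports, so one flagged session can map to
    several sockets; return every matching inode. State 0x01 is ESTABLISHED."""
    return [inode for (lip, _), (rip, _), state, inode in rows
            if lip == local_ip and rip == remote_ip
            and (not established_only or state == 0x01)]


def pid_for_inode(inode, proc="/proc"):
    """Scan /proc/<pid>/fd for a link 'socket:[<inode>]'. Reading other users'
    fd tables needs root, which a host monitor runs as anyway."""
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:          # process exited or fd table not readable
            continue
    return None


def terminate_flagged_session(local_ip, remote_ip, dry_run=True):
    """Locate and (unless dry_run) SIGKILL the processes behind the session.
    Returns the PIDs found, so the alarm e-mail of the fifth embodiment can name them."""
    with open("/proc/net/tcp") as fh:
        rows = parse_proc_net_tcp(fh.read())
    pids = set()
    for inode in sockets_for_session(rows, local_ip, remote_ip):
        pid = pid_for_inode(inode)
        if pid is not None:
            pids.add(pid)
    if not dry_run:
        for pid in pids:
            os.kill(pid, signal.SIGKILL)
    return sorted(pids)


# Constructed /proc/net/tcp excerpt: 10.0.0.5:50148 -> 203.0.113.9:443 (ESTABLISHED)
# plus an unrelated listener on 0.0.0.0:22.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001 1 0000000000000000 100 0 0 10 0
   1: 0500000A:C3E4 097100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    rows = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    print("sockets for flagged session:", sockets_for_session(rows, "10.0.0.5", "203.0.113.9"))
```

Because the patent's triplet has no ports, a flagged session may correspond to more than one socket and process on the host; the function therefore returns every match rather than the first one.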
Second embodiment. This embodiment is described with reference to Fig. 1 and Fig. 2 and further limits the method of the first embodiment as follows:
The session traffic of the connection establishment stage starts with the SYN packet of the session and ends with the first TCP packet sent by the client to the server that carries a TCP payload of not less than 60 bytes.
In this embodiment, this first TCP packet with a payload of not less than 60 bytes sent by the client to the server is the first online (check-in) packet of the remote-control Trojan or benign software.
In this embodiment, the initial "SYN packet" and the terminating "TCP packet" are used to locate the connection establishment stage of the remote-control Trojan or benign software.
Third embodiment. This embodiment is described with reference to Fig. 1 and Fig. 2 and further limits the method of the first embodiment as follows:
in step S3, a deep learning model is used to classify the generated Markov matrix;
the deep learning model is a CNN model;
the CNN model outputs a class label for the Markov matrix;
the class label decides whether the process corresponding to the session represented by the Markov matrix is a remote-control Trojan.
In this embodiment, the Markov matrix input to the CNN model has a fixed size of 256×256.
In this embodiment, the CNN model outputs the class label of the Markov matrix through a Softmax function.
In this embodiment, the CNN model comprises 2 convolution layers, 2 pooling layers, 1 flatten layer, 1 BN layer, 1 fully connected layer, 1 Dropout layer and 1 Softmax layer;
in the CNN model, the 1st convolution layer, 1st pooling layer, 2nd convolution layer, 2nd pooling layer, flatten layer, BN layer, fully connected layer, Dropout layer and Softmax layer are connected in sequence from input to output.
In this embodiment, the deep learning model is built and trained in Python with Keras and TensorFlow.
Fourth embodiment. This embodiment is described with reference to Fig. 1 and Fig. 2 and further limits the method of the first embodiment as follows:
the Markov matrix is represented as follows:
where P_{m,n} denotes the transition probability from byte m to the next byte n, m, n ∈ {0, 1, ..., 255};
and f_{m,n} denotes the frequency of transitions from byte m to byte n.
In this embodiment, the Markov matrix M is calculated as follows:
let the byte sequence extracted from one session be Bytes = {Byte_i : i > 0};
assume that the probability of occurrence of Byte_i depends only on Byte_{i-1}; the byte sequence is therefore a Markov chain;
each byte takes a value from 0 to 255, i.e. each byte has 256 possible states, and any state can transition to any other state, so a Markov matrix M of fixed size 256×256 can be generated. Specifically:
let P_{m,n} denote the transition probability from byte m to the next byte n; then P_{m,n} is expressed as follows:
where f_{m,n} denotes the frequency of transitions from byte m to byte n, m, n ∈ {0, 1, ..., 255};
after the transition probability from each byte to every other byte has been computed in this way, the Markov matrix M is obtained:
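The following added example (not the patent's code) carries steps S2.1 to S2.3 and the matrix construction of this embodiment through on a constructed capture: packets are grouped by the {source IP, destination IP, protocol} triplet, the connection establishment stage is cut from the SYN up to the first client packet with at least 60 payload bytes, and the 256×256 Markov matrix is built from its bytes. Two assumptions are labelled in the code: only TCP payload bytes form the byte sequence, and P_{m,n} is the row-normalised frequency f_{m,n} / Σ_k f_{m,k}.

```python
"""Steps S2.1-S2.3 and the fourth embodiment: sessions by triplet, connection
establishment stage (SYN up to the first client packet with >= 60 payload
bytes), and a 256x256 Markov matrix of its byte sequence.
Added illustration, not the patent's own code; all packets are constructed."""
from collections import defaultdict
from dataclasses import dataclass

PAYLOAD_THRESHOLD = 60   # end-of-stage rule from the second embodiment


@dataclass
class Packet:
    src: str          # source IP
    dst: str          # destination IP
    proto: str        # transport layer protocol name
    syn: bool         # TCP SYN flag
    ack: bool         # TCP ACK flag
    payload: bytes    # TCP payload (assumption: only payload bytes feed the matrix)


def split_sessions(packets):
    """S2.1: group packets by the triplet. The two IPs are taken as an
    unordered pair so that both directions of one connection share a session."""
    sessions = defaultdict(list)
    for p in packets:
        sessions[(frozenset((p.src, p.dst)), p.proto)].append(p)
    return sessions


def establishment_bytes(session):
    """S2.2: the stage starts at the pure SYN (its sender is the client) and
    ends, inclusive, with the first client packet whose payload is at least
    PAYLOAD_THRESHOLD bytes. Returns None if the stage never closes inside the
    captured packets, so an incomplete session is not classified."""
    start = next((i for i, p in enumerate(session) if p.syn and not p.ack), None)
    if start is None:
        return None
    client = session[start].src
    seq = bytearray()
    for p in session[start:]:
        seq += p.payload
        if p.src == client and len(p.payload) >= PAYLOAD_THRESHOLD:
            return bytes(seq)
    return None


def markov_matrix(seq):
    """S2.3 / fourth embodiment: M[m][n] = P_{m,n}, the probability that byte m
    is followed by byte n. Assumption (the page only says P_{m,n} is derived
    from the transition frequency f_{m,n}): each row is normalised by its
    total, P_{m,n} = f_{m,n} / sum_k f_{m,k}; rows of bytes that never occur
    stay all-zero."""
    f = [[0] * 256 for _ in range(256)]
    for m, n in zip(seq, seq[1:]):
        f[m][n] += 1
    matrix = []
    for row in f:
        total = sum(row)
        matrix.append([c / total if total else 0.0 for c in row])
    return matrix


def session_matrices(packets):
    """Whole step S2: triplet -> Markov matrix for every session whose
    connection establishment stage is complete."""
    result = {}
    for key, session in split_sessions(packets).items():
        seq = establishment_bytes(session)
        if seq is not None:
            result[key] = markov_matrix(seq)
    return result


# Constructed sample capture: one TCP connection plus an unrelated UDP packet.
C, S = "10.0.0.5", "203.0.113.9"
SAMPLE_PACKETS = [
    Packet(C, S, "TCP", True, False, b""),                  # SYN (stage starts)
    Packet(S, C, "TCP", True, True, b""),                   # SYN-ACK
    Packet(C, S, "TCP", False, True, b""),                  # ACK
    Packet(C, S, "TCP", False, True, b"\x01\x02" * 10),     # 20-byte client packet, too small
    Packet(S, C, "TCP", False, True, b"\x03" * 8),          # 8 bytes from the server
    Packet(C, S, "TCP", False, True, bytes(range(60))),     # 60 bytes: stage ends here
    Packet(C, S, "TCP", False, True, b"\xff" * 100),        # command phase, not used
    Packet(C, "10.0.0.53", "UDP", False, False, b"dns?"),   # different triplet
]

if __name__ == "__main__":
    for key, m in session_matrices(SAMPLE_PACKETS).items():
        nonzero = sum(1 for row in m for v in row if v)
        print(sorted(key[0]), key[1], "non-zero transitions:", nonzero)
```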
Fifth embodiment. This embodiment is described with reference to Fig. 1 and Fig. 2 and further limits the method of the first embodiment as follows:
step S3 further comprises the following step:
when the process corresponding to the session represented by the Markov matrix is judged to be a remote-control Trojan, send an alarm e-mail to the user's mailbox.
Sixth embodiment. This embodiment is described with reference to Fig. 1 and Fig. 2 and provides a remote-control Trojan defense device based on connection establishment stage traffic, implemented as follows:
The device comprises a real-time traffic capture module, a traffic preprocessing module, a detection and analysis module and a termination module;
the real-time traffic capture module monitors a network card on the host and captures the network traffic passing through it in real time;
the traffic preprocessing module preprocesses the captured traffic to obtain session traffic and derives a Markov matrix characterizing each session from that session's traffic in the connection establishment stage;
the traffic splitting unit splits the captured traffic into separate sessions according to the triplet;
the triplet consists of source IP, destination IP and transport layer protocol;
the byte extraction unit extracts the byte sequence of the session traffic in the connection establishment stage;
the Trojan judging unit generates the corresponding Markov matrix from the extracted byte sequence to characterize the session traffic;
the detection and analysis module classifies the generated Markov matrix with a deep learning model or a machine learning model and decides whether the process corresponding to the session represented by the matrix is a remote-control Trojan:
if it is judged to be a remote-control Trojan, it locates the Trojan process corresponding to that session using the session's related information and terminates the process immediately;
otherwise, it does not block the process corresponding to that session;
the termination module decides whether monitoring should continue:
if so, the device returns to step S1;
otherwise, the defense method ends.
In this embodiment, the device is configured to implement the method of the first embodiment.
Seventh embodiment. This embodiment is described with reference to Fig. 1 and Fig. 2 and further limits the device of the sixth embodiment as follows:
the detection and analysis module further comprises an alarm unit:
the alarm unit sends an alarm e-mail to the user's mailbox when the process corresponding to the session represented by the Markov matrix is judged to be a remote-control Trojan.
To illustrate the effect of the method described in the above embodiments, this embodiment provides a comparative experiment.
The comparative experiment evaluates the detection effect of the method described above against other remote control Trojan traffic detection methods on a data set containing the network traffic of 67 remote control Trojans and 67 benign programs.
From a practical standpoint, the experiment mainly tests the capability of the method of this embodiment (hereafter "the method") to detect unknown remote control Trojans, that is, remote control Trojans that were not used to train the detection model. The results show that the method detects unknown remote control Trojans on this data set with an accuracy of 98.6%, exceeding the other detection methods.
The experimental sample set is divided into remote control Trojan samples and benign software samples, listed in Table 1 and Table 2 respectively.
TABLE 1 remote control Trojan horse sample
TABLE 2 benign software samples
The experimental environment was deployed as follows:
The remote control Trojan clients (active from 2013 to 2018) and benign software numbered 1 to 52 in Tables 1 and 2 were deployed in one or more of the virtual runtime environments {Windows 7 Professional (32-bit), Windows 7 Enterprise (64-bit), Windows 8 (64-bit), Windows 10 Professional (64-bit), Windows Server 2019 (64-bit)}, and the generated session traffic was divided into a training set and a validation set at a ratio of 4:1;
The remote control Trojan clients (active from 2018 to 2024) and benign software numbered 53 to 67 in Tables 1 and 2 were deployed in the virtual runtime environments {Windows 10 reduction (64-bit), Windows 11 Professional (64-bit)} to generate the session traffic of the test set.
The distribution and composition of the data sets are shown in Table 3; the training set, the validation set and the test set have no intersection with each other.
TABLE 3 distribution and composition of datasets
The detection effect of the method and of the other detection methods in the comparative experiment is shown in Table 4.
TABLE 4 detection results for different methods
The experimental results show that the method of this embodiment reaches a detection accuracy of 98.6%, which is higher than that of the other detection methods.
The method detects a remote control Trojan during its connection establishment stage with high accuracy, that is, before the remote control Trojan launches its attack on the victim host. This is of practical significance for detecting a remote control Trojan in time, terminating it effectively and protecting the user's confidential information.
The other detection methods compared against the method in the comparative experiment are taken from the following literature:
Jiang W, Wu X, Cui X, et al. A highly efficient remote access Trojan detection method [J]. International Journal of Digital Crime and Forensics (IJDCF), 2019, 11(4): 1-13.
Jiang D, Omote K. An approach to detect remote access trojan in the early stage of communication [C]// 2015 IEEE 29th International Conference on Advanced Information Networking and Applications. IEEE, 2015: 706-713.
Guo Chun, Pi Ben, Shen Guowei, et al. Remote control Trojan flow early detection model construction method, device and detection method based on convolutional neural network: CN202211455368.8 [P]. 2022-11-21.
The technical solution provided by the present invention has been described in further detail through several specific embodiments in order to highlight its advantages and benefits; however, the above specific embodiments are not intended to be limiting, and any reasonable modification, improvement, combination of embodiments, equivalent substitution, etc. made on the basis of the spirit and principle of the present invention shall fall within the scope of protection of the present invention.

Claims (10)

1. A remote control Trojan defense method based on connection establishment stage traffic, characterized by comprising the following steps:
S1, monitoring a network card on a host and capturing, in real time, the network traffic flowing through the network card;
S2, preprocessing the captured network traffic to obtain session traffic, and obtaining, from the session traffic of the connection establishment stage, a Markov matrix characterizing the session traffic, wherein step S2 comprises:
S2.1, dividing the captured network traffic into different session traffic according to a triplet, the triplet comprising the source IP, the destination IP and the transport layer protocol;
S2.2, extracting the byte sequence of the session traffic in the connection establishment stage;
S2.3, generating the corresponding Markov matrix from the extracted byte sequence so as to characterize the session traffic;
S3, judging the generated Markov matrix with a deep learning model or a machine learning model, to decide whether the process corresponding to the session traffic represented by the Markov matrix is a remote control Trojan:
if it is judged to be a remote control Trojan, locating, from the related information of the session traffic, the remote control Trojan process corresponding to the session traffic represented by the Markov matrix, and immediately terminating that process;
otherwise, not blocking the process corresponding to the session traffic represented by the Markov matrix;
S4, judging whether continuous monitoring is needed:
if continuous monitoring is needed, returning to step S1;
otherwise, ending the flow of the remote control Trojan defense method.
2. The remote control Trojan defense method based on connection establishment stage traffic according to claim 1, characterized in that the session traffic of the connection establishment stage starts with the SYN packet of the session and ends with the first TCP packet sent by the client to its server whose TCP payload is not less than 60 bytes.
3. The remote control Trojan defense method based on connection establishment stage traffic according to claim 1, characterized in that in step S3 a deep learning model is used to judge the generated Markov matrix;
the deep learning model is a CNN model;
the CNN model outputs a class label for the Markov matrix;
the class label is used to judge whether the process corresponding to the session traffic represented by the Markov matrix is a remote control Trojan.
4. The remote control Trojan defense method based on connection establishment stage traffic according to claim 1, characterized in that the Markov matrix is expressed as follows:
where P_{m,n} represents the transition probability from byte m to the next byte n, with m, n ∈ {0, 1, ..., 255};
and f_{m,n} denotes the frequency of transitions from byte m to byte n.
5. The remote control Trojan defense method based on connection establishment stage traffic according to claim 1, characterized in that step S3 further comprises:
when the process corresponding to the session traffic represented by the Markov matrix is judged to be a remote control Trojan, sending an alarm mail to the user's mailbox.
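A worked implementation of steps S2.1 to S2.3 together with the stage boundary of claim 2, added here as an example in Python; it is not the patent's code. The packet tuple layout and the PACKETS capture are constructed for the example, the byte sequence is taken to be the concatenated TCP payloads of the packets in the stage (the claims do not say whether packet headers are included), both directions of a conversation are folded into one session by keying on the unordered IP pair plus protocol, and the classifier of step S3 is outside the example.

```python
from collections import defaultdict

MIN_PAYLOAD = 60  # claim 2: the stage ends at the first client packet with TCP payload >= 60 bytes

# Constructed capture in arrival order: (src_ip, dst_ip, proto, tcp_flags, payload).
# Made up for this example; not real traffic and not the patent's data set.
PACKETS = [
    ("10.0.0.5", "203.0.113.7", "TCP", "S", b""),
    ("203.0.113.7", "10.0.0.5", "TCP", "SA", b""),
    ("10.0.0.5", "203.0.113.7", "TCP", "A", b""),
    ("10.0.0.5", "203.0.113.7", "TCP", "PA", b"\x17\x03\x03\x00\x1e" + bytes(30)),  # 35 bytes, below threshold
    ("203.0.113.7", "10.0.0.5", "TCP", "PA", b"\x17\x03\x03\x00\x10" + bytes(16)),  # server reply, 21 bytes
    ("10.0.0.5", "203.0.113.7", "TCP", "PA", bytes(range(64))),                     # 64 bytes: ends the stage
    ("10.0.0.5", "203.0.113.7", "TCP", "PA", b"beyond the stage"),                   # after the stage, ignored
    ("10.0.0.5", "198.51.100.9", "UDP", "", b"\x00\x01"),                           # other triplet, no SYN
]


def split_sessions(packets):
    """Step S2.1: group packets by the claim's triplet. Both directions of one
    conversation belong to the same session, so the key is the unordered IP pair
    plus the transport protocol (an assumption of this example)."""
    sessions = defaultdict(list)
    for pkt in packets:
        src, dst, proto = pkt[0], pkt[1], pkt[2]
        sessions[(frozenset((src, dst)), proto)].append(pkt)
    return sessions


def establishment_stage(session):
    """Step S2.2 with the boundary of claim 2. Returns (client_ip, byte_sequence)
    for the connection-establishment stage, or None if the session has no SYN or
    the stage never completes. The byte sequence is the concatenation of the TCP
    payloads from the SYN up to and including the first client packet whose
    payload is at least MIN_PAYLOAD bytes."""
    client = None
    seq = bytearray()
    for src, _dst, proto, flags, payload in session:
        if proto != "TCP":
            return None
        if client is None:
            if flags == "S":  # the pure SYN identifies the client and opens the stage
                client = src
            continue
        seq += payload
        if src == client and len(payload) >= MIN_PAYLOAD:
            return client, bytes(seq)
    return None


def markov_matrix(byte_seq):
    """Step S2.3: 256x256 transition matrix with P[m][n] = f[m][n] / sum_k f[m][k],
    where f[m][n] counts how often byte m is immediately followed by byte n.
    Rows for bytes that never occur (no outgoing transition) stay all zero."""
    counts = [[0] * 256 for _ in range(256)]
    for m, n in zip(byte_seq, byte_seq[1:]):
        counts[m][n] += 1
    matrix = []
    for row in counts:
        total = sum(row)
        matrix.append([c / total for c in row] if total else [0.0] * 256)
    return matrix


def analyse(packets):
    """Run S2.1 to S2.3 over a capture. Returns {session_key: (client_ip, matrix)}
    for every session whose establishment stage completed; the matrices are what
    the model of step S3 would classify."""
    result = {}
    for key, pkts in split_sessions(packets).items():
        stage = establishment_stage(pkts)
        if stage is not None:
            client, seq = stage
            result[key] = (client, markov_matrix(seq))
    return result


if __name__ == "__main__":
    for key, (client, matrix) in analyse(PACKETS).items():
        nonzero_rows = sum(1 for row in matrix if any(row))
        print(sorted(key[0]), key[1], "client", client, "rows with transitions:", nonzero_rows)
```

Two practical notes. The claim's triplet carries no ports, so concurrent connections between the same pair of hosts fall into one session and their bytes interleave; a deployment would normally key on the full 5-tuple (adding source and destination ports) so each TCP connection gets its own matrix, and would use that client IP and port to look up the owning process in the operating system's connection table (for instance psutil.net_connections(), or GetExtendedTcpTable on Windows) for the termination step of S3. Short stages also yield sparse matrices, which is why the example keeps absent rows at zero rather than smoothing them.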
6. A remote control Trojan defense device based on connection establishment stage traffic, characterized by comprising a real-time traffic capture module, a traffic preprocessing module, a detection and analysis module and a termination module;
the real-time traffic capture module is used for monitoring a network card on a host and capturing, in real time, the network traffic flowing through the network card;
the traffic preprocessing module is used for preprocessing the captured network traffic to obtain session traffic, and obtaining, from the session traffic of the connection establishment stage, a Markov matrix characterizing the session traffic, wherein:
the traffic dividing unit is used for dividing the captured network traffic into different session traffic according to a triplet, the triplet comprising the source IP, the destination IP and the transport layer protocol;
the byte extraction unit is used for extracting the byte sequence of the session traffic in the connection establishment stage;
the Trojan judging unit is used for generating the corresponding Markov matrix from the extracted byte sequence so as to characterize the session traffic;
the detection and analysis module is used for judging the generated Markov matrix with a deep learning model or a machine learning model, to decide whether the process corresponding to the session traffic represented by the Markov matrix is a remote control Trojan:
if it is judged to be a remote control Trojan, locating, from the related information of the session traffic, the remote control Trojan process corresponding to the session traffic represented by the Markov matrix, and immediately terminating that process;
otherwise, not blocking the process corresponding to the session traffic represented by the Markov matrix;
the termination module is used for judging whether continuous monitoring is needed:
if continuous monitoring is needed, returning to step S1;
otherwise, ending the flow of the remote control Trojan defense method.
7. The remote control Trojan defense device based on connection establishment stage traffic according to claim 6, characterized in that the detection and analysis module further comprises an alarm unit:
the alarm unit is used for sending an alarm mail to the user's mailbox when the process corresponding to the session traffic represented by the Markov matrix is judged to be a remote control Trojan.
8. A computer system comprising a processor and a memory, wherein the memory is configured to store instructions executable by the processor, and the processor is configured to perform, by executing the instructions, the remote control Trojan defense method based on connection establishment stage traffic according to any one of claims 1 to 5.
9. A computer storage medium storing a computer program which, when run, performs the remote control Trojan defense method based on connection establishment stage traffic according to any one of claims 1 to 5.
10. A computer program product comprising a computer program or instructions which, when executed by a processor, implement the steps of the remote control Trojan defense method based on connection establishment stage traffic according to any one of claims 1 to 5.
CN202411180205.2A 2024-08-27 2024-08-27 Remote control Trojan defense method and device based on flow in connection establishment phase Pending CN119172113A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411180205.2A CN119172113A (en) 2024-08-27 2024-08-27 Remote control Trojan defense method and device based on flow in connection establishment phase

Publications (1)

Publication Number Publication Date
CN119172113A (en) 2024-12-20

Family

ID=93879807

Country Status (1)

Country Link
CN (1) CN119172113A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN103475663A * | 2013-09-13 | 2013-12-25 | Wuxi Huayu Information Technology Co., Ltd. | Trojan recognition method based on network communication behavior characteristics
CN109600394A * | 2019-01-19 | 2019-04-09 | Zhengzhou University of Light Industry | A kind of tunnel HTTP Trojan detecting method based on deep learning
CN111818049A * | 2020-07-08 | 2020-10-23 | Baomu Technology (Tianjin) Co., Ltd. | Botnet flow detection method and system based on Markov model
US20230140790A1 * | 2021-11-01 | 2023-05-04 | Recorded Future, Inc. | Malware Victim Identification
CN116266799A * | 2022-11-21 | 2023-06-20 | Guizhou University | Remote control Trojan flow early detection model construction method, device and detection method based on convolutional neural network
CN117176382A * | 2023-07-08 | 2023-12-05 | PLA Strategic Support Force Information Engineering University | A remote control Trojan traffic detection method based on fusion sequence

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Ben Pi et al.: "Remote access trojan traffic early detection method based on Markov matrices and deep learning", Elsevier, 30 November 2023 (2023-11-30), pages 1-11 *
Wang Chen et al.: "Research on an early detection method for remote access Trojans using sequence analysis" (利用序列分析的远控木马早期检测方法研究), Journal of Frontiers of Computer Science and Technology (计算机科学与探索), 30 September 2020 (2020-09-30), pages 2315-2326 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination