
Method for detecting Trojan quickly based on heartbeat behavior analysis

A detection method and behavior analysis technology, applied in digital transmission systems, electrical components, transmission systems, etc. It solves the problem that small data packets cannot be effectively detected, and achieves high session reorganization efficiency and improved storage space.

Active Publication Date: 2011-09-28
PLA STRATEGIC SUPPORT FORCE INFORMATION ENG UNIV PLA SSF IEU

AI Technical Summary

Problems solved by technology

However, in actual Trojan horse communication, different algorithms can be used to make the arrival time intervals of adjacent data packets follow various distributions. In addition, packet arrival time intervals are affected to a large extent by the network topology, so using the arrival time interval of data packets as a description of behavior has certain disadvantages.
Moreover, the short commands in Trojan horse communication can be hidden in larger HTML page content, so emphasizing the proportion of small data packets in the communication cannot achieve effective detection.


Examples


Embodiment 1

[0060] Embodiment one: the fast Trojan detection method based on heartbeat behavior analysis is:

[0061] Organize the captured network data according to network sessions: use the IP address and port of the monitored object as the source IP address and source port. The data packets are divided into sessions according to the equivalent quadruple, that is, each session is uniquely identified by the equivalent quadruple (so each session linked list contains a bidirectional data flow), and the session linked list is selected as the data structure for storing the session. The session linked list is chosen because network communication is a dynamic process: the data packets in a session keep increasing as the communication progresses, so the data structure used to save the session must also change dynamically. In the process of building the session linked list, it is necessary t...

Embodiment 2

[0092] Embodiment 2: The parts of this embodiment that are the same as Embodiment 1 are not repeated. The difference is: because the DFT transform has high computational complexity, statistics with relatively low computational complexity can instead be constructed from the second-level Haar wavelet decomposition to detect Trojan heartbeat behavior. As before, X represents the time interval sampling set of unidirectional data flow packets, so that is the transformed feature vector. Take

[0093] $t_i = \frac{x_i - x_{i-1}}{2}$;

[0094] w i = t i - t i ...


Abstract

The invention discloses a fast Trojan detection method based on heartbeat behavior analysis. The differences between Trojan communication behavior and normal network communication behavior are analyzed at this stage by checking whether the heartbeat gap between two adjacent heartbeat processes is regular and whether the ratio of the numbers of packets received and sent by the controlled terminal is equal. The essential distinctions between Trojan communication behavior and normal network communication behavior are mined, behavioral characteristics are extracted, and suspected Trojans are detected. By analyzing Trojan heartbeat behavior, the method effectively detects Trojan communications in networks, so that the Trojan-controlled terminal can be disconnected from the attacker in real time, thereby preventing information theft.
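The two checks named in the abstract, applied to sessions grouped as in Embodiment 1, can be sketched as follows. This is an added example, not code from the patent: the normalisation of the Embodiment 2 difference t_i = (x_i - x_{i-1})/2 by the mean interval, both thresholds, and all function names and addresses are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean

def sessionize(packets, host):
    """Group (ts, sip, sport, dip, dport) packets into bidirectional sessions,
    keyed by the 4-tuple with the monitored host always on the source side."""
    sessions = defaultdict(lambda: {"sent": [], "recv": []})
    for ts, sip, sport, dip, dport in packets:
        if sip == host:
            sessions[(sip, sport, dip, dport)]["sent"].append(ts)
        elif dip == host:
            sessions[(dip, dport, sip, sport)]["recv"].append(ts)
    return sessions

def regularity(timestamps):
    """mean|t_i| / mean(x), with t_i = (x_i - x_{i-1}) / 2 over the interval
    set X. The normalisation is an assumption of this example; near 0 = regular."""
    ts = sorted(timestamps)
    x = [b - a for a, b in zip(ts, ts[1:])]
    if len(x) < 3 or mean(x) == 0:
        return None  # too few intervals to judge
    t = [(x[i] - x[i - 1]) / 2 for i in range(1, len(x))]
    return mean(abs(v) for v in t) / mean(x)

def is_heartbeat_like(session, max_score=0.05, ratio_tol=0.2):
    """Regular gap AND near-equal sent/received counts; thresholds are assumed."""
    score = regularity(session["sent"])
    if score is None or not session["recv"]:
        return False
    ratio = len(session["sent"]) / len(session["recv"])
    return score <= max_score and abs(ratio - 1.0) <= ratio_tol

def analyze(packets, host):
    return {key: is_heartbeat_like(s) for key, s in sessionize(packets, host).items()}

# Constructed sample capture (documentation addresses, not real traffic).
HOST = "192.0.2.10"
BEACON = (HOST, 50000, "198.51.100.7", 443)
BROWSE = (HOST, 50001, "203.0.113.20", 80)
SAMPLE = []
for t in (0, 30.2, 59.9, 90.1, 120, 149.8, 180.1, 210):  # ~30 s keep-alive
    SAMPLE.append((t, *BEACON))
    SAMPLE.append((t + 0.05, BEACON[2], BEACON[3], BEACON[0], BEACON[1]))
for t in (1, 1.2, 1.3, 9, 40, 41, 95):  # bursty page loads, 3 replies each
    SAMPLE.append((t, *BROWSE))
    SAMPLE += [(t + d, BROWSE[2], BROWSE[3], HOST, BROWSE[1]) for d in (0.1, 0.2, 0.3)]

if __name__ == "__main__":
    for key, flag in analyze(SAMPLE, HOST).items():
        print(key, "heartbeat-like" if flag else "normal")
```

Requiring both conditions keeps regular but asymmetric traffic, such as a periodic download, from being flagged on timing alone.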

Description

Technical field

[0001] The invention relates to a Trojan horse detection technology based on communication behavior analysis, in particular to a fast Trojan horse detection method based on heartbeat behavior analysis.

Background technique

[0002] Most current information-stealing attacks are carried out using Trojan horses. The most notable feature of Trojan horses is that their behavior is often highly concealed. After a Trojan horse is successfully implanted into the target computer, the Trojan horse control terminal must communicate with the controlled terminal in order to issue control instructions to it or to have it return the obtained information to the control terminal. The concealment of this communication determines the survivability of the Trojan horse to a large extent. The network covert channel technology that has emerged in recent years, that is, the technology of embedding communication data into normal network communication...


Application Information

IPC(8): H04L12/24, H04L12/26, H04L29/06
Inventor: 刘胜利, 陈嘉勇, 孟磊, 吴林锦, 曾诚
Owner PLA STRATEGIC SUPPORT FORCE INFORMATION ENG UNIV PLA SSF IEU