
Traffic-based Trojan Detection Technology

Published: 2018-06-27 21:40

  Topic: Trojan detection + traffic detection; Source: University of Electronic Science and Technology of China, master's thesis, 2014


[Abstract]: Computer Trojans are now the most widespread and most far-reaching class of viruses, and one of the common means by which criminals obtain financial gain. Detection technology, however, remains immature: mainstream anti-virus products have strong Trojan scanning and removal capabilities, but they target individual end-user hosts, and no dedicated Trojan detection system for enterprise-level networks exists. Against this background, the thesis studies Trojan techniques and the principles of their detection, and proposes a new, traffic-based approach to Trojan detection. Its core is to study the mature PC-side (endpoint) Trojan detection techniques together with intrusion detection systems, and to carry the techniques of the former over into the latter in some form, arriving at a Trojan detection system design for enterprise networks. The work comprises a study of Trojans and their detection techniques, a study of the traffic-detection model and its key techniques, and system development and testing. The first part analyses the major families of Trojans to understand their core techniques and principles. The second part studies detection from two sides: endpoint detection, where the mainstream PC-side techniques are analysed in detail to understand their principles and methods, and intrusion detection, where the intrusion detection model and its key problems are examined in depth. The third part is the core of the system: it proposes the traffic-based detection model and the design of its key techniques, namely traffic processing, handling of out-of-order packets, and real-time detection. The fourth part designs the complete system in detail on that basis, implements the algorithms described, builds a test environment around the system prototype and tests it thoroughly. To verify the feasibility of the proposed scheme, the system is tested both for load handling and for Trojan detection capability. Experiments show that the system withstands high traffic volumes well, and that its load tolerance improves as its running time grows. The system also shows good Trojan detection capability: during both the implantation and the activity stages of a Trojan, it can effectively detect potential risks on active hosts in the internal network, although its false-negative and false-positive rates are higher than those of endpoint detection software. The system demonstrates that traffic-based Trojan monitoring is feasible and that endpoint-oriented detection techniques can be applied to network-traffic-oriented detection, which, compared with endpoint detection, has lower deployment cost and wider coverage. The thesis offers a reference for future virus and Trojan detection technology and has extension value for current and future intrusion detection and intrusion prevention systems.
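The abstract names traffic processing, handling of out-of-order packets and real-time detection as the model's key techniques but describes none of them in detail. The following is an added illustrative example, not code from the thesis: it reassembles TCP segments per flow so that out-of-order arrival and retransmission do not break inspection, then runs a content signature over the reassembled stream, which is the simplest way an endpoint scanner's pattern can be carried over to network traffic. The signature, the addresses and the captured segments are constructed for the example; a real deployment would take segments from a capture library and carry a full rule set.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed for this example: a marker the hypothetical RAT puts in front of every command.
# A real rule set would carry many such patterns (and behavioural rules besides).
SIGNATURES = {
    "demo-rat-command": b"\x00\x01CMD:",
}


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int            # TCP sequence number of the first payload byte
    payload: bytes
    syn: bool = False   # SYN segments carry the initial sequence number


@dataclass
class Flow:
    next_seq: Optional[int] = None                           # next in-order byte expected
    pending: Dict[int, bytes] = field(default_factory=dict)  # seq -> payload, waiting for a gap to close
    data: bytearray = field(default_factory=bytearray)       # reassembled in-order stream


FlowKey = Tuple[str, int, str, int]


class FlowReassembler:
    """Buffers out-of-order TCP segments per 4-tuple and emits bytes only in order."""

    def __init__(self, max_pending: int = 64):
        self.flows: Dict[FlowKey, Flow] = defaultdict(Flow)
        self.max_pending = max_pending

    def feed(self, seg: Segment) -> FlowKey:
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        fl = self.flows[key]
        if seg.syn:
            fl.next_seq = seg.seq + 1          # SYN consumes one sequence number, carries no data
        elif fl.next_seq is None:
            fl.next_seq = seg.seq              # flow picked up mid-stream: first byte seen is the origin
        if seg.seq + len(seg.payload) <= fl.next_seq:
            return key                         # pure retransmission or empty segment: nothing new
        if seg.seq < fl.next_seq:
            # partial overlap with bytes already emitted: keep only the new tail
            seg = Segment(seg.src, seg.sport, seg.dst, seg.dport,
                          fl.next_seq, seg.payload[fl.next_seq - seg.seq:])
        if len(seg.payload) > len(fl.pending.get(seg.seq, b"")):
            fl.pending[seg.seq] = seg.payload
        if len(fl.pending) > self.max_pending:
            # a hole that never closes (loss or deliberate evasion): skip to the oldest buffered
            # segment so memory stays bounded; the bytes in the hole are lost to inspection
            fl.next_seq = min(fl.pending)
        while fl.next_seq in fl.pending:       # drain everything that is now contiguous
            chunk = fl.pending.pop(fl.next_seq)
            fl.data += chunk
            fl.next_seq += len(chunk)
        return key

    def stream(self, key: FlowKey) -> bytes:
        return bytes(self.flows[key].data)


def match_signatures(buf: bytes) -> List[str]:
    return [name for name, pat in SIGNATURES.items() if pat in buf]


def detect_per_packet(segments: List[Segment]) -> List[str]:
    """Naive approach: match each packet's payload on its own."""
    hits = set()
    for s in segments:
        hits.update(match_signatures(s.payload))
    return sorted(hits)


def detect_per_flow(segments: List[Segment]) -> List[str]:
    """Flow-based approach: reassemble first, then match the in-order stream."""
    reasm = FlowReassembler()
    keys = {reasm.feed(s) for s in segments}
    hits = set()
    for k in keys:
        hits.update(match_signatures(reasm.stream(k)))
    return sorted(hits)


def constructed_capture() -> List[Segment]:
    """Constructed traffic: one command split over three segments that arrive out of order,
    with the signature straddling a segment boundary, plus one retransmission."""
    client, server = ("10.0.0.5", 51234), ("203.0.113.9", 443)
    payload = b"\x00\x01CMD:whoami\n"
    a, b, c = payload[:3], payload[3:9], payload[9:]   # b"\x00\x01C", b"MD:who", b"ami\n"
    isn = 999

    def mk(seq: int, data: bytes, syn: bool = False) -> Segment:
        return Segment(*client, *server, seq, data, syn)

    return [
        mk(isn, b"", syn=True),
        mk(isn + 1 + 3, b),      # arrives before its predecessor
        mk(isn + 1, a),
        mk(isn + 1 + 9, c),
        mk(isn + 1 + 3, b),      # retransmission, must not duplicate bytes
    ]


if __name__ == "__main__":
    cap = constructed_capture()
    print("per-packet:", detect_per_packet(cap))   # []  (signature split across segments)
    print("per-flow:  ", detect_per_flow(cap))     # ['demo-rat-command']
```

Run as a script, the per-packet matcher misses the command because the signature is split across two segments, while the per-flow matcher finds it once the stream is reassembled. The `max_pending` bound is the part a practitioner should not skip: a sender that deliberately never fills a gap would otherwise make the sensor buffer segments forever, which is both a memory exhaustion and an evasion problem.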
【Degree-granting institution】: University of Electronic Science and Technology of China
【Degree level】: Master's
【Year of degree】: 2014
【Classification number】: TP393.08


Document number: 2075366



Permalink: https://www.wllwen.com/guanlilunwen/ydhl/2075366.html

