Journal: 《信息网络安全》 (Netinfo Security)

Analysis of Traffic Behavior Characteristics in the Three Communication Stages of Remote Access Trojans (远控型木马通信三阶段流量行为特征分析)

Abstract

With the development of Internet technologies, network applications have spread widely, and ensuring network security has become an urgent problem. Currently, the Trojan is one of the most serious threats to network security. The main Trojan detection methods are signature-based detection and behavior-based detection. This paper analyzes the traffic behavior characteristics of the three communication stages of a remote access Trojan. During connection establishment, the Trojan exhibits dynamic DNS behavior, and the PSH flag of TCP packets is set to 1 when data is transferred, increasing the number of PSH packets. During command interaction, upload and download traffic are asymmetrical, and the proportion of small packets is high. During connection keeping, the server sends keep-alive packets. This paper designs experiments that compare the traffic behavior of normal applications with that of remote access Trojans on the above features and analyzes their similarities and differences, providing a basis for identifying Trojans through traffic behavior characteristics.
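As an added example (not code from the paper), the following Python computes the command-interaction and keep-alive features the abstract describes over constructed per-packet flow records: the PSH ratio, the small-packet ratio, the upload/download asymmetry, and a periodicity check for small server-side packets. The `small` threshold, the score thresholds and the keep-alive heuristic are assumptions made for the example, and the dynamic DNS feature of the connection stage is not covered.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Pkt:
    t: float     # seconds since the flow's first packet
    up: bool     # True = controlled host -> remote end, False = remote end -> host
    size: int    # TCP payload bytes (0 = bare ACK)
    psh: bool    # TCP PSH flag set

def flow_features(pkts, small=100):
    """Per-flow statistics for the abstract's features; bare ACKs are excluded."""
    data = [p for p in pkts if p.size > 0]
    n = max(len(data), 1)
    up = sum(p.size for p in data if p.up)
    down = sum(p.size for p in data if not p.up)
    # Keep-alive heuristic (assumption): the most frequent small downlink size recurs at near-constant intervals
    by_size = {}
    for p in data:
        if not p.up and p.size <= small:
            by_size.setdefault(p.size, []).append(p.t)
    times = max(by_size.values(), key=len, default=[])
    gaps = [b - a for a, b in zip(times, times[1:])]
    return {
        "psh_ratio": sum(p.psh for p in data) / n,
        "small_ratio": sum(p.size <= small for p in data) / n,
        "asymmetry": abs(up - down) / max(up + down, 1),   # 0 = balanced, 1 = one-way
        "periodic_small_downlink": len(gaps) >= 3 and pstdev(gaps) <= 0.1 * mean(gaps),
    }

def rat_score(f):
    """Number of assumed thresholds crossed (0..4); higher = more RAT-like."""
    return sum([f["psh_ratio"] > 0.8, f["small_ratio"] > 0.6,
                f["asymmetry"] > 0.7, f["periodic_small_downlink"]])

def sample_rat_flow():
    """Constructed: 8-byte keep-alive every 30 s, one 40-byte command, bulky host reply."""
    pkts = []
    for i in range(6):
        pkts += [Pkt(30.0 * i, False, 8, True), Pkt(30.0 * i + 0.1, True, 0, False)]
    pkts += [Pkt(5.0, False, 40, True), Pkt(5.2, True, 1400, True),
             Pkt(5.3, True, 1400, True), Pkt(5.4, True, 600, True)]
    return pkts

def sample_web_flow():
    """Constructed: one 300-byte request, twenty 1400-byte segments, PSH only on the last."""
    pkts = [Pkt(0.0, True, 300, True)]
    pkts += [Pkt(0.05 + 0.01 * i, False, 1400, i == 19) for i in range(20)]
    pkts += [Pkt(0.06 + 0.01 * i, True, 0, False) for i in range(20)]
    return pkts
```

Note that the web download is also strongly asymmetric, so the asymmetry feature only separates the two flows in combination with the PSH, small-packet and periodicity features.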
