基于网络活动分析的窃密木马检测技术研究

项目名称： 基于网络活动分析的窃密木马检测技术研究

项目编号： No.61502505

项目类型： 青年科学基金项目

立项/批准年度： 2016

项目学科： 自动化技术、计算机技术

项目作者： 张金玲

作者单位： 中国人民大学

项目金额： 21万元

中文摘要： 在网络安全领域中，利用窃密木马进行各类信息窃取的现象愈发严重，为解决这一问题，出现了很多有针对性的解决方法，其中大量的工作是针对数据内容本身的识别和标记，对窃密软件特征码的检测也占到了较大的比例。虽然这些方法能够取得较高的检测准确率，但是它们无法应对加密、加壳技术的出现，同时还需要维护一个不断增大的样本库。.针对上述问题，本项目拟结合当前网络窃密手段的主流趋势，从应对加密混淆技术、降低计算开销和减少防护系统维护成本等方面出发，对网络窃密行为的检测技术展开研究。本项目提出了一种新的基于NetFlow记录文件的网络窃密行为检测方法，以此为基础，研究一种基于IP对通信会话的远控型木马网络行为检测方法，同时对对HTTP 隧道检测和木马 C&C 通信检测提出基于TCP连接的窃密软件通信传输行为的检测方法，最终实现一个计算开销较小，防护系统维护成本较低的检测系统。

中文关键词： 网络活动；网络窃密；流量分析；木马通信

英文摘要： In the field of network security, the use of espionage Trojan steal phenomenon is more serious for all kinds of information. In order to solve this problem, there are many targeted solutions which is a lot of work for data identification and marking content itself, and detecting spy software feature codes also accounted for a larger proportion. Although these methods can obtain high detection accuracy, but they failed to deal with encryption, and the emergence of shell technology, at the same time, they also need to maintain a constant increase of sample library..According to the above problem, this project is combined with the current trend of cyber spying means, from a confused encryption technology, to reduce the computational overhead and maintenance costs, reduce the protection system of cyber spying action detection technology. This project proposes a new network espionage behavior detection method based on NetFlow records file, on this basis, the research on the communication session an ip-based remote control type Trojan network behavior detection method, at the same time both the HTTP tunnel inspection and Trojan for C&C communication based on TCP connection and testing method of spy software communication transmission behavior, ultimately achieve a smaller computational overhead, protection system maintenance costs lower detection system.

英文关键词： network activity;cyber spying;netFlow;trojan communication