Abstract
To meet the current need in network security for accurate and efficient Trojan detection, this paper designs a real-time Trojan detection system based on statistical features of network communication sessions. Building on a statistics-based protocol identification algorithm, the system defines 14 communication-session features covering packet length, packet direction, payload data and other aspects, and proposes an improved Kullback-Leibler (K-L) divergence as the detection algorithm for measuring the similarity between the session under inspection and the protocol model library; different combinations of features are selected according to the differing communication characteristics of encrypted and unencrypted Trojans. To improve real-time performance, only the first 10 to 20 packets of each session are inspected. Experimental results show that the system satisfies the real-time requirement while achieving an accuracy above 87%, meeting current Trojan detection needs.
This paper designs a real-time Trojan detection system based on statistics of network communication session characteristics, to meet the need for accurate and efficient Trojan detection in the field of Internet security. The system defines 14 attribute measures of a communication session, including packet length, packet direction, payload data and so on, and then proposes an improved Kullback-Leibler divergence as the detection algorithm for measuring the similarity between the session under inspection and the protocol model base. The system uses different groups of attribute measures according to the communication characteristics of encrypted and unencrypted Trojans. To improve real-time performance, the system inspects only the first 10 to 20 packets of each session. Experimental results show that the system meets the real-time requirement with an accuracy above 87%, satisfying current Trojan detection needs.
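As an added example (not the paper's own code), the detection step the abstract describes: a session's first packets are summarized as direction and length-bin counts and compared against a protocol model library with a smoothed Kullback-Leibler divergence. The length bins, the smoothing constant, the single "http" model and the two sample sessions are constructed assumptions; the paper's specific improved K-L variant is not reproduced here.

```python
import math
from collections import Counter

N_PACKETS = 20   # the paper inspects only a session's first 10-20 packets
LEN_BINS = (64, 128, 256, 512, 1024, 1500)   # assumed packet-length bin edges (bytes)
ALPHA = 0.01     # additive smoothing so no model symbol has probability zero
DIRS = ("c2s", "s2c")   # client-to-server, server-to-client

def bin_length(length):
    """Map a packet length to a bin index under the assumed binning scheme."""
    for i, edge in enumerate(LEN_BINS):
        if length <= edge:
            return i
    return len(LEN_BINS)

def session_features(packets, n=N_PACKETS):
    """Joint (direction, length-bin) counts over the first n packets of a session.
    packets: sequence of (direction, length) tuples."""
    return Counter((d, bin_length(length)) for d, length in packets[:n])

def to_distribution(counts):
    """Smoothed probability mass over every direction x length-bin symbol."""
    symbols = [(d, b) for d in DIRS for b in range(len(LEN_BINS) + 1)]
    total = sum(counts.values()) + ALPHA * len(symbols)
    return {s: (counts.get(s, 0) + ALPHA) / total for s in symbols}

def kl_divergence(p, q):
    """D_KL(P || Q) in bits; p and q share keys and are smoothed, so no zero division."""
    return sum(p[s] * math.log2(p[s] / q[s]) for s in p)

def classify(packets, models, threshold):
    """Pick the closest protocol model; a session far from every model is flagged."""
    p = to_distribution(session_features(packets))
    best = min(models, key=lambda name: kl_divergence(p, models[name]))
    d = kl_divergence(p, models[best])
    return (best if d <= threshold else "suspicious"), d

# Constructed protocol model library: one HTTP-like model built from counts
# (a few small client requests, many large server responses).
MODELS = {"http": to_distribution(Counter({("c2s", 2): 5, ("s2c", 5): 12, ("s2c", 4): 3}))}

# Constructed sessions: an HTTP-shaped one and one with small packets in both
# directions, which looks nothing like the HTTP model and should be flagged.
NORMAL_SESSION = [("c2s", 200)] * 4 + [("s2c", 1400)] * 10 + [("s2c", 700)] * 2
ODD_SESSION = [("c2s", 80), ("s2c", 80)] * 10

if __name__ == "__main__":
    for name, sess in (("normal", NORMAL_SESSION), ("odd", ODD_SESSION)):
        print(name, classify(sess, MODELS, threshold=0.5))
```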
Source
Journal of Hebei University of Technology (河北工业大学学报)
CAS
2016, No. 6, pp. 9-15 (7 pages)
Funding
National Natural Science Foundation of China (61501167)
Keywords
communication session
Trojan detection
feature statistics
Kullback-Leibler (K-L) divergence
encrypted Trojan
real-time