Abstract
Existing detection methods for Trojan communication behavior that work only at the network or transport layer achieve low recognition accuracy when applied to HTTP tunnel Trojans. This paper proposes an HTTP tunnel Trojan detection method based on joint multi-layer analysis. Behavioral statistics that separate tunnel Trojan traffic from normal traffic are extracted from each HTTP session at three layers: the application layer, the transport layer and the network layer. An SVM trained with active learning generates the classification rules, from which a detection system is built. Experimental results show that the joint multi-layer method lowers both the false positive and false negative rates of existing methods, and that active learning substantially reduces the number of samples that must be labelled by hand, which makes communication-behavior-based HTTP tunnel Trojan detection more practical.
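As an added illustration (not code from the paper), the sketch below shows the shape of the pipeline the abstract describes: per-session statistics drawn from the network, transport and application layers, a linear SVM, and an uncertainty-sampling active-learning loop that asks an analyst to label only the sessions closest to the current decision boundary. The paper does not publish its feature set, SVM parameters or query strategy; the six features, the synthetic session generator, the hinge-loss SGD trainer, its hyperparameters and the query budget here are illustrative assumptions, and every session is constructed data rather than captured traffic.

```python
"""Added example: multi-layer session features + active-learning linear SVM.
Not the paper's code; features, generator and hyperparameters are illustrative assumptions."""
import math
import random


def make_session(rng, tunnel):
    """Constructed HTTP session: packets as (time, direction, size), with +1 = client->server
    and -1 = server->client, plus per-request (method, body_len). Synthetic, not captured."""
    pkts, reqs, t = [], [], 0.0
    if tunnel:  # assumed tunnel profile: periodic small POST beacons with small replies
        period = rng.uniform(5.0, 10.0)
        for _ in range(rng.randint(20, 40)):
            t += period + rng.gauss(0.0, 0.1)
            body = rng.randint(40, 120)
            pkts += [(t, +1, body + 200), (t + 0.05, -1, rng.randint(200, 600))]
            reqs.append(("POST", body))
    else:  # assumed browsing profile: bursty timing, mostly GET, large responses
        for _ in range(rng.randint(3, 12)):
            t += rng.uniform(0.01, 3.0)
            post = rng.random() < 0.15
            body = rng.randint(500, 5000) if post else 0
            pkts += [(t, +1, body + 300), (t + 0.2, -1, rng.randint(2000, 60000))]
            reqs.append(("POST" if post else "GET", body))
    return {"packets": pkts, "requests": reqs}


def session_features(s):
    """Six per-session statistics, two from each layer (assumed feature set)."""
    pk = s["packets"]
    up = sum(sz for _, d, sz in pk if d > 0)
    down = sum(sz for _, d, sz in pk if d < 0)
    req_t = [t for t, d, _ in pk if d > 0]
    gaps = [b - a for a, b in zip(req_t, req_t[1:])]
    mean_gap = sum(gaps) / len(gaps) if gaps else 0.0
    cv = (math.sqrt(sum((g - mean_gap) ** 2 for g in gaps) / len(gaps)) / mean_gap
          if mean_gap > 0 else 0.0)
    posts = sum(1 for m, _ in s["requests"] if m == "POST")
    return [
        up / down,                   # network: upload/download byte ratio
        (up + down) / len(pk),       # network: mean packet size
        cv,                          # transport: regularity of request timing (beaconing)
        pk[-1][0] - pk[0][0],        # transport: session duration in seconds
        len(s["requests"]),          # application: requests per session
        posts / len(s["requests"]),  # application: fraction of POST requests
    ]


def standardize(X):
    """Z-score each column using statistics of the whole pool (transductive, for simplicity)."""
    cols = list(zip(*X))
    mu = [sum(c) / len(c) for c in cols]
    sd = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0 for c, m in zip(cols, mu)]
    return [[(v - m) / s for v, m, s in zip(x, mu, sd)] for x in X]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def train_svm(X, y, lam=0.01, eta=0.1, epochs=100):
    """Primal linear SVM: hinge-loss SGD with L2 weight decay (Pegasos-style, constant step)."""
    w, b = [0.0] * len(X[0]), 0.0
    for _ in range(epochs):
        for xi, yi in zip(X, y):
            w = [(1 - eta * lam) * wj for wj in w]
            if yi * (dot(w, xi) + b) < 1:  # margin violation: push the hyperplane
                w = [wj + eta * yi * xij for wj, xij in zip(w, xi)]
                b += eta * yi
    return w, b


def active_learn(X, y, seed, budget):
    """Uncertainty sampling: repeatedly hand the analyst the unlabeled session whose
    score is closest to the hyperplane, label it (y acts as the oracle), retrain."""
    labeled = list(seed)
    for _ in range(budget):
        w, b = train_svm([X[i] for i in labeled], [y[i] for i in labeled])
        pool = [i for i in range(len(X)) if i not in labeled]
        if not pool:
            break
        labeled.append(min(pool, key=lambda i: abs(dot(w, X[i]) + b)))
    w, b = train_svm([X[i] for i in labeled], [y[i] for i in labeled])
    return w, b, labeled


def accuracy(w, b, X, y):
    return sum((dot(w, x) + b > 0) == (yi > 0) for x, yi in zip(X, y)) / len(y)


def run_demo(n_each=30, budget=8, seed=7):
    """Build a constructed pool of n_each tunnel and n_each normal sessions, seed the learner
    with one label per class, spend `budget` analyst queries, and score the whole pool."""
    rng = random.Random(seed)
    sessions = ([make_session(rng, True) for _ in range(n_each)]
                + [make_session(rng, False) for _ in range(n_each)])
    y = [+1] * n_each + [-1] * n_each
    X = standardize([session_features(s) for s in sessions])
    w, b, labeled = active_learn(X, y, seed=[0, n_each], budget=budget)
    return {"labels_used": len(labeled), "accuracy": accuracy(w, b, X, y)}


if __name__ == "__main__":
    print(run_demo())
```

In a real deployment the session records would come from a flow or pcap export rather than the generator, the standardization statistics would be frozen from the training pool, and the analyst in the loop would label the queried sessions; the example keeps the label vector as a stand-in oracle so it runs offline and shows how few labels the uncertainty-sampling loop needs on separable data.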
Source
Application Research of Computers (计算机应用研究)
Indexed in CSCD
Peking University Core Journal
2016, No. 1, pp. 240-244 (5 pages)
Funding
National Science and Technology Support Program (2012BAH47B01)
Zhengzhou Science and Technology Innovation Team Project (10CXTD150)
Shanghai Science and Technology Research Program (13DZ1108800)
National Natural Science Foundation of China (61271252)
Keywords
HTTP tunnel Trojan
communication behavior
joint analysis
active learning
classification