

Research on Web Trojan Bayesian-based Detection

【Author】 李炜

【Supervisor】 韩兰胜

【Author Information】 华中科技大学 (Huazhong University of Science and Technology), Computer Technology, 2011, Master's degree

【Abstract (translated from the Chinese)】 With the rapid development of the Internet, computer applications have penetrated every area of society. The Internet provides many services and brings convenience to life and work, but it has also made information security a serious problem. Because browsers are so widely used, attackers exploit vulnerabilities in browsers and third-party software to spread web Trojans, gain system privileges, and destroy or steal user information, causing users heavy losses. Web Trojans spread quickly and are easy to mutate, so traditional signature-based detection has difficulty catching them; research on web Trojan detection methods is therefore necessary. A web Trojan differs from a traditional Trojan in that it must run through a browser: once the browser triggers the web Trojan, it exploits a vulnerability in the visitor's system or browser to download a pre-configured Trojan server program to the visitor's computer and execute it automatically, thereby destroying or stealing the computer's information. This thesis therefore proposes, for the first time, using the multinomial event model of Bayesian theory to compute a threat value for a program under inspection and deciding from that value whether it is a web Trojan. The static code and dynamic behaviour of the web program are used as detection features, and the concept of information gain is used to classify and filter them; during feature-set selection, particular attention is paid to how often each feature occurs. Building on Bayesian classification with a term-frequency multinomial event model, the threat values of an unknown web program's static code features and dynamic behaviour features are computed and each is compared with its corresponding threshold to decide whether the program is a web Trojan. Finally, the experimental part takes the new detection model as its theoretical basis, designs a web Trojan detection system, and presents the algorithm design and implementation of part of that system. Experiments verify the feasibility of the detection model and provide a new approach to web Trojan detection.

【Abstract】 With the rapid development of the Internet, computer applications have penetrated every area of society, providing many services and bringing convenience to our life and work. At the same time, information security has become an important issue. Because browsers are so widely used, hackers exploit vulnerabilities in browsers and third-party software to deliver web Trojans, obtain system privileges, and destroy or steal user information, causing users great losses. A web Trojan spreads fast and changes its form easily, so traditional signature-based virus detection techniques have difficulty detecting it; a new detection method is needed. The difference between a web Trojan and a traditional Trojan is the browser: a web Trojan must run through the browser. When the browser renders the malicious web page, the web Trojan exploits a vulnerability to download the Trojan program and then achieves its purpose of destroying or stealing computer information. Therefore, this thesis first extracts static code features and dynamic behaviour features and computes threat values using the multinomial event model based on Bayes' theorem; the threat values determine whether the web page program is a Trojan. The method takes static code characteristics and dynamic behaviour characteristics, proposes a detection principle, uses the concept of information gain to filter the characteristics, describes the extraction of static code features and API call sequence features, and then details the API interception technology. The paper focuses on Bayesian classification events and the multinomial event model, using the model to determine whether an unknown web program is a web Trojan.
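The detection pipeline both abstracts describe (static code tokens plus dynamic API-call tokens, information-gain feature selection, a term-frequency multinomial naive Bayes model, and a per-family threat value compared with a threshold) can be seen end to end in the following added example. It is illustrative code written for this page, not the thesis author's system. The training corpus, the token names, the definition of the threat value as the log-odds of "trojan" versus "benign", the zero thresholds, and the rule that either family exceeding its threshold flags the page are all assumptions made for the illustration.

```python
"""Web-page "threat value" via a multinomial naive Bayes model with
information-gain feature selection.

Added illustration of the approach the abstract describes; it is not the
thesis author's code. Training data, token names, the log-odds definition
of the threat value and the zero thresholds are all assumptions."""
import math
from collections import Counter, defaultdict

# Constructed training corpus (assumed, for illustration only). Each sample is
# (label, tokens). Plain tokens are static-code features pulled from the page's
# script; tokens prefixed "api:" are dynamic features, i.e. Win32 API calls
# recorded while the page ran under an API hook.
TRAINING = [
    ("trojan", ["eval", "unescape", "unescape", "ActiveXObject", "document.write",
                "api:URLDownloadToFile", "api:WinExec"]),
    ("trojan", ["eval", "eval", "String.fromCharCode", "ActiveXObject",
                "api:URLDownloadToFile", "api:CreateProcess"]),
    ("trojan", ["unescape", "ActiveXObject", "iframe", "api:WinExec"]),
    ("benign", ["document.write", "getElementById", "addEventListener", "iframe"]),
    ("benign", ["getElementById", "addEventListener", "setTimeout", "api:CreateFile"]),
    ("benign", ["setTimeout", "getElementById", "document.write"]),
]

def is_dynamic(token):
    return token.startswith("api:")

def family(samples, dynamic):
    """Keep only the static or only the dynamic tokens of every sample."""
    return [(label, [t for t in toks if is_dynamic(t) == dynamic]) for label, toks in samples]

def entropy(counts):
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)

def information_gain(samples):
    """IG(token) = H(C) - H(C | token present/absent), computed over documents."""
    n = len(samples)
    h_class = entropy(Counter(label for label, _ in samples))
    gains = {}
    for token in {t for _, toks in samples for t in toks}:
        present = Counter(label for label, toks in samples if token in toks)
        absent = Counter(label for label, toks in samples if token not in toks)
        h_cond = (sum(present.values()) / n) * entropy(present) \
               + (sum(absent.values()) / n) * entropy(absent)
        gains[token] = h_class - h_cond
    return gains

def select_features(samples, k):
    """Top-k tokens by information gain (ties broken alphabetically)."""
    gains = information_gain(samples)
    return sorted(gains, key=lambda t: (-gains[t], t))[:k]

class MultinomialNB:
    """Term-frequency multinomial event model with add-one smoothing."""
    def __init__(self, vocab):
        self.vocab = set(vocab)
        self.log_prior, self.log_cond = {}, {}

    def fit(self, samples):
        docs, tokens = Counter(), defaultdict(Counter)
        for label, toks in samples:
            docs[label] += 1
            tokens[label].update(t for t in toks if t in self.vocab)  # term frequencies
        for label, n_docs in docs.items():
            self.log_prior[label] = math.log(n_docs / len(samples))
            total = sum(tokens[label].values())
            self.log_cond[label] = {
                t: math.log((tokens[label][t] + 1) / (total + len(self.vocab)))
                for t in self.vocab}
        return self

    def log_posterior(self, label, toks):
        # Tokens outside the selected vocabulary contribute nothing, so a page
        # with no known features scores exactly the class prior.
        return self.log_prior[label] + sum(
            self.log_cond[label][t] for t in toks if t in self.vocab)

    def threat_value(self, toks):
        # Assumed definition: log-odds of "trojan" versus "benign".
        return self.log_posterior("trojan", toks) - self.log_posterior("benign", toks)

def build_detector(samples, k_static=6, k_dynamic=4):
    """One model per feature family, each trained on its own IG-selected vocabulary."""
    models = {}
    for dynamic, k in ((False, k_static), (True, k_dynamic)):
        fam = family(samples, dynamic)
        models[dynamic] = MultinomialNB(select_features(fam, k)).fit(fam)
    return models

def classify(models, toks, static_threshold=0.0, dynamic_threshold=0.0):
    """Return (static_threat, dynamic_threat, verdict). Assumed decision rule:
    the page is a web Trojan if either family's threat exceeds its threshold."""
    s = models[False].threat_value([t for t in toks if not is_dynamic(t)])
    d = models[True].threat_value([t for t in toks if is_dynamic(t)])
    verdict = "trojan" if s > static_threshold or d > dynamic_threshold else "benign"
    return s, d, verdict

if __name__ == "__main__":
    det = build_detector(TRAINING)
    for page in (["unescape", "eval", "ActiveXObject", "api:URLDownloadToFile", "api:WinExec"],
                 ["getElementById", "addEventListener", "document.write", "api:CreateFile"],
                 ["neverSeenBefore"]):
        print(page, classify(det, page))
```

Two points the abstract's wording hides are visible here. Feature selection is done per family, so a high-gain API token cannot crowd a static token out of the static vocabulary, and vice versa. And a page whose tokens are all outside both vocabularies scores exactly the prior log-odds (zero with balanced classes), which is why the threshold, not the sign alone, must be chosen deliberately on real data rather than left at zero as in this toy.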

  • 【CLC number】TP393.092
  • 【Citations】4
  • 【Downloads】130