Title of invention: TROJAN DETECTION METHOD AND DEVICE
Abstract: A Trojan detection method and device, addressing the problem in the prior art of being unable to effectively detect a Trojan in a network. The method comprises: when a Trojan heartbeat is detected in a session, increasing the recorded session weight by a weight chosen according to whether the heartbeat detection frequency is fixed, and recording the increased weight; checking whether each packet transmitted from the controlling end to the controlled end matches the characteristics of a Trojan control command packet and, if so, increasing the recorded session weight by a third weight and recording it; and, when the session weight reaches an alarm threshold, generating an alarm to notify that the session was initiated by a Trojan. An embodiment of the present invention detects a Trojan by inspecting the packets of a session, so that a Trojan in a network can be detected. Because the inspection of the packets in the session is not simple string matching, the false alarm rate is reduced and the Trojan in the network is detected effectively.
Publication number: US2014344935(A1) Publication date: 2014.11.20
Application number: US201214366665 Filing date: 2012.12.18
Applicant: NSFOCUS INFORMATION TECHNOLOGY CO., LTD. Inventors: Duan Yuxuan; Cheng Lijun; Han Peng
Classification: H04L29/06 Main classification: H04L29/06
Agency: Agent:
Principal claim: 1. A method of detecting a Trojan, the method comprising: detecting, according to each message sent by a control end to a controlled end, whether Trojan heartbeat detection is present in a session between the control end and the controlled end; upon detecting the absence of Trojan heartbeat detection, continuing to detect whether Trojan heartbeat detection is present in the session; upon detecting the presence of Trojan heartbeat detection, judging whether the frequency of the Trojan heartbeat detection in the session is fixed, and if so, increasing the recorded session weight by a first weight and recording it, otherwise increasing the recorded session weight by a second weight and recording it; for each message sent by the control end to the controlled end, detecting whether a characteristic of the message conforms with a characteristic of a Trojan control command message, and if it does, increasing the recorded session weight by a third weight and recording it, otherwise continuing to detect whether a characteristic of the next message conforms with the characteristic of the Trojan control command message; and issuing an alarm to notify that the session is a Trojan-initiated session when the recorded session weight reaches the alarm threshold.
Address: Beijing CN
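The weighted scoring described in the abstract and the principal claim, as an added worked example (not the patent's or NSFOCUS's code): sessions are constructed lists of (seconds, direction, payload) tuples, the heartbeat test looks for a repeated control-to-controlled payload and checks whether its inter-arrival times are fixed, and the "control command characteristic" is a constructed stand-in (short, printable, newline-terminated). The weight values, threshold, repeat count and jitter tolerance are assumptions; the patent names the weights but fixes none of them.

```python
from collections import Counter
from statistics import mean

# Assumed values: the patent names these weights and threshold but fixes none of them.
FIRST_WEIGHT, SECOND_WEIGHT, THIRD_WEIGHT, ALARM_THRESHOLD = 4, 2, 2, 8
HEARTBEAT_MIN_REPEATS = 3    # assumption: a payload seen this often is a heartbeat
FIXED_FREQ_TOLERANCE = 0.15  # assumption: relative jitter still counted as "fixed"

def heartbeat_intervals(packets):
    """Inter-arrival times of the most repeated control->controlled payload,
    or [] when nothing repeats often enough to be treated as a heartbeat."""
    c2s = [(t, p) for t, d, p in packets if d == "c2s"]
    top = Counter(p for _, p in c2s).most_common(1)
    if not top or top[0][1] < HEARTBEAT_MIN_REPEATS:
        return []
    times = sorted(t for t, p in c2s if p == top[0][0])
    return [b - a for a, b in zip(times, times[1:])]

def is_fixed_frequency(intervals):
    avg = mean(intervals)
    return all(abs(i - avg) <= FIXED_FREQ_TOLERANCE * avg for i in intervals)

def looks_like_control_command(payload):
    """Constructed stand-in for the claim's 'characteristic of a Trojan control
    command message': short, printable ASCII, newline-terminated."""
    return (0 < len(payload) <= 64 and payload.endswith(b"\n")
            and all(32 <= b < 127 or b == 10 for b in payload))

def score_session(packets):
    """Apply the claim's weighting; returns (session weight, alarm?)."""
    weight = 0
    intervals = heartbeat_intervals(packets)
    if intervals:  # heartbeat present: first weight if fixed frequency, else second
        weight += FIRST_WEIGHT if is_fixed_frequency(intervals) else SECOND_WEIGHT
    for _, direction, payload in packets:  # third weight per command-like message
        if direction == "c2s" and looks_like_control_command(payload):
            weight += THIRD_WEIGHT
    return weight, weight >= ALARM_THRESHOLD

# Constructed sessions: (seconds, direction, payload); "c2s" = control end to
# controlled end. The first has a 10 s beacon plus three command-like messages.
TROJAN_SESSION = [
    (0.0, "c2s", b"\x00"), (10.0, "c2s", b"\x00"), (12.0, "c2s", b"cmd:sysinfo\n"),
    (13.0, "s2c", b"\x00" * 200), (20.1, "c2s", b"\x00"), (22.0, "c2s", b"cmd:list\n"),
    (25.0, "c2s", b"cmd:status\n"), (30.0, "c2s", b"\x00"),
]
# The second is an ordinary client polling a page at irregular times.
GET = b"GET /status HTTP/1.1\r\nHost: example.test\r\n\r\n"
BENIGN_SESSION = [(0.0, "c2s", GET), (0.2, "s2c", b"HTTP/1.1 200 OK\r\n\r\nok"),
                  (5.0, "c2s", GET), (40.0, "c2s", GET)]
```

The benign session still earns the second weight (its repeated GET is a heartbeat candidate with irregular timing), which shows why the claim accumulates weight across several indicators before alarming rather than alarming on any one of them.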