
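Trojan Traffic Feature Detection Method Based on SVM
Cite this article: HU Xiangdong, BAI Yin, ZHANG Feng, LIN Jiafu, LI Linle. Trojan traffic feature detection method based on SVM[J]. Journal of Chongqing University of Posts and Telecommunications (Natural Science Edition), 2017, 29(2).
Authors: HU Xiangdong  BAI Yin  ZHANG Feng  LIN Jiafu  LI Linle
Affiliations: 1. School of Automation, Chongqing University of Posts and Telecommunications, Chongqing 400065; 2. China Mobile Research Institute, Beijing 100033; 3. School of Communication and Information Engineering, Chongqing University of Posts and Telecommunications, Chongqing 400065
Funding: The Joint Research Foundation of the Ministry of Education of the People's Republic of China and China Mobile; The Science and Technology Project Affiliated to Chongqing Education Commission
Abstract: Trojans can covertly steal users' sensitive information and file resources or remotely monitor user behavior, posing a great threat to network security. To address this, a Trojan detection method based on traffic features is proposed. Features such as the orderliness of server ports, the server's use of client port numbers, the number of packets sent by the client, and the number of packets sent by the server are statistically analyzed, and the support vector machine (SVM) algorithm is used for classification training to build a traffic-based Trojan monitoring model. Because traffic features are general and universal, the method is also fairly effective against unknown Trojans. Simulation test results show that the proposed method has good detection capability for both common and unknown Trojans, with a blind detection accuracy of up to 96.61% under the experimental conditions.

Keywords: Trojan detection  traffic features  SVM  feature analysis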

Trojan traffic characteristic detection methods based on SVM
HU Xiangdong, BAI Yin, ZHANG Feng, LIN Jiafu, LI Linle. Trojan traffic characteristic detection methods based on SVM[J]. Journal of Chongqing University of Posts and Telecommunications, 2017, 29(2).
Authors:HU Xiangdong  BAI Yin  ZHANG Feng  LIN Jiafu  LI Linle
Abstract: Trojans can steal sensitive user information or file resources, or remotely monitor user behavior in a hidden way, which poses a great threat to network security. Therefore, a Trojan detection method based on traffic characteristics is proposed, in which the support vector machine (SVM) algorithm is used for classification by statistically analyzing such characteristics as the order of a server's ports, the client's port number used by the server, the number of data packets from the client, and the number of data packets from the server. The optimal detection parameters are obtained and the traffic-based Trojan monitoring model is built according to the training results. Because of the generalization and universality of traffic characteristics, the proposed method also has some effect on unknown Trojans. The simulation results show that the proposed method has good detection ability for both common Trojans and unknown Trojans, and the blind detection accuracy rate can be up to 96.61% under certain experimental conditions.
Keywords:Trojan detection  traffic characteristic  support vector machine  feature analysis
This article is indexed in Wanfang Data and other databases.