A Remote Access Trojan (RAT) is a type of malicious program whose main purpose is to steal confidential information. It is commonly used in the post-infiltration stage of Advanced Persistent Threat (APT) attacks, which seriously threaten the security of cyberspace, so research on RAT detection methods has considerable practical significance. Most current network-based RAT detection methods require a largely complete data stream and can therefore only detect a RAT after a considerable part of the session has been observed, while the false negative rate (FNR) and false positive rate (FPR) of the existing early detection methods still need to be reduced. Few researchers have considered the time-series characteristics of RAT communication traffic. As a group of random variables ordered in time, a time series provides diverse characteristic information and can improve the accuracy of a detection method. This article takes the time sequence of the traffic in the RAT's communication behaviour as its research object and analyses the timing of the RAT's initial communication.

First, based on the time-series differences between a RAT and a normal application at the initial stage of establishing communication, a RAT detection method based on KNN-DTW (k-nearest neighbours with dynamic time warping) is proposed. The method focuses on the network session established at the initial stage of software operation: it extracts the direction sequence and the payload-size sequence of the first t seconds of the first TCP flow, and then uses the KNN-DTW algorithm to build a detection model that discriminates RAT flows from normal flows. Experimental results show that this method detects RAT traffic effectively and with high accuracy from a short data stream.

Second, in order to further reduce the FNR and FPR of RAT detection, an early detection method that fuses statistical features with timing characteristics is proposed. This method takes the first TCP flow in the interaction between the RAT's controlled end and its control end as the analysis object, and focuses on the first packet in the flow that is sent from the internal host to the external network with a transport-layer payload larger than α bytes (called the information return packet), together with several subsequent packets. From these packets three kinds of features are extracted (the sequence of transmitted payload sizes, the number of bytes transmitted, and the inter-packet time intervals), and machine learning algorithms are used to construct an efficient early detection model. Experimental results show that this method can detect a RAT quickly: it classifies RAT traffic with high accuracy from a small number of packets at the initial stage, right after the RAT session is established.
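The two feature extraction steps described above, as an added example that is not code from the paper: the first-t-seconds direction and payload-size sequences of a flow are compared with a plain DTW distance and classified by majority vote among the k nearest training flows, and the information return packet (first outbound packet whose transport-layer payload exceeds α bytes) is located so that the payload-size sequence, byte count and inter-packet intervals of it and the n packets that follow can be read off. All flows are constructed toy data; the `Packet` record, the `make_flow`, `flow_distance` and `early_features` helpers, and the choice to scale the payload DTW by a 1460-byte MSS so that it is on the same footing as the direction DTW are assumptions of this example, not the paper's design.

```python
"""KNN-DTW over first-t-seconds direction/payload sequences, and information
return packet features.  Illustrative code, not the paper's implementation;
all flows below are constructed toy data."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since the first packet of the flow
    outbound: bool   # True: internal host -> external network
    payload: int     # transport-layer payload length in bytes


def make_flow(rows: Sequence[Tuple[float, bool, int]]) -> List[Packet]:
    return [Packet(*r) for r in rows]


# Constructed toy flows (the first TCP flow of each session).
# "rat": tiny beacon out, tiny reply in, then several ~400-byte outbound packets
#        (the controlled end reporting host information back to the controller).
# "benign": ~300-byte request out, full-size 1460-byte segments back in.
TRAIN = [
    (make_flow([(0.00, True, 12), (0.05, False, 8), (0.10, True, 420),
                (0.20, True, 380), (0.30, False, 16), (0.40, True, 390)]), "rat"),
    (make_flow([(0.00, True, 10), (0.06, False, 8), (0.12, True, 400),
                (0.25, True, 360), (0.35, False, 16), (0.45, True, 410)]), "rat"),
    (make_flow([(0.00, True, 300), (0.04, False, 1460), (0.05, False, 1460),
                (0.06, False, 800), (0.20, True, 280), (0.24, False, 1460),
                (0.25, False, 1460), (0.26, False, 820)]), "benign"),
    (make_flow([(0.00, True, 320), (0.03, False, 1460), (0.04, False, 1460),
                (0.05, False, 780), (0.18, True, 290), (0.22, False, 1460),
                (0.23, False, 1460), (0.24, False, 790)]), "benign"),
]
QUERY_RAT = make_flow([(0.00, True, 14), (0.07, False, 8), (0.15, True, 410), (0.28, True, 370)])
QUERY_WEB = make_flow([(0.00, True, 310), (0.05, False, 1460), (0.06, False, 1460), (0.07, False, 810)])

# Assumption: a typical TCP MSS; puts the payload DTW on the direction DTW's scale.
PAYLOAD_SCALE = 1460.0


def first_t_seconds(flow: List[Packet], t: float) -> List[Packet]:
    return [p for p in flow if p.ts <= t]


def direction_sequence(flow: List[Packet], t: float) -> List[int]:
    return [1 if p.outbound else -1 for p in first_t_seconds(flow, t)]


def payload_sequence(flow: List[Packet], t: float) -> List[int]:
    return [p.payload for p in first_t_seconds(flow, t)]


def dtw(a: Sequence[float], b: Sequence[float]) -> float:
    """Classic O(n*m) dynamic time warping with |a_i - b_j| as local cost."""
    n, m = len(a), len(b)
    if n == 0 or m == 0:                       # a flow with no packets in [0, t]
        return 0.0 if n == m else float("inf")
    prev = [float("inf")] * (m + 1)
    prev[0] = 0.0
    for i in range(1, n + 1):
        cur = [float("inf")] * (m + 1)
        for j in range(1, m + 1):
            cur[j] = abs(a[i - 1] - b[j - 1]) + min(prev[j], cur[j - 1], prev[j - 1])
        prev = cur
    return prev[m]


def flow_distance(x: List[Packet], y: List[Packet], t: float) -> float:
    """Direction DTW plus MSS-scaled payload DTW over the first t seconds."""
    d_dir = dtw(direction_sequence(x, t), direction_sequence(y, t))
    d_pay = dtw(payload_sequence(x, t), payload_sequence(y, t)) / PAYLOAD_SCALE
    return d_dir + d_pay


def knn_dtw_classify(train, query: List[Packet], t: float, k: int = 3) -> str:
    """Majority label among the k training flows nearest to the query under DTW."""
    nearest = sorted((flow_distance(f, query, t), label) for f, label in train)[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]


def information_return_packet(flow: List[Packet], alpha: int) -> Optional[int]:
    """Index of the first outbound packet with payload > alpha bytes, if any."""
    for i, p in enumerate(flow):
        if p.outbound and p.payload > alpha:
            return i
    return None


def early_features(flow: List[Packet], alpha: int, n: int):
    """(payload sizes, total bytes, inter-packet intervals) for the information
    return packet and the n-1 packets after it; None if no such packet exists."""
    i = information_return_packet(flow, alpha)
    if i is None:
        return None
    window = flow[i:i + n]
    sizes = [p.payload for p in window]
    intervals = [round(b.ts - a.ts, 3) for a, b in zip(window, window[1:])]
    return sizes, sum(sizes), intervals


if __name__ == "__main__":
    print(knn_dtw_classify(TRAIN, QUERY_RAT, t=0.5))          # rat
    print(knn_dtw_classify(TRAIN, QUERY_WEB, t=0.5))          # benign
    print(early_features(TRAIN[0][0], alpha=64, n=3))         # ([420, 380, 16], 816, [0.1, 0.1])
```

With these toy flows the two RAT training flows lie at distance roughly 2.3 from the RAT query (direction DTW 2, payload DTW about 400 bytes), while both benign flows are several units away, so a vote with k=3 is unambiguous; on real traffic the weighting between the two DTW terms, the window t and α all have to be tuned on labelled data, and α must be larger than the RAT's initial beacon or the beacon itself will be taken for the information return packet.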