Jisuanji kexue yu tansuo (Dec 2021)

Research of Remote Access Trojan Early Detection Method Using Sequence Analysis

  • WANG Chen, GUO Chun, SHEN Guowei, CUI Yunhe

DOI
https://doi.org/10.3778/j.issn.1673-9418.2007087
Journal volume & issue
Vol. 15, no. 12
pp. 2315 – 2326

Abstract


Remote access Trojan (RAT) is a kind of malware. The main intent of a RAT is to steal confidential information, and it seriously threatens the security of cyberspace. Most current network-based RAT detection methods have high requirements on the integrity of the data stream, and their detection is delayed to a certain extent. Based on the analysis of the sequence characteristics of the initial traffic of a RAT after the session is established, this paper proposes a RAT early detection method using sequence analysis. The proposed method takes the first TCP stream in the interaction between the RAT's controlled and control ends as the analysis object, and focuses on the first packet in the stream that is sent from the internal host to the external network and whose transport-layer payload is greater than α bytes (called the information return packet), as well as several subsequent packets. In the proposed method, three-dimensional features, including the transport payload size sequence, transmission bytes and time intervals, are extracted, and a machine learning algorithm is used to construct an efficient early detection model. Experimental results show that this method has the ability to detect RATs quickly, and that it can detect RAT traffic with high accuracy from a small number of packets in the early stage of a session.
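As an added illustration of the feature extraction the abstract describes (example code written for this page, not the paper's own implementation), the snippet below locates the information return packet in a constructed TCP stream and derives the three feature groups from it and the packets that follow. The threshold α, the window length, the signed direction encoding of the size sequence and the sample stream are all assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    ts: float        # capture time in seconds, relative to the first packet
    outbound: bool   # True if sent from the internal host to the external network
    payload: int     # transport-layer payload length in bytes

def find_information_return_packet(stream: List[Packet], alpha: int) -> Optional[int]:
    """Index of the first outbound packet whose transport payload exceeds alpha bytes."""
    for i, p in enumerate(stream):
        if p.outbound and p.payload > alpha:
            return i
    return None  # no candidate yet: the stream is too young to classify

def extract_features(stream: List[Packet], alpha: int, n_follow: int) -> Optional[dict]:
    """Three feature groups over the information return packet and n_follow packets after it."""
    idx = find_information_return_packet(stream, alpha)
    if idx is None:
        return None
    window = stream[idx: idx + 1 + n_follow]
    # 1) payload size sequence; sign encodes direction (+ outbound, - inbound), an assumption
    sizes = [p.payload if p.outbound else -p.payload for p in window]
    # 2) transmission bytes per direction within the window
    out_bytes = sum(p.payload for p in window if p.outbound)
    in_bytes = sum(p.payload for p in window if not p.outbound)
    # 3) time intervals between consecutive packets, plus total elapsed time
    intervals = [round(b.ts - a.ts, 3) for a, b in zip(window, window[1:])]
    return {"sizes": sizes, "out_bytes": out_bytes, "in_bytes": in_bytes,
            "intervals": intervals, "elapsed": round(window[-1].ts - window[0].ts, 3)}

# Constructed sample stream: handshake, a tiny outbound probe, a larger outbound
# "information return" message, then a short inbound message and a bulk outbound reply.
SAMPLE_STREAM = [
    Packet(0.000, True, 0),     # SYN
    Packet(0.050, False, 0),    # SYN-ACK
    Packet(0.051, True, 0),     # ACK
    Packet(0.060, True, 4),     # small outbound packet, below alpha
    Packet(0.120, True, 236),   # information return packet (first outbound > alpha)
    Packet(0.180, False, 0),    # ACK from the external side
    Packet(0.400, False, 18),   # short inbound message
    Packet(0.410, True, 1024),  # bulk outbound data
    Packet(0.415, True, 1024),
    Packet(0.470, False, 0),    # ACK
]

if __name__ == "__main__":
    print(extract_features(SAMPLE_STREAM, alpha=16, n_follow=4))
```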

Keywords