Open Access
Data Stolen Trojan Detection based on Network Behaviors
Author(s) - Yiguo Pu, Xiaojun Chen, Xu Cui, Jinqiao Shi, Li Guo, Qi Cheng
Publication year - 2013
Publication title - Procedia Computer Science
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.334
H-Index - 76
ISSN - 1877-0509
DOI - 10.1016/j.procs.2013.05.106
Subject(s) - trojan, computer science, computer security
It is well known that the data loss caused by data stolen Trojans is huge, as they can upload private or secret data to the hackers who control them remotely. Most current security tools monitor for Trojans by scanning for signature code that distinguishes them from normal software. However, this method can only recognize known Trojans, not up-to-date malicious software whose signature code is unknown. Some other security tools, which must be preinstalled on hosts, detect Trojans by program behaviors. This paper proposes a novel model to detect data stolen Trojans based on their network behaviors. It consists of three detectors: 1) a keep-alive detector, which detects keep-alive packets or connections; 2) a master-slave-connection detector, which tries to find master and slave connections; and 3) a mistake detector, which analyses the rate of download vs. upload and the connection time for different protocols. The experiments show that this method is efficient in recognizing data stolen Trojans. This prototyped system proves the possibility of detecting Trojans from network
