With the continuing spread of Internet technologies, network security has become an increasingly prominent issue. The proliferation of Trojan programs in particular can directly lead to the theft and corruption of many kinds of important information. At present the Trojan program is a common means of attack: through it an attacker can gain control of a target host and steal user accounts, passwords and other important information. How to detect, intercept and protect against Trojans has therefore become an issue that urgently needs to be addressed.
In the prior art, a Trojan is detected by matching the characteristics of a local file generated by a program (e.g., the file's characteristic strings, size, directory or other attributes) against the characteristics of local files generated by Trojan programs, and by locally monitoring certain operational behaviors of the program, e.g., modification of the registry, setting a file to start automatically, modification of system file configuration and other behaviors, in order to detect the Trojan program.
However, this approach is limited to detecting local Trojans and cannot detect or protect against Trojans in the network. Moreover, Trojans are well known for their “capriciousness”, and it is difficult to detect their many variants effectively when detection relies solely on analysis of a static file.
Alternatively, the prior art detects Trojans by extracting strings of characters common to Trojan communication data streams, building a library of these common strings, matching the strings in a network communication data stream against those in the library, and confirming the presence of a Trojan in the communication whenever a match succeeds.
However, the network carries a wide variety of communication protocols and communication data, so this approach, which relies only on simple string matching, will inevitably produce a high ratio of false alarms.
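The following is an added illustration, not part of the patent text: a minimal string-library matcher of the kind described above, run over constructed sample streams with constructed (placeholder) library strings, to show how a single-match rule flags ordinary protocol traffic and how the resulting false-alarm ratio can be measured.

```python
"""Added example (not part of the patent text): a minimal string-library
Trojan detector of the kind the prior art describes, run over constructed
sample streams to show how plain substring matching produces false alarms."""
from typing import Dict, List

# Constructed "common strings" library. These are illustrative placeholders,
# not signatures of any real Trojan family.
SIGNATURE_LIBRARY: List[bytes] = [b"cmd.exe", b"GET /", b"pwd="]

# Constructed sample communication data streams: name -> raw bytes.
STREAMS: Dict[str, bytes] = {
    "benign_http": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "benign_form": b"POST /login HTTP/1.1\r\n\r\nuser=alice&pwd=secret",
    "remote_shell": b"\x01\x02cmd.exe /c dir\x00",
}

# Constructed ground truth, used only to measure the false-alarm ratio.
IS_TROJAN: Dict[str, bool] = {
    "benign_http": False, "benign_form": False, "remote_shell": True,
}


def match_library(stream: bytes, library: List[bytes]) -> List[bytes]:
    """Return every library string that occurs anywhere in the stream."""
    return [sig for sig in library if sig in stream]


def classify_naive(streams: Dict[str, bytes], library: List[bytes]) -> Dict[str, bool]:
    """Prior-art rule: a single successful match confirms Trojan communication."""
    return {name: bool(match_library(data, library)) for name, data in streams.items()}


def false_alarm_ratio(verdicts: Dict[str, bool], truth: Dict[str, bool]) -> float:
    """Share of benign streams that the rule flagged (the ratio the text warns about)."""
    benign = [n for n, t in truth.items() if not t]
    flagged = [n for n in benign if verdicts[n]]
    return len(flagged) / len(benign) if benign else 0.0


if __name__ == "__main__":
    verdicts = classify_naive(STREAMS, SIGNATURE_LIBRARY)
    for name, data in STREAMS.items():
        print(f"{name}: flagged={verdicts[name]} hits={match_library(data, SIGNATURE_LIBRARY)}")
    print(f"false-alarm ratio: {false_alarm_ratio(verdicts, IS_TROJAN):.2f}")
```

Both benign streams are flagged because generic strings such as `GET /` and `pwd=` occur in normal HTTP traffic, which is exactly the weakness of matching without protocol context.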
In view of this, the prior-art approaches to detecting Trojans cannot detect Trojans in the network effectively.