Computer and Information Science
Computer viruses, Computer networks -- Security measures, Detecting backdoor trojans
Trojan horses, commonly known as "Trojans", are computer threats that have recently caused trouble on the Internet because of their new propagation techniques. Social engineering has become a popular strategy for deceiving people into running an attacker's malicious programs, and Trojans use it to spread from one computer or network to others, which makes them hard to prevent. The only way to keep computers and networks safe from them is to detect them as early as possible. Because of their stealthy behavior they are hard to detect by analyzing IDS (Intrusion Detection System) logs alone; multiple-log analysis is therefore presented for detecting zero-day Trojans. Since there are many kinds of Trojans nowadays, in the first phase we concentrate only on zero-day backdoor Trojans. IDS logs, connection logs, process activity logs and system logs are considered for monitoring user activities and traffic behavior. We build the list of monitored process activities from studying the behavior of many kinds of backdoor Trojans. For example, most backdoor Trojans are downloaded from suspicious websites, which can be revealed from IDS logs and connection logs. Next, process activity logs and system logs can monitor an application's behavior when a user installs a backdoor Trojan, such as opening unusual ports, hiding processes, modifying the registry for auto-startup, or disabling antivirus services. We look more closely at IDS logs for infected machines that connect to remote IRC servers to send information every time they start or shut down, or that generate anomalous traffic such as port scanning or DDoS (Distributed Denial of Service) attacks against neighboring hosts. Because of this thorough examination, multiple-log analysis can produce a powerful and accurate alarm for detecting zero-day backdoor Trojans.
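The following is an added illustration of the correlation the abstract describes; it is not code from the thesis. It maps entries from four constructed log sources (IDS, connection, process activity, system) to the indicator categories named above and raises an alarm for a host only when indicators from several independent log sources coincide. The pipe-separated log format, the field names, the expected-port and antivirus-service lists and the three-source threshold are all assumptions made for the example.

```python
"""Correlating backdoor-Trojan indicators across IDS, connection, process
and system logs. Added example, not code from the thesis; log format,
field names, port lists and threshold are constructed for illustration."""
from collections import defaultdict
import re

# Constructed sample lines in a hypothetical "source|host|event|detail" format.
# ws-07 shows a full infection chain, ws-12 only an IRC connection, ws-03 is benign.
SAMPLE_LOGS = """\
conn|ws-07|outbound|dst=198.51.100.23:80 uri=/free_codec.exe
sys|ws-07|registry_set|key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=codec.exe
sys|ws-07|service_stop|name=WinDefend
proc|ws-07|listen|port=31337 image=codec.exe
conn|ws-07|outbound|dst=203.0.113.9:6667 proto=irc
ids|ws-07|portscan|targets=10.0.0.0/24 ports=445
conn|ws-12|outbound|dst=203.0.113.9:6667 proto=irc
proc|ws-03|new_process|image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe
"""

# Assumed site knowledge: ports a workstation is expected to listen on,
# antivirus service names, and IRC ports.
EXPECTED_LISTEN_PORTS = {135, 139, 445, 3389}
AV_SERVICES = {"WinDefend", "McAfeeFramework", "avast! Antivirus"}
IRC_PORTS = {6667, 6697}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.IGNORECASE)


def parse_logs(text):
    """Split raw lines into records: source, host, event and a key=value dict."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        source, host, event, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split())
        records.append({"source": source, "host": host, "event": event, "fields": fields})
    return records


def indicator_for(rec):
    """Map one record to a named indicator from the abstract, or None if benign."""
    src, ev, f = rec["source"], rec["event"], rec["fields"]
    if src == "conn" and ev == "outbound":
        port = int(f["dst"].rsplit(":", 1)[1])
        if f.get("uri", "").lower().endswith((".exe", ".scr", ".pif")):
            return "download_of_executable"        # suspicious website download
        if f.get("proto") == "irc" or port in IRC_PORTS:
            return "irc_connection"                # beaconing to a remote IRC server
    if src == "proc" and ev == "listen" and int(f["port"]) not in EXPECTED_LISTEN_PORTS:
        return "unusual_listening_port"            # backdoor opening a port
    if src == "sys":
        if ev == "registry_set" and RUN_KEY.search(f["key"]):
            return "autostart_registry_key"        # persistence via Run key
        if ev == "service_stop" and f["name"] in AV_SERVICES:
            return "antivirus_service_stopped"     # disabling antivirus
    if src == "ids" and ev in {"portscan", "ddos"}:
        return "anomalous_outbound_traffic"        # scanning or DDoS against neighbours
    return None


def correlate(records, min_sources=3):
    """Group indicators per host; alarm only when enough distinct log sources agree."""
    per_host = defaultdict(lambda: {"indicators": set(), "sources": set()})
    for rec in records:
        name = indicator_for(rec)
        if name is None:
            continue
        per_host[rec["host"]]["indicators"].add(name)
        per_host[rec["host"]]["sources"].add(rec["source"])
    return {
        host: {
            "indicators": sorted(entry["indicators"]),
            "sources": sorted(entry["sources"]),
            "alarm": len(entry["sources"]) >= min_sources,
        }
        for host, entry in per_host.items()
    }


def analyze(text, min_sources=3):
    """Parse and correlate a log dump; returns a per-host report."""
    return correlate(parse_logs(text), min_sources)


if __name__ == "__main__":
    for host, r in analyze(SAMPLE_LOGS).items():
        print(host, "ALARM" if r["alarm"] else "watch", r["sources"], r["indicators"])
```

Run on the sample, ws-07 trips the alarm because four log sources (conn, ids, proc, sys) each contribute an indicator, while ws-12, whose only evidence is one IRC connection in the connection log, is merely flagged for watching and ws-03 produces no indicator at all. Lowering `min_sources` to 1 turns every single-source hit into an alarm, which is the false-positive trade-off that motivates correlating several logs rather than relying on one.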
Caravut, Sinchai, "Multiple Logs Analysis for Detecting Zero-Day Backdoor Trojans" (2008). ETD Archive. 546.