2013, Vol.18 No.5, 369-376 Article ID 1007-1202(2013)05-0369-08 DOI 10.1007/s11859-013-0944-6

An Unknown Trojan Detection Method Based on Software Network Behavior

LIANG Yu1, PENG Guojun1,2†, ZHANG Huanguo1, WANG Ying1

1. School of Computer/Key Laboratory of Aerospace Information Security and Trusted Computing of Ministry of Education, Wuhan University, Wuhan 430072, Hubei, China; 2. Law School, Renmin University of China, Beijing 100872, China
© Wuhan University and Springer-Verlag Berlin Heidelberg 2013

Abstract: Aiming at the difficulty of unknown Trojan detection in a situation flooded with APT attacks, an improved detection method is proposed. The basic idea of this method originates from the intents of advanced persistent threat (APT) attacks: besides damaging or destroying facilities, the more essential purpose of APT attacks is to gather confidential data from target hosts by planting Trojans. Inspired by this idea and some in-depth analyses of recent APT attacks, five typical communication characteristics are adopted to describe an application's network behavior, with which a fine-grained classifier based on a decision tree and Naïve Bayes is modeled. Finally, with training by supervised machine learning approaches, the classification detection method is implemented. Compared with general methods, this method is capable of enhancing the detection and awareness capability for unknown Trojans with less resource consumption.

Key words: targeted attack; unknown Trojan detection; software network behavior; machine learning
CLC number: TP 305
Received date: 2013-03-19
Foundation item: Supported by the National Natural Science Foundation of China (61202387, 61103220), Major Projects of National Science and Technology of China (2010ZX03006-001-01), Doctoral Fund of Ministry of Education of China (2012014110002), China Postdoctoral Science Foundation (2012M510641), Hubei Province Natural Science Foundation (2011CDB456), and Wuhan Chenguang Plan Project (2012710367)
Biography: LIANG Yu, male, Ph.D. candidate, research direction: network and information system security. E-mail: [email protected]
† To whom correspondence should be addressed. E-mail: [email protected]

0 Introduction

Targeted attacks aimed at governments, militaries, enterprises, and some important organizations have happened frequently in recent years. Due to their serious harm and impact, such attacks, also called advanced persistent threats (APT), have been considered one of the greatest threats to network security in the coming years [1]. In APT attacks, the Trojans that steal confidential data play a role like a "Swiss Army Knife" in achieving the ultimate purpose. Generally, Trojans for APT attacks are not spread widely, which means that they are still unknown to antivirus and intrusion detection system (IDS) products. Using zero-day vulnerabilities or valid digital signatures, Trojans can easily evade detection by security software [2]. The IDS has the capability of automatically detecting abnormal traffic in a specified network, but for these special Trojans it is almost incapable. From the perspective of the network layer, controlling and camouflaging its own network communication behavior can easily make the traffic appear normal. Therefore, such unknown Trojans can escape IDS detection, and it is very difficult to detect and defend against such threats in time. Typically, an APT attack has two types of purpose: 1) one is to damage or destroy the target's facilities, as can be found in the famous APT attack aimed at Iran [2,3], etc.; 2) another, more common purpose is to gather information and steal confidential data [4]. Motivated by the second purpose, in this paper we propose a method based on an application's network behavior to detect unknown Trojans employed in APT attacks.

Wuhan University Journal of Natural Sciences 2013, Vol.18 No.5

1 Related Work

Malware detection based on network traffic has recently been studied in Refs. [5-12]. Binde et al [5] tried to uncover APT by assessing outbound traffic using Snort and Scapy. Though it is effective for some specific Trojans, the need for specialized expertise makes it difficult for large-scale deployment. Sun et al [7] proposed a method to detect HTTP tunneling Trojans by using operation behavior characteristics. In their study, they used six statistical eigenvalues to depict the difference between a normal HTTP session and a Trojan operating session with HTTP tunneling. However, they did not consider the network topology of the Trojan's communication when choosing characteristics. Besides, they extract and calculate these eigenvalues at the data link layer; as a consequence, they need to reconstruct the Ethernet frames and reorganize the HTTP session first. Performing the session reorganization needs lots of resources, such as storage space, time, and CPU usage. All these limitations make their method fail to perform real-time detection. Tang et al [9] introduced the concept of a communication fingerprint to expand the extension of communication characteristics. Actually, this method is similar to Liu's in essence. Due to the same network traffic capture mechanism, the necessity of reorganizing HTTP sessions from Ethernet frames still exists. Another limitation in Tang's and Sun's approaches [7,9] is that network traffic at the data link layer does not contain much information about the processes running in hosts. This results in the difficulty of associating abnormal network behavior with Trojans' system behaviors.

Malware detection based on behavior analysis is also a hot research topic in recent years. Perdisci et al [6] proposed a fine-grained clustering model for HTTP-based malware. They also gave a solution for generating malware signatures from malware's network traces. Brumley et al [13] showed their research on detecting malware's hidden behaviors, which are active when properly triggered. A new technique called guest view casting was introduced in Jiang et al's research [14]. This technique overcame the semantic gap between virtual machine and host in stealthy malware detection. In Inoue's research, malware samples were executed and analyzed in a virtual Internet environment, which avoids further unwanted propagation [15].

2 Software Network Behavior

2.1 Definition

Generally, software's network behavior directly relates to its usage and features. Automatically gathering information and unidirectional transmission of data distinguish Trojans from normal applications, most of which need human-computer interaction via input/output devices in order to perform their functions. Therefore, from the perspective of the network level, five characteristics were chosen to describe applications' network behavior.

2.1.1 Ratio of sent and received traffic size

For Trojans with information-stealing intent, the most obvious network characteristic is the communication traffic size. Usually, a Trojan has three network communication states:
1) Without network connection. In this state the Trojan cannot establish connections with its remote command servers or with neighbor hosts in its P2P network. In this paper, we do not consider this state.
2) Keeping connections silently. During this state, Trojans only use the network to query remote command servers and keep online at a relatively fixed time interval. In this state, the traffic sizes sent and received are almost equal.
3) Active period. During the active period, Trojans need to receive commands and send execution results frequently; as a result, the traffic size changes a lot.
Figure 1 shows how the network traffic changes while some malicious behaviors are being carried out. For the majority of malicious behaviors, the response (sent) traffic size is much bigger than the request (received) traffic size. However, for most widely used applications, such as web browsers, download tools, and online video players, the received network traffic size is much bigger than the sent network traffic size (Fig. 2). Therefore, we can use the ratio between sent and received traffic size as a characteristic to detect Trojans.

Fig. 1 The change of Trojans' network traffic in interaction state

Fig. 2 Network traffic while visiting Baidu, Google, and Gmail using IE6

2.1.2 Number of connections

The number of connections is the total number of network connections established during an application's lifecycle. Under normal circumstances, Trojans only keep one or two connections with their remote control servers. However, normal network-based applications have a large number of connections while interacting with users. Figure 3 demonstrates the large number of connections in the user's computer. Most applications' number of connections is larger than that of Trojans, so we choose the number of connections as a characteristic.

Fig. 3 Widely used applications' number of connections in a certain period
① Chrome; ② kxescore.exe; ③ ThunderServiceLite.exe; ④ ikucmc.exe; ⑤ 360se.exe; ⑥ ikuace.exe; ⑦ 360Tray.exe; ⑧ 360sdUpe.exe; ⑨ YodaoDict.exe; ⑩ SogouCloud.exe; QQ.exe

2.1.3 Proportion of upload connections

Under some specific circumstances, some normal applications have a big traffic size. For example, while a user sends an email with some attachments and does nothing else with the network, the rules we presented before may be broken. Therefore, we introduce the proportion of upload connections as a network characteristic to eliminate potential mistakes. An upload connection is a connection whose ratio of sent to received traffic size is bigger than a certain value; generally, this value is bigger than or equal to one. A normal application such as a web browser generates lots of connections while running, but


upload connections are very few, so the proportion of upload connections is very low. However, Trojans have only a few connections during their lifecycle, so once upload connections appear, the proportion increases accordingly. Therefore, this characteristic supports the first characteristic and distinguishes normal applications' sent traffic from Trojans' sent traffic.

2.1.4 Proportion of concurrent connections

A concurrent connection is a connection that was established within a quite small time interval after the establishment of the previous connection. Although the moment at which a user clicks the next link while browsing a webpage has some randomness, we found that the browser has many concurrent connections while performing the navigation. As Table 1 shows, while we visited douban.com using the Google Chrome browser, there were lots of concurrent connections. Not only browsers but many applications use multiple threads to communicate with servers to get high performance; as a result, there are many concurrent connections while running.

Table 1 Connections' timelines while visiting douban.com

Request path                                                      Type        Start time/ms
http://douban.com/                                                text/html   0
http://img3.douban.com/css/core/packed__init_500824067.css        text/css    9
http://img3.douban.com/css/packed_anonymous_home8839397659.css    text/css    104
https://www.douban.com/pics/blank.gif                             image/gif   124
http://img3.douban.com/pics/new_menu.gif                          image/gif   119
http://img3.douban.com/js/core/do/packed__init_5832834905.js      Javascript  218
http://img3.douban.com/pics/nav/anony_nav_logo4.png               image/png   292
http://img3.douban.com/pics/nav/logo_db.png                       image/png   293

Trojans themselves have few connections, and the time interval between a new connection and the previous one is larger than that in normal applications. As a result, compared with normal applications, Trojans' proportion of concurrent connections is higher.

2.1.5 Diversity of connected IPs

Influenced by Trojans' C&C network architecture, Trojans communicate with only several hosts, so the number of distinct IPs is very small. Normal applications, during their lifecycle, communicate with lots of distinct IPs. While we visit http://www.weibo.com, TCP connections need to be established with several distinct IPs, as follows: 74.125.71.*, 74.125.235.*, 180.208.78.*, 180.149.134.*, and 121.192.0.*.

Based on the previous analysis, the software network communication characteristics we finally choose are listed as follows:
● ratio of sent and received traffic size;
● number of connections;
● proportion of upload connections;
● proportion of concurrent connections;
● number of distinct IPs.
The unknown Trojan detection model built with these characteristics will be discussed in Section 3.

2.2 Extraction

In order to obtain an application's network communication characteristic set, we have to extract the application's connection session information first. On Microsoft Windows platforms, the operating system provides two types of network interfaces that allow developers to obtain applications' network communication information. One is the Service Provider Interface (SPI) in user mode, and the other is the NDIS intermediate driver in kernel mode. Nowadays, the majority of Trojans prefer user-mode APIs for their network communication. Trojans using drivers to implement their network communication directly in kernel mode are quite rare because of the difficulty of loading a driver silently. On the Windows platform, the SPI layer is the lowest layer in user mode, as shown in Fig. 4. We can easily obtain all user-mode network information by installing our own service provider into the SPI chain.

Fig. 4 Network interfaces on Windows

Hence, it is not necessary to capture the network communication information in the kernel. Besides, user-mode applications' portability and stability are better than those of kernel-mode modules. Therefore, we extract network information based on the SPI.


According to the characteristics defined in Section 2.1, the network connection information we need to obtain from the applications is listed as follows:
● Tstart: connection start time;
● Ssent: sent traffic size in the current connection;
● Srecv: received traffic size in the current connection;
● VIP: the value of the remote IP in the current connection.
These values can be obtained in an LSP (Layered Service Provider, a kind of Windows service provider). Therefore, our goal is to implement an LSP module and install it as a layered service provider. In the LSP module, we just follow the specification of Windows SPI development. Besides, we need to rewrite some Winsock functions so that, while the application calls Winsock functions, our rewritten functions have the chance to access the arguments of those functions. In order to get the values in the set {Tstart, Ssent, Srecv, VIP}, we just need to rewrite the following functions:
● Connect: get the remote IP value VIP and the connection start time Tstart;
● Send (Sendto): get the current sent traffic size and add it to the total sent traffic size of this connection, Ssent;
● Recv (Recvfrom): get the current received traffic size and add it to the total received traffic size of this connection, Srecv.
With the values of this set {Tstart, Ssent, Srecv, VIP}, we can now easily work out the characteristic set.

2.3 Calculation

The calculation of the characteristics can be performed in the following steps:
1) Count the total connections in a process and get the value N_con;
2) Count the distinct values of VIP and get the value N_IP;
3) Count the upload connections and get the value N_up-con (the threshold of the ratio of sent to received traffic size is 1.1, which is used to determine whether a connection is an upload connection);
4) Count the concurrent connections and get the value N_con-con;
5) Calculate the ratio of traffic size between sent and received, R_sent/recv, over all connections of the process:
$$R_{sent/recv} = \frac{\sum_{i=1}^{N_{con}} S_{sent}^{i}}{\sum_{i=1}^{N_{con}} S_{recv}^{i}};$$
6) The proportion of upload connections R_up can be calculated as follows:
$$R_{up} = \frac{N_{up\text{-}con}}{N_{con}};$$
7) Calculate the proportion of concurrent connections R_con:
$$R_{con} = \frac{N_{con\text{-}con}}{N_{con}}.$$
So far, every value of the software network communication characteristics has been calculated.
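The following Python program is added here as an illustration of the seven steps above; it is not the paper's own code. It computes the five characteristics from a list of per-connection records of the kind the LSP module hands over ({Tstart, Ssent, Srecv, VIP}). The 1.1 upload threshold is the paper's; the 100 ms concurrency window (the paper only says "a quite small time interval"), the record type, and the three constructed samples (a burst of browser-like fetches, a two-connection beacon, and a single-connection upload with the shape of Table 4) are assumptions. The ratio in step 5 is taken over the totals across connections, with a guard against a zero received total.

```python
from dataclasses import dataclass
from typing import Dict, List

# Threshold stated in the paper: sent/received above 1.1 marks an upload connection.
UPLOAD_RATIO = 1.1
# Assumption: the paper gives no number for the concurrency window; 100 ms is our choice.
CONCURRENT_WINDOW_MS = 100


@dataclass
class Connection:
    """One connection as the LSP hook would report it: the set {Tstart, Ssent, Srecv, VIP}."""
    t_start_ms: int   # Tstart: connection start time (captured at connect)
    s_sent: int       # Ssent: bytes accumulated over send/sendto
    s_recv: int       # Srecv: bytes accumulated over recv/recvfrom
    v_ip: str         # VIP: remote IP seen at connect


def is_upload(c: Connection) -> bool:
    """Step 3: a sent/received ratio above the threshold marks an upload connection."""
    return c.s_sent / max(c.s_recv, 1) > UPLOAD_RATIO


def characteristics(conns: List[Connection]) -> Dict[str, float]:
    """Steps 1-7 of Section 2.3 for one process; keys use the paper's symbols."""
    if not conns:
        raise ValueError("no connection records for this process")
    ordered = sorted(conns, key=lambda c: c.t_start_ms)
    n_con = len(ordered)                                     # 1) N_con
    n_ip = len({c.v_ip for c in ordered})                    # 2) N_IP
    n_up_con = sum(1 for c in ordered if is_upload(c))       # 3) N_up-con
    n_con_con = sum(                                         # 4) N_con-con: started within the
        1 for prev, cur in zip(ordered, ordered[1:])         #    window after the previous start
        if cur.t_start_ms - prev.t_start_ms <= CONCURRENT_WINDOW_MS
    )
    total_sent = sum(c.s_sent for c in ordered)
    total_recv = sum(c.s_recv for c in ordered)
    return {
        "N_con": n_con,
        "N_IP": n_ip,
        "R_sent/recv": total_sent / max(total_recv, 1),      # 5) ratio of totals (max() avoids /0)
        "R_up": n_up_con / n_con,                            # 6)
        "R_con": n_con_con / n_con,                          # 7)
    }


def browser_like_sample() -> List[Connection]:
    """Constructed: a page load fans out to several hosts in a burst and receives far more than it sends."""
    return [
        Connection(0,    600, 45000, "203.0.113.10"),
        Connection(9,    500, 20000, "203.0.113.20"),
        Connection(104,  400, 15000, "203.0.113.20"),
        Connection(124,  300,  2000, "203.0.113.30"),
        Connection(218,  350, 30000, "203.0.113.20"),
        Connection(2500, 700, 60000, "203.0.113.40"),
    ]


def beacon_like_sample() -> List[Connection]:
    """Constructed: two connections to one host a minute apart; the second pushes data out."""
    return [
        Connection(0,       120,   110, "198.51.100.5"),
        Connection(60000, 48000,   300, "198.51.100.5"),
    ]


def single_upload_sample() -> List[Connection]:
    """Constructed to reproduce the shape of Table 4: one connection, one IP, ratio 2550."""
    return [Connection(0, 2_550_000, 1000, "198.51.100.9")]


if __name__ == "__main__":
    for name, sample in [("browser-like", browser_like_sample()),
                         ("beacon-like", beacon_like_sample()),
                         ("single upload", single_upload_sample())]:
        print(name, characteristics(sample))
```

The browser-like sample yields many connections, four distinct IPs, no upload connections and a high proportion of concurrent connections; the beacon-like sample yields two connections to one IP, half of them uploads, and no concurrency. The single-upload sample shows why Section 4.1's false positive is hard for these five features alone: a legitimate process with one long upload looks exactly like a Trojan on every characteristic.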

3 System Implementation

3.1 Framework

The system framework of the proposed Trojan detection method based on network communication characteristics is shown in Fig. 5. The system implementation can be divided into three parts:
1) Connection information extraction module (LSP module). This module is automatically loaded into applications that need network communication and then sends the gathered connection information to the detection system via a named pipe.
2) Detection system based on the NBTree classifier. The detection component is the core part of the whole system. It receives the connection information from different applications and stores it in the database. Besides, it contains a trained classifier based on NBTree that is used to perform the classification.
3) Connection information database. We store all connection information in an SQLite database.

Fig. 5 The framework of the detecting system

3.2 NBTree Classifier

As the core part, the Trojan detection classifier works as shown in Fig. 6.


Fig. 6 Workflow of Trojan detection

Instead of using a single model independently, better performance can be obtained by combining the decision tree and Naïve Bayes classification methods into the classifier called NBTree.

3.2.1 NBTree

The decision tree is a method commonly used in pattern recognition and machine learning. The goal is to create a model that predicts the value or region of a target variable based on several input variables. Typically, a "binary tree" can be learned by splitting the source set into subsets based on an attribute value test. This process is repeated on each derived subset in a recursive manner called recursive partitioning. During each top-down step, a variable is chosen as the next best variable to split the set of items. At the end, every subset at a node of the tree has the same value or split condition. The decision tree is a simple but widely used classification model that works by partitioning the input space into cuboid regions. However, because of the "greedy approach" that the decision tree model uses during the learning procedure, an over-complex tree that does not generalize the data well can be created. This is called "over-fitting" [16]. Bishop [17] shows that, besides a constant, some simple model can also be assigned to the regions split by the decision tree. Hence, in our NBTree classifier, we assign a Naïve Bayes classifier to each leaf node. A Naïve Bayes classifier is a simple probabilistic classifier based on applying Bayes' theorem with strong (naive) independence assumptions. This classifier assumes that the presence of a particular feature of a class is unrelated to the presence of any other feature, given the class variable. In simple terms, it just considers all of these properties to contribute independently to the probability that a particular item belongs to a certain class. Depending on the precise nature of the probability model, a Naïve Bayes classifier can be trained very efficiently in a supervised learning setting [10]. Hence, a classifier model combining the decision tree and Naïve Bayes is used to detect malware. Before it works efficiently and adaptively, some supervised machine learning approach is necessary.

3.2.2 Training set

In order to ensure reliability, all sample data in the training set come from the real world. The training set can be divided into two subsets {Trojans, normal}. All sampling procedures are conducted on Windows XP. Considering the influence of user behavior and personal habits on applications' network behavior, we gathered the normal applications' communication characteristics from five individual computers over 6 hours, and during the whole information gathering process there was no extensive unnecessary interference. In the end, about 40 applications' characteristics were gathered. These applications cover almost all of the most frequently used applications for common users. Because of the difficulty of getting enough unique Trojans that can be used to perform a runtime sampling of network communication characteristics, the Trojan training set is only sampled from 6 well-known Trojans, as Table 2 shows. Considering that most Trojans with information-gathering intent have similar communication characteristics, from this perspective the Trojan training set is sufficient.

Table 2 Basic information of Trojans in training set

Name                Version
Beike Security RAT  2011 v2
Poison Ivy          2.3.2
HuiGeZi             2012 Pro
Gh0st               2012
Jaws                2011 SP1
PcShare             2011 Pro

3.2.3 Training the classifier

The mechanism of the NBTree model was illustrated in the previous section; the following describes training the classifier. Weka is a well-known data mining tool, and in this paper we use it to perform the model training. After some preprocessing of the original characteristic information, we import the training sets into Weka. In order to improve the efficiency, ten-fold cross-validation is employed. As the result, an NBTree model with 2 leaves and 3 nodes has been trained, as shown in Fig. 7. The decision tree's root node is "Distinct IPs", and each leaf is a Naïve Bayes classifier (NB1 and NB2). When the value of an application's Distinct IPs is bigger than 1.5, the sample will be classified by the "NB 2" leaf, a Naïve Bayes classifier; otherwise, it will be classified by the "NB 1" leaf, which is also a Naïve Bayes classifier. The details of the training result are in Table 3.

Fig. 7 The trained NBTree model

Table 3 Detailed accuracy by class

Class           TP rate  FP rate  Precision  Recall  F-Measure  ROC area
Trojan          1        0.025    0.857      1       0.923      0.977
Normal          0.975    0        1          0.975   0.987      0.977
Average weight  0.978    0.003    0.981      0.978   0.979      0.977

The trained classifier has a high TP rate and a low FP rate, so it is able to meet our requirements to detect (predict) unknown Trojans.
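As an added illustration, and not the paper's Weka model or its training data, the following Python program reproduces the structure of the trained NBTree in Fig. 7: a root test on the number of distinct IPs at 1.5, with a Gaussian Naïve Bayes classifier in each leaf, trained on a few constructed feature rows. The root split feature and value are the paper's; the class labels, the constructed rows, the Gaussian likelihood model and the small variance floor are assumptions.

```python
import math
from typing import Dict, List, Tuple

FEATURES = ["N_IP", "R_sent/recv", "R_up", "R_con", "N_con"]
ROOT_FEATURE, ROOT_SPLIT = "N_IP", 1.5   # root test of Fig. 7: Distinct IPs > 1.5 -> NB2 leaf

Row = Dict[str, float]


def row(n_ip, r_sent_recv, r_up, r_con, n_con) -> Row:
    """Build one feature row in the order N_IP, R_sent/recv, R_up, R_con, N_con."""
    return dict(zip(FEATURES, (n_ip, r_sent_recv, r_up, r_con, n_con)))


class GaussianNB:
    """Naive Bayes with one Gaussian per (class, feature); standard library only (assumed model)."""

    def __init__(self) -> None:
        self.prior: Dict[str, float] = {}
        self.stats: Dict[str, Dict[str, Tuple[float, float]]] = {}

    def fit(self, rows: List[Row], labels: List[str]) -> "GaussianNB":
        for cls in sorted(set(labels)):
            sub = [r for r, l in zip(rows, labels) if l == cls]
            self.prior[cls] = len(sub) / len(rows)
            self.stats[cls] = {}
            for f in FEATURES:
                vals = [r[f] for r in sub]
                mean = sum(vals) / len(vals)
                # small floor on the variance so a constant feature does not give a zero density
                var = sum((v - mean) ** 2 for v in vals) / len(vals) + 1e-6
                self.stats[cls][f] = (mean, var)
        return self

    def log_posterior(self, r: Row, cls: str) -> float:
        lp = math.log(self.prior[cls])
        for f in FEATURES:   # naive assumption: features independent given the class
            mean, var = self.stats[cls][f]
            lp += -0.5 * math.log(2 * math.pi * var) - (r[f] - mean) ** 2 / (2 * var)
        return lp

    def predict(self, r: Row) -> str:
        return max(self.stats, key=lambda cls: self.log_posterior(r, cls))


class NBTree:
    """One decision-tree split at the root, a Naive Bayes classifier in each leaf."""

    def __init__(self) -> None:
        self.leaves = {"NB1": GaussianNB(), "NB2": GaussianNB()}

    @staticmethod
    def leaf_for(r: Row) -> str:
        return "NB2" if r[ROOT_FEATURE] > ROOT_SPLIT else "NB1"

    def fit(self, rows: List[Row], labels: List[str]) -> "NBTree":
        for name, leaf in self.leaves.items():
            sub = [(r, l) for r, l in zip(rows, labels) if self.leaf_for(r) == name]
            if not sub:   # a leaf no training row reaches falls back to the whole set
                sub = list(zip(rows, labels))
            leaf.fit([r for r, _ in sub], [l for _, l in sub])
        return self

    def predict(self, r: Row) -> str:
        return self.leaves[self.leaf_for(r)].predict(r)


def demo_training_set() -> Tuple[List[Row], List[str]]:
    """Constructed rows, not the paper's data: receive-heavy, multi-host normal applications
    versus few-host, upload-heavy Trojans."""
    normal = [row(6, 0.02, 0.0, 0.7, 40), row(4, 0.05, 0.02, 0.6, 25), row(9, 0.01, 0.0, 0.8, 60),
              row(1, 0.3, 0.0, 0.1, 3), row(2, 0.04, 0.0, 0.5, 12)]
    trojan = [row(1, 40.0, 0.5, 0.0, 2), row(1, 120.0, 0.67, 0.0, 3),
              row(2, 25.0, 0.5, 0.0, 2), row(1, 8.0, 1.0, 0.0, 1)]
    return normal + trojan, ["normal"] * len(normal) + ["Trojan"] * len(trojan)


def train_demo_model() -> NBTree:
    rows, labels = demo_training_set()
    return NBTree().fit(rows, labels)


if __name__ == "__main__":
    model = train_demo_model()
    for name, r in [("browser-like", row(5, 0.03, 0.0, 0.7, 30)),
                    ("beacon-like", row(1, 60.0, 0.5, 0.0, 2)),
                    ("single upload (Table 4 shape)", row(1, 2550, 1.0, 0.0, 1))]:
        print(f"{name}: leaf={NBTree.leaf_for(r)} -> {model.predict(r)}")
```

With this constructed training set, a row with the shape of Table 4 (one IP, one connection, ratio 2550) lands in the NB1 leaf and is labelled Trojan, which is the kind of false positive Section 4.1 reports for ikuacc.exe; the remedy the paper points to, adding application attributes such as whether the binary comes from a trusted vendor, would be a further input to the leaf classifiers rather than a change to the tree.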

4 Evaluation

4.1 Performance Efficiency

In the performance efficiency experiment, the test data set was sampled from Trojans and normal applications. The Trojans' dataset was sampled by executing seven unknown Trojans and three Trojans used in training. Of the seven unknown Trojans, five never appeared in the training set, and the rest were Trojans modified from the training set that cannot be detected by other anti-virus software (Kaspersky Anti-Virus 2013). Besides, 27 normal applications' network communication data was extracted from three individual computers without any intentional interference. In total, there were 34 items in the test set. This system detected the samples in the test set with a near-perfect prediction result. The false positive ratio is 2.94%, which means that the detection accuracy on these samples is nearly 97.05%. Besides, the detection result also shows that this method is effective at "unknown malware" detection, because all the predefined unknown malware was successfully detected. Tracing back to the only false positive item, we found that the sample is "ikuacc.exe" (a P2P acceleration tool used to share videos). During our sampling period, this application's characteristics were as shown in Table 4.

Table 4 Ikuacc.exe's characteristics

Application  N_IP  R_sent/recv  R_up  R_con  N_con
ikuacc.exe   1     2550         1     0      1

All the characteristics are in line with the characteristics of Trojans; therefore, the classifier cannot work effectively. As "ikuacc.exe" is a network application from Youku, which can be trusted, combining the application's attributes with the network behavior detection method would improve the accuracy.

4.2 Performance Overhead

While our system is running, software's network behavior is monitored; this may lead to some overhead on network communication. In order to measure this cost, we performed the following experiment. The performance overhead was evaluated through two kinds of network behavior: browsing webpages and downloading files. Chrome itself supplies the "developer tools" feature, with which the time consumed while loading a webpage can be easily read. Similarly, we can get the time consumption via the "Firebug" extension. The download tool "Thunder" reports the time consumption directly. We first recorded the applications' time consumption without deploying our detection system, and then recorded it again while the detection system was running. From the two times, we calculated the performance overhead. This procedure was repeated 10 times, and the average value was calculated to reduce the influence of the software's instability on the experimental results (Table 5). In Table 5, the overhead is about 2.28% on average, and different applications have different overheads. The major time consumption comes from online analysis. Generally, the little extra time consumed while accessing the network will not be noticed by users. Therefore, our detection system can be accepted when deployed to end users.

Table 5 Performance overhead

Software         Time without detection/s  Time with detection/s  Overhead/%
Firefox (18.02)  1.581                     1.632                  3.23
Chrome (v24.0)   0.889                     0.902                  1.46
Thunder (7.2)    138                       141                    2.17

5 Conclusion

A novel method aimed at detecting unknown Trojans employed in APT attacks is proposed. This method is based on software's network behavior and also takes the user's behavior into consideration, which makes it more adaptive. By introducing the analysis of software's network behavior, which supplies some fine-grained network traffic characteristics corresponding to the software itself, the false positive ratio has been reduced to 2.94%, and the average performance overhead is only 2.28%. The implemented detection system, with high detection accuracy and low performance overhead, performs perfectly on unknown Trojan detection, especially for Trojans with information-gathering intent. Compared with IDS and other network threat detection methods based on network traffic, the method has the following advantages:
1) This method is more sensitive in threat awareness for targeted attacks. Generally, for security organizations like CNCERT, the alarm is triggered only when abnormal traffic reaches a specified threshold or a large scale. However, Trojans employed in APT or targeted attacks do not spread on a large scale, which makes such a detection mechanism fail.
2) Our method supplies fine-grained detection, which can be refined to processes, modules, and other related characteristics of an application. Detailed information about an application that can reduce false alarms and reveal Trojans is otherwise easily ignored.
All these advantages prove that the unknown Trojan detection method proposed in this paper has great value for practical use in defense against APT attacks. However, there are still some limitations in our method. Currently, software's system behavior is not combined with its network behavior adaptively. This combination would be an important part of our future work, which may improve the detection method significantly.

References

[1] Zhou Yonglin, Wang Minghua. 2011 China internet network security situation [EB/OL]. [2012-05-21]. http://www.cert.org.cn/userfiles/file/201203192011annualreport(1).pdf.
[2] Matrosov A, Rodionov E, Harley D, et al. Stuxnet under the microscope [EB/OL]. [2012-10-17]. http://www.eset.com/us/resources/white-papers/stuxnet_under_the_mciroscope.pdf.
[3] Falliere N, Murchu O L, Chien E. W32.stuxnet dossier [EB/OL]. [2012-05-21]. http://www.cert.org.cn/userfiles/file/201203192011annualreport(1).pdf.
[4] Bencsáth B, Pek G, Buttyan L, et al. Duqu: A Stuxnet-like malware found in the wild [EB/OL]. [2012-07-14]. http://www.crysys.hu/mfelegyhazi/publications/Bencsath2011duqu.pdf.
[5] Binde B, McRee R, O'Connor T J. Assessing outbound traffic to uncover advanced persistent threat [EB/OL]. [2011-04-22]. http://www.symantec.com/content/en/us/enterprise/media/secruity_response/whitepapers/w32_stuxnet_dossier.pdf.
[6] Perdisci R, Lee W, Feamster N. Behavioral clustering of HTTP-based malware and signature generation using malicious network traces [EB/OL]. [2011-06-14]. http://static.usenix.org/event/nsdi10/tech/full_papers/perdisci.pdf.
[7] Sun Haitao, Liu Shengli, Chen Jiayong, et al. Tunnel Trojan detection method based on operation behavior [J]. Computer Engineering, 2011, 37(20): 123-126.
[8] Sun Xiaoyan, Xing Yundong, Liu Shengli, et al. Generation of Trojan communication signatures based on support [J]. Journal on Communications, 2010, 31(9): 176-182.
[9] Tang Zhangguo, Li Huanzhou, Zhong Mingquan, et al. Heuristic Trojan identification system based on network communication fingerprint [J]. Computer Engineering, 2011, 37(17): 119-122.
[10] Bayer U, Comparetti P M, Hlauschek C, et al. Scalable, behavior-based malware clustering [EB/OL]. [2012-04-19]. http://citeserrix.ist.psu.edu/viewdoc/download?doi=10.1.1.148.7690&rep=rep1&type=pdf.
[11] Jacob G, Hund R, Kruegel C, et al. JACKSTRAWS: picking command and control connections from bot traffic [EB/OL]. [2012-07-21]. https://www.usenix.org/legacy/event/sec11/tech/full_papers/jacob.pdf.
[12] Yen T F, Reiter M K. Detection of Intrusions and Malware, and Vulnerability Assessment [M]. Berlin, Heidelberg: Springer-Verlag, 2008, 5137: 207-227.
[13] Brumley D, Hartwig C, Liang Z, et al. Automatically identifying trigger-based behavior in malware [J]. Botnet Detection, 2008, 36: 65-88.
[14] Jiang X, Wang X, Xu D. Stealthy malware detection through vmm-based out-of-the-box semantic view reconstruction [C]//Proceedings of the 14th ACM Conference on Computer and Communications Security. New York: ACM Press, 2007: 128-138.
[15] Inoue D, Yoshioka K, Eto M, et al. Malware behavior analysis in isolated miniature network for revealing malware's network activity [C]//Proceedings of the IEEE International Conference on Communications. New York: IEEE Press, 2008: 1715-1721.
[16] Bramer M. Principles of Data Mining [M]. New York: Springer-Verlag, 2007.
[17] Bishop C M. Pattern Recognition and Machine Learning [M]. New York: Springer-Verlag, 2006: 653-656.


