Research on Intrusion Detection Technology Based on Linux Process Behaviour
Published: 2018-08-05 16:41
[Abstract]: With the frequent occurrence of all kinds of network security problems, intrusion detection, which can actively defend against attacks, has gradually become a hot topic in security research. Since intruders mostly compromise a system by attacking privileged processes, and a privileged process carries out a specific set of tasks, its behaviour trajectory during normal execution is relatively stable, and an intrusion is therefore easy to catch once it occurs. On this basis, this thesis proposes intrusion detection based on Linux process behaviour: the host is protected by monitoring certain privileged processes in the Linux system, and experiments show that the method detects intrusion activity against the host well. The collection of training data and the choice of modelling method are the two important factors that determine the efficiency of intrusion detection. For data collection, we analyse the differences between normal behaviour and intrusion behaviour that an attack may cause, and propose using system call sequences as the data source for intrusion detection. The loadable kernel module (LKM) mechanism is used to collect data in the kernel, while analysis and processing are done in user space, with the data shared by means of ioctl. Once the training data has been collected, the intrusion detection model has to be built. We study several existing anomaly detection algorithms based on system call sequences, analyse and compare their respective strengths and weaknesses, and propose a Markov chain anomaly detection model based on system call macros (Macro MCM). During modelling, regular short system call sequences that recur many times in the program's normal behaviour trace are extracted as independent basic units (macros), and the Macro MCM is built with macros as its basic units. During detection, system call data is read one entry at a time and matched against the macros, and the probability of the resulting macro sequence occurring consecutively is used to judge whether an intrusion has taken place. To verify that the proposed model is feasible, a system call collection module, a preprocessing module, a Macro MCM training module and a detection module were designed and implemented on Linux. Experimental results show that the model's detection performance is better than that of first- and second-order Markov chain models based on system calls; without a noticeable increase in the false alarm rate, its detection efficiency is higher than that of an HMM and comparable to DBCPIDS, while its computational complexity is clearly better than both. Finally, for the model implemented in this thesis, several applicable intrusion response methods are proposed and the situations each one suits are analysed.
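The abstract describes the Macro MCM pipeline in words only. The following is an added example, not the thesis's code: a small user-space implementation of the idea (recurring short syscall sequences become "macro" units; a first-order Markov chain over those units scores windows of a trace, and a window less probable than anything seen in normal data raises an alarm). The kernel-side LKM/ioctl collector is replaced by constructed in-memory traces, and the macro frequency threshold, greedy longest-match segmentation, window length, probability floor and threshold calibration are assumptions chosen for the demonstration, not details taken from the thesis.

```python
"""Macro-based Markov chain anomaly detection over system call traces (added demo)."""
from collections import Counter, defaultdict
import math

# Constructed syscall traces for a hypothetical privileged network service
# (not captured data). P = one request served from memory, Q = one request
# that also stats and opens a file.
P = ["accept", "read", "write", "close"]
Q = ["accept", "read", "stat", "open", "read", "write", "close", "close"]
NORMAL_TRACES = [P * 4, Q * 3, (P + Q) * 2]

# A held-out normal trace, and a constructed anomalous trace in which the
# service suddenly executes a program and changes uid, which it never did.
HELD_OUT_TRACE = P * 5 + Q * 2
ANOMALOUS_TRACE = P + ["accept", "read", "execve", "setuid", "write", "close"]


def extract_macros(traces, min_len=2, max_len=4, min_count=3):
    """Contiguous syscall subsequences that recur at least min_count times
    across the normal traces become macros (assumed extraction rule)."""
    counts = Counter()
    for trace in traces:
        for n in range(min_len, max_len + 1):
            for i in range(len(trace) - n + 1):
                counts[tuple(trace[i:i + n])] += 1
    return {seq for seq, c in counts.items() if c >= min_count}


class MacroMCM:
    """First-order Markov chain whose states are macro units (or lone syscalls)."""

    def __init__(self, macros, max_len=4, window=3, floor=1e-8):
        self.macros = macros
        self.max_len = max_len
        self.window = window  # consecutive unit transitions scored together
        self.floor = floor    # probability given to transitions never seen in training
        self.trans = defaultdict(Counter)
        self.threshold = None

    def segment(self, trace):
        """Greedy longest-match segmentation of a trace into macro units;
        a syscall covered by no macro becomes a one-call unit."""
        units, i = [], 0
        while i < len(trace):
            for n in range(self.max_len, 1, -1):
                cand = tuple(trace[i:i + n])
                if len(cand) == n and cand in self.macros:
                    units.append(cand)
                    i += n
                    break
            else:
                units.append((trace[i],))
                i += 1
        return units

    def transition_prob(self, a, b):
        """Maximum-likelihood P(b | a); unseen transitions get the floor."""
        row = self.trans.get(a)
        if not row or row[b] == 0:
            return self.floor
        return row[b] / sum(row.values())

    def window_scores(self, trace):
        """Log-probability of every window of `window` consecutive transitions."""
        units = self.segment(trace)
        logs = [math.log(self.transition_prob(a, b)) for a, b in zip(units, units[1:])]
        if not logs:
            return []
        w = min(self.window, len(logs))
        return [sum(logs[i:i + w]) for i in range(len(logs) - w + 1)]

    def train(self, traces):
        for trace in traces:
            units = self.segment(trace)
            for a, b in zip(units, units[1:]):
                self.trans[a][b] += 1
        # Calibration: the least likely window seen in normal data is the alarm threshold.
        self.threshold = min(s for t in traces for s in self.window_scores(t))

    def detect(self, trace):
        """(window index, score) for windows less probable than any normal window."""
        return [(i, s) for i, s in enumerate(self.window_scores(trace)) if s < self.threshold]


def build_model(traces=NORMAL_TRACES):
    model = MacroMCM(extract_macros(traces))
    model.train(traces)
    return model


if __name__ == "__main__":
    model = build_model()
    print("threshold (min normal window log-prob):", round(model.threshold, 4))
    print("held-out normal alarms:", model.detect(HELD_OUT_TRACE))
    print("anomalous trace alarms:", model.detect(ANOMALOUS_TRACE))
```

On the constructed data the three normal traces segment entirely into three four-call macros, so the chain has three states; the held-out trace produces only transitions seen in training and raises no alarm, while the anomalous trace breaks into units the chain never saw and every window falls to the floor probability. In practice the threshold calibrated this way is the tightest possible, so a deployment would add a margin (or require several low windows in a row) to keep the false alarm rate down, and the ioctl-exported kernel trace would replace the in-memory lists.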
[Degree-granting institution]: 電子科技大學 (University of Electronic Science and Technology of China)
[Degree level]: Master's
[Year conferred]: 2014
[Classification number]: TP393.08;TP316.81
Record number: 2166371
Link: http://sikaile.net/guanlilunwen/ydhl/2166371.html