《基于变长系统调用序列入侵检测的研究与实现》由会员分享,可在线阅读,更多相关《基于变长系统调用序列入侵检测的研究与实现(74页珍藏版)》请在金锄头文库上搜索。
1、南京航空航天大学 硕士学位论文 基于变长系统调用序列入侵检测的研究与实现 姓名:金涛 申请学位级别:硕士 专业:计算机应用技术 指导教师:李俊 20081201 南京航空航天大学硕士学位论文 i 摘 要 入侵检测技术是一种主动的信息安全保障措施,已成为现代计算机系统安全技术中的研究 热点。它的主要任务是按照一定的策略,对网络的运行状况进行监视,尽可能发现各种攻击行 为,以保证网络系统资源的机密性、完整性和可用性。 本文首先陈述了入侵检测的研究背景和发展, 以及入侵检测系统(IDS)的概念、 原理和分类。 其次,重点分析了基于系统调用的入侵检测方法。本文针对目前各种基于系统调用的入侵检测 技术进
2、行了研究与比较,指出现有算法的不足之处:采用固定长度的系统调用序列。为克服不 足之处,本文采用变长的系统调用序列检测方法,将 Teiresias 组合模式发现算法,这一典型的 变长模式生成算法应用到系统调用入侵检测中。 高效的模式匹配算法能够显著提高入侵检测效率。本文在分析了几个常用多模式匹配算法 的基础上, 根据理论32指导对 Wu-Manber 算法进行了改进, 结合了 Quick-Search 匹配算法的思 想,在预处理阶段构造了一个 Head 表,增加了 WM 算法的跳转距离,实验表明改进算法可以 有效地减小匹配步数,提高匹配效率。 最后, 在 Unix 环境中构建了一个基于变长系统调
3、用序列模式的入侵检测模型, 设计并实现 了数据收集模块、正常行为模式建立模块、检测模块。在数据收集模块中,采用 LKM 技术收 集程序执行的系统调用序列。模式抽取模块采用基于 Teiresias 算法的变长模式抽取方法构建程 序正常行为模式库。检测模块采用改进的 WM 算法进行入侵判断。利用新墨西哥大学提供的仿 真数据进行了实验测试,实验表明,本文提出的入侵检测模型能够有效降低模式库规模,提高 入侵判断效率。 关键词:关键词:入侵检测,系统调用序列,变长模式,Teiresias 算法,改进的 Wu-Manber 算法 基于变长系统调用序列入侵检测的研究与实现 ii ABSTRACT Intru
4、sion Detection is a hot topic in network security in recent years, and is a kind of active measure of information assurance. The task of an Intrusion Detection System (IDS) is to monitor the running of the networks according to some pre-specified policy and try to find the intrusive activities. This
5、 thesis firstly introduces the background and development of the research of Intrusion Detection, details the concept and theory of Intrusion Detection System. In this foundation, this thesis analyzes the technique of Intrusion Detection based on sequence of host system call. After research and comp
6、are these techniques of Intrusion Detection based on sequence of host system call, we point out that there biggest common shortcoming is to using fix-length system call sequence. To eliminate this drawback, we can use variable-length pattern method. In this thesis, Teiresias compound-pattern discove
7、r algorithm is used to find meaningful variable-length patterns in Intrusion Detection. The high-performance pattern-matching algorithms can significantly improve the efficiency of intrusion detection. Based on the analysis of several more common pattern-matching algorithms, this thesis improves the
8、 multi-pattern matching algorithm of Wu-Manber (WM) using the thesis of Quick Search Algorithm (QS). In WM algorithms preprocess step, a Head table is newly added and this table can increase the shift distance of WM algorithm. Experiment shows that the improved WM algorithm can effectively reduce th
9、e number of matching step to improve the efficiency of pattern matching. We design a host-based intrusion detection model under UNIX OS using variable-length system call patterns. In the model, data collection module, pattern extraction module and detection module are designed and implemented. In da
10、ta collection module, the technique of LKM is used to collect the system call sequence invoked by process. A variable-length patterns extracting approach based on Teiresias algorithm is adopted to model the normal program behavior. In detection module, the improved WM algorithm is applied to impleme
11、nt variable-length pattern matching. In the paper, we make an experiment using the emulational data provided by the University of New Mexico. The result of the experiment indicates that the intrusion detection module can effectively reduce the size of normal program behavior patterns and improve the
12、 efficiency of the intrusion detection. Key words: Intrusion detection, system call sequence, variable-length pattern, Teiresias algorithm, improved Wu-Manber algorithm 基于变长系统调用序列入侵检测的研究与实现 vi 图表清单 图 2.1 入侵检测系统的基本构成.4 图 2.2 误用入侵检测模型.9 图 2.3 异常入侵检测模型.10 图 3.1 操作系统分层图.12 图 3.2 Unix 进程的虚拟空间.13 图 3.3 系统调用以及对应的编号.14 图 3.4 系统调用的实现流程图.14 图 3.5 基于系统调用序列检测的通用模型.20 图 4.1 Aho-Corasick 算法状态自动机 .25 图 4.2Aho-Corasick 算法匹配过程.26 图 4.3Commentz-Walter 算法状态自动机.27 图 4.4Commentz-Walter 匹配过
