
Research and Implementation of Intrusion Detection Based on Variable-Length System Call Sequences

(Original Chinese title: 基于变长系统调用序列入侵检测的研究与实现)

【Author】 金涛 (Jin Tao)

【Supervisor】 李俊 (Li Jun)

【Author information】 Nanjing University of Aeronautics and Astronautics, Computer Application Technology, 2009, Master's thesis

【Abstract (translated from the Chinese)】 Intrusion detection is an active information-security measure and has become a research hotspot in modern computer-system security. Its main task is to monitor the operation of a network according to a given policy and to discover as many attacks as possible, so as to protect the confidentiality, integrity and availability of network system resources. This thesis first reviews the background and development of intrusion detection research and the concept, principles and classification of intrusion detection systems (IDS). It then concentrates on intrusion detection methods based on system calls. Existing system-call-based techniques are studied and compared, and their common shortcoming is identified: they use fixed-length system call sequences. To overcome this, the thesis adopts a variable-length system call sequence method, applying the Teiresias combinatorial pattern discovery algorithm, a typical variable-length pattern generation algorithm, to system-call-based intrusion detection. An efficient pattern matching algorithm can markedly improve detection efficiency. After analysing several common multi-pattern matching algorithms, the thesis improves the Wu-Manber (WM) algorithm under the guidance of the theory in [32], incorporating the idea of the Quick-Search matching algorithm: a Head table is constructed in the preprocessing phase to increase the WM shift distance. Experiments show that the improved algorithm effectively reduces the number of matching steps and raises matching efficiency. Finally, an intrusion detection model based on variable-length system call sequence patterns is built in a Unix environment, and a data collection module, a normal-behaviour pattern construction module and a detection module are designed and implemented. The data collection module uses LKM (loadable kernel module) technology to collect the system call sequences of executing programs; the pattern extraction module builds the program's normal-behaviour pattern library with a Teiresias-based variable-length pattern extraction method; the detection module uses the improved WM algorithm for intrusion judgement. Experiments on the simulation data provided by the University of New Mexico show that the proposed model effectively reduces the size of the pattern library and improves the efficiency of intrusion judgement.

【Abstract】 Intrusion detection has been a hot topic in network security in recent years and is an active measure of information assurance. The task of an Intrusion Detection System (IDS) is to monitor the operation of networks according to a pre-specified policy and try to find intrusive activities. This thesis first introduces the background and development of intrusion detection research and details the concept and theory of intrusion detection systems. On this foundation, it analyses intrusion detection techniques based on sequences of host system calls. After studying and comparing these techniques, we point out that their biggest common shortcoming is the use of fixed-length system call sequences. To eliminate this drawback, a variable-length pattern method can be used: in this thesis, the Teiresias compound-pattern discovery algorithm is used to find meaningful variable-length patterns for intrusion detection. High-performance pattern-matching algorithms can significantly improve the efficiency of intrusion detection. Based on an analysis of several common pattern-matching algorithms, the thesis improves the Wu-Manber (WM) multi-pattern matching algorithm using the idea of the Quick Search (QS) algorithm: a Head table is added in the WM preprocessing step, and this table increases the shift distance of the WM algorithm. Experiments show that the improved WM algorithm effectively reduces the number of matching steps and so improves the efficiency of pattern matching. We design a host-based intrusion detection model under UNIX using variable-length system call patterns. In the model, a data collection module, a pattern extraction module and a detection module are designed and implemented. In the data collection module, LKM technology is used to collect the system call sequences invoked by processes.
A variable-length pattern extraction approach based on the Teiresias algorithm is adopted to model normal program behaviour. In the detection module, the improved WM algorithm is applied to implement variable-length pattern matching. Experiments use the simulation data provided by the University of New Mexico. The results indicate that the intrusion detection model effectively reduces the size of the normal program behaviour pattern set and improves the efficiency of intrusion detection.
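The abstract describes two mechanisms without showing them: Wu-Manber multi-pattern matching over system-call sequences, and a Quick-Search-style Head table that lengthens the WM shift. The following is an added example written for this page, not code from the thesis. It implements WM over a symbol alphabet of system-call names (SHIFT and HASH tables built from the first m symbols of each pattern, m being the shortest pattern length), counts window steps with and without the Head table, and applies a coverage-based decision rule. The page does not say how the thesis builds its Head table; the construction here (inspect the symbol just past the current window and shift to its rightmost occurrence in any pattern prefix, or past it if it occurs nowhere, taking the larger of that and the WM shift) is an assumption, as are the pattern set, the traces, the function names and the uncovered-fraction decision rule, all of which are constructed for the example.

```python
"""Wu-Manber (WM) multi-pattern matching over system-call sequences, with an
optional Quick-Search-style Head table that lengthens the window shift.

Added example; not code from the thesis.  The page states only that the
thesis adds a Head table in WM preprocessing to increase the shift distance.
The construction used here (the Quick-Search rule: inspect the symbol just
past the current window and shift so that it aligns with its rightmost
occurrence in any pattern prefix, or past it if it occurs nowhere) is an
assumption about the thesis's design.
"""
from collections import defaultdict

# Constructed sample data (not from the thesis or the UNM data set):
# normal-behaviour patterns of variable length, as a Teiresias-style
# extractor would produce, and two process traces to scan.
PATTERNS = [
    ("open", "read", "close"),
    ("mmap", "mprotect", "munmap", "brk"),
    ("fstat", "mmap", "read", "read", "close"),
]
NORMAL_TRACE = ["execve", "brk", "open", "read", "close", "mmap", "mprotect",
                "munmap", "brk", "fstat", "mmap", "read", "read", "close", "exit"]
ABNORMAL_TRACE = ["open", "read", "read", "write", "close"]


class WuManber:
    """WM over a symbol alphabet (system-call names) with blocks of B symbols."""

    def __init__(self, patterns, block=2, use_head=False):
        self.patterns = [tuple(p) for p in patterns]
        self.block = block
        self.use_head = use_head
        # The scanning window is as long as the shortest pattern; only the
        # first m symbols of each pattern take part in the tables.
        self.m = min(len(p) for p in self.patterns)
        if self.m < block:
            raise ValueError("shortest pattern must be at least one block long")
        self.default_shift = self.m - block + 1
        self.shift = {}                      # block -> safe window shift
        self.hash_table = defaultdict(list)  # last block of prefix -> candidates
        self.head = {}                       # symbol -> Quick-Search shift
        for p in self.patterns:
            prefix = p[:self.m]
            for end in range(block, self.m + 1):
                blk = prefix[end - block:end]
                self.shift[blk] = min(self.shift.get(blk, self.default_shift),
                                      self.m - end)
            self.hash_table[prefix[-block:]].append(p)
            for k, sym in enumerate(prefix):
                # m - k aligns the next text symbol with the occurrence at k;
                # min keeps the rightmost occurrence over all patterns.
                self.head[sym] = min(self.head.get(sym, self.m + 1), self.m - k)

    def search(self, text):
        """Return (matches, window_steps); matches are (start, pattern)."""
        text = list(text)
        matches, steps = [], 0
        i = self.m                      # current window is text[i-m:i]
        while i <= len(text):
            steps += 1
            blk = tuple(text[i - self.block:i])
            s = self.shift.get(blk, self.default_shift)
            if s == 0:
                # Block matches the end of some prefix: verify candidates.
                start = i - self.m
                for p in self.hash_table.get(blk, []):
                    if tuple(text[start:start + len(p)]) == p:
                        matches.append((start, p))
                s = 1                   # plain WM: creep forward by one
            if self.use_head and i < len(text):
                # Head table: both shifts are safe lower bounds, take the larger.
                s = max(s, self.head.get(text[i], self.m + 1))
            i += s
        return matches, steps


def uncovered_fraction(trace, matcher):
    """Fraction of the trace not covered by any normal pattern.  Flagging a
    trace whose uncovered fraction exceeds a threshold is a hypothetical
    decision rule chosen for this example, not the thesis's criterion."""
    matches, _ = matcher.search(trace)
    covered = set()
    for start, p in matches:
        covered.update(range(start, start + len(p)))
    return 1.0 - len(covered) / len(trace)


if __name__ == "__main__":
    plain = WuManber(PATTERNS)
    fast = WuManber(PATTERNS, use_head=True)
    for name, trace in (("normal", NORMAL_TRACE), ("abnormal", ABNORMAL_TRACE)):
        m1, s1 = plain.search(trace)
        m2, s2 = fast.search(trace)
        assert m1 == m2                 # the Head table never loses a match
        print(f"{name}: {len(m1)} matches, WM steps {s1}, WM+Head steps {s2}, "
              f"uncovered {uncovered_fraction(trace, fast):.2f}")
```

On the constructed normal trace both matchers find the same three pattern occurrences, but the Head table brings the number of examined windows from 9 down to 7; on the abnormal trace nothing matches and the whole trace is uncovered. The Head shift is safe because it is computed only from the first m symbols of every pattern, so any occurrence that starts inside the skipped region would have had to place one of those symbols at the inspected position.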
