Research on Intrusion Detection Technology Based on Linux Process Behavior
Published: 2018-08-05 16:41
[Abstract]: With the frequent occurrence of all kinds of network security problems, intrusion detection, which can actively defend against attacks, has gradually become a hot topic in security research. Intruders attacking a system mostly do so by attacking privileged processes. A privileged process performs a few specific tasks, so its behaviour trace during normal execution is relatively stable, and the deviation caused by an intrusion is easy to capture. On this basis, this thesis proposes intrusion detection based on Linux process behaviour, protecting the host by monitoring certain privileged processes in the Linux system; experiments show that the method detects intrusions aimed at the host well. The collection of training data and the choice of modelling method are the two main factors that determine detection efficiency. For data collection, we analyse the differences an attack may introduce between normal and intrusive behaviour and propose the system call sequence as the data source for intrusion detection. A loadable kernel module (LKM) collects the data in the kernel, analysis and processing are carried out in user space, and the data is shared between the two through ioctl. Once the training data is complete, the detection model must be built. We study several existing anomaly detection algorithms based on system call sequences, analyse and compare their respective strengths and weaknesses, and propose a Markov chain anomaly detection model based on system call macros (Macro MCM). During modelling, regular short system call sequences that recur frequently in the program's normal behaviour trace are extracted as independent basic units (macros), and the Macro MCM is built with macros as its basic units. During detection, system call data is read one call at a time and matched against the macros, and the probability of the consecutive macro sequence is used to decide whether an intrusion has occurred. To verify the feasibility of the proposed model, a system call collection module, a preprocessing module, a Macro MCM training module and a detection module were designed and implemented on Linux. The experimental results show that the model detects better than first- and second-order Markov chain models over raw system calls; without a noticeable increase in the false positive rate, its detection efficiency is higher than that of HMM and comparable to DBCPIDS, while its computational complexity is clearly better than both. Finally, several intrusion response methods suitable for the implemented model are proposed, and the situations each of them fits are analysed.
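The three steps the abstract describes (extract recurring short call sequences as macros, build a Markov chain over macro tokens, then score a live trace by the probability of consecutive tokens) can be illustrated in a few dozen lines. The following Python is an added example written for this page, not the thesis's implementation. Everything it fixes that the abstract leaves open is an assumption: macros are taken to be length-3 n-grams recurring at least 4 times in the training traces, matching is greedy left to right, and a trace is flagged when any window of 3 consecutive transitions falls below a probability threshold. The traces are constructed by hand with syscall names; a real collector would deliver syscall numbers from the kernel side (the thesis uses an LKM with ioctl for that).

```python
"""Toy "Macro MCM": a first-order Markov chain over system-call macros.

Added illustration, not the thesis's code. Assumed details (not fixed by the
abstract): macro = length-MACRO_LEN n-gram recurring >= MIN_MACRO_FREQ times;
greedy left-to-right matching; alarm when a window of WINDOW transitions has
joint probability below THRESHOLD. All traces below are constructed samples.
"""
import math
from collections import Counter, defaultdict

MACRO_LEN = 3        # length of a macro (assumption)
MIN_MACRO_FREQ = 4   # recurrences needed for an n-gram to become a macro (assumption)
SMOOTH = 1e-6        # probability given to a transition never seen in training
WINDOW = 3           # consecutive transitions scored together
THRESHOLD = 1e-9     # alarm when a window's joint probability is below this

# Constructed "normal" traces: a privileged daemon's accept/serve loop.
NORMAL_TRACES = [
    ["accept", "open", "read", "close", "write",
     "accept", "open", "read", "close", "write",
     "accept", "open", "read", "close", "write", "exit"],
    ["accept", "open", "read", "close", "write",
     "accept", "open", "read", "close", "write", "exit"],
]


def extract_macros(traces, k=MACRO_LEN, min_freq=MIN_MACRO_FREQ):
    """Return the k-grams that recur often enough in normal traces to be macros."""
    counts = Counter()
    for trace in traces:
        for i in range(len(trace) - k + 1):
            counts[tuple(trace[i:i + k])] += 1
    return {gram for gram, n in counts.items() if n >= min_freq}


def tokenize(trace, macros, k=MACRO_LEN):
    """Read calls one at a time; emit a macro where one matches, else the bare call."""
    tokens, i = [], 0
    while i < len(trace):
        gram = tuple(trace[i:i + k])
        if gram in macros:
            tokens.append(gram)   # the tuple token stands for the whole macro
            i += k
        else:
            tokens.append(trace[i])
            i += 1
    return tokens


def train_mcm(traces, macros):
    """Estimate P(next token | current token) from the tokenized normal traces."""
    counts = defaultdict(Counter)
    for trace in traces:
        toks = tokenize(trace, macros)
        for cur, nxt in zip(toks, toks[1:]):
            counts[cur][nxt] += 1
    model = {}
    for cur, row in counts.items():
        total = sum(row.values())
        model[cur] = {nxt: n / total for nxt, n in row.items()}
    return model


def min_window_probability(trace, model, macros, window=WINDOW):
    """Lowest joint probability over any `window` consecutive token transitions."""
    toks = tokenize(trace, macros)
    probs = [model.get(cur, {}).get(nxt, SMOOTH) for cur, nxt in zip(toks, toks[1:])]
    if not probs:
        return 1.0
    window = min(window, len(probs))
    logs = [math.log(p) for p in probs]          # sum logs to avoid underflow
    return math.exp(min(sum(logs[i:i + window]) for i in range(len(logs) - window + 1)))


def is_intrusion(trace, model, macros, threshold=THRESHOLD):
    """True when some window of consecutive transitions is implausibly rare."""
    return min_window_probability(trace, model, macros) < threshold


if __name__ == "__main__":
    macros = extract_macros(NORMAL_TRACES)
    model = train_mcm(NORMAL_TRACES, macros)
    # Constructed intrusion trace: the daemon is driven into spawning a privileged shell.
    attack = ["accept", "open", "read", "close", "write",
              "execve", "setuid", "fork", "execve", "exit"]
    # Constructed benign deviation: one extra write, otherwise the known loop.
    benign = ["accept", "open", "read", "close", "write", "write", "exit"]
    for name, t in (("normal", NORMAL_TRACES[1]), ("benign", benign), ("attack", attack)):
        print(name, tokenize(t, macros), is_intrusion(t, model, macros))
```

With these settings the three core n-grams of the loop become macros, the normal trace tokenizes to `macro, close, write, macro, close, write, exit`, and a single never-seen transition (the benign trace) stays above the threshold while a run of several unseen transitions (the attack trace) drops far below it. Smoothing and the window width are the two knobs that trade false positives against missed detections, which is the same trade-off the abstract reports against HMM and DBCPIDS.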
【Degree-granting institution】: University of Electronic Science and Technology of China
【Degree level】: Master's
【Year awarded】: 2014
【Classification number】: TP393.08;TP316.81
Article ID: 2166371
Article link: https://www.wllwen.com/guanlilunwen/ydhl/2166371.html