
The Research And Design Of Behavior-based Host Intrusion Prevention System

Posted on: 2007-11-18
Degree: Master
Type: Thesis
Country: China
Candidate: C G Li
GTID: 2178360212975763
Subject: Military Equipment
Abstract/Summary:
With the spread of network applications, network security is receiving growing attention. Today, firewalls, IDS and anti-virus software are the main defensive security solutions. Because of their limitations, in particular their inability to react proactively and promptly to new kinds of attack, a new kind of proactive intrusion defense solution is urgently needed. We therefore research host-based intrusion prevention systems (HIPS). In this thesis, we study key technical problems in the design and development of behavior-based HIPS from both theoretical and practical perspectives. We have seven principal achievements:

1. By analyzing many network attack instances, we summarize the lifecycle and behavior of malware attacks and explain how behavior-based HIPS works.
2. To address the shortcomings in how current behavior-based HIPS are implemented, we apply filter driver technology to check user behavior in Windows 2000.
3. By analyzing the working mechanism and process of malware, we generalize the meaning of behavior-based HIPS from the perspective of OS access control.
4. We design an integrated security model based on DTE and BLP that can describe the confidentiality and integrity requirements of a system security policy. By using the DTEL policy language, we reduce the complexity of policy definition and the conflicts among policies.
5. We apply the security policy model we defined to the Windows 2000 OS. We define the classes, attributes and permissions in the security policy model, and map the classes to kernel variables and the permissions to certain system calls.
6. To support multiple security policies, we apply the Flask security architecture to the system design.
7. Using filter driver and system call hook technology, we implement all system components. Following the Windows 2000 startup steps, we determine the loading time and order of all system components.

In a lab environment, we test the prototype system's performance and its ability to withstand attacks. In short, the achievements presented in this thesis provide techniques and experience for the research and design of host-based intrusion prevention systems.
Keywords/Search Tags:host-based intrusion prevention system (HIPS), behavior-based, multi-policy security, security model, domain and type enforcement, BLP, Flask, holding-up technology