
Research On Hybrid Intrusion Prevention System Based On The Kernel Of Host Operation System

Posted on: 2006-08-31
Degree: Master
Type: Thesis
Country: China
Candidate: C H Li
Full Text: PDF
GTID: 2178360182469357
Subject: Mechanical design and theory
Abstract/Summary:
Firewalls and IDS (Intrusion Detection Systems) are among the most important current solutions for network security. A firewall only provides security at the network boundary and cannot substitute for the functions of a complete security system; a signature-based IDS can only identify very specific and acute attack signatures, and its ability against unknown intrusions is weak. The linked security systems that appeared later, coupling an intrusion detection system with a firewall, have no standard interface and are more difficult to maintain; at the same time, their passivity and lag have not been solved. In recent years, more and more people have begun to study a new active system, the IPS (Intrusion Prevention System). IPSs are divided into host-based IPS and network-based IPS. Each has advantages the other lacks, and each can detect some intrusion behaviours the other cannot. A hybrid system that integrates them together will provide a more secure network. This paper analyzes the advantages and disadvantages of firewalls and intrusion detection systems in detail. It then presents a hybrid IPS based on the kernel of the host operating system. It studies the architecture and some key techniques, such as network packet blocking, protocol decoding, process protection and file protection. This paper designs a hybrid IPS that protects the host from three major aspects: the network, important processes and important file resources. Finally, some relevant experiments were performed on this system. Because the system has both network monitoring and host monitoring, it can provide appropriate countermeasures to attacks from the extranet against the intranet and to attacks launched from the keyboard of the host computer itself. The system can also execute defensive actions without human intervention and can block packets in real time. It works in the kernel of the target host computer using a kernel-mode driver.
It provides active protection for the information security of personal users by applying access control technology to key resources based on strong authentication. When it runs on a network server or database server, the system can also protect the application system and the database system. The research results of this paper have certain theoretical and practical value for the information security of networks.
Keywords/Search Tags: Network Security, Hybrid Intrusion Prevention System, Kernel-Mode Driver