With computer security problems now pervasive, intrusion detection has become an important research direction, and anomaly detection in particular, because it can detect previously unknown attacks, has received growing attention. Existing approaches to host-based anomaly detection mostly take system calls as their data source and build their models over system-call sequences. After analysing the various anomaly detection methods, this thesis designs a new approach that takes the LSM (Linux Security Modules) data supported by Linux kernel 2.6.9 as its data source and builds a Hidden Markov Model (HMM) over it to detect intrusions. Because LSM was designed specifically for Linux security, and its data extraction points (the LSM hooks) sit inside system calls and kernel functions, analysis shows that LSM data carries more detailed information, and more security-relevant information, than the system-call sequence alone. The thesis studies how to extract LSM sequences from application programs and pre-process them, and how to train on the captured LSM sequences to construct the HMM before detection begins. A new detection algorithm then checks the monitored program's LSM sequence in real time.

To validate LSM data as a data source and the detection capability of the approach, an anomaly detection prototype, HIDS, is designed and implemented; it extracts LSM data from the monitored program and constructs an HMM from it. HIDS uses netlink and related technologies and consists of four modules: the LSM monitor module, the kernel/user-space communication module, the HMM event analysis module, and the detection record and response module. The first two run in kernel space, the last two in user space. HIDS load performance, the training experiment and simulated attacks were tested. The results show that LSM is an effective data source for anomaly detection: the method, which adopts LSM data under Linux and builds a Hidden Markov Model to detect anomalies, is feasible and produces good detection results.
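As an added illustration (not the thesis's HIDS code, and not its "new detection algorithm", which the abstract does not describe), the following Python sketch shows the user-space half of the pipeline described above: a per-program HMM trained with plain Baum-Welch on a sequence of LSM hook names, then a sliding window scored with the scaled forward algorithm so that an unseen hook, or a known hook in an unexpected position, drives the per-hook log-likelihood below a threshold learned from normal runs. It assumes the kernel-side LSM monitor has already delivered the ordered hook names for one program over netlink; the program, both traces, the four states, the six-hook window, the 0.5 margin and the 1e-10 floor are all hypothetical choices made for the example. The hook names are those of the LSM interface.

```python
# Added example, not the HIDS prototype's code: an HMM over a program's LSM hook
# sequence.  The kernel side is assumed to have delivered the hook names over
# netlink; both traces below are constructed by hand.
import math
import random

UNKNOWN = "<unseen-hook>"   # reserved symbol for hooks never seen in training
FLOOR = 1e-10               # floor applied after training: an unseen hook then
                            # scores very low instead of log(0)  (hand-picked)
WINDOW = 6                  # hooks per scored window (hand-picked)

# Constructed normal trace: exec, read a config file, map a library, then
# serve network requests in a loop.
NORMAL_TRACE = (
    ["bprm_check_security", "inode_permission", "file_permission", "file_mmap"]
    + ["socket_create", "socket_connect", "socket_sendmsg", "socket_recvmsg",
       "inode_permission", "file_permission"] * 30)
# Constructed attack trace: the same program changes credentials and execs a
# new image mid-stream, as it would after a successful exploit.
ATTACK_TRACE = (NORMAL_TRACE[:64]
                + ["task_setuid", "bprm_check_security", "inode_permission"]
                + NORMAL_TRACE[64:])

def build_vocab(trace):
    """Index every hook seen in training, plus one slot for unseen hooks."""
    vocab = {}
    for hook in trace:
        vocab.setdefault(hook, len(vocab))
    vocab[UNKNOWN] = len(vocab)
    return vocab

def encode(trace, vocab):
    return [vocab.get(hook, vocab[UNKNOWN]) for hook in trace]

def forward(start, A, B, obs):
    """Scaled forward pass: normalised alphas plus scale factors, with
    log P(obs) = sum(log(scale))."""
    N, alphas, scales, prev = len(start), [], [], None
    for t, o in enumerate(obs):
        if t == 0:
            cur = [start[i] * B[i][o] for i in range(N)]
        else:
            cur = [B[j][o] * sum(prev[i] * A[i][j] for i in range(N)) for j in range(N)]
        s = sum(cur)
        prev = [a / s for a in cur]
        alphas.append(prev)
        scales.append(s)
    return alphas, scales

def backward(A, B, obs, scales):
    """Scaled backward pass matching forward(): alpha[t][i] * beta[t][i] is the
    posterior state probability gamma[t][i]."""
    N, T = len(A), len(obs)
    betas = [None] * T
    betas[T - 1] = [1.0] * N
    for t in range(T - 2, -1, -1):
        betas[t] = [sum(A[i][j] * B[j][obs[t + 1]] * betas[t + 1][j]
                        for j in range(N)) / scales[t + 1] for i in range(N)]
    return betas

def baum_welch(obs, n_states, n_symbols, iters=80, seed=1):
    """Plain Baum-Welch (EM) from a near-uniform seeded start.  Returns pi, A, B
    and the training log-likelihood recorded before each iteration."""
    rng = random.Random(seed)
    def row(n):
        r = [1.0 + 0.2 * rng.random() for _ in range(n)]
        s = sum(r)
        return [x / s for x in r]
    N, T = n_states, len(obs)
    pi, A, B = row(N), [row(N) for _ in range(N)], [row(n_symbols) for _ in range(N)]
    history = []
    for _ in range(iters):
        alpha, scale = forward(pi, A, B, obs)
        beta = backward(A, B, obs, scale)
        history.append(sum(math.log(s) for s in scale))
        gamma = [[alpha[t][i] * beta[t][i] for i in range(N)] for t in range(T)]
        new_A, new_B = [], []
        for i in range(N):
            occ = sum(gamma[t][i] for t in range(T - 1))   # expected time in state i
            new_A.append([sum(alpha[t][i] * A[i][j] * B[j][obs[t + 1]] * beta[t + 1][j]
                              / scale[t + 1] for t in range(T - 1)) / occ
                          for j in range(N)] if occ > 0 else A[i])
            counts = [0.0] * n_symbols
            for t in range(T):
                counts[obs[t]] += gamma[t][i]
            total = occ + gamma[T - 1][i]
            new_B.append([c / total for c in counts] if total > 0 else B[i])
        pi, A, B = gamma[0][:], new_A, new_B      # all updates use the old parameters
    return pi, A, B, history

def smooth(rows, floor=FLOOR):
    """Floor every probability and renormalise each row."""
    out = []
    for r in rows:
        r = [max(p, floor) for p in r]
        s = sum(r)
        out.append([p / s for p in r])
    return out

def fit(trace, n_states=4, iters=80, seed=1):
    """Train the per-program model on one normal trace."""
    vocab = build_vocab(trace)
    obs = encode(trace, vocab)
    pi, A, B, history = baum_welch(obs, n_states, len(vocab), iters, seed)
    A, B = smooth(A), smooth(B)
    # A scored window may start anywhere in the program's life, so windows are
    # started from the average state occupancy rather than the trained pi.
    alpha, scale = forward(pi, A, B, obs)
    beta = backward(A, B, obs, scale)
    occupancy = [sum(alpha[t][i] * beta[t][i] for t in range(len(obs))) / len(obs)
                 for i in range(n_states)]
    return {"vocab": vocab, "A": A, "B": B, "start": smooth([occupancy])[0],
            "history": history}

def window_scores(model, trace, window=WINDOW):
    """Per-hook log-likelihood of every sliding window of the trace."""
    obs = encode(trace, model["vocab"])
    scores = []
    for i in range(len(obs) - window + 1):
        _, scale = forward(model["start"], model["A"], model["B"], obs[i:i + window])
        scores.append(sum(math.log(s) for s in scale) / window)
    return scores

def threshold_from_normal(model, normal_trace, margin=0.5):
    """Alert threshold: the worst-scoring normal window minus a hand-picked margin."""
    return min(window_scores(model, normal_trace)) - margin

def detect(model, trace, threshold):
    """(offset, score, hooks) for every window scoring below the threshold."""
    return [(i, s, trace[i:i + WINDOW])
            for i, s in enumerate(window_scores(model, trace)) if s < threshold]

if __name__ == "__main__":
    model = fit(NORMAL_TRACE)
    thr = threshold_from_normal(model, NORMAL_TRACE)
    print("training log-likelihood %.1f -> %.1f, threshold %.3f per hook"
          % (model["history"][0], model["history"][-1], thr))
    for offset, score, hooks in detect(model, ATTACK_TRACE, thr):
        print("ALERT at hook %d (score %.3f): %s" % (offset, score, " ".join(hooks)))
```

In a deployed system the same `window_scores` computation would run on each window as hook names arrive from the kernel module, which is the real-time detection the abstract describes; here everything is offline. Two details matter in practice: the unseen-hook slot plus the post-training floor keep a never-seen hook (here `task_setuid`) from producing a log of zero while still scoring it far below any normal window, and the transition matrix `A` is what lets the model also penalise known hooks appearing in an unusual order, which a plain hook whitelist cannot do. The number of states, the window length and the margin all need tuning against the false-alarm rate on real traces.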