With the rapid development of computers and network technology, the real world is increasingly dependent on computer systems. On the one hand, people enjoy the tremendous progress that information technology has brought; on the other hand, they have to face growing information security threats, especially those caused by malicious code (viruses, Trojans, worms, etc.).

We propose a host intrusion prevention system for Windows, called WinHIPS, that controls, entirely in kernel mode, the invocation of the system calls that are critical to the security of the Windows OS. WinHIPS is implemented as a kernel driver that uses the kernel structures of the Windows OS. It is integrated without requiring changes to either the kernel data structures or the kernel algorithms, and it is transparent to application processes, which continue to work correctly without source code changes or recompilation. The working prototype is applicable to all Windows NT family operating systems, e.g. Windows 2000/XP/2003.

In this thesis, we study several key technical problems in the design and development of a behavior-based WinHIPS, from both theoretical and practical aspects:

1. The first contribution of WinHIPS is to apply the system call interposition technique to the Windows OS, which is not open source. Applying this technique to Windows is not straightforward, because the Windows kernel structures are hidden from the developer and the kernel documentation is poor, so the implementation is difficult.
2. Because current behavior-based HIPS lack mature implementation techniques, we apply filter driver technology to check user behavior in Windows.
3. Using filter driver and system call hook technology, we implement the whole system.
4. We apply the security policy model that we have defined to Windows, mapping its classes to kernel variables and its permits to specific system calls.
5. By analyzing the working mechanism and course of malware, we derive the ACB (Access Control Base) of the behavior-based WinHIPS from the OS access control perspective.

Finally, we test the performance of the system and its ability to withstand attacks on the system, and hope to provide some techniques and experience for the research and design of HIPS.
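The policy model described in items 4 and 5 maps subject classes to permits on particular system calls, and the ACB is the rule set consulted when a critical call is intercepted. The following is an added example, not the WinHIPS driver code from the thesis: it is a user-mode Python simulation of that decision step. The class names (`system`, `user`, `untrusted`), the classification of a process by its image path, the choice of system calls and the rules in the ACB are all assumptions constructed for illustration; the real driver would take the image name and other attributes from kernel structures, and any classification based on a spoofable attribute such as a path is only as strong as that attribute.

```python
"""Simulated behavior-based HIPS policy check (added example, not thesis code)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Tuple


@dataclass(frozen=True)
class Subject:
    pid: int
    image: str   # full path of the process image (assumed source of the class)
    cls: str     # security class: "system", "user" or "untrusted" (assumed)


@dataclass(frozen=True)
class Rule:
    cls: str      # subject class the rule applies to, "*" = any class
    syscall: str  # intercepted system call, "*" = any call
    target: str   # glob over the object the call touches (path, key, pid)
    verdict: str  # "allow" or "deny"


# Constructed Access Control Base: rules are evaluated in order, first match wins.
# The targets mirror behaviours a HIPS typically treats as suspicious for code
# of low trust (writing into the system directory, adding autostart entries,
# opening other processes, loading drivers); they are assumptions, not the
# thesis's ACB.
ACB: List[Rule] = [
    Rule("system", "*", "*", "allow"),
    Rule("untrusted", "NtCreateFile", r"\??\C:\Windows\System32\*", "deny"),
    Rule("untrusted", "NtSetValueKey", r"*\CurrentVersion\Run\*", "deny"),
    Rule("untrusted", "NtOpenProcess", "pid:*", "deny"),
    Rule("*", "NtLoadDriver", "*", "deny"),
]

# A HIPS is meant to be transparent to ordinary software, so calls that match
# no rule pass through unchanged.
DEFAULT_VERDICT = "allow"


def classify(image: str) -> str:
    """Assign a subject class from the image path (assumed classification rule)."""
    p = image.lower()
    if p.startswith(r"c:\windows\system32" + "\\"):
        return "system"
    if "\\downloads\\" in p or "\\temp\\" in p:
        return "untrusted"
    return "user"


def decide(subject: Subject, syscall: str, target: str) -> str:
    """Return the verdict for one intercepted call by consulting the ACB."""
    for rule in ACB:
        if rule.cls not in ("*", subject.cls):
            continue
        if rule.syscall not in ("*", syscall):
            continue
        # Case-insensitive glob match, since Windows object names are not case-sensitive.
        if not fnmatchcase(target.lower(), rule.target.lower()):
            continue
        return rule.verdict
    return DEFAULT_VERDICT


def simulate(trace: List[Tuple[int, str, str, str]]) -> List[Tuple[int, str, str]]:
    """Run a trace of (pid, image, syscall, target) through the policy.

    Returns (pid, syscall, verdict) per call, i.e. the audit record a HIPS
    would keep for each interposed system call.
    """
    records = []
    for pid, image, syscall, target in trace:
        subj = Subject(pid, image, classify(image))
        records.append((pid, syscall, decide(subj, syscall, target)))
    return records


# Constructed sample trace, not captured from a real system.
SAMPLE_TRACE = [
    (4, r"C:\Windows\System32\svchost.exe", "NtLoadDriver",
     r"\Registry\Machine\System\CurrentControlSet\Services\tcpip"),
    (1200, r"C:\Users\alice\Downloads\setup.exe", "NtCreateFile",
     r"\??\C:\Windows\System32\drivers\rootkit.sys"),
    (1200, r"C:\Users\alice\Downloads\setup.exe", "NtSetValueKey",
     r"\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\Run\setup"),
    (2300, r"C:\Program Files\Editor\editor.exe", "NtCreateFile",
     r"\??\C:\Users\alice\Documents\notes.txt"),
    (2300, r"C:\Program Files\Editor\editor.exe", "NtLoadDriver",
     r"\Registry\Machine\System\CurrentControlSet\Services\editor"),
]

if __name__ == "__main__":
    for pid, syscall, verdict in simulate(SAMPLE_TRACE):
        print(f"pid={pid:<5} {syscall:<14} {verdict}")
```

The first-match ordering is what lets a single ACB express both a blanket permit for the `system` class and targeted denials for low-trust code; when adding rules, the more specific entries must precede the broader ones or they will never be reached.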