
Research On Analysis Model Of Process Behavior

Posted on: 2014-06-26
Degree: Master
Type: Thesis
Country: China
Candidate: H X Shi
Full Text: PDF
GTID: 2268330401467206
Subject: Information and Communication Engineering
Abstract/Summary:
This thesis surveys the current security situation and the state of research on process behavior analysis, and emphasizes the importance of intrusion detection based on monitoring process behavior. Its purpose is to propose a process behavior analysis model based on system call parameter information.

In the process data acquisition phase, the thesis analyzes four major kernel-level system call interception methods and their shortcomings, then proposes a method that intercepts system calls by modifying the interrupt descriptor table (IDT) and implements it as a loadable kernel module (LKM). To motivate a better detection model, experiments are run on classic models based on sequences of system calls, such as STIDE, KNN and HMM; from the results, the advantages and disadvantages of these models are summarized.

The thesis then presents a process behavior analysis model called A-LERAD, based on system call parameter information. A-LERAD extracts the arguments, return value and error status of each system call and characterizes process behavior with these attributes. To build a database of normal process behavior, a rule learning algorithm named LERAD is presented; it adds system call attributes to the rules that describe process behavior and generates a rule set describing normal behavior. In the training phase the model uses LERAD to generate a minimal set of normal behavior rules; in the testing phase it scores process behavior against that set, and behavior whose anomaly score exceeds a preset threshold is considered abnormal.

To validate A-LERAD, the thesis proposes three further models based on the LERAD algorithm: a LERAD model based on the sequence of system calls; one that merges the system call sequence with the argument information of the current system call; and one that merges the system call sequence with the argument information of all system calls in the sequence.

Finally, experiments show that A-LERAD performs best among these models: it detects unknown attacks and abnormal behaviors with high accuracy and a low false alarm rate. The thesis closes by discussing how to improve behavior analysis models based on system call parameter information and proposes using a better rule learning algorithm to improve the efficiency of A-LERAD.
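The rule-based part of the model described above, as an added example that is not code from the thesis: rules of the form "if syscall name (and optionally one argument) then attribute in allowed set" are learned from a clean trace over name, arguments, return value and errno, pruned on a validation trace as LERAD does, and each new record is scored as the sum of t * n / r over the rules it violates (n = supporting training records, r = distinct allowed values, t = time since that rule last fired), then compared to a threshold. Two simplifications are assumptions of this example, not the thesis's method: candidate antecedents use a fixed structure instead of LERAD's random-pair sampling, and t counts records rather than seconds. The training, validation and attack records are constructed; the kernel-side IDT/LKM interception is not part of the example. The oversized write shows what a pure sequence model (STIDE, KNN, HMM) cannot see: the syscall order is identical to normal traffic and only the argument and return value differ.

```python
"""A-LERAD-style rule learning over system call attributes (added example)."""

# Attributes recorded per intercepted system call: 'arg0'/'arg1' are the first
# two arguments, 'ret' the return value, 'errno' the error status.
ATTRS = ("name", "arg0", "arg1", "ret", "errno")


def rec(name, arg0, arg1, ret, errno):
    return dict(zip(ATTRS, (name, arg0, arg1, ret, errno)))


# Constructed training trace of a process serving files under /var/www.
TRAIN = [
    rec("open", "/var/www/index.html", "O_RDONLY", 3, 0),
    rec("read", 3, 4096, 1187, 0),
    rec("write", 4, 1187, 1187, 0),
    rec("close", 3, None, 0, 0),
    rec("open", "/var/www/style.css", "O_RDONLY", 3, 0),
    rec("read", 3, 4096, 512, 0),
    rec("write", 4, 512, 512, 0),
    rec("close", 3, None, 0, 0),
    rec("open", "/var/www/missing.html", "O_RDONLY", -1, 2),  # ENOENT is normal here
    rec("open", "/var/www/index.html", "O_RDONLY", 3, 0),
    rec("read", 3, 4096, 1187, 0),
    rec("write", 4, 1187, 1187, 0),
    rec("close", 3, None, 0, 0),
]
# Constructed clean validation trace: a page not seen during training.
VALIDATE = [rec("open", "/var/www/about.html", "O_RDONLY", 3, 0)]

BENIGN = rec("open", "/var/www/index.html", "O_RDONLY", 3, 0)
ATTACK_OPEN = rec("open", "/etc/passwd", "O_WRONLY", 5, 0)   # unseen flag and fd
ATTACK_WRITE = rec("write", 4, 65536, 65536, 0)              # same sequence, odd size


def antecedents(record, extra=("arg0", "arg1")):
    """Antecedents tried for a record: the syscall name alone, and the name
    plus one more attribute (a fixed simplification of LERAD's random-pair
    candidate generation; an assumption of this example)."""
    base = (("name", record["name"]),)
    yield base
    for attr in extra:
        yield base + ((attr, record[attr]),)


def matches(antecedent, record):
    return all(record[attr] == value for attr, value in antecedent)


def learn_rules(train, validate=()):
    """Learn rules 'if antecedent then attr in values' with support n."""
    rules = {}  # (antecedent, consequent attr) -> {"values": set, "n": int}
    for record in train:
        for ante in antecedents(record):
            fixed = {attr for attr, _ in ante}
            for cons in ATTRS:
                if cons in fixed:
                    continue
                rule = rules.setdefault((ante, cons), {"values": set(), "n": 0})
                rule["values"].add(record[cons])
                rule["n"] += 1
    # Keep only rules with predictive value: at least two supporting records
    # and fewer distinct consequent values (r) than supporting records (n).
    rules = {key: rule for key, rule in rules.items()
             if rule["n"] >= 2 and len(rule["values"]) < rule["n"]}
    # Validation step as in LERAD: a rule violated by clean held-out data
    # would only produce false alarms, so drop it.
    for record in validate:
        for key in [k for k in rules
                    if matches(k[0], record) and record[k[1]] not in rules[k]["values"]]:
            del rules[key]
    return rules


class Detector:
    """Score = sum of t * n / r over violated rules; t is the number of records
    since that rule last fired (LERAD's time factor, in events, not seconds)."""

    def __init__(self, rules, threshold):
        self.rules = rules
        self.threshold = threshold
        self.clock = 0
        self.last_fired = {key: 0 for key in rules}

    def score(self, record):
        self.clock += 1
        total = 0.0
        for key, rule in self.rules.items():
            ante, cons = key
            if matches(ante, record) and record[cons] not in rule["values"]:
                t = self.clock - self.last_fired[key]
                total += t * rule["n"] / len(rule["values"])
                self.last_fired[key] = self.clock
        return total

    def is_anomalous(self, record):
        return self.score(record) > self.threshold


def main():
    rules = learn_rules(TRAIN, VALIDATE)
    print(f"{len(rules)} rules after pruning and validation")
    det = Detector(rules, threshold=3.0)
    for label, record in (("benign open", BENIGN), ("O_WRONLY open", ATTACK_OPEN),
                          ("oversized write", ATTACK_WRITE)):
        s = det.score(record)
        print(f"{label:16s} score={s:6.2f} anomalous={s > det.threshold}")


if __name__ == "__main__":
    main()
```

Two things worth noticing when running it: the validation record removes the rules that pinned `open` to the three training paths, so a new page under /var/www no longer alarms while the `O_WRONLY` flag and the unexpected descriptor still do; and because t grows with the quiet time before a violation, the same anomalous `open` scores higher after a run of normal records than it does as the first event, which is the LERAD behaviour that makes rare novel events stand out over repeated ones.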
Keywords/Search Tags: system call interception, short sequence of system calls, normal behavior database, system call arguments based model, rule set