| The survivability of application systems is under threat from security vulnerabilities, malicious code, illegal insider attacks, misuse and other factors, but traditional intrusion detection methods struggle to play a protective role. System calls are the interface for access to system resources and, to some extent, reflect the behavior characteristics of software. When a software system runs normally, its system call sequences remain stable and the relationships between system call arguments are predictable. Research on techniques based on system calls is one way to solve the above problems. This thesis studies an intrusion detection model based on system calls. The specific content is as follows. Firstly, from research on the existing system-call-based behavior models and intrusion detection techniques, it is shown that the theory and technology of modeling software behavior are feasible. Intercepting system calls with HOOK technology can provide data for analyzing software behavior. Secondly, to solve the problem of the poor applicability of current software behavior models, which concern a single aspect or multiple aspects, a software behavior model whose basic elements are hierarchical relations is proposed by analyzing the relationships between system calls. By introducing the concept of hierarchical relationships to identify the action sequence, context, action attributes, the relations between the arguments of different actions, and the sequence of actions in some tasks, a construction algorithm based on hierarchy analysis is proposed, so that the essence of software behavior is presented through a formal description. What's more, the detection method for the software behavior model based on hierarchy analysis is implemented, and the detection algorithm and its detection capability are expounded.
At the same time, the idea of ranking is introduced, which strengthens the targeted nature of behavior detection. Finally, an intrusion detection prototype system whose core is the software behavior model based on hierarchical analysis is implemented. The architecture of the intrusion detection model is expounded. An experimental platform is set up for intrusion detection, and experiments evaluate the detection ability of the model and its cost in time and space. The results of the experiments and analysis show that the model has good accuracy and efficiency. |