
Research And Application Of System Call In Host Intrusion Detection

Posted on: 2012-01-06
Degree: Master
Type: Thesis
Country: China
Candidate: H X Zheng
Full Text: PDF
GTID: 2178330335474426
Subject: Computer application technology
Abstract/Summary:
With the rapid development of information technology and computer networks, network security has drawn more and more attention. Finding intrusive activity quickly and efficiently has become an important and difficult problem for the security of systems and network resources. Intrusion detection, which can provide security safeguards actively and dynamically, has become a new research direction and a strong complement to traditional static network security technologies such as firewalls and data encryption. The main goal of intrusion detection is to detect unauthorized use, misuse and abuse of computer systems, whether by system insiders or by external intruders. A host-based intrusion detection system protects the host by monitoring key system processes; since most attacks achieve their goal by invoking system calls through illegitimate means, monitoring the system call sequences of privileged processes makes it possible to detect and prevent intrusions promptly and so protect the computer system.

The thesis first gives a brief introduction to the research status and development trends of intrusion detection technology, and analyses intrusion detection system architectures, detection principles and evaluation criteria. Secondly, it covers the theory of system calls, how system calls are executed and the common methods of intercepting them, with emphasis on the common algorithms for intrusion detection based on system calls, which are analysed and compared. Because the Hidden Markov Model (HMM) has the advantages of mature, efficient and effective algorithms that are easy to train, the thesis presents a host intrusion detection model based on the HMM, and designs and implements the system's data acquisition module, data preprocessing module, HMM training module and detection module.

The data acquisition module captures system call sequences with the LKM (loadable kernel module) method; the improved LKM mechanism collects system call sequences efficiently by accessing the kernel. To address the excessive training time of the algorithm, the data preprocessing algorithm is improved: feature-weighted sequences generated from the system call sequences by a sliding window are used as the model's training data, which significantly reduces the amount of training data, and the HMM training algorithm is improved at the same time to reduce the time needed to model normal behaviour. The detection module decides whether an intrusion has occurred by comparing the output probability against a threshold. Finally, simulation experiments on the model are carried out; analysis of the results shows that the improved model and method effectively reduce the size of the pattern database, and that the model has a shorter training time and a higher detection rate than the traditional model and method.
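As an added illustration (not the thesis's own code), the sliding-window preprocessing and output-probability threshold detection described above, with a first-order Markov model over system-call names standing in for the thesis's HMM; the normal trace, the window length and the smoothing constant are constructed assumptions:

```python
from collections import Counter, defaultdict
from math import log

UNK = "<unk>"  # bucket for system calls never seen in the normal profile

def sliding_windows(trace, k):
    """Cut a sequence of system-call names into overlapping windows of length k."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def weighted_windows(trace, k):
    """Preprocessing step: collapse repeated windows into (window -> weight) pairs,
    so the model trains on distinct patterns rather than on every raw window."""
    return Counter(sliding_windows(trace, k))

class SyscallSequenceModel:
    """First-order Markov chain over system-call names (a simplification of the
    thesis's HMM), scored by the probability of emitting a whole window."""
    def __init__(self, alpha=0.1):
        self.alpha = alpha                 # additive smoothing for unseen transitions
        self.start = Counter()             # weighted counts of window-initial calls
        self.trans = defaultdict(Counter)  # weighted transition counts a -> b
        self.vocab = {UNK}
        self.threshold = None

    def _sym(self, s):
        return s if s in self.vocab else UNK

    def _p(self, counts, sym):
        total = sum(counts.values())
        return (counts[sym] + self.alpha) / (total + self.alpha * len(self.vocab))

    def log_prob(self, window):
        w = [self._sym(s) for s in window]
        lp = log(self._p(self.start, w[0]))
        for a, b in zip(w, w[1:]):
            lp += log(self._p(self.trans[a], b))
        return lp

    def train(self, normal_trace, k=3):
        weighted = weighted_windows(normal_trace, k)
        self.vocab |= set(normal_trace)
        for window, weight in weighted.items():
            self.start[window[0]] += weight
            for a, b in zip(window, window[1:]):
                self.trans[a][b] += weight
        # Output-probability threshold: the least likely window in the normal profile.
        self.threshold = min(self.log_prob(w) for w in weighted)
        return self

    def detect(self, trace, k=3):
        """Indices of windows whose output probability falls below the threshold."""
        return [i for i, w in enumerate(sliding_windows(trace, k))
                if self.log_prob(w) < self.threshold]

# Constructed normal profile of a hypothetical privileged process (not real trace data).
NORMAL_TRACE = ["open", "read", "close"] * 20 + ["open", "read", "write", "close"] * 10
```

A window containing a call the profile never saw (for example an unexpected `execve`) scores several orders of magnitude below any normal window and is flagged, while every window of the training trace passes.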
Keywords/Search Tags: Intrusion Detection, Anomaly detection, System Call, Hidden Markov Model (HMM)