Research And Implement Of The Intrusion Detection System Based On Program Behavior Analysis

Posted on: 2006-01-06
Degree: Master
Type: Thesis
Country: China
Candidate: G Q Zhu
Full Text: PDF
GTID: 2178360185463639
Subject: Computer Science and Technology
Abstract/Summary:
After presenting the background and research hotspots of information security and the root of vulnerability, this paper analyzes current intrusion detection technology and identifies its limitations. It concludes that traditional misuse detection has a low detection rate and cannot detect unknown attacks, while traditional anomaly detection shows a high false positive rate. For these reasons, this paper presents an intrusion detection technology based on program behavior analysis. The intrusion detection system based on program behavior analysis is implemented as an LKM (Linux kernel module). It intercepts and captures system calls by modifying the interrupt vector tables, and forms a program behavior profile composed of short sequences of system calls. While the program runs, every system call argument is analyzed, and three kinds of argument pattern are formed: an argument length pattern, a character distribution pattern of the argument, and a rule-based pattern for special system call arguments. Analyzing program behavior accurately against the program behavior profile and the argument patterns makes it possible to find anomalies immediately and stop intrusions. Experience shows that the technology can detect intrusions with a high detection rate and a low false positive rate. Finally, the paper looks ahead to some improvements of the technology.
Keywords/Search Tags:short sequence of system calls, program behavior profile, system call arguments, argument pattern, intrusion detection
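
The following is an added example, not code from the thesis: a user-space sketch of the two checks the abstract describes, a profile of short system call sequences and an argument length pattern. The window length, the deviation threshold, the function names and the sample traces are all assumptions constructed for illustration; the character distribution and rule-based argument patterns are not covered.

```python
from statistics import mean, pstdev

WINDOW = 3       # assumed sequence length; the abstract does not state one
TOLERANCE = 3.0  # assumed deviation threshold for argument lengths

# Constructed normal traces: (system call name, string argument) pairs.
NORMAL = [
    [("open", "/etc/passwd"), ("read", ""), ("close", ""),
     ("open", "/var/log/app.log"), ("write", "login ok"), ("close", "")],
    [("open", "/etc/hosts"), ("read", ""), ("close", "")],
]
# Constructed anomalous trace: oversized argument and a call never seen in training.
SUSPECT = [("open", "/" + "A" * 300), ("read", ""),
           ("execve", "/usr/bin/env"), ("close", "")]

def windows(trace, k=WINDOW):
    """Return every contiguous run of k system call names in the trace."""
    names = [name for name, _ in trace]
    return [tuple(names[i:i + k]) for i in range(len(names) - k + 1)]

def train(traces, k=WINDOW):
    """Build the profile: known short sequences plus per-call argument length stats."""
    sequences, lengths = set(), {}
    for trace in traces:
        sequences.update(windows(trace, k))
        for name, arg in trace:
            lengths.setdefault(name, []).append(len(arg))
    arg_model = {n: (mean(v), pstdev(v)) for n, v in lengths.items()}
    return sequences, arg_model

def check(trace, profile, k=WINDOW, tolerance=TOLERANCE):
    """Return alerts for unseen sequences and out-of-range argument lengths."""
    sequences, arg_model = profile
    alerts = [("unseen_sequence", w) for w in windows(trace, k) if w not in sequences]
    for name, arg in trace:
        if name not in arg_model:
            continue  # no length model for this call; the sequence check flags it instead
        mu, sigma = arg_model[name]
        # Floor sigma at 1 so calls with constant-length arguments tolerate small drift.
        if abs(len(arg) - mu) > tolerance * max(sigma, 1.0):
            alerts.append(("arg_length", name, len(arg)))
    return alerts

PROFILE = train(NORMAL)

if __name__ == "__main__":
    for alert in check(SUSPECT, PROFILE):
        print(alert)
```
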