
Anomaly Detection Based On System Call On Windows System

Posted on: 2009-02-01
Degree: Master
Type: Thesis
Country: China
Candidate: M L Zhang
Full Text: PDF
GTID: 2178360242477095
Subject: Computer applications
Abstract/Summary:
With the rapid development of computer and Internet technology, network intrusion is becoming a serious problem, and intrusion detection has become a critical component of network security administration. An intrusion detection system is a combination of hardware and software that monitors and collects system and network information and analyzes it to determine whether an attack or an intrusion has occurred. This thesis designs an intrusion detection system for the Windows server operating system that uses an anomaly detection method based on Windows system calls. The approaches taken to improve the intrusion detection process are as follows:

(1) An anomaly detection model based on Native API sequences is proposed to detect anomalous intrusions from kernel space in the Windows operating system. The first contribution is to apply the system call interposition technique to the Windows OS, which is not open source. Applying this technique to Windows is not straightforward, because the Windows kernel structures are hidden from the developer and the kernel documentation is poor. The system service dispatch table is captured by designing a virtual device, so that Native API information is obtained in real time. Models are built from the captured normal Native API data to describe the normal behavior of processes.

(2) System call parameters are introduced into the detection, which extends the IDS's detection scope. By analyzing the system call sequences of critical system files, the program behavior profile can find an anomaly immediately and stop the intrusion. Experiments show that the technique detects intrusions with a high detection rate and a low false positive rate.

(3) A method called locality frame count is introduced into the detection to improve detection accuracy. This method improves the detection rate and the ability to detect attacks, and reduces the false positive and false negative rates.

Finally, some problems for further study are discussed, along with the further development of intrusion detection.
Keywords/Search Tags: Intrusion Detection, Anomaly Detection, System Call, Detection Algorithms, Locality Frame Count
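As an added illustration of the sequence model and locality frame count described in the abstract (example code, not the thesis's own implementation), the following Python builds a profile of fixed-length Native API windows from normal traces and raises an alarm only when mismatching windows cluster within a frame. The traces, the window length k=3, the frame size 5, the threshold 3 and the parameter-carrying tokens such as "NtCreateFile:temp" are all constructed assumptions for the example.

```python
from collections import deque

# Constructed sample traces of Native API calls (not from the thesis). A token
# may carry an abstracted parameter, e.g. "NtCreateFile:temp" for a file created
# under the temp directory, so that parameters take part in the profile.
NORMAL_TRACES = [
    ["NtOpenFile", "NtQueryInformationFile", "NtReadFile", "NtReadFile", "NtClose"],
    ["NtCreateFile:temp", "NtWriteFile", "NtWriteFile", "NtClose"],
    ["NtOpenFile", "NtReadFile", "NtClose", "NtCreateFile:temp", "NtWriteFile", "NtClose"],
]

# Constructed trace in which the process starts writing under system32 and
# spawning a process, behaviour absent from the normal data.
ANOMALOUS_TRACE = ["NtOpenFile", "NtReadFile", "NtClose", "NtCreateFile:system32",
                   "NtWriteFile", "NtClose", "NtCreateProcess", "NtClose"]


def build_profile(traces, k):
    """Profile of normal behaviour: every length-k window of consecutive calls."""
    profile = set()
    for trace in traces:
        for i in range(len(trace) - k + 1):
            profile.add(tuple(trace[i:i + k]))
    return profile


def locality_frame_counts(trace, profile, k, frame):
    """For each window position, the number of mismatching windows among the last
    `frame` windows: the locality frame count (LFC). A mismatch is a window the
    profile has never seen."""
    recent = deque(maxlen=frame)
    counts = []
    for i in range(len(trace) - k + 1):
        window = tuple(trace[i:i + k])
        recent.append(0 if window in profile else 1)
        counts.append(sum(recent))
    return counts


def detect(trace, profile, k=3, frame=5, threshold=3):
    """Return (alarm, peak_lfc). Alarm only when mismatches cluster: a single
    unseen window (an untrained but legitimate path) stays below threshold."""
    counts = locality_frame_counts(trace, profile, k, frame)
    peak = max(counts, default=0)
    return peak >= threshold, peak


if __name__ == "__main__":
    prof = build_profile(NORMAL_TRACES, 3)
    print(detect(NORMAL_TRACES[0], prof))   # (False, 0)
    print(detect(ANOMALOUS_TRACE, prof))    # (True, 5)
```

Raising the frame size or threshold trades a lower false positive rate against slower detection, which is the tuning the abstract's locality frame count method targets.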