
Research Of Intrusion Detection Based On System Call

Posted on: 2008-01-07
Degree: Master
Type: Thesis
Country: China
Candidate: J Su
Full Text: PDF
GTID: 2178360272968659
Subject: Information security
Abstract/Summary:
Because every key operation a process carries out must pass from user mode to kernel mode through a system call, the activity of a process can essentially be examined by inspecting its system-call sequence. System calls are so precise a record that they are very hard for intruders to alter, which is why this field is so active at present. To address the high false-negative rate of the short-sequence model of system calls, a finite-state automaton (FSA) model is proposed. Each distinct value of the program counter corresponds to a different state of the FSA, and system calls correspond to transitions in the FSA. After the advantages of the finite-state automaton model and the problems in building the FSA are discussed, the structure of the FSA is detailed. Finally, the finite-state automaton model is improved: a state machine is constructed for each function that is related to system calls. The transition condition in our state machine is the return address on the function stack, while the general states (except the begin state and the end state) carry no meaning.
In this way, the problem that the program counter cannot describe the state accurately is solved, and the accuracy of intrusion detection is enhanced. After the working principle of system calls in Linux and the finite-state automaton model are discussed, an intrusion detection model for applications based on system calls is proposed. PIDS inlines each system call site in the program with its associated system call stub name and its return address, so that each system call is uniquely labeled; it inlines each call in the application call graph to a function having multiple call sites with that function's call graph, thus eliminating the non-determinism associated with the exit point of such functions; and it introduces the notify system call, thus eliminating the non-determinism that cannot be resolved through stub-name and return-address inlining and graph inlining. Finally, the safety performance is analyzed and the shortcomings of the model are specified. In addition, system call arguments are analyzed from the length distribution of character strings, the characteristic distribution of character strings, and special system call arguments, which enriches the techniques for analyzing program behavior and improves the exactness of detecting anomalous program behavior.
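To make the abstract's central point concrete, here is an added example (not code from the thesis) of a call-site-labelled finite-state automaton, in which a state is the return address of the site that issued a system call, beside a short-sequence (k-gram) model that sees only system call names; the addresses and traces are constructed placeholders, not data from the thesis.

```python
# Added example, not the thesis's own code. Addresses and traces below are
# constructed placeholders standing in for a real program's syscall sites.
NORMAL_TRACES = [  # constructed normal runs: lists of (return_address, syscall)
    [(0x401010, "open"), (0x401020, "read"), (0x401030, "write"), (0x401040, "close")],
    [(0x401010, "open"), (0x401020, "read"), (0x401020, "read"),
     (0x401030, "write"), (0x401040, "close")],
]

class CallSiteFSA:
    # States are syscall sites (return addresses), None being the start state;
    # a transition (prev_site, syscall, site) is legal only if seen in training.
    def __init__(self):
        self.edges = set()
    def train(self, traces):
        for trace in traces:
            state = None
            for site, call in trace:
                self.edges.add((state, call, site))
                state = site
    def anomalies(self, trace):
        # Indices of events whose transition the automaton does not accept.
        state, bad = None, []
        for i, (site, call) in enumerate(trace):
            if (state, call, site) not in self.edges:
                bad.append(i)
            state = site
        return bad

class ShortSequenceModel:
    # Sliding window of k syscall names; call sites are ignored entirely.
    def __init__(self, k=2):
        self.k, self.windows = k, set()
    def train(self, traces):
        for trace in traces:
            names = [call for _, call in trace]
            for i in range(len(names) - self.k + 1):
                self.windows.add(tuple(names[i:i + self.k]))
    def anomalies(self, trace):
        names = [call for _, call in trace]
        return [i for i in range(len(names) - self.k + 1)
                if tuple(names[i:i + self.k]) not in self.windows]
# Constructed suspect trace: the syscall names match a normal run, but the
# second read is issued from a site never seen in training (0x40ff00).
SUSPECT_TRACE = [(0x401010, "open"), (0x401020, "read"), (0x40ff00, "read"),
                 (0x401030, "write"), (0x401040, "close")]
def compare(trace=SUSPECT_TRACE):
    fsa, ngram = CallSiteFSA(), ShortSequenceModel(k=2)
    fsa.train(NORMAL_TRACES)
    ngram.train(NORMAL_TRACES)
    return fsa.anomalies(trace), ngram.anomalies(trace)  # → ([2, 3], [])
```

The suspect trace is a false negative for the name-only window model, while the call-site automaton rejects both the unexpected site and the transition out of it.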
Keywords/Search Tags:Intrusion detection, System call sequence, Finite-state automata, System call argument