
Research On Intrusion Detection Method Based On Parameters Of System Call

Posted on: 2011-03-04
Degree: Master
Type: Thesis
Country: China
Candidate: J P Gao
Full Text: PDF
GTID: 2178360302994711
Subject: Computer application technology
Abstract/Summary:
Intrusion detection monitors hosts or networks and reports intrusions against them. Anomaly detection based on system call sequences is an important technique in current intrusion detection research. Because it describes an application's normal behaviour only through the order of the system calls it issues, it considers nothing but the relationships between calls in the sequence; an attacker can therefore evade detection by placing attack code in the parameters of system calls while keeping the call sequence itself legitimate. This lowers both the detection accuracy and the efficiency of such a system.

First, after an in-depth analysis of sequence-based anomaly detection, system call parameters are extracted and three models of normal parameter behaviour are built from the characteristics of each system call: a string length model, a character distribution model and a string structure model. These models raise alerts for potential attacks such as unusually long parameter strings, characters occurring with abnormally high frequency, and access to unauthorised files.

Secondly, to address the shortcomings of existing methods for extracting program behaviour, system call parameters are captured by modifying the interrupt vector table to intercept system calls. On this basis, loadable kernel module (LKM) technology is used to extract system call behaviour in real time and to monitor user behaviour by loading a test module, which overcomes the limitations of the traditional offline analysis of user behaviour.

Finally, a simulation-based evaluation of the above work is presented. It verifies that the parameter-based intrusion detection method detects disguised (mimicry) attacks effectively, and that the improved integrated classification method has a low false alarm rate.
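The abstract names three parameter models (string length, character distribution, string structure) but does not specify how they are computed. The following is an added example, not code from the thesis, that implements one plausible reading of each model for the path argument of open(): a Chebyshev bound on the length's upper tail, a binned "idealised character distribution" compared with a chi-square statistic, and a structural check against the learned character set and the learned set of accessed directories. The training paths and the hostile arguments are constructed here; the thresholds and bin boundaries are assumptions, not values from the thesis.

```python
"""Argument-level anomaly detection for the path argument of open(2).

Three models are learned from normal traces: string length, character
distribution and string structure. A disguised (mimicry) attack that keeps
the system call sequence intact but hides a payload or an unexpected file
name in an argument is caught by these models even though a sequence-only
detector sees nothing unusual.
"""
import os
from collections import Counter

# Constructed normal trace: path arguments passed to open() by a well-behaved
# service. Real profiles would be built per program and per system call.
TRAINING_OPEN_PATHS = [
    "/etc/passwd",
    "/etc/hosts",
    "/etc/resolv.conf",
    "/var/log/app.log",
    "/var/log/app.log",
    "/var/lib/app/state_db",
    "/usr/share/app/config.ini",
    "/tmp/app.sock",
    "/home/user/.cache/app/index",
    "/usr/lib/libc.so.6",
]

# Rank bins for the idealised character distribution (ICD). Character
# frequencies are sorted in descending order, so bin 0 holds the share of the
# most common character and the last bin the tail of rare characters. A NOP
# sled or padding ('\x90' * 300) piles everything into bin 0; random bytes
# spread into the tail. Both differ sharply from ordinary file paths.
BINS = [(0, 1), (1, 4), (4, 7), (7, 12), (12, 16), (16, 256)]


def binned_profile(s):
    """Relative character frequencies of s, sorted descending, summed per bin."""
    counts = sorted(Counter(s).values(), reverse=True)
    total = max(len(s), 1)
    return [sum(counts[lo:hi]) / total for lo, hi in BINS]


class ArgumentProfile:
    """Normal-behaviour model for one string argument of one system call."""

    def __init__(self, samples, length_pvalue=0.1, chi2_margin=3.0):
        n = len(samples)
        lengths = [len(s) for s in samples]
        self.mean = sum(lengths) / n
        self.var = sum((l - self.mean) ** 2 for l in lengths) / n
        profiles = [binned_profile(s) for s in samples]
        self.icd = [sum(p[i] for p in profiles) / n for i in range(len(BINS))]
        self.alphabet = set("".join(samples))          # structure: allowed characters
        self.dirs = {os.path.dirname(s) for s in samples}  # structure: directories seen
        self.length_pvalue = length_pvalue
        # Calibrate the chi-square threshold on the training set itself so that
        # no normal sample is flagged; the margin absorbs benign variation.
        worst = max(self.chardist_score(s) for s in samples)
        self.chi2_threshold = chi2_margin * max(1.0, worst)

    def length_score(self, s):
        """Chebyshev bound on the probability that a normal length lies this far above the mean."""
        d = len(s) - self.mean
        if d <= 0:
            return 1.0          # only unusually long strings are suspicious
        if self.var == 0:
            return 0.0
        return min(1.0, self.var / (d * d))

    def chardist_score(self, s):
        """Pearson chi-square distance between s and the learned ICD."""
        n = len(s)
        observed = [p * n for p in binned_profile(s)]
        chi2 = 0.0
        for o, share in zip(observed, self.icd):
            expected = max(share * n, 0.5)  # floor keeps empty ICD bins from dividing by zero
            chi2 += (o - expected) ** 2 / expected
        return chi2

    def audit(self, s):
        """Return (model, detail) alerts for one observed argument; [] means normal."""
        alerts = []
        p = self.length_score(s)
        if p < self.length_pvalue:
            alerts.append(("length", f"len={len(s)} mean={self.mean:.1f} p<={p:.3g}"))
        chi2 = self.chardist_score(s)
        if chi2 > self.chi2_threshold:
            alerts.append(("chardist", f"chi2={chi2:.1f} threshold={self.chi2_threshold:.1f}"))
        unseen = sorted(set(s) - self.alphabet)
        if unseen:
            alerts.append(("structure", f"unseen characters {unseen!r}"))
        if os.path.dirname(s) not in self.dirs:
            alerts.append(("structure", f"unseen directory {os.path.dirname(s)!r}"))
        return alerts


if __name__ == "__main__":
    profile = ArgumentProfile(TRAINING_OPEN_PATHS)
    # Constructed mimicry trace: the open() call is legitimate in sequence terms,
    # only the arguments are hostile.
    for arg in ["/var/log/app.log", "/tmp/" + "\x90" * 300,
                "/root/.ssh/authorized_keys", "/tmp/x; cat /etc/shadow"]:
        print(repr(arg[:40]), profile.audit(arg) or "normal")
```

The three models are deliberately independent so that each alert names the model that fired: the padded argument trips all three, while an unexpected file in a known directory may only trip the structure model. With a training set this small the ICD overfits; in practice the profile is learned per program over many runs, and the margins are tuned against the false alarm rate observed on held-out normal traces.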
Keywords/Search Tags:Intrusion Detection, Anomaly Detection, System Call Sequence, Disguised Attack, System Call Parameter