
Research On Program Behavior Detection Of Trusted Network Connection

Posted on: 2011-11-09
Degree: Master
Type: Thesis
Country: China
Candidate: L Chen
GTID: 2178360305471467
Subject: Computer application technology

Abstract/Summary:
With the rapid development of cyber technology and network communication, the intension and extension of information security change constantly, which drives the continuing development of the related fields. Governments, enterprises and institutions, all kinds of organizations, and individuals depend on computers more and more. Computer and network applications have penetrated fields such as politics, the economy, society, education and military affairs. At the same time, the attacks caused by computer viruses, Trojan programs and hackers make us realize that present computer network systems are very vulnerable, and that we may suffer immeasurable losses because of this vulnerability.

Traditional network security technology, such as firewalls, IDS and antivirus software, which builds high walls and barriers around the protected network to keep it from being attacked, is mainly passive prevention. This traditional technology focuses on the shared resources, preventing illegitimate users from accessing them and blocking attacks coming from outside. These solutions do not control the source console that accesses the shared resources, and there are security holes in the application systems, so they cannot resolve the security problems of a network security system. Therefore, we must approach the problem from a different angle: from the source, that is, the endpoint that tries to access the protected resource.

The recent rise of trusted computing shows that this idea has been broadly accepted. The Trusted Network Connection (TNC) working group of the Trusted Computing Group (TCG) has created an open, standard architecture. The TCG combines conventional access control technology with trusted computing technology and starts from the terminal to build the trusted network. The TNC architecture builds a trusted network by checking each endpoint that attempts to access the network, so that untrusted access operations are controlled at the source.

The TNC architecture focuses on the security of each endpoint attempting to access the protected network. It protects a network by authenticating each endpoint and authorizing its access to the protected network, and by checking that each endpoint attempting to access the protected network complies with the organization's security policies. Based on the organization's security policy, trusted endpoints gain access to the protected network, untrusted endpoints are refused or isolated, and vulnerable endpoints are repaired. This ensures that all endpoints attempting to connect to the protected network always have the most up-to-date and properly configured security software, as defined by the organization.

However, the TNC working group at present defines only a series of regulations about hosts' integrity and reliability, not about users' behaviors. As a result, TNC does not control programs' behaviors. We therefore need to research the related behaviors to improve the system's security and reliability.

Because of these existing problems with TNC, this thesis designs a model of program behavior detection. Host-based behavior detection techniques mainly focus on the data set of host system calls. The sequence of host system calls which is beneficial to extract feature of the system and detect behavior of the system reflects the of an operating system kernel. It can therefore determine whether a behavior is legitimate or not, regardless of differences between users, in order to improve the security of the system.

The enumerating sequences model divides the feature patterns into two classes to identify user behavior as normal or abnormal. On that basis, short sequences that have lower frequencies, have no obvious class character, and are unstable are separated from the class space. This divides the feature class space into three categories: normal, abnormal and small-probability. The information hidden in the time ordering of the system call short sequences is extracted to adjust the class character of a short sequence at its position, where its behavior is more reliable with respect to its environment. A neighbor algorithm was constructed to meet this need. With the corresponding neighbor algorithm we can determine the class character of a single short sequence, so that the behavior character of programs can be identified more accurately.
Keywords/Search Tags: network security, trusted computing, Trusted Network Connection (TNC), behavior detection
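
The three-way split and neighbor step described in the abstract can be sketched as follows. This is an added example, not code from the thesis, which does not give the algorithm's details here. The window length, the frequency threshold, the majority vote over a fixed radius, and the sample system call traces are all assumptions made for illustration.

```python
from collections import Counter

def windows(trace, k):
    """Slide a length-k window over a system call trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def build_profile(normal_traces, abnormal_traces, k):
    """Count every short sequence seen in labelled training traces."""
    normal = Counter(w for t in normal_traces for w in windows(t, k))
    abnormal = Counter(w for t in abnormal_traces for w in windows(t, k))
    return normal, abnormal

def base_label(window, profile, min_count):
    """Three-way split: normal, abnormal, or small-probability ('rare')."""
    normal, abnormal = profile
    n, a = normal[window], abnormal[window]
    if n + a < min_count or n == a:   # low frequency or no clear class
        return "rare"
    return "normal" if n > a else "abnormal"

def classify_trace(trace, profile, k=3, min_count=2, radius=2):
    """Label each window, then settle 'rare' ones by their neighbours in time."""
    base = [base_label(w, profile, min_count) for w in windows(trace, k)]
    final = list(base)
    for i, label in enumerate(base):
        if label != "rare":
            continue
        # Assumed neighbour rule: majority of non-rare labels within `radius`.
        near = base[max(0, i - radius):i] + base[i + 1:i + 1 + radius]
        votes = Counter(l for l in near if l != "rare")
        if votes["normal"] != votes["abnormal"]:
            final[i] = votes.most_common(1)[0][0]
    return final

# Constructed training traces (system call names chosen for illustration).
NORMAL = [["open", "read", "read", "close", "open", "read", "read", "close"]] * 2 \
    + [["open", "read", "write", "close"]]
ABNORMAL = [["open", "mmap", "mprotect", "execve",
             "open", "mmap", "mprotect", "execve"]]
PROFILE = build_profile(NORMAL, ABNORMAL, k=3)
```

The same low-frequency window, such as `("open", "read", "write")` in the constructed data, can end up normal in one trace and abnormal in another, depending on the windows around it.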