
Research Of Host-based Intrusion Prevention System Based On Process Behavior

Posted on: 2012-08-26 | Degree: Master | Type: Thesis
Country: China | Candidate: J Q Yue | Full Text: PDF
GTID: 2218330362957822 | Subject: Computer technology
Abstract/Summary:
This thesis extends the Central China Power Grid project "Computer Terminal Protection System". It addresses the weakness of current terminal security products, which protect the endpoint passively and only after the fact, by studying and implementing a Host Intrusion Prevention System (HIPS) that is more effective and more active. The system is based on active controllability defense theory; it combines several security techniques with an App-Sys model and carries out its defense by collecting information about system activity and then managing and maintaining that information.

Every activity of a computer terminal, whether a workstation or a server, is carried out by processes, and no process can run without the operating system. Since most terminals run Windows, even an attack aimed at the security software installed on top of the operating system must still go through the operating system's service routines. The HIPS, as the last line of defense, therefore closely monitors the operations of each process, including file and registry operations, and analyzes every intercepted action to keep the host secure.

The work studies the mechanism of Windows kernel-mode system calls and uses SSDT (System Service Descriptor Table) hooking to intercept them. Interception implemented in the kernel layer is harder for malicious code to evade than interception implemented in the application layer. The intrusion prevention system thus defends at the system level, using kernel API hooking against attacks by unknown viruses. It enforces access control policies supplied by the user to protect the registry, files and similar resources, and it protects its own process from being terminated so that it keeps running.

By controlling program execution the system not only prevents unknown programs from running but also blocks malicious code attacks, raising the security of the operating system as a whole. Simulation tests show that the process monitor, registry monitor and file monitor together give effective control over system behavior through the secure-access rules, that the behavior monitoring module consumes few system resources while enforcing process, file and registry protection, that the design goals were met, and that the system defends well against unknown viruses.
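The interception-plus-policy design the abstract describes (an SSDT hook that intercepts system services, user-supplied access-control rules for file and registry operations, default-deny for unknown program images, and self-protection against termination), as an added illustration that is not the thesis's own code: a user-mode C simulation in which a plain function-pointer table stands in for the SSDT, so the hook-and-decide logic can be compiled and run anywhere. Real SSDT patching lives in a kernel driver built with the WDK and must clear the CR0.WP write-protect bit before writing the table; none of that is shown. The service names, paths, the hips_agent.exe image name and the rule set are all hypothetical.

```c
/* Added example: user-mode simulation of SSDT-style hooking with a policy check.
 * A function-pointer table stands in for KeServiceDescriptorTable; the "original"
 * service routines simply succeed. All names and rules are hypothetical. */
#include <stdio.h>
#include <string.h>

#define STATUS_SUCCESS        0
#define STATUS_ACCESS_DENIED (-1)
#define HIPS_IMAGE "hips_agent.exe"   /* hypothetical name of the HIPS's own process */

/* A service routine receives the calling image name and the object it acts on
 * (file path, registry key, image path or process name). */
typedef int (*SyscallFn)(const char *caller, const char *target);

enum { SVC_CREATE_FILE, SVC_SET_REG_VALUE, SVC_CREATE_PROCESS, SVC_TERMINATE_PROCESS, SVC_COUNT };

/* Stand-ins for the kernel's original Nt* service routines. */
static int nt_create_file(const char *c, const char *t)       { (void)c; (void)t; return STATUS_SUCCESS; }
static int nt_set_reg_value(const char *c, const char *t)     { (void)c; (void)t; return STATUS_SUCCESS; }
static int nt_create_process(const char *c, const char *t)    { (void)c; (void)t; return STATUS_SUCCESS; }
static int nt_terminate_process(const char *c, const char *t) { (void)c; (void)t; return STATUS_SUCCESS; }

/* This table stands in for the SSDT. */
static SyscallFn ssdt[SVC_COUNT] = { nt_create_file, nt_set_reg_value, nt_create_process, nt_terminate_process };
static SyscallFn saved_ssdt[SVC_COUNT];   /* originals, saved before hooking */

/* User-supplied policy: first matching rule wins. "*" matches any caller; the
 * target is matched by prefix so one rule covers a directory or key subtree. */
struct rule { int svc; const char *caller; const char *target_prefix; int allow; };

static const struct rule rules[] = {
    { SVC_CREATE_FILE,       "update.exe", "C:\\Windows\\System32\\", 1 }, /* updater may write here */
    { SVC_CREATE_FILE,       "*",          "C:\\Windows\\System32\\", 0 }, /* nobody else may */
    { SVC_SET_REG_VALUE,     "*",          "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0 },
    { SVC_CREATE_PROCESS,    "*",          "C:\\Windows\\",          1 },
    { SVC_CREATE_PROCESS,    "*",          "C:\\Program Files\\",    1 },
    { SVC_TERMINATE_PROCESS, "*",          HIPS_IMAGE,               0 }, /* self-protection */
};
/* No matching rule: process creation is default-deny (unknown programs do not
 * run); file, registry and termination of other processes are default-allow. */
static const int default_allow[SVC_COUNT] = { 1, 1, 0, 1 };

static int starts_with(const char *s, const char *prefix) {
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Policy decision for one intercepted call: 1 = allow, 0 = deny. */
int hips_policy_allows(int svc, const char *caller, const char *target) {
    size_t i;
    for (i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct rule *r = &rules[i];
        if (r->svc != svc) continue;
        if (strcmp(r->caller, "*") != 0 && strcmp(r->caller, caller) != 0) continue;
        if (!starts_with(target, r->target_prefix)) continue;
        return r->allow;
    }
    return default_allow[svc];
}

/* Common hook body: decide, log, then block or pass through to the original. */
static int dispatch(int svc, const char *caller, const char *target) {
    if (!hips_policy_allows(svc, caller, target)) {
        printf("[HIPS] DENY  svc=%d caller=%s target=%s\n", svc, caller, target);
        return STATUS_ACCESS_DENIED;
    }
    printf("[HIPS] allow svc=%d caller=%s target=%s\n", svc, caller, target);
    return saved_ssdt[svc](caller, target);
}

/* One hook per service; these replace the table entries. */
static int hook_create_file(const char *c, const char *t)       { return dispatch(SVC_CREATE_FILE, c, t); }
static int hook_set_reg_value(const char *c, const char *t)     { return dispatch(SVC_SET_REG_VALUE, c, t); }
static int hook_create_process(const char *c, const char *t)    { return dispatch(SVC_CREATE_PROCESS, c, t); }
static int hook_terminate_process(const char *c, const char *t) { return dispatch(SVC_TERMINATE_PROCESS, c, t); }

/* Install: save each original, then overwrite the table entry. Idempotent. */
void hips_install_hooks(void) {
    static const SyscallFn hooks[SVC_COUNT] =
        { hook_create_file, hook_set_reg_value, hook_create_process, hook_terminate_process };
    int i;
    for (i = 0; i < SVC_COUNT; i++) {
        if (saved_ssdt[i] != NULL) continue;      /* already hooked */
        saved_ssdt[i] = ssdt[i];
        ssdt[i] = hooks[i];
    }
}

/* Restore the original entries so the table is clean on unload. */
void hips_remove_hooks(void) {
    int i;
    for (i = 0; i < SVC_COUNT; i++)
        if (saved_ssdt[i] != NULL) { ssdt[i] = saved_ssdt[i]; saved_ssdt[i] = NULL; }
}

/* The simulated user-mode entry into a system service. */
int syscall_invoke(int svc, const char *caller, const char *target) {
    return ssdt[svc](caller, target);
}

int main(void) {
    hips_install_hooks();
    syscall_invoke(SVC_CREATE_FILE, "malware.exe", "C:\\Windows\\System32\\drivers\\evil.sys");
    syscall_invoke(SVC_CREATE_FILE, "update.exe", "C:\\Windows\\System32\\patched.dll");
    syscall_invoke(SVC_SET_REG_VALUE, "malware.exe", "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\x");
    syscall_invoke(SVC_CREATE_PROCESS, "explorer.exe", "C:\\Users\\Public\\dropper.exe");
    syscall_invoke(SVC_TERMINATE_PROCESS, "taskkill.exe", HIPS_IMAGE);
    hips_remove_hooks();
    return 0;
}
```

Rule order matters because the first match wins: the updater's allow rule must precede the general System32 deny rule. Two caveats a practitioner should keep in mind with this design: an SSDT hook only sees calls that go through the native system-service layer, so anything a kernel driver does directly never reaches the policy check; and on 64-bit Windows, Kernel Patch Protection (PatchGuard) treats SSDT modification as a tamper and crashes the system, so the technique is limited to 32-bit Windows.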
Keywords/Search Tags: Active Controllability Defense, Host Intrusion Prevention System, Action Monitor, API HOOK