
The Anomaly Intrusion Detection Technology Based On System Call And IDS Extension Function Study

Posted on: 2004-06-27
Degree: Doctor
Type: Dissertation
Country: China
Candidate: M Xu
Full Text: PDF
GTID: 1118360122466765
Subject: Computer Science and Technology
Abstract/Summary:
The scope of information security has been extending continually, from confidentiality to integrity, availability, controllability and non-repudiation, and then on to attack, defense, detection, management and evaluation. On the other hand, as computer and network technology develops, intrusions and attacks occur continually, and their methods and means grow ever more sophisticated. Intrusion detection technology has therefore become an indispensable field of information security and is currently a research hotspot. This dissertation addresses three fields: a new anomaly detection model based on system calls, the digital evidence function of IDS, and the correlation analysis of security events appearing in IDS alarms and logs. The main contents are as follows:

1. A new anomaly detection model based on system call macros was presented. Consistently repeated system call sequences in normal process traces were regarded as macros, and an anomaly detection model based on a Markov chain over system call macros was created. Comparing the performance metrics of our model with the first-order and second-order Markov chain models led to the following conclusions: in detection performance (hit rate and false alarm rate), our model is better than the other two; in memory demand, our model needs more than the first-order model but less than the second-order model; in speed, our model trains more slowly than the other two but detects faster. These results clearly demonstrate the effectiveness of our model.

2. A new two-layer Markov chain anomaly detection model operating on system call traces was presented. A server process's activity was viewed as a high-layer Markov chain over the different states the server process enters (reflecting the different requests/commands it receives), and, within each of those states, a low-layer Markov chain over the series of system calls issued in that state. In other words, the dynamic activity of a process was regarded as depending not only on its code but also on its current input. These two-layer Markov chains were used to construct normal profiles of server process activity and then to detect anomalies. The experimental results clearly demonstrate that the detection performance of the two-layer Markov chain model is better than that of the traditional Markov chain model. Moreover, a detected anomaly can be localized to the place where it happens, i.e. confined to the corresponding request sections rather than an entire trace.

3. A new anomaly detection model based on system call classification was presented. A detailed classification of the Linux system calls according to their function and level of threat was given. The detection model targets only critical calls (i.e. the threat level 1 calls). During learning, the detection model processed every critical call dynamically rather than using data mining or statistics over static data, so incremental learning could be implemented. Based on some simple predefined rules and refinement, the number of rules in the rule database could be reduced dramatically, so that rule matching time during detection could be reduced effectively. The experimental results clearly demonstrate that the detection model can effectively detect R2L, R2R and L2R attacks. Moreover, a detected anomaly is confined to the corresponding requests rather than the entire trace. The detection model is suited to privileged processes, especially those based on request-response.

4. In cryptographic technology, which can be used to create digital evidence, we addressed three problems: an encryption scheme integrating fault tolerance and digital signature, an identification protocol based on zero-knowledge interactive proof, and digital signatures, including single digital signature, multiple digital signature and (N,T) threshold digital signature.

5. The SK protocol was improved and s...
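The following is an added illustration, not code from the dissertation: a small Python model of the first approach summarized above, in which consistently repeated system call subsequences in normal traces are collapsed into macro symbols and a first-order Markov chain is then trained over the resulting symbol stream. A trace is scored by how many of its transitions never occurred during training. The call names, the macro length, the threshold and all traces are constructed sample data chosen for the example; the dissertation's actual macro extraction, thresholds and performance figures are not reproduced here.

```python
"""Macro-based Markov chain anomaly detection over system call traces.

Added example (not the dissertation's code). Traces below are constructed
toy data for a hypothetical server process, not real process traces.
"""
from collections import Counter, defaultdict

START, END = "<start>", "<end>"

# Constructed normal traces: an open/read/write/close service loop.
NORMAL_TRACES = [
    ["open", "read", "write", "close"],
    ["open", "read", "write", "close", "open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
]

# Constructed anomalous trace: a hypothetical call (execve) appears where the
# normal profile never saw it. Purely illustrative.
ATTACK_TRACE = ["open", "read", "execve", "write", "close"]


def ngrams(seq, n):
    """All length-n windows of seq as tuples."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def find_macros(traces, n=3):
    """Macros: n-grams that appear in every normal trace (consistently
    repeated subsequences). n=3 is an assumption for this toy example."""
    common = None
    for trace in traces:
        grams = set(ngrams(trace, n))
        common = grams if common is None else common & grams
    return sorted(common or set())


def apply_macros(trace, macros):
    """Greedy left-to-right replacement of macro subsequences by one symbol."""
    out, i = [], 0
    while i < len(trace):
        for m in macros:
            if tuple(trace[i:i + len(m)]) == m:
                out.append("M(" + "+".join(m) + ")")
                i += len(m)
                break
        else:
            out.append(trace[i])
            i += 1
    return out


class MarkovDetector:
    """First-order Markov chain over macro-compressed system call symbols."""

    def __init__(self, macros=()):
        self.macros = list(macros)
        self.counts = defaultdict(Counter)  # counts[a][b] = #transitions a->b

    def _prep(self, trace):
        return [START] + apply_macros(trace, self.macros) + [END]

    def fit(self, traces):
        for trace in traces:
            seq = self._prep(trace)
            for a, b in zip(seq, seq[1:]):
                self.counts[a][b] += 1
        return self

    def prob(self, a, b):
        """Estimated P(b | a); 0.0 if the transition was never observed."""
        total = sum(self.counts[a].values())
        return self.counts[a][b] / total if total else 0.0

    def score(self, trace):
        """Return (unseen transition count, fraction of transitions unseen)."""
        seq = self._prep(trace)
        pairs = list(zip(seq, seq[1:]))
        unseen = sum(1 for a, b in pairs if self.prob(a, b) == 0.0)
        return unseen, unseen / len(pairs)

    def is_anomalous(self, trace, threshold=0.1):
        """Threshold on the unseen fraction; 0.1 is an assumed toy value."""
        return self.score(trace)[1] > threshold


def build_detector(traces=NORMAL_TRACES):
    return MarkovDetector(find_macros(traces)).fit(traces)


if __name__ == "__main__":
    det = build_detector()
    print("macros:", det.macros)
    for t in NORMAL_TRACES + [ATTACK_TRACE]:
        print(t, "->", det.score(t), "anomalous" if det.is_anomalous(t) else "normal")
```

With these three normal traces the only trigram common to all of them is `read write close`, so it becomes the single macro; the attack trace then produces four transitions the profile has never seen out of six, while every normal trace scores zero. A real deployment would need a tuned macro length and threshold and a much larger set of normal traces, as the abstract's discussion of hit rate versus false alarm rate implies.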
Keywords/Search Tags: information security, intrusion detection, anomaly detection, system call, digital evidence, correlation analysis