
Research On Intrusion Detection Based On Privileged Process' Behaviors

Posted on: 2006-04-09
Degree: Doctor
Type: Dissertation
Country: China
Candidate: P R Su
GTID: 1118360152987495
Subject: Computer application technology
Abstract/Summary:
With the development of the Internet, people's lives depend more and more deeply on computer networks, so computer networks must become more and more secure. Intrusion detection is one of the important measures for protecting networks. Host-based intrusion detection is used to protect key hosts and offers better detection efficiency and accuracy. Privileged processes are the main target of intruders. This dissertation analyzes attack methods against privileged processes and the abnormalities in process behavior that such attacks cause, and proposes both anomaly and misuse detection methods for those abnormalities. Some research results are also described.

The contributions of the dissertation are as follows:
1) By analyzing and comparing normal and abnormal processes, different detection methods are proposed for different kinds of abnormality.
2) A novel detection model is provided that integrates the misuse and anomaly detection methods so that each compensates for the other's disadvantages.
3) In anomaly intrusion detection, many detection methods are studied and three novel detection models, PGBQ, ESC, and UNC, are proposed. UNC reduces the requirements on training data and generates better profiles.
4) An algorithm for updating a process's profile is proposed for the first time, which helps keep the profile consistent with the real environment.
5) A noise filtering function is introduced into detection, which decreases false positives.
6) A new misuse detection method is introduced, and a set of rules is provided to describe the characteristics of process abnormalities.
7) Many response methods specific to privileged process monitoring are introduced and their advantages and disadvantages are analyzed.
8) Inspired by the natural immune system, an artificial immune system (SAIMUS) is designed that can recognize self and non-self and has the ability to learn by itself. It can rapidly improve itself and increase detection accuracy.
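The abstract describes a per-process behaviour profile that is learned from normal runs, scored against new traces, protected from noise by a threshold, updated over time, and combined with misuse rules. The following is an added illustration of that integrated host-based scheme in its most common form, a sliding-window system-call profile; it is not code from the dissertation and does not implement its PGBQ, ESC, UNC or SAIMUS models. The system-call traces, the `net-to-exec` misuse rule and the threshold value are constructed sample data.

```python
"""Sliding-window system-call profile with misuse rules, noise threshold and profile update.

Added example, not part of the dissertation. Windows of length k over a privileged
process's system-call trace form its normal profile; a monitored trace is scored by
the fraction of its windows missing from the profile. A threshold filters the noise
of benign drift, traces below it may be folded back into the profile, and a small
rule table supplies the misuse half of the integrated model. All traces are constructed.
"""
from typing import Dict, List, Sequence, Set, Tuple

Window = Tuple[str, ...]

# Constructed traces of a hypothetical privileged network daemon during normal operation.
NORMAL_TRACES: List[List[str]] = [
    ["socket", "bind", "listen", "accept", "read", "write", "close"],
    ["socket", "bind", "listen", "accept", "read", "read", "write", "close"],
    ["accept", "read", "write", "write", "close"],
]

# Constructed trace in which the daemon, after accepting a connection, forks and
# runs a new program, which it never did during training.
SUSPECT_TRACE: List[str] = ["socket", "bind", "listen", "accept", "read", "fork", "execve", "write"]

# Constructed misuse rule table: rule name -> (earlier call, later call). A rule fires
# when the later call appears anywhere after the first occurrence of the earlier call.
MISUSE_RULES: Dict[str, Tuple[str, str]] = {
    "net-to-exec": ("accept", "execve"),
}


class SyscallProfile:
    """Set of length-k system-call windows observed while a privileged program behaves normally."""

    def __init__(self, k: int = 3) -> None:
        self.k = k
        self.windows: Set[Window] = set()

    def windows_of(self, trace: Sequence[str]) -> List[Window]:
        # Sliding windows of length k; a trace shorter than k yields no windows.
        return [tuple(trace[i:i + self.k]) for i in range(len(trace) - self.k + 1)]

    def train(self, trace: Sequence[str]) -> None:
        self.windows.update(self.windows_of(trace))

    def score(self, trace: Sequence[str]) -> float:
        """Fraction of the trace's windows absent from the profile (0.0 means fully normal)."""
        wins = self.windows_of(trace)
        if not wins:
            return 0.0
        unseen = sum(1 for w in wins if w not in self.windows)
        return unseen / len(wins)

    def update(self, trace: Sequence[str], threshold: float) -> bool:
        """Profile update: absorb a trace only if it scored below the noise threshold,
        so benign drift is learned without teaching the profile already-suspicious behaviour."""
        if self.score(trace) < threshold:
            self.train(trace)
            return True
        return False


def misuse_match(trace: Sequence[str], rules: Dict[str, Tuple[str, str]]) -> List[str]:
    """Names of rules whose (earlier, later) call pair occurs in order in the trace."""
    hits = []
    for name, (first, second) in rules.items():
        if first not in trace:
            continue
        if second in trace[trace.index(first) + 1:]:
            hits.append(name)
    return hits


def detect(profile: SyscallProfile, trace: Sequence[str], threshold: float = 0.2,
           rules: Dict[str, Tuple[str, str]] = MISUSE_RULES):
    """Integrated verdict: misuse rules first, then the anomaly score gated by the threshold."""
    hits = misuse_match(trace, rules)
    if hits:
        return "misuse", hits
    s = profile.score(trace)
    if s >= threshold:
        return "anomaly", s
    return "normal", s


def build_profile(k: int = 3) -> SyscallProfile:
    profile = SyscallProfile(k)
    for trace in NORMAL_TRACES:
        profile.train(trace)
    return profile


if __name__ == "__main__":
    p = build_profile()
    print("profile size:", len(p.windows))
    print("suspect:", detect(p, SUSPECT_TRACE), "score", p.score(SUSPECT_TRACE))
    drift = ["socket", "bind", "listen", "accept", "read", "write", "close", "close"]
    print("drift before update:", detect(p, drift))
    print("absorbed:", p.update(drift, 0.2), "score after:", p.score(drift))
```

With k = 3 the three normal traces yield nine distinct windows. The suspect trace trips the misuse rule outright, and would also score 0.5 on the anomaly side because its last three windows are unseen. A trace that merely repeats one `close` scores 1/6, stays under the 0.2 threshold, and is absorbed by `update`, after which it scores 0.0; the threshold is what keeps that kind of benign repetition from counting as an alert, which is the role the abstract assigns to noise filtering.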
Keywords/Search Tags:Intrusion Detection, Anomaly Detection, Misuse Detection, System Call, Artificial Immune System