
The Research Of Software Behavior Modeling Based On Structure Fingerprint And Taint Analysis

Posted on: 2011-03-01
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Z Y Yin
Full Text: PDF
GTID: 1228360305983567
Subject: Computer application technology
Abstract/Summary:
Along with the rapid development of information technology and the information industry, a series of events such as information warfare, infiltration by hostile forces, computer crime, all kinds of malicious software, hacking and system security risks have caused great damage to networks and even to the economy. Information security is therefore related to national security, social stability and economic development. Intrusion detection technology is an important method of protecting the security of information networks. One form of intrusion detection is host-based intrusion detection, which applies security protection on key hosts with high detection efficiency and accuracy. But the early host intrusion detection systems (HIDS) are mainly based on user-level system logs; they do not involve the analysis of software behavior. However, software is the real carrier of applications and Internet services, and it is what is actually subjected to malicious attacks. Therefore, only in-depth analysis and modeling of software behavior can overcome the shortcomings of existing host intrusion detection systems.

Three issues are worth researching in the field of software behavior. There is a huge amount of software, updated rapidly, so the first issue is how to analyze as much software as possible in order to reduce the false negative rate of the intrusion detection system. The second issue is how to choose suitable software behavior, given the diversity of behavior, so as to serve the following purposes: (1) the chosen behavior should be significant, which is important for improving the reliability of the HIDS; (2) considering the real-time requirements of the HIDS, acquiring the chosen behavior should not have high time complexity. The third issue is how to choose a suitable method of behavior analysis and intrusion detection, because the different methods available have different advantages and disadvantages.
In response to the above issues, this paper proposes a practical method that first classifies software into three classes with different security attributes (blacklist, whitelist and graylist), and then performs stratified behavior analysis and hierarchical detection on the different classes. Specifically, for behavior analysis: first, static analysis is applied to blacklist, whitelist and graylist software in order to extract a structure fingerprint; then dynamic analysis is applied to whitelist and graylist software to build a model of normal dynamic behavior. For real-time intrusion detection: first, a misuse detection method based on matching the structure fingerprint is used to quickly detect blacklist software and abnormal function call sequences in whitelist and graylist software; then, an anomaly detection method is used to detect covert attacks such as non-control-data attacks by comparing the real behavior of the process with the trained normal model of the whitelist and graylist software.

In summary, the research results of this thesis are as follows:

1. The concept of the structural fingerprint, and the way to acquire it, is proposed. Existing image processing methods and matrix theory are used to analyze the disassembled call graph and obtain structural properties, such as color moments, that satisfy the requirements of a fingerprint feature (uniqueness, invariance and sensitivity). The time performance is better than that of traditional methods such as subgraph isomorphism or instruction sequence alignment. Blacklist, whitelist and graylist software is divided into classes based on the structure fingerprint and BSVM technology.
Each class represents programs from the same source; at the same time, the maximum fingerprint distance within the class is calculated and used as the threshold for judging whether a new program belongs to that class. Using this threshold, new programs from the same source can be found in well-known software databases to extend the software list, and this extended list is used to address the problem of the huge number of software packages and the time complexity of intrusion detection.

2. Dynamic taint analysis is leveraged to track the internal data of whitelist and graylist software. Dynamic taint analysis captures more low-level information, such as taint propagation between the arguments of different system calls, and this information is used to build a more complete normal behavior model.

3. The technical architecture and prototype system SFTA (Structural Fingerprint and Taint Analysis) are presented in order to achieve software behavior modeling and hierarchical intrusion detection based on structural fingerprints and taint tracing. The concepts of structural fingerprint, taint propagation of system call arguments, software behavior model, etc. are defined, and the construction and detection algorithms for the behavior model are proposed. The behavior model constructed by the prototype system SFTA can detect many attacks, especially non-control-data attacks, with low false positive and false negative rates.

Through this research, we have established a preliminary hierarchy of software behavior modeling based on structural fingerprints and taint tracking, which provides a theoretical and technical basis for assuring software security. Further research has not only important theoretical significance but also important application significance.
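As an added illustration of the structural-fingerprint idea in point 1 (this is not the thesis's SFTA code), the following Python treats the adjacency matrix of a call graph as an image, summarises it with three moments, derives a class threshold from same-source programs and judges whether a new program belongs to the class; the adjacency-image representation, the L1 metric and the sample call graphs are assumptions made here.

```python
import math
from itertools import combinations
# Added example, not the thesis's SFTA code. A call graph is {caller: [callees]};
# its adjacency matrix is treated as a 0/1 grayscale image and summarised by the
# first three moments (mean, std, skewness), the "color moments" of image
# retrieval. Applying them to the adjacency image is an assumption made here.

def adjacency_pixels(call_graph):
    """Flatten the adjacency matrix into a list of 0/1 pixel values."""
    funcs = sorted(set(call_graph) | {c for cs in call_graph.values() for c in cs})
    return [1 if callee in call_graph.get(caller, ()) else 0
            for caller in funcs for callee in funcs]

def fingerprint(call_graph):
    """(mean, std, skewness) of the adjacency image. Each moment sums over all
    entries, so renaming or reordering functions (a row/column permutation)
    leaves it unchanged (invariance); adding an edge changes it (sensitivity)."""
    px = adjacency_pixels(call_graph)
    n = len(px)
    mean = sum(px) / n
    std = math.sqrt(sum((p - mean) ** 2 for p in px) / n)
    skew = sum((p - mean) ** 3 for p in px) / n / std ** 3 if std else 0.0
    return (mean, std, skew)

def distance(fp_a, fp_b):
    """L1 distance between two fingerprints (the metric is an assumption)."""
    return sum(abs(a - b) for a, b in zip(fp_a, fp_b))

def class_threshold(members):
    """Largest pairwise distance inside a class of same-source programs."""
    fps = [fingerprint(g) for g in members]
    return max(distance(a, b) for a, b in combinations(fps, 2))

def belongs_to_class(candidate, members, threshold):
    """A new program joins the class if it lies within the threshold of a member."""
    fp = fingerprint(candidate)
    return min(distance(fp, fingerprint(m)) for m in members) <= threshold

# Constructed call graphs: two versions of one tool, a renamed copy of the first
# (same structure, new symbol names) and an unrelated, denser program.
V1 = {"main": ["parse", "emit"], "parse": ["read"]}
V2 = {"main": ["parse", "emit"], "parse": ["read"], "emit": ["write"]}
V1_RENAMED = {"entry": ["lex", "out"], "lex": ["load"]}
OTHER = {"a": ["b", "c", "d", "e"], "b": ["c", "d", "e"], "c": ["d", "e"], "d": ["e"]}

if __name__ == "__main__":
    thr = class_threshold([V1, V2])
    print("class threshold:", round(thr, 4))
    print("renamed copy accepted:", belongs_to_class(V1_RENAMED, [V1, V2], thr))
    print("unrelated program accepted:", belongs_to_class(OTHER, [V1, V2], thr))
```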
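As an added illustration of point 2 and of the non-control-data detection in point 3 (not the SFTA prototype's code), this Python builds a normal model from the taint sources of system-call arguments and flags a run whose call sequence is unchanged but whose open() path argument derives from network input; the event format, the taint labels and both traces are constructed here.

```python
# Added example, not the SFTA prototype's code. Each trace event is assumed to
# come from a dynamic taint tracker that labels every system-call argument with
# the set of sources its bytes derive from: "const" (program constants),
# "net:recv" (bytes read from a socket), "ret:open" (a descriptor open returned).
from collections import defaultdict

def train_model(traces):
    """Learn, per (syscall, argument index), the taint sources seen in normal
    runs: the model records where each argument's data normally comes from."""
    allowed = defaultdict(set)
    for trace in traces:
        for name, args in trace:
            for idx, (_value, taints) in enumerate(args):
                allowed[(name, idx)] |= set(taints)
    return dict(allowed)

def detect(model, trace):
    """Alert on arguments carrying a taint source never seen in training."""
    alerts = []
    for name, args in trace:
        for idx, (value, taints) in enumerate(args):
            seen = model.get((name, idx))
            if seen is None:
                alerts.append((name, idx, value, "unseen syscall argument"))
            elif not set(taints) <= seen:
                extra = ",".join(sorted(set(taints) - seen))
                alerts.append((name, idx, value, "unexpected taint " + extra))
    return alerts

# Constructed normal trace of a small logging service: open a fixed log path,
# receive a client message, append it to the log.
NORMAL = [
    ("open",  [("/var/app/app.log", {"const"}), (1089, {"const"})]),
    ("recv",  [(3, {"ret:socket"}), ("hello", {"net:recv"})]),
    ("write", [(4, {"ret:open"}), ("hello", {"net:recv"})]),
]

# Constructed trace of a non-control-data attack: the call sequence is identical
# (a sequence-only model passes it), but the path variable was overwritten with
# client data before open(), so open's first argument now carries network taint.
ATTACK = [
    ("open",  [("/unexpected/path", {"net:recv"}), (1089, {"const"})]),
    ("recv",  [(3, {"ret:socket"}), ("x", {"net:recv"})]),
    ("write", [(4, {"ret:open"}), ("x", {"net:recv"})]),
]

if __name__ == "__main__":
    model = train_model([NORMAL])
    print("normal run alerts:", detect(model, NORMAL))
    print("attack run alerts:", detect(model, ATTACK))
```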
Keywords/Search Tags: Software Behavior, Static Structure Fingerprint, Dynamic Behavior Model, System Call Argument, Intrusion Detection