Research On And Implementation Of Desktop Security Defense System Key Technologies

Posted on: 2012-07-09 | Degree: Master | Type: Thesis
Country: China | Candidate: J Wang | Full Text: PDF
GTID: 2178330341950752 | Subject: Computer software and theory
Abstract/Summary:
The security of the Windows operating system matters to most desktop users because of its large share of the global market combined with its own weaknesses. Traditional anti-virus software blocks at a single point by matching characteristic fragments (signatures); this falls far short of the requirements for better security and real-time response, and it cannot identify unknown attacks. In addition, updating and maintaining the ever-larger signature database is exhausting. This thesis studies intrusion detection and security blocking for desktop security defense systems, and designs and implements a proactive intrusion detection and defense system based on process behavior rather than on a virus database. The contributions of the thesis are as follows:

(1) Design and implementation of the Desktop Security Active Defense System (DSADS). DSADS builds a virtual driver in the Windows kernel that locates and hooks the System Service Dispatch Table (SSDT) so that process behavior can be observed at the system-call level; on this basis it performs intrusion detection and takes the necessary blocking measures against intrusions. Because the software is loaded as a kernel driver, it can trace process behavior more directly, completely and quickly.

(2) An improved ERDA algorithm with sliding windows is presented. It computes a normality index over the system calls a process generates in real time and compares it with a configured threshold to decide whether the process is anomalous. The improved algorithm can change the step of the sliding window dynamically, which greatly improves the controllability of the intrusion course.

(3) An adaptive security blocking mechanism based on the sliding window is proposed. Most existing blocking mechanisms cannot balance response effectiveness against the load they impose on the system. The thesis introduces two indices, Normal-Density and Abnormal-Density, to describe the security state of a process; when the length of the sliding window should change, and by how much, is determined by network entropy theory. Changing the blocking measure dynamically according to the system state yields high effectiveness together with low system load.

In summary, experiments on the Windows platform show that the improved algorithm and the adaptive security blocking mechanism presented in this thesis perform well against unknown attacks and can be applied effectively to Windows desktop systems.
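The sliding-window detection of contribution (2) and the density-driven adaptive blocking of contribution (3) can be shown together in one small simulation. The following is an added example, not code from the thesis: the page does not reproduce the ERDA variant, the Normal-/Abnormal-Density formulas or the entropy rule, so the normality index used here (a STIDE-style n-gram hit rate against a profile of known-normal system-call sequences), the density definitions (fractions of the last few window verdicts), the entropy-driven resizing rule and the action names (allow, watch, alert, suspend) are this example's own assumptions. The system-call names and both traces are constructed for the demonstration.

```python
"""Sliding-window anomaly detection over a process's system-call stream,
with adaptive window length, step and blocking level.

Added example, not the thesis's code.  The page does not reproduce the ERDA
variant or the exact Normal-/Abnormal-Density formulas, so the normality
index (STIDE-style n-gram hit rate), the density definitions and the
entropy-driven resizing rule below are this example's own assumptions.
"""
from collections import deque
from math import log2

# Constructed training session: hypothetical syscall names in the style of the
# Windows native API, not a captured trace.
NORMAL_SESSION = [
    "NtCreateFile", "NtQueryInformationFile", "NtReadFile", "NtReadFile", "NtClose",
    "NtOpenFile", "NtReadFile", "NtWriteFile", "NtClose",
    "NtCreateFile", "NtWriteFile", "NtWriteFile", "NtClose",
    "NtOpenFile", "NtQueryInformationFile", "NtReadFile", "NtClose",
]

# Constructed attack: the same session with an injection-style burst spliced
# in after the 9th call (again hypothetical names, not a real sample).
INJECTION = ["NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory",
             "NtProtectVirtualMemory", "NtCreateThreadEx"]
MALICIOUS_SESSION = NORMAL_SESSION[:9] + INJECTION + NORMAL_SESSION[9:]


def build_profile(traces, n):
    """Normal profile: every n-gram of system calls seen in the training traces."""
    profile = set()
    for trace in traces:
        for i in range(len(trace) - n + 1):
            profile.add(tuple(trace[i:i + n]))
    return profile


def normality_index(window, profile, n):
    """Fraction of the window's n-grams present in the profile (1.0 = fully normal)."""
    grams = [tuple(window[i:i + n]) for i in range(len(window) - n + 1)]
    if not grams:
        return 1.0
    return sum(g in profile for g in grams) / len(grams)


def binary_entropy(p):
    """Entropy (bits) of the normal/abnormal verdict mix; 0 = certain, 1 = undecided."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -(p * log2(p) + (1.0 - p) * log2(1.0 - p))


def scan(trace, profile, n=3, threshold=0.8, min_len=4, max_len=8, history=4):
    """Consume the trace call by call; evaluate the last win_len calls every `step` calls.

    Returns one record per evaluation with the densities and the action chosen.
    """
    win_len, step = max_len, max_len // 2      # start relaxed: long window, coarse step
    verdicts = deque(maxlen=history)           # recent anomaly verdicts (True = abnormal)
    records, since_eval = [], 0
    for t in range(1, len(trace) + 1):         # t = calls observed so far
        since_eval += 1
        if t < win_len or since_eval < step:
            continue
        since_eval = 0
        idx = normality_index(trace[t - win_len:t], profile, n)
        verdicts.append(idx < threshold)
        abn = sum(verdicts) / len(verdicts)    # Abnormal-Density over the recent verdicts
        nrm = 1.0 - abn                        # Normal-Density
        h = binary_entropy(abn)
        # Adaptive rule (assumption): a mostly abnormal history shrinks the window and
        # step for fast, fine-grained response and escalates blocking; an undecided
        # history (high entropy) tightens scrutiny; a settled normal history relaxes
        # window and step to reduce load.
        if abn >= 0.75:
            action, win_len, step = "suspend", min_len, 1
        elif abn >= 0.5:
            action, win_len, step = "alert", min_len, 1
        elif h > 0.5:
            action, win_len, step = "watch", max(min_len, win_len - 2), 1
        else:
            action, win_len = "allow", min(max_len, win_len + 2)
            step = max(1, win_len // 2)
        records.append({"t": t, "index": round(idx, 3), "normal_density": round(nrm, 3),
                        "abnormal_density": round(abn, 3), "entropy": round(h, 3),
                        "window": win_len, "step": step, "action": action})
    return records


PROFILE = build_profile([NORMAL_SESSION], 3)

if __name__ == "__main__":
    for rec in scan(MALICIOUS_SESSION, PROFILE):
        print(rec)
```

Running it on the constructed attack trace, the first window that overlaps the spliced burst drops to a normality index of 0.5, the detector shrinks the window to 4 calls and the step to 1, and two evaluations later Abnormal-Density reaches 0.75 and the action escalates to "suspend"; once the history is uniformly normal again (entropy 0), the window and step grow back so the per-call cost falls. In a kernel-resident design such as DSADS the hook sees each system call before it is dispatched, so the blocking action would apply to the call that produced the verdict rather than after the fact.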
Keywords/Search Tags: desktop security, active defense, system call, intrusion detection, blocking