
Study And Implementation On Process Detection Model And Correlative Technology

Posted on: 2006-08-18
Degree: Master
Type: Thesis
Country: China
Candidate: J H Chen
Full Text: PDF
GTID: 2178360182977453
Subject: Computer software and theory

Abstract/Summary:
With the development of computer network technology, network security has become one of the most widely discussed issues. Hackers' intrusion methods change with each passing day, and intrusion detection becomes more and more difficult. In many intrusion events, the hacker gains control of the target computer by exploiting an essential system process, and after a successful intrusion leaves a Trojan horse or back door in the system, which provides a shortcut for the next access. Detecting exploited system processes and Trojan horses is therefore an important topic in the intrusion detection field.

Intrusion detection systems are divided into two categories according to their detection technique: anomaly-based detection systems and misuse-based detection systems. Process detection belongs to the anomaly-based branch. At present, domestic and foreign scholars mainly concentrate on process detection based on process behavior. In behavior-based process detection, a process is regarded as a series of system calls, and the process's normal behavior is represented by partial system call sequences taken from that series. This technique has its own shortcomings.

As process behavior proceeds, the process state changes correspondingly; process behavior and process state have an intrinsic relation. This paper discusses that relation on the basis of the notion of category and an integrated deterministic finite automaton. It establishes a category-based process detection model (CPDM) and proposes a state-based process detection technique. In state-based process detection, a process is described by its sequence of process states, and the process's normal states are described by process state patterns (PSPs). Compared with the known techniques, this has notable advantages.

First, the length of a normal state pattern is fixed, which eliminates the negative influence of the uncertain length of partial system call sequences. Second, process state transitions are independent of the concrete operating system, so process state sequences can be used across platforms. Third, the model has a wide detection scope: the technique can detect not only essential system processes that have been exploited but also malicious software. In the final part, the author completes the design and testing of a process detection tool. The test results indicate that state-based process detection...
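The following is an added illustration, not code from the thesis: it shows the two properties the abstract claims for state-based detection, fixed-length state patterns and platform-independent state sequences, using a simplified model. The mapping from system calls to abstract process states, the state names, the pattern length of 3 and the traces are all constructed assumptions; the thesis's own state definitions and CPDM construction are not on this page.

```python
# Constructed mapping from platform-specific system calls to abstract process
# states (an assumption for illustration; the thesis's state definitions are not
# on this page). Linux and Windows calls that do the same job share one state.
STATE_OF = {
    "open": "FILE_OPEN", "NtCreateFile": "FILE_OPEN",
    "read": "FILE_READ", "NtReadFile": "FILE_READ",
    "write": "FILE_WRITE", "NtWriteFile": "FILE_WRITE",
    "close": "FILE_CLOSE", "NtClose": "FILE_CLOSE",
    "socket": "NET_OPEN", "WSASocket": "NET_OPEN",
    "connect": "NET_CONNECT", "WSAConnect": "NET_CONNECT",
    "exit": "EXIT", "NtTerminateProcess": "EXIT",
}

PATTERN_LEN = 3  # fixed process state pattern (PSP) length, a chosen assumption

def to_states(trace):
    """Collapse a syscall trace into a state sequence; repeats of one state merge."""
    states = []
    for call in trace:
        state = STATE_OF.get(call, "OTHER")
        if not states or states[-1] != state:
            states.append(state)
    return states

def learn_psp(normal_traces, n=PATTERN_LEN):
    """Collect every fixed-length state pattern observed in normal traces."""
    psp = set()
    for trace in normal_traces:
        s = to_states(trace)
        for i in range(len(s) - n + 1):
            psp.add(tuple(s[i:i + n]))
    return psp

def anomaly_score(trace, psp, n=PATTERN_LEN):
    """Return (fraction of windows not in the PSP set, the unknown windows)."""
    s = to_states(trace)
    windows = [tuple(s[i:i + n]) for i in range(len(s) - n + 1)]
    unknown = [w for w in windows if w not in psp]
    return (len(unknown) / len(windows) if windows else 0.0), unknown

# Constructed normal traces: the same file-copy style program on Linux and Windows.
NORMAL = [
    ["open", "read", "read", "write", "close", "exit"],
    ["NtCreateFile", "NtReadFile", "NtWriteFile", "NtWriteFile", "NtClose", "NtTerminateProcess"],
]
# Constructed suspicious trace: the program opens a network connection mid-run.
SUSPECT = ["open", "read", "socket", "connect", "write", "close", "exit"]
PSP = learn_psp(NORMAL)
```

The Windows trace scores 0.0 against patterns learned from either trace because both collapse to the same state sequence, while SUSPECT scores 0.8 with four of its five windows unknown.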
Keywords/Search Tags: Intrusion detection, Process detection, System call, Category