
Detection And Classification Of "Non-self" Based On System Call Related To Security

Posted on: 2007-10-26 | Degree: Master | Type: Thesis
Country: China | Candidate: Z Li | Full Text: PDF
GTID: 2178360182985558 | Subject: Computer application technology
Abstract/Summary:
By imitating the natural immune system, we have designed a general computer immune system model (GECISM). It consists of several agents, each of which imitates the function and mechanism of a different kind of immune cell, and the agents cooperate to protect the host. The model provides the functions of immune detection, immune response and immune adjustment. The imitate MC Agent detects "nonself", which realizes the function of immune detection; the imitate TH Agent classifies the "nonself" detected by the imitate MC Agent, which is the joint between immune detection and immune response.

In this paper, system calls related to security are defined in Linux, and a model of the imitate MC Agent and imitate TH Agent is designed on the basis of an exposition of computer immune theory. The research on "nonself" detection and classification concentrates on the following aspects: after an analysis of several methods of collecting system calls, a Linux loadable kernel module using sys_call_table is selected to collect system calls related to security; the rule library is generated and "nonself" detection and classification are realized; the feasibility and efficiency of using system calls related to security as the data source for "nonself" classification are validated by comparing the ability to distinguish different kinds of programs; an experiment is used to distinguish different kinds of "nonself" programs and shows the distribution of "nonself". Applying these research results, an experimental system of the imitate MC Agent and imitate TH Agent based on system calls related to security is implemented in this paper.
Keywords/Search Tags:Computer Immune System, System Call, Detection, Classification, Relate to Security