Research And Implementation On Host-based Active Intrusion Prevention System

The project is a branch of "network active intrusion prevention system" funded by the Science and Technology Department of Zhengzhou. Aiming at the flaws of present security product, the thesis studies and designs a more efficient and perfect host-based intrusion prevention system. Organically amalgamating multiple security techniques, it puts deep defense in practice centered on the key resources in the host/servers.Firstly, the thesis analyzes the security position of the host system currently, introduces the research situation and existing questions in the field, expatiates on the system's design thought, establishes its design goals, introduces key technology principle that is used in the system design.All activities on a host or server must use operation system, even if attackers of the future discover ways to circumvent other defenses, they must still use the operation system. Host intrusion prevention system is the last line of defense from network level and operation system level against system compromise. By using network interceptor and system call interceptor, it resists all kinds of protocol attacks, operation system attacks and application attacks. Host intrusion prevention system uses this protection technology, which runs at the operation system level, forms a strong and proven last line defense against system compromise. It uses access control policies of user definition, examines system activities and user behavior according to the factors of who, what time, where , what process and what rights etc, and provides finer granularity access control than the operation system. By locking down the operation system critical files and key registries, it achieves file and registry protection; using process hide and process termination protection for critical process running on the operation system, it implements process attack protection; using kernel module hide technology, it implements important kernel module protection; by providing kernel module load and unload protection, it can block malicious and unauthorized driver which is loaded and unloaded; it can also block Rootkits and backdoor in the kernel to run on the operation system; by controlling application execution, it can block unknown or unauthorized application run on the operation system. Through various defendable functions, host intrusion prevention system extends operation system security performance.Finally, the thesis concludes the finished work and the existing drawbacks, and puts forward with some suggestions to future development.