
The New Method Of The State-transition Detection Based On Sequences Of System Calls

Posted on: 2007-11-11
Degree: Master
Type: Thesis
Country: China
Candidate: L N Li
Full Text: PDF
GTID: 2178360212480543
Subject: Management Science and Engineering

Abstract/Summary:
With the rapid development of computer and network technology, computer systems have grown from stand-alone hosts into complex, interconnected open systems, which makes computer and network security more important than ever. Intrusion detection, one of the core security technologies, has become a significant domain of security research: it continuously monitors the characteristics of a network or computer system to determine whether an unauthorized intrusion, or behaviour that violates the security policy, has occurred.

We chose sequences of system calls as the data source. Reviewing the present state of system-call-based intrusion detection research: the short-sequence method preserves only the time-order relations within one short sequence, while the state-transition method preserves the complete relations among system calls that lie far apart, but cannot detect the system call sequences of unknown intrusions. Building on this earlier work, we present a new type of state-transition intrusion detection that adds statistical analysis. Because the system call sequences produced when a system runs normally exhibit some fixed patterns, most statistical methods can capture this property; the advantages of statistical analysis are high efficiency and usability. We used multivariate statistical analysis techniques, which better reflect the relations between successive system calls. We classified the critical calls according to the function and threat level of each system call, quantifying them and providing data for the statistics, which reduced the detection range and increased efficiency.

In this thesis, state-transition detection is based on the STAT mechanism, and we made several improvements to the definition of the state space and the transition rules in order to calculate the statistical parameters of the system call sequences; these parameters are accumulated as an anomalous level that identifies whether an intrusion is occurring. First, the thesis introduces the prototype of the model architecture. Second, the key technologies, the definitions of the rules and the experimental data are presented. Finally, the experimental results from two groups of training data and from different classifications of the system calls are compared, the feasibility is analysed and the effectiveness is evaluated. The experimental results showed that the proposed detection method based on system call sequences is more powerful and more efficient than the classical one, because the anomalous and high-threat-level behaviours are analysed and handled with the multivariate statistical method. Both anomaly intrusion detection and misuse intrusion detection techniques have been implemented in this system. Integrating different methods and technologies offsets the shortcomings of each single technique.
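As an added illustration (not the thesis's code, data or rules), the following Python sketch shows the idea the abstract describes: each system call is a state, the normal profile is the set of transitions observed during normal runs, critical calls carry a threat weight, and the weights of anomalous transitions are accumulated into an anomalous level that is compared with a threshold. The threat weights, traces, floor and threshold are assumptions constructed for the example; the thesis's actual state space, transition rules and multivariate statistics are not reproduced.

```python
from collections import defaultdict

# Constructed threat weights per system call (an assumption for this example,
# not the thesis's classification): calls that change identity, spawn
# programs or alter permissions weigh more than bookkeeping calls.
THREAT = {"setuid": 3, "execve": 3, "chmod": 2, "open": 1, "read": 1,
          "write": 1, "close": 1, "mmap": 1, "getpid": 0, "brk": 0}

# Constructed normal traces of a small file-copying program (training data).
NORMAL_TRACES = [
    ["brk", "open", "read", "write", "close", "getpid"],
    ["brk", "open", "read", "read", "write", "close"],
    ["open", "mmap", "read", "write", "close", "getpid"],
]

def train_profile(traces):
    """Each system call is a state; learn P(next | prev) for every
    transition seen while the program runs normally."""
    counts, outgoing = defaultdict(int), defaultdict(int)
    for trace in traces:
        for prev, nxt in zip(trace, trace[1:]):
            counts[(prev, nxt)] += 1
            outgoing[prev] += 1
    return {pair: c / outgoing[pair[0]] for pair, c in counts.items()}

def anomaly_score(profile, trace, floor=0.05):
    """Walk the trace through the state machine. A transition the profile
    never (or rarely) produced is anomalous and contributes the threat
    weight of the call being entered, so a novel but harmless transition
    barely moves the accumulated anomalous level."""
    score = 0.0
    for prev, nxt in zip(trace, trace[1:]):
        p = profile.get((prev, nxt), 0.0)
        if p < floor:
            score += THREAT.get(nxt, 1) * (1.0 - p / floor)
    return score

def is_intrusion(profile, trace, threshold=4.0):
    """Flag the trace once the accumulated anomalous level reaches the threshold."""
    return anomaly_score(profile, trace) >= threshold

if __name__ == "__main__":
    profile = train_profile(NORMAL_TRACES)
    benign = ["brk", "open", "read", "write", "close", "getpid"]
    novel_but_harmless = ["brk", "open", "read", "getpid", "close"]
    anomalous = ["brk", "open", "read", "setuid", "execve", "close"]  # constructed
    for t in (benign, novel_but_harmless, anomalous):
        print(t, anomaly_score(profile, t), is_intrusion(profile, t))
```

The second trace shows why the threat classification matters: its transitions are unseen in training, yet the low weights keep it below the threshold, while the third trace crosses it through the high-weight calls it enters.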
Keywords/Search Tags: intrusion detection, system call, state transition analysis technique, multivariate statistical analysis technique