
Research On HIDS Based On System Kernel

Posted on: 2008-01-07
Degree: Master
Type: Thesis
Country: China
Candidate: P Zhang
Full Text: PDF
GTID: 2178360212979380
Subject: Computer software and theory
Abstract/Summary:
Because a Host-based Intrusion Detection System (HIDS) takes its data directly from the operating system, its detection is efficient and its data source is trustworthy. Past HIDS designs, however, concentrated on preventing the intruder from getting in (so-called "before intrusion" measures) rather than on keeping the HIDS itself secure once the intruder has already gained control of the host (so-called "after intrusion" measures). If the intruder has already broken through the host's defences and terminated the processes of the protection software, the HIDS included, the HIDS can no longer protect the host. To address this problem, the author, after surveying a large body of literature, proposes a so-called "Hotel model" of the interactions among the entities involved and uses it to analyse the technique of visiting redirection (access redirection). Malware of the rootkit type is then analysed in terms of the Hotel model, and the same visiting-redirection technique is turned around to improve the security of the HIDS: the protection software's process is hidden, access restrictions are placed on the HIDS's important files, and the system-call functions are monitored to stop malware from destroying it. Finally, the author designs a new covert channel, based on packet length, to carry information between the host and the administrator. Together these functions make the HIDS more secure.
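The abstract names a packet-length covert channel between the protected host and the administrator but does not show how one is built. The following is an added illustration, not the thesis's own code: each packet carries four bits of the hidden message in its payload length (length = BASE_LEN + nibble), the payload bytes are random filler, and a reserved length marks end of message. BASE_LEN, the nibble alphabet and the terminator value are assumptions chosen for the example; a sender and receiver only need to agree on them and on the sequence of observed lengths.

```python
"""
Packet-length covert channel: added illustration, not code from the thesis.

Sender side: every packet's payload length encodes one nibble of the
message (length = BASE_LEN + nibble). Receiver side: only the sequence
of observed payload lengths is needed, so a receiver can decode from a
capture without ever inspecting packet contents. All constants below are
assumptions for this example, not values taken from the thesis.
"""
import os

BASE_LEN = 64                                   # assumed smallest normal payload size
BITS_PER_PACKET = 4                             # one nibble per packet
ALPHABET = 1 << BITS_PER_PACKET                 # 16 usable lengths
TERMINATOR = BASE_LEN + ALPHABET                # reserved length meaning "end of message"


def encode_lengths(message: bytes) -> list:
    """Map a message to the sequence of payload lengths the sender emits."""
    lengths = []
    for byte in message:
        lengths.append(BASE_LEN + (byte >> 4))      # high nibble first
        lengths.append(BASE_LEN + (byte & 0x0F))    # then low nibble
    lengths.append(TERMINATOR)
    return lengths


def build_packets(message: bytes) -> list:
    """Produce the carrier payloads; contents are random filler, only length matters."""
    return [os.urandom(n) for n in encode_lengths(message)]


def decode_lengths(observed: list) -> bytes:
    """Recover the message from observed payload lengths (e.g. taken from a capture).

    Lengths outside the alphabet are treated as unrelated traffic and skipped;
    a length inside the alphabet that did not come from the sender would
    corrupt the decode, which is why a real deployment adds framing or a checksum.
    """
    nibbles = []
    for n in observed:
        if n == TERMINATOR:
            break
        sym = n - BASE_LEN
        if not 0 <= sym < ALPHABET:
            continue
        nibbles.append(sym)
    out = bytearray()
    for i in range(0, len(nibbles) - len(nibbles) % 2, 2):
        out.append((nibbles[i] << 4) | nibbles[i + 1])
    return bytes(out)


def decode_packets(packets: list) -> bytes:
    """Receiver entry point: decode from the packets themselves."""
    return decode_lengths([len(p) for p in packets])


def distinct_alphabet_lengths(observed: list) -> int:
    """Defender-side check: how many distinct lengths fall in the alphabet band.

    Ordinary traffic on one connection usually clusters on a few sizes; a flat
    spread across every length in [BASE_LEN, TERMINATOR] is a signature of
    this kind of channel.
    """
    return len({n for n in observed if BASE_LEN <= n <= TERMINATOR})


if __name__ == "__main__":
    pkts = build_packets(b"alert: hids-ok")    # constructed sample message
    print(decode_packets(pkts))
    print(distinct_alphabet_lengths([len(p) for p in pkts]))
```

The channel survives because it is not the bytes that carry the secret but the sizes, so payload encryption on the carrier protocol does not hide it; the same property is what gives the defender a handle, since sizes are visible to any observer of the link.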
Keywords/Search Tags:HIDS, Visiting Redirection, Formal Characterization, Covert Channel, Rootkit