Research On Security Audit System Of Intranet And Audit Data Mining

Posted on: 2008-05-09
Degree: Master
Type: Thesis
Country: China
Candidate: X D Zhang
GTID: 2178360215493547
Subject: Computer software and theory
Abstract/Summary:
Network security has gradually become a severe problem for network systems. Among the numerous security problems, intranet security threats account for a large part, including malicious damage by insiders, spying on confidential information, and intrusion from inside. In practice, it is rather unchallenging to obtain rights on computer systems from the inside. Furthermore, administrators may also neglect insider attacks. Hence, more and more security agencies, academic research institutes and governments are beginning to focus their attention on the issue of intranet security.

Up to the present, the main technical approaches to network security are firewalls, IDS, etc. Though they are relatively effective against external intrusion, they cannot wholly stop a hacker's attack, especially for the insider security problem, which is obviously the weak link.

The intranet audit system (IAS) arose under such circumstances. In this paper, the issue of constructing an IAS according to the TCSEC and CC standards is thoroughly investigated. Firstly, the theory of security audit is covered, including the origin of the audit mechanism and several domestic and international standards of security audit, whose details are also generally reviewed. Then an exhaustive design of an IAS under Windows is presented in detail, including an audit data format and an audit event set suitable for recording user behavior, and a general framework suitable for an IAS. Moreover, the paper discusses the main functions of the IAS, and adopts API Hook and GINA techniques to acquire audit data.

Data mining is a knowledge discovery technique that gleans useful patterns from a bulk of historical data, and then differentiates the current patterns from the historical patterns by classification algorithms. The paper proposes an abnormal behavior detection model by applying data mining to the IAS. In this model, a database of normal user behavior is first established using association rules and sequence patterns. Then, whether the current pattern is abnormal is judged by similarity algorithms (a whole-sequence algorithm and a correlation function algorithm). Finally, the model was confirmed with experimental data, indicating its feasibility and suitability for detecting abnormal behavior of intranet users.
Keywords/Search Tags:intranet, security audit, CC standard, API hook, data mining