
Research And Design Of Adaptive Intrusion Prevention System

Posted on: 2008-06-21
Degree: Master
Type: Thesis
Country: China
Candidate: Q Yuan
GTID: 2178360218452802
Subject: Computer application technology
Abstract/Summary:
The appearance of intrusion detection systems offers clear advantages over the conventional firewall. But intrusion detection systems are fundamentally passive and fail-open: because their primary task is classification, they do nothing to prevent an attack from succeeding. An intrusion prevention system (IPS) adds protection mechanisms that provide fail-safe, automatic response and enhanced adaptive capabilities.

This paper designs an Adaptive IPS (Adaptive Intrusion Prevention System), a hybrid active approach to server or host security that prevents binary code injection attacks. It incorporates two major components: a proxy that integrates an anomaly-based detector with a signature-based filtering scheme, and a supervision framework that employs a Hetero-Instruction Set (HIS). Since a proxy fundamentally includes a signature-matching function, a Markov Chain-based anomaly detector is added to it to implement the proxy.

We implement the supervision framework by employing a parallel Master-Slave application server to process requests and by rewriting the source code of DAISY to emulate the Code Morphing Software of Crusoe, thereby upholding HIS. Since HIS prevents code injection attacks and can also precisely identify the injected code, the system can tune the classifier and the filter through a learning mechanism based on this feedback. Capturing the injected code allows Adaptive IPS to construct attack signatures for zero-day exploits. The filter and classifier can match known malicious input or release anomalous input that is not malicious, effectively protecting the application from additional instances of an attack, even zero-day attacks or attacks that are completely metamorphic in nature, without many false positives.

Experimental results confirm that the system's anomaly detector classifies anomalous streams efficiently, and that the Master-Slave application server adapts not only to zero-day attacks but also to new normal network streams. If appropriate functions are selected for parallel processing, the Slave Server affects system performance only slightly and can even enhance the efficiency of the application. Adaptive IPS can be deployed transparently to clients or servers with minimal impact on their performance. The paper describes a prototype that protects HTTP servers, but Adaptive IPS can be applied to a variety of server and client applications.
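As an added illustration (not code from the thesis), the proxy path the abstract describes: a Markov-chain anomaly detector and a signature filter in front of the server, with the supervision framework's feedback turning captured injected code into a signature and releasing benign anomalies back into the model. The HIS supervisor is replaced by a stub callback, all request data is constructed, and the byte-class Markov model and threshold rule are assumptions rather than the thesis's design.

```python
import math
from collections import Counter, defaultdict
START = "START"  # synthetic start state; cannot collide with a byte value
def state(b):  # letters, digits and whitespace collapse to classes; any other byte stays distinct
    if 0x30 <= b <= 0x39: return "D"
    if 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A: return "A"
    return "S" if b in (0x20, 0x09, 0x0D, 0x0A) else b

class MarkovDetector:  # first-order Markov chain over request bytes, scored by mean log-likelihood
    def __init__(self, margin=0.5):
        self.margin, self.samples, self.vocab = margin, [], set()
        self.counts = defaultdict(Counter)  # counts[a][b]: observed transitions a -> b
    def train(self, samples):
        for s in samples:
            st = [START] + [state(b) for b in s]
            self.vocab.update(st)
            for a, b in zip(st, st[1:]): self.counts[a][b] += 1
        self.samples += list(samples)
        self.threshold = min(map(self.score, self.samples)) - self.margin  # margin below least likely normal
        return self
    def score(self, data):
        # add-one smoothing: transitions never seen in training (e.g. runs of 0x90) pull the score down
        st, v = [START] + [state(b) for b in data], len(self.vocab) + 1
        return sum(math.log((self.counts[a][b] + 1) / (sum(self.counts[a].values()) + v))
                   for a, b in zip(st, st[1:])) / (len(st) - 1)
class AdaptiveProxy:  # signature filter in front of the classifier, both tuned by HIS feedback
    def __init__(self, detector, his_supervisor):
        self.detector, self.supervise, self.signatures = detector, his_supervisor, []
    def handle(self, request):
        if any(sig in request for sig in self.signatures):
            return "dropped"                    # known attack: signature filter hit
        if self.detector.score(request) >= self.detector.threshold:
            return "forwarded"                  # looks normal: no supervision needed
        injected = self.supervise(request)      # HIS verdict: the captured injected code, or None
        if injected:
            self.signatures.append(injected)    # zero-day instance becomes a signature
            return "blocked"
        self.detector.train([request])          # benign anomaly: release it and relearn
        return "released"
def fake_his(request):  # stand-in for the HIS supervisor (assumption): a 0x90 run is "injected code"
    return b"\x90" * 8 if b"\x90" * 8 in request else None

NORMAL = [b"GET /index.html HTTP/1.1", b"GET /images/logo.png HTTP/1.1",  # constructed traffic
          b"POST /login HTTP/1.1", b"GET /search?q=thesis HTTP/1.1"]
ATTACK = b"GET /" + b"\x90" * 32 + b"\xcc" * 4 + b" HTTP/1.1"            # constructed injection

def demo():  # verdicts for an unseen normal request, a zero-day, its repeat, and a benign anomaly
    proxy = AdaptiveProxy(MarkovDetector().train(NORMAL), fake_his)
    return [proxy.handle(r) for r in (b"GET /about.html HTTP/1.1", ATTACK, ATTACK,
                                      b"GET /a%20b%20c%20d%20e.html HTTP/1.1")]
```

The second copy of the attack is dropped by the signature learned from the first, while the URL-encoded request is anomalous to the chain but carries no injected code, so it is released and folded into the normal model.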
Keywords/Search Tags: Adaptive System, Hetero-Instruction Set, Fault Tolerance, Self-Healing, Markov Chain Model, Code Morphing, Dynamical Translating, Parallel Processing