
The Research And Design Of Double Filter Based Intrusion Prevention System

Posted on: 2008-07-27
Degree: Master
Type: Thesis
Country: China
Candidate: X W He
Full Text: PDF
GTID: 2178360272969394
Subject: Computer system architecture
Abstract/Summary:
With the rapid development and widespread use of computer technology, the demand for information security is rising sharply. Given the variety of attack methods, traditional passive defence technology is no longer sufficient to protect the security of an entire system. The Intrusion Prevention System, a newer research result, is a proactive detection and response technology whose protection capability can meet the security requirements of individuals, corporations, governments and other organizations.

Threats come from all kinds of attacks. By analysing attack mechanisms and the threat model, this thesis designs the Double-Filter based Intrusion Prevention System (DF-IPS), which addresses the problem of viruses and Trojans disabling the protection mechanism of common security software through reverse engineering. DF-IPS performs access checking in both the application layer and the kernel layer. To describe program behaviour precisely, behaviour restriction is applied.

The design of DF-IPS is based on the idea of maintaining host coherence, meaning that the current behaviour matches normal behaviour and that each upper-layer operation matches the corresponding lower-layer interrupt request. To ensure behaviour coherence, a formal language is used to describe the potential association rules between actor, operating tool, target and operation type, and from these rules behaviour-restriction access control policies are derived that have higher accuracy and are easy to implement. Drawing on the anomaly detection method used in Intrusion Detection Systems, a safety assessment is designed to monitor the host state.

By hooking the Network Driver Interface Standard (NDIS) and using file filter technology, interrupt requests are intercepted in kernel mode and checked for operation coherence. This additional kernel-mode filter can resist attacks generated in kernel mode. Because every normal request is checked twice, host performance is reduced; for security enforcement, this performance cost is worthwhile.

The final analysis shows that the system has good security capability.
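A toy model of the double-filter coherence check described above, added here as an illustration and not code from the thesis: a behaviour-restriction policy over (actor, tool, target, operation type) tuples, plus a kernel-level check that denies any intercepted request that either violates the policy or has no matching application-layer operation. The policy rules, event traces and tuple format are constructed assumptions.

```python
from fnmatch import fnmatchcase

# Behaviour-restriction policy: (actor, tool, target, operation type) tuples
# that are considered normal. "*" is a wildcard. Constructed sample policy,
# not the thesis's own rule set.
POLICY = [
    ("user",   "winword.exe", r"c:\users\*\documents\*", "file_write"),
    ("user",   "chrome.exe",  "*:443",                   "net_connect"),
    ("system", "svchost.exe", "*:53",                    "net_connect"),
]

def rule_allows(event):
    """First filter: does some policy rule cover this (actor, tool, target, op)?"""
    return any(
        all(fnmatchcase(str(v).lower(), p.lower()) for p, v in zip(rule, event))
        for rule in POLICY
    )

def check_coherence(app_events, kernel_events):
    """Second filter. Every request seen at kernel level (NDIS / file filter
    hook) must satisfy the policy AND be accounted for by an operation the
    application-layer hook already reported. A kernel request with no
    application-layer counterpart indicates the user-mode protection was
    bypassed or disabled, so it is denied even if the policy would permit it."""
    unmatched = list(app_events)
    verdicts = []
    for ev in kernel_events:
        if not rule_allows(ev):
            verdicts.append((ev, "deny: violates behaviour restriction"))
        elif ev in unmatched:
            unmatched.remove(ev)
            verdicts.append((ev, "allow"))
        else:
            verdicts.append((ev, "deny: no matching application-layer operation"))
    return verdicts

# Constructed sample traces: what the user-mode hook reported versus what the
# kernel-mode filters intercepted.
APP_EVENTS = [
    ("user", "winword.exe", r"C:\Users\alice\Documents\report.docx", "file_write"),
    ("user", "chrome.exe",  "203.0.113.10:443",                      "net_connect"),
]
KERNEL_EVENTS = APP_EVENTS + [
    # policy-conforming write that the application-layer hook never saw
    ("user", "winword.exe", r"C:\Users\alice\Documents\notes.docx", "file_write"),
    # write to a driver directory that no rule permits
    ("user", "notepad.exe", r"C:\Windows\System32\drivers\new.sys", "file_write"),
]

if __name__ == "__main__":
    for ev, verdict in check_coherence(APP_EVENTS, KERNEL_EVENTS):
        print(verdict, ev)
```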
Keywords/Search Tags: Intrusion Prevention System, Behavior Restriction, Anomaly Detection, Network Driver Interface Standard, File Filter