
Intrusion Detection Based On Program's Legal Function

Posted on: 2011-05-24
Degree: Master
Type: Thesis
Country: China
Candidate: Z F Zhang
Full Text: PDF
GTID: 2178360302980179
Subject: Computer software and theory

Abstract/Summary:
With the development and ever-widening application of network technology, information processing depends increasingly on networks. As network attack tools and techniques become more complex and diverse, traditional network security alerting techniques can hardly satisfy network security requirements. Faced with large-scale and diverse network attacks, establishing an effective and flexible network security facility is a hard and challenging task.

Intrusion Detection System (IDS) is a security technique that has developed rapidly in recent years. Nowadays host-based IDSs, whatever detection technique they use, put their emphasis on the course of the attack. Although studying and analyzing the attack pattern while the attack is in progress can prevent malicious attacks from further damaging the system, it does affect detection accuracy when classifying a given system activity.

The paper first introduces the concept and basic types of IDS, and then some popular intrusion detection techniques. Finally, by analyzing the basic reason why most anomaly-based IDSs produce false alarms, the paper proposes a new intrusion detection model based on an application's Legal Function Area (LFA), derived by analyzing the system calls of a running process. The method captures the basic distinction between legitimate user behaviour and malicious attack activity, so that it can classify system operations correctly. With high detection accuracy and a low false-positive rate, system administrators can put more emphasis on attack detection and are no longer disturbed by false alarms.

Because every key operation a process carries out must transfer from user mode to kernel mode through a system call, the activity of a process can be traced essentially by examining its system call sequence. System calls are so precise a record of process activity that it is very hard for intruders to alter them.
The LFA is established from system call information and modeled using a finite-state automaton (FSA). Every LFA is represented by one state, which includes the effective user ID and effective group ID of the running process. A preliminary experiment shows that the new method can detect various attacks against code vulnerabilities, and has a low false-positive rate.
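The following is an added illustration of the LFA idea as described in the abstract, not code from the thesis itself. The abstract does not give the exact automaton construction, so the modeling choices here are assumptions: a state is the (euid, egid) pair of the running process, each system call is a transition between such states, the automaton is learned from traces of legitimate runs, and any transition absent from the learned set is reported as leaving the legal function area. The traces are constructed for the example and are not real audit data.

```python
from collections import defaultdict

# Pseudo-state before the process has issued any system call (assumption).
START = ("START", "START")

# Constructed sample traces (not real audit data). Each event is
# (syscall, euid_after, egid_after): the effective credentials in force once
# the call returns. The traces mimic a setuid-root service that drops to
# uid/gid 1000 before touching the network.
LEGAL_TRACES = [
    [("execve", 0, 0), ("open", 0, 0), ("read", 0, 0), ("setgid", 0, 1000),
     ("setuid", 1000, 1000), ("socket", 1000, 1000), ("write", 1000, 1000),
     ("exit", 1000, 1000)],
    [("execve", 0, 0), ("open", 0, 0), ("read", 0, 0), ("setgid", 0, 1000),
     ("setuid", 1000, 1000), ("socket", 1000, 1000), ("read", 1000, 1000),
     ("write", 1000, 1000), ("exit", 1000, 1000)],
]


def trace_to_transitions(trace):
    """Convert a trace into (state, syscall, next_state) triples, where a state
    is the (euid, egid) pair of the running process, i.e. the LFA state."""
    transitions = []
    state = START
    for name, euid, egid in trace:
        next_state = (euid, egid)
        transitions.append((state, name, next_state))
        state = next_state
    return transitions


class LFAModel:
    """Finite-state automaton over credential states learned from legal traces."""

    def __init__(self):
        # state -> set of (syscall, next_state) observed in legitimate runs
        self.allowed = defaultdict(set)

    def train(self, traces):
        for trace in traces:
            for state, name, next_state in trace_to_transitions(trace):
                self.allowed[state].add((name, next_state))

    def detect(self, trace):
        """Return (index, state, syscall, next_state) for every step that leaves
        the legal function area. An empty list means the trace is legal."""
        anomalies = []
        for i, (state, name, next_state) in enumerate(trace_to_transitions(trace)):
            if (name, next_state) not in self.allowed.get(state, set()):
                anomalies.append((i, state, name, next_state))
        return anomalies


def build_model():
    model = LFAModel()
    model.train(LEGAL_TRACES)
    return model


# Constructed traces that deviate from the learned legal area (for demonstration).
ATTACK_TRACES = {
    # Privilege drop skipped and a new program executed while still root.
    "root_exec": [("execve", 0, 0), ("open", 0, 0), ("read", 0, 0),
                  ("execve", 0, 0)],
    # Credentials climb back to root after the drop: never seen in training.
    "regain_root": [("execve", 0, 0), ("open", 0, 0), ("read", 0, 0),
                    ("setgid", 0, 1000), ("setuid", 1000, 1000),
                    ("setuid", 0, 0), ("open", 0, 0)],
    # Unprivileged state issues a call that never appears in the legal area.
    "unseen_call": [("execve", 0, 0), ("open", 0, 0), ("read", 0, 0),
                    ("setgid", 0, 1000), ("setuid", 1000, 1000),
                    ("chmod", 1000, 1000)],
}

if __name__ == "__main__":
    model = build_model()
    for trace in LEGAL_TRACES:
        print("legal trace ->", model.detect(trace))
    for label, trace in ATTACK_TRACES.items():
        print(label, "->", model.detect(trace))
```

Running the script reports no anomalies for the two legal traces and exactly one anomalous step for each deviating trace. Note in the `regain_root` case that only the credential change itself is flagged: the `open` that follows it is a transition the automaton has already seen from the root state, which is the kind of blind spot a state-per-credential model has when it looks at one transition at a time rather than at the history that led there.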
Keywords/Search Tags:network security, intrusion detection, system call, finite-state automaton, legal function area