
Research And Implementation Of Host-based Active Intrusion Prevention System

Posted on: 2006-08-21
Degree: Master
Type: Thesis
Country: China
Candidate: Q D Wang
GTID: 2208360182960468
Subject: Communication and Information System
Abstract/Summary:
The project is a branch of the "network active intrusion prevention system" project funded by the Science and Technology Department of ZhengZhou. Addressing the weaknesses of present-day passive protection, the thesis researches and designs a more efficient and complete host-based active intrusion prevention system that organically combines several security techniques and puts defense in depth into practice, centered on the key resources of the host or server.

First, the thesis analyzes the defects of traditional passive protection products, surveys the state of research and the open problems in the field, sets out the system's design philosophy and policy, establishes its design principles and goals, designs its architecture and studies the key technologies the system adopts.

Interception of Windows system calls is the core technology of the prevention system. User-mode interception is well documented and easy to implement, but because it operates above the operating system its control is weaker and its overhead higher. Kernel-mode interception goes inside the operating system, so it can intercept every system call completely at a single central point, and its control is far more powerful. However, because the operating system kernel is closed source, many problems arise that are hard to predict, solve and implement. The thesis therefore studies the Windows kernel in depth, analyzes the Windows system call mechanism in detail, dissects the different kernel-mode interception methods and compares their strengths and weaknesses, and implements interception and control of system calls in kernel mode by hooking the system service dispatch table (SSDT) from a device driver.

System access control is the central function of the prevention system. It implements strong access control by intercepting the relevant system calls, limits the rights of the system administrator, and raises the security of Windows from TCSEC level C2 to level B1. To this end the thesis studies the currently popular access control technologies and models and adopts an access control list (ACL) model to provide stronger protection of files and the registry according to the factors who, when, where, which process and which rights. It protects processes by process hiding and by preventing process termination, and protects the system itself from deletion, modification and stopping by hiding its kernel modules and guarding kernel module loading and unloading.

Finally, the thesis summarizes the completed work and the remaining shortcomings, and puts forward some suggestions for future development.
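The interception-and-access-control design the abstract describes (a system service dispatch table hooked from a driver, with an ACL consulted on who, when, where, which process and which rights) as an added user-mode model in portable C. This is illustrative code written for this page, not the thesis's driver, and every name in it (call_ctx, g_ssdt, g_acl, hook_install, try_open, the sample ACL entries and paths) is hypothetical; a mock table of function pointers stands in for the real service table, and the sample ACL is constructed for the demonstration. The hook consults the ACL before passing through to the saved original entry; objects under no protected prefix pass through untouched, protected objects are default-deny, and Administrator is just another "who", which is how the design limits the administrator's rights.

```c
/* User-mode model of SSDT-hook based access control. Added example, not the
 * thesis's code; all names are hypothetical and no Windows kernel API is used. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { R_READ = 1, R_WRITE = 2, R_DELETE = 4 };          /* requested rights */

/* What the hook can see about one call: who, when, where, which process, which rights. */
typedef struct {
    const char *user;      /* who */
    int hour;              /* when, 0..23 */
    const char *path;      /* where: file path or registry key */
    const char *process;   /* image name of the calling process */
    int rights;            /* bitmask of R_* being requested */
} call_ctx;

/* One ACL entry: path prefix plus constraints; "*" means any user/process. */
typedef struct {
    const char *path_prefix;
    const char *user;
    const char *process;
    int hour_from, hour_to; /* inclusive window, 0..23 means always */
    int allowed_rights;
} acl_entry;

/* Constructed sample policy (hypothetical paths and accounts). */
static const acl_entry g_acl[] = {
    { "C:\\Protected\\", "SYSTEM", "backup.exe", 1, 5,  R_READ },            /* night backups only */
    { "C:\\Protected\\", "svc",    "app.exe",    0, 23, R_READ | R_WRITE },  /* the app's own service account */
    { "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "*", "*", 0, 23, R_READ }, /* nobody writes Run */
};
#define ACL_LEN (sizeof g_acl / sizeof g_acl[0])

static bool factor_matches(const char *pattern, const char *value)
{
    return strcmp(pattern, "*") == 0 || strcmp(pattern, value) == 0;
}

/* Unprotected objects (no prefix matches) pass through; protected objects are
 * default-deny: some entry must match every factor and grant every requested right. */
static bool acl_allows(const call_ctx *c)
{
    bool protected_obj = false;
    for (size_t i = 0; i < ACL_LEN; i++) {
        const acl_entry *e = &g_acl[i];
        if (strncmp(c->path, e->path_prefix, strlen(e->path_prefix)) != 0)
            continue;
        protected_obj = true;
        if (!factor_matches(e->user, c->user)) continue;
        if (!factor_matches(e->process, c->process)) continue;
        if (c->hour < e->hour_from || c->hour > e->hour_to) continue;
        if ((c->rights & e->allowed_rights) != c->rights) continue;
        return true;
    }
    return !protected_obj;
}

/* Model service table: index is the service number, value is the handler. */
enum { SVC_OPEN_OBJECT = 0, SVC_COUNT };
enum { STATUS_SUCCESS = 0, STATUS_ACCESS_DENIED = -1, STATUS_INVALID_SYSTEM_SERVICE = -2 };
typedef int (*service_fn)(const call_ctx *);

static int nt_open_object(const call_ctx *c) { (void)c; return STATUS_SUCCESS; } /* stands in for the real service */

static service_fn g_ssdt[SVC_COUNT]  = { nt_open_object }; /* the table the driver would patch */
static service_fn g_saved[SVC_COUNT];                      /* originals, for pass-through and unload */

/* The hook never grants on its own: it either denies or forwards to the saved original. */
static int hook_open_object(const call_ctx *c)
{
    if (!acl_allows(c))
        return STATUS_ACCESS_DENIED;
    return g_saved[SVC_OPEN_OBJECT](c);
}

void hook_install(void)
{
    if (g_saved[SVC_OPEN_OBJECT] != NULL) return;          /* already hooked */
    g_saved[SVC_OPEN_OBJECT] = g_ssdt[SVC_OPEN_OBJECT];
    g_ssdt[SVC_OPEN_OBJECT]  = hook_open_object;           /* overwrite the table slot */
}

void hook_remove(void)                                      /* what driver unload must restore */
{
    if (g_saved[SVC_OPEN_OBJECT] == NULL) return;
    g_ssdt[SVC_OPEN_OBJECT]  = g_saved[SVC_OPEN_OBJECT];
    g_saved[SVC_OPEN_OBJECT] = NULL;
}

bool hook_is_installed(void) { return g_ssdt[SVC_OPEN_OBJECT] == hook_open_object; }

/* Model of the system call dispatcher: bounds-check the service number, then call the slot. */
int syscall_dispatch(int service, const call_ctx *c)
{
    if (service < 0 || service >= SVC_COUNT) return STATUS_INVALID_SYSTEM_SERVICE;
    return g_ssdt[service](c);
}

/* Convenience wrapper: one "open object" call from a given subject. */
int try_open(const char *user, int hour, const char *path, const char *process, int rights)
{
    call_ctx c = { user, hour, path, process, rights };
    return syscall_dispatch(SVC_OPEN_OBJECT, &c);
}

int main(void)
{
    const char *run = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run";
    hook_install();
    printf("admin write Run key (hooked):   %d\n", try_open("Administrator", 12, run, "regedit.exe", R_WRITE));
    printf("svc write app.cfg via app.exe:  %d\n", try_open("svc", 12, "C:\\Protected\\app.cfg", "app.exe", R_WRITE));
    hook_remove();
    printf("admin write Run key (unhooked): %d\n", try_open("Administrator", 12, run, "regedit.exe", R_WRITE));
    return 0;
}
```

Two properties of the abstract's design are what the model makes visible: the hook never returns success on its own, it either denies or forwards to the saved original entry, and unloading restores that entry, so a module that could be unloaded at will would lose all protection (which is why the abstract guards module unloading). A caveat a practitioner would want: patching the service table this way was feasible on the 32-bit Windows of the thesis's era, but on 64-bit Windows Kernel Patch Protection (PatchGuard) treats a modified SSDT as a kernel integrity violation and bug-checks the system; the supported ways to get the same file, registry and process protection are the documented interfaces (file system minifilters, registry callbacks via CmRegisterCallbackEx, and object-manager callbacks via ObRegisterCallbacks for protecting process handles).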
Keywords/Search Tags:Active Intrusion Prevention System, System Call, System Call Interception, Access control