With the growth of the Internet and its applications, network security problems are becoming more serious. Intrusion detection is a still-developing technology in the network security field, and as intrusion detection systems (IDS) come into wide use, the evaluation of intrusion detection systems has also attracted much research attention.

The system call interface is the boundary between the operating system and user programs. Most intrusions that compromise a computer system do so by exploiting weaknesses in privileged processes to obtain superuser (root) privileges. Monitoring the system calls issued by privileged processes is therefore an effective way to detect intrusions. Following this idea, this paper analyzes intrusion detection technology in depth, with a focus on intrusion detection based on system calls.

First, the paper describes the basic theory of intrusion detection, classifies the existing detection techniques and compares them. It selects system-call-based intrusion detection for implementation and introduces the concept of intrusion detection evaluation.

Second, the paper uses the ptrace() system call to collect sequences of system call numbers, which serve as the data source for intrusion detection. Ideally, intrusions could be detected simply by comparing the system call sequences produced by normal user behaviour with those produced by abnormal behaviour. Because these behaviours are complex, however, a mathematical model must be built over the sequences and used to analyze them. The paper therefore surveys the detection algorithms based on system calls, analyzes the STIDE algorithm in depth, proposes some improvements to it, and then designs and implements the algorithm.

After implementing the intrusion detection system, the paper analyzes the current state of intrusion detection evaluation and the difficulties it faces. By studying the evaluation process as applied to the intrusion detection system we implemented, we hope to provide a reference for future work.

Finally, the paper summarizes the problems and weaknesses that arose in the course of the research and points out the focuses and directions of further work.
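As an added illustration, not part of the original abstract and not the author's implementation, the following Python code shows the core of the STIDE (sequence time-delay embedding) scheme the abstract refers to: a "normal database" of fixed-length windows of system call numbers is built from traces of a privileged program's normal runs, and a test trace is scored by how many of its windows are absent from that database. The window length of 6, the locality frame of 20 windows and the alarm threshold are commonly used values from the published STIDE literature, not parameters from this paper, whose improvements to the algorithm the abstract does not describe. All traces are constructed for the example; the syscall numbers only mimic x86-64 numbering for readability and are not captured data. Collection of the numbers via ptrace() is assumed to have already happened.

```python
"""STIDE-style anomaly detection over system call number sequences.

Added example, not code from the paper. All traces below are constructed
by hand; the syscall numbers are illustrative (x86-64-like) placeholders.
"""
from collections import deque
from typing import Deque, Dict, Iterable, List, Sequence, Set, Tuple

Window = Tuple[int, ...]


def windows(trace: Sequence[int], k: int) -> Iterable[Window]:
    """Yield every contiguous window of k consecutive syscall numbers."""
    for i in range(len(trace) - k + 1):
        yield tuple(trace[i:i + k])


def train(normal_traces: Iterable[Sequence[int]], k: int = 6) -> Set[Window]:
    """Build the 'normal database': the set of all k-grams seen in normal runs."""
    db: Set[Window] = set()
    for trace in normal_traces:
        db.update(windows(trace, k))
    return db


def hamming(a: Window, b: Window) -> int:
    """Number of positions where two equal-length windows differ."""
    return sum(x != y for x, y in zip(a, b))


def mismatch_strength(w: Window, db: Set[Window]) -> int:
    """Hamming distance from w to the closest normal window (0 if w is normal)."""
    if w in db:
        return 0
    return min(hamming(w, n) for n in db)


def detect(trace: Sequence[int], db: Set[Window], k: int = 6,
           frame: int = 20, threshold: int = 4) -> Dict[str, object]:
    """Score a test trace against the normal database.

    A window absent from the database is a mismatch. The locality frame
    count (LFC) is the number of mismatches among the last `frame` windows;
    an alarm is raised at every window where LFC exceeds `threshold`, so
    isolated mismatches (rare but legitimate paths) are tolerated while a
    burst of unseen windows, as produced by injected code, is not.
    """
    recent: Deque[bool] = deque(maxlen=frame)
    n_windows = 0
    mismatches = 0
    max_lfc = 0
    max_strength = 0
    alarms: List[int] = []
    for i, w in enumerate(windows(trace, k)):
        n_windows += 1
        miss = w not in db
        mismatches += miss
        recent.append(miss)
        lfc = sum(recent)
        max_lfc = max(max_lfc, lfc)
        if miss:
            max_strength = max(max_strength, mismatch_strength(w, db))
        if lfc > threshold:
            alarms.append(i)
    return {"windows": n_windows, "mismatches": mismatches, "max_lfc": max_lfc,
            "max_strength": max_strength, "alarms": alarms}


# Constructed traces. Numbers mimic x86-64 syscall numbers purely for
# readability: 0 read, 1 write, 2 open, 3 close, 41 socket, 42 connect,
# 59 execve, 60 exit, 105 setuid. They are not real captured data.
NORMAL_TRACES = [
    [2, 0, 1, 3] * 5 + [60],                    # open/read/write/close loop
    [2, 0, 0, 1, 3] * 4 + [2, 0, 1, 3] + [60],  # same loop, two reads per file
]
# A normal run not used for training: every window should still be known.
HELD_OUT_NORMAL = [2, 0, 0, 1, 3] * 2 + [2, 0, 1, 3] * 2 + [60]
# Normal prefix, then a setuid/socket/connect/execve burst, then normal again.
ATTACK_TRACE = [2, 0, 1, 3] * 3 + [105, 41, 42, 59] + [2, 0, 1, 3] * 3 + [60]


def demo() -> Tuple[Dict[str, object], Dict[str, object]]:
    """Train on the normal traces and score the held-out and attack traces."""
    db = train(NORMAL_TRACES)
    return detect(HELD_OUT_NORMAL, db), detect(ATTACK_TRACE, db)


if __name__ == "__main__":
    normal, attack = demo()
    print("held-out normal:", normal)
    print("attack trace:   ", attack)
```

On the constructed data the held-out normal trace produces no mismatches, while the four injected calls poison every window that overlaps them (nine consecutive windows of length 6), so the locality frame count climbs to 9 and the alarm fires from the fifth mismatched window onward. The Hamming "strength" of the worst window is 4, i.e. it shares only two positions with its nearest normal window. The caveat the abstract itself raises applies here: with real programs the normal database is only as complete as the training runs, and a legitimate path never exercised during training shows up exactly like an attack, which is why the frame-based count rather than any single mismatch drives the alarm.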