
Host Malicious Programs Running Behavior Monitoring Technology

Posted on: 2009-01-29    Degree: Master    Type: Thesis
Country: China    Candidate: Z Huang    Full Text: PDF
GTID: 2208360245461253    Subject: Computer application technology
Abstract/Summary:
With the rapid development of the Internet, network applications are becoming more versatile and more deeply embedded in daily life. At the same time malware has advanced as well, threatening the privacy and property of individuals, so Internet security has come into focus. Traditional anti-virus software relies on predefined binary signatures to judge an unknown file, which is of little use against the vast number of variants. Worse, extracting a binary signature requires a specimen of the malware, so a new virus often breaks out before the signature database has been updated. To overcome these defects the Host Intrusion Prevention System (HIPS) has been proposed and is being adopted more and more widely.

HIPS is a proactive intrusion prevention system based on run-time behavior monitoring. It is installed on top of the operating system (OS) and tightly integrated with it, monitoring various behaviors and blocking intrusions against the OS. Any operation that violates the security policy is blocked in real time, protecting the user from both known and new threats and greatly improving the system's resistance to compromise. Despite these advantages, HIPS suffers from a high false-alarm rate and demands tedious interaction and knowledge of the OS from the user, which has hampered its adoption.

This thesis discusses several critical technologies and presents both the design and the implementation of a HIPS on the Windows platform, in order to improve the practical usability of HIPS. The capture, analysis and disposal of behavior are discussed, covering the various schemes for implementing each stage and the advantages and disadvantages of each scheme. Three new ideas for constructing the rule base are proposed. Finally, the overall design, interface design and detailed design of the HIPS are described. Some Windows kernel concepts are introduced for the reader's convenience.

In this project the author took part in the research of the subject and was in charge of the design of the system architecture and of process, registry and network behavior monitoring.
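The capture, analysis and disposal pipeline the abstract describes, shown as an added example in C that is not code from the thesis. A real Windows HIPS performs the capture stage in kernel mode (process-creation notify routines, registry callbacks, a network filter driver are the usual sources); the thesis does not say which mechanisms it used, so this model replaces capture with constructed events and concentrates on the analysis and disposal stages. The rule-base layout (subject, operation, object prefix, verdict; first match wins; unmatched behavior falls through to a user prompt) and the sample rules and events are assumptions made for the example.

```c
/*
 * Added example (not from the thesis): a user-mode model of the
 * capture -> analysis -> disposal pipeline of a rule-based HIPS.
 * Events and rule base are constructed in-line; in a real Windows HIPS
 * the events arrive from kernel-mode hooks or notification callbacks.
 * The rule layout below is an assumption, not the thesis's design.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef enum { OP_PROCESS_CREATE, OP_REG_WRITE, OP_NET_CONNECT } op_t;
typedef enum { VERDICT_ALLOW, VERDICT_BLOCK, VERDICT_ASK } verdict_t;

/* One captured behavior: who did what to which object. */
typedef struct {
    const char *subject;  /* image name of the acting process */
    op_t        op;
    const char *object;   /* child image, registry key, or "proto:port:host" */
} behavior_t;

/* One rule. Subject is matched whole, object as a prefix; "*" matches anything. */
typedef struct {
    const char *subject;
    op_t        op;
    const char *object_prefix;
    verdict_t   verdict;
} rule_t;

/* Windows paths and image names are case-insensitive, so the matcher is too. */
static int ci_prefix(const char *pat, const char *s) {
    if (strcmp(pat, "*") == 0) return 1;
    for (; *pat; pat++, s++)
        if (*s == '\0' || tolower((unsigned char)*pat) != tolower((unsigned char)*s))
            return 0;
    return 1;
}

static int ci_equal(const char *pat, const char *s) {
    return strcmp(pat, "*") == 0 || (ci_prefix(pat, s) && strlen(pat) == strlen(s));
}

/* Rule base, first match wins: narrow allows for trusted components first,
 * then generic blocks for classic malware behaviors (autostart persistence,
 * service installation, direct SMTP from an arbitrary process). Whatever
 * matches nothing falls through to VERDICT_ASK, which is exactly where the
 * prompts and false alarms the abstract complains about come from. */
static const rule_t RULES[] = {
    { "explorer.exe", OP_PROCESS_CREATE, "*", VERDICT_ALLOW },
    { "svchost.exe",  OP_NET_CONNECT,    "*", VERDICT_ALLOW },
    { "*", OP_REG_WRITE, "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", VERDICT_BLOCK },
    { "*", OP_REG_WRITE, "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", VERDICT_BLOCK },
    { "*", OP_REG_WRITE, "HKLM\\System\\CurrentControlSet\\Services", VERDICT_BLOCK },
    { "*", OP_NET_CONNECT, "tcp:25:", VERDICT_BLOCK },
};
#define RULE_COUNT (sizeof RULES / sizeof RULES[0])

/* Analysis stage: find the first rule covering the behavior. */
static verdict_t analyze(const behavior_t *b) {
    for (size_t i = 0; i < RULE_COUNT; i++) {
        const rule_t *r = &RULES[i];
        if (r->op == b->op && ci_equal(r->subject, b->subject) &&
            ci_prefix(r->object_prefix, b->object))
            return r->verdict;
    }
    return VERDICT_ASK;
}

/* Disposal entry point the capture layer would call synchronously, before the
 * operation completes; the verdict decides whether the callback fails the
 * request, lets it through, or parks it until the user answers a prompt. */
verdict_t hips_decide(const char *subject, op_t op, const char *object) {
    behavior_t b = { subject, op, object };
    return analyze(&b);
}

static const char *verdict_name(verdict_t v) {
    return v == VERDICT_ALLOW ? "ALLOW" : v == VERDICT_BLOCK ? "BLOCK" : "ASK";
}

int main(void) {
    /* Constructed sample events, as a kernel capture layer might deliver them. */
    const behavior_t events[] = {
        { "explorer.exe", OP_PROCESS_CREATE, "C:\\Windows\\System32\\notepad.exe" },
        { "dropper.exe",  OP_REG_WRITE, "hklm\\software\\microsoft\\windows\\currentversion\\run\\upd" },
        { "dropper.exe",  OP_REG_WRITE, "HKCU\\Software\\Dropper\\Settings" },
        { "dropper.exe",  OP_NET_CONNECT, "tcp:25:203.0.113.5" },
        { "svchost.exe",  OP_NET_CONNECT, "tcp:443:203.0.113.9" },
    };
    for (size_t i = 0; i < sizeof events / sizeof events[0]; i++)
        printf("%-13s op=%d %-60s -> %s\n", events[i].subject, (int)events[i].op,
               events[i].object, verdict_name(analyze(&events[i])));
    return 0;
}
```

The ordering of the rule base is the whole point: a trusted-subject allow placed before a generic block keeps the shell's process creation and the service host's network traffic quiet, while the same generic block still catches an unknown dropper writing an autostart key or speaking SMTP directly. Every event that reaches the fall-through ASK verdict is a prompt the user has to answer, so the size of that set is a direct measure of the false-alarm burden the abstract describes.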
Keywords/Search Tags: run-time behavior monitoring, HIPS, security model, kernel mode