
Research on Intrusion Prevention Technology Based on Windows Native API Calls

Posted on: 2011-07-28
Degree: Master
Type: Thesis
Country: China
Candidate: Z C Luo
Full Text: PDF
GTID: 2208360305994206
Subject: Information and Communication Engineering
Abstract/Summary:
With the development and widespread use of computer technology, computer security problems have become more severe than before. Traditional host-security techniques such as host firewalls and virus detection no longer meet the needs of host security. Intrusion prevention systems, which are deployed on-line and respond rapidly, have therefore become an active research area. Windows, as the most widely used operating system, attracts growing concern about its security.

An intrusion prevention model based on Windows Native API calls is proposed, drawing on research into the Windows kernel, variable-length sequence division and rough set theory. The model uses embedded assembly language to simplify monitoring of Windows Native API calls, divides the call data set into a table of independent variable-length patterns, and applies rough set theory to reduce the size of each pattern. A prevention model is thus built on shorter Native API call sequences and used to detect the call sequences of the sendmail program. A series of off-line experiments show a detection rate of 96.08% and a false alarm rate of 1.93%. Compared with other detection models, the results show better detection efficiency, real-time detection capability and intelligence.

An on-line intrusion prevention system is built on the proposed model. Key technologies of the on-line implementation are analysed in detail, including generation of buffer-overflow attack data, ANSI text stream generation and system response. Under a real-time attack environment, detection experiments show that every attack that alters program execution flow through a buffer overflow is detected, with a detection time of about 1 second. The results indicate that the system has good detection capability and real-time performance.
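The abstract describes a detector that learns a table of short Native API call patterns from normal traces and flags a program whose call sequence no longer fits them, which is what a buffer overflow that hijacks execution flow produces. The following Python script is an added illustration of that idea, not the thesis's code: it builds a pattern table of variable length (2 to 4 calls) from constructed normal traces, scores a trace by how many positions cannot be covered by any known pattern, and computes detection and false alarm rates over a constructed labelled set. The Native API names are real, the traces, the threshold of 0.5 and the simple pattern-table construction are assumptions for the example, and the rough set reduction step of the thesis is not implemented.

```python
"""Added example: short-sequence anomaly detection over Windows Native API
call traces. Traces, threshold and table construction are constructed
assumptions for illustration; this is not the thesis's implementation."""

MIN_LEN, MAX_LEN = 2, 4   # assumed bounds of the variable-length patterns
THRESHOLD = 0.5           # assumed fraction of mismatching positions that flags a trace

# Constructed normal traces of a request handler:
# receive request -> (open and read a file) -> write response -> close handles.
NORMAL_TRACES = [
    ["NtDeviceIoControlFile", "NtReadFile", "NtOpenFile", "NtQueryInformationFile",
     "NtReadFile", "NtWriteFile", "NtClose", "NtClose"],
    ["NtDeviceIoControlFile", "NtReadFile", "NtOpenFile", "NtReadFile",
     "NtWriteFile", "NtClose", "NtClose"],
    ["NtDeviceIoControlFile", "NtReadFile", "NtWriteFile", "NtClose"],
    ["NtDeviceIoControlFile", "NtReadFile", "NtOpenFile", "NtQueryInformationFile",
     "NtReadFile", "NtReadFile", "NtWriteFile", "NtClose", "NtClose"],
]

# Constructed attack trace: the request buffer is overflowed and the injected
# payload maps executable memory and spawns a process instead of answering.
ATTACK_TRACE = ["NtDeviceIoControlFile", "NtReadFile", "NtAllocateVirtualMemory",
                "NtProtectVirtualMemory", "NtCreateSection", "NtMapViewOfSection",
                "NtCreateUserProcess", "NtClose"]


def build_pattern_table(traces, min_len=MIN_LEN, max_len=MAX_LEN):
    """Pattern table: every contiguous call subsequence of length
    min_len..max_len that occurs in a normal trace."""
    table = set()
    for trace in traces:
        for k in range(min_len, max_len + 1):
            for i in range(len(trace) - k + 1):
                table.add(tuple(trace[i:i + k]))
    return table


def anomaly_score(trace, table, min_len=MIN_LEN, max_len=MAX_LEN):
    """Walk the trace consuming the longest known pattern at each position.
    Consumed patterns overlap by one call so that the transition out of a
    pattern is checked too. A position where not even a min_len pattern is
    known counts as a mismatch; the score is mismatches / positions examined."""
    i, positions, mismatches = 0, 0, 0
    while i <= len(trace) - min_len:
        positions += 1
        longest = 0
        for k in range(min(max_len, len(trace) - i), min_len - 1, -1):
            if tuple(trace[i:i + k]) in table:
                longest = k
                break
        if longest:
            i += longest - 1
        else:
            mismatches += 1
            i += 1
    return mismatches / positions if positions else 0.0


def is_intrusion(trace, table, threshold=THRESHOLD):
    return anomaly_score(trace, table) > threshold


def evaluate(table, labelled_traces, threshold=THRESHOLD):
    """labelled_traces: list of (trace, is_attack).
    Returns (detection_rate, false_alarm_rate)."""
    attacks = [t for t, a in labelled_traces if a]
    normals = [t for t, a in labelled_traces if not a]
    detected = sum(is_intrusion(t, table, threshold) for t in attacks)
    false_alarms = sum(is_intrusion(t, table, threshold) for t in normals)
    return detected / len(attacks), false_alarms / len(normals)


# Constructed evaluation set: two attacks and three benign traces, two of
# which are combinations never seen during training.
TEST_SET = [
    (ATTACK_TRACE, True),
    (["NtDeviceIoControlFile", "NtReadFile", "NtCreateUserProcess", "NtClose"], True),
    (NORMAL_TRACES[0], False),
    (["NtDeviceIoControlFile", "NtReadFile", "NtReadFile", "NtWriteFile", "NtClose"], False),
    (["NtDeviceIoControlFile", "NtReadFile", "NtWriteFile", "NtWriteFile", "NtClose"], False),
]

if __name__ == "__main__":
    table = build_pattern_table(NORMAL_TRACES)
    print("attack score: %.3f" % anomaly_score(ATTACK_TRACE, table))
    dr, far = evaluate(table, TEST_SET)
    print("detection rate: %.2f  false alarm rate: %.2f" % (dr, far))
```

The overlapping walk matters: a benign trace composed of known short sequences in a new order scores zero, while the overflow payload mismatches at almost every position because none of its memory-mapping or process-creation calls ever follows NtReadFile in the normal table. The threshold trades the two rates against each other; the third benign trace, with one unseen pair, still scores well under 0.5.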
Keywords/Search Tags:intrusion prevention, variable-length sequence, rough set theory, native API