
An Improved LIDS Based On LSM

Posted on: 2012-07-01
Degree: Master
Type: Thesis
Country: China
Candidate: Y Lin
Full Text: PDF
GTID: 2218330368488067
Subject: Computer application technology
Abstract/Summary:
In recent years, with the rapid development of computer technology, computer networks have come into wide use in daily life. The network is a double-edged sword: on the one hand it has driven the rapid development of human society, but on the other it gives people acting illegally a broader and more convenient place to operate. More and more attacks on computers are taking place, and this has become a significant problem that demands attention. Linux systems are the most seriously affected. In response, a growing number of security access control models and frameworks have been developed to strengthen the security of Linux, such as Security-Enhanced Linux (SELinux), Domain and Type Enforcement (DTE), and the Linux Intrusion Detection System (LIDS). Even so, these models and frameworks all contain loopholes of one kind or another, and because they are open source, attackers can also find these loopholes and use them to attack and damage the system.

This paper proposes an improved LIDS based on LSM. It first summarizes existing research on Linux security and introduces the concept of intrusion detection systems and the related technical background, and on that basis proposes the improved LSM-based LIDS. To address the insufficient file protection in LIDS, the paper implements a new file intrusion detection model that uses a negative selection algorithm to perform intrusion detection. The model can determine whether an intrusion has occurred and whether key files have been damaged or modified. It also implements a file recovery strategy that uses a Protect library so that files can be restored quickly and accurately. To hide the Important library of high-risk files and LIDS configuration files, it uses a kernel-level rootkit. The rootkit is implemented by modifying system calls and the VFS layer to achieve this protection.

Rigorous experiments show that the improved LIDS has greatly enhanced file protection capability and can resist the vast majority of malicious attacks. It can protect high-risk files and the core LIDS configuration file, and it uses the backup to recover the system in time, preventing an attacker from using the modified files to cause further damage. Finally, we identify the deficiencies of the system and indicate the direction of future work.
Keywords/Search Tags:Linux, LSM, LIDS, Negative Selection Algorithm, Kernel-level Rootkit