
Research On Intrusion Detection Based On Linux Process Behaviors

Posted on: 2015-04-06
Degree: Master
Type: Thesis
Country: China
Candidate: Y Yang
Full Text: PDF
GTID: 2308330473450291
Subject: Computer system architecture
Abstract/Summary:
With the increasing frequency of network attacks, intrusion detection has gradually become a hotspot of security research, since it defends the system against all kinds of attacks. Intruders mostly attack the system through privileged processes. Such an intrusion is comparatively easy to identify, because a privileged process usually performs a specific task and its normal execution is relatively stable. On this basis, this thesis proposes intrusion detection based on Linux process behavior, which protects the host by monitoring certain privileged processes in the Linux system. Experiments show that the method detects host intrusion activities well.

The two decisive factors for the effectiveness of intrusion detection are the collection of training data and the modeling method. For the collection of training data, the differences between normal behavior and the behavior caused by an attack are analyzed, and the system call sequence is chosen as the data source for intrusion detection. Data is collected in the kernel by a loadable kernel module (LKM), analyzed in user space, and shared between the two by ioctl.

After the training data has been collected, an intrusion detection model is built. We test several existing anomaly detection algorithms based on system call sequences, compare their respective advantages and disadvantages, and propose the Markov Chain Model based on system call macros (Macro MCM). Consistently repeating system call sequences in the normal process traces are extracted as independent basic units (macros) to build the Macro MCM; the system calls in a program trace are then matched against the macros, and whether an intrusion has occurred is judged by measuring the probability of the macros appearing in succession. To verify the feasibility of the proposed model, we designed and implemented the system call module, preprocessing module, Macro MCM training module and detection module in Linux.

The experimental results show that the detection performance of the model is better than that of the First-Order and Second-Order Markov chain models based on system calls. Without an obvious increase in false positives, the detection efficiency of the model is higher than that of HMM and the same as that of DBCPIDS, while its computational complexity is significantly lower than that of both models. Finally, we propose several intrusion response methods and point out the situations in which each is appropriate for the model.
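The following is an added toy example, not code from the thesis, of the macro-based Markov chain idea described above: repeating system call subsequences in normal traces become macros, a first-order chain over macro units is trained, and a trace is scored by the probability of its consecutive units. The sample traces, the floor probability for unseen transitions and the mean log-probability threshold are assumptions made here for illustration.

```python
from collections import Counter, defaultdict
import math

# Constructed normal traces of system-call names (illustrative, not thesis data).
FILE_READ = ["open", "fstat", "mmap", "read", "close"]
NORMAL_TRACES = [FILE_READ + ["write"] + FILE_READ,
                 FILE_READ + FILE_READ + ["write"],
                 ["write"] + FILE_READ + ["write", "write"]]

def extract_macros(traces, max_len=5, min_count=3):
    """Subsequences of length 2..max_len repeating >= min_count times, longest first."""
    counts = Counter()
    for t in traces:
        for n in range(2, max_len + 1):
            for i in range(len(t) - n + 1):
                counts[tuple(t[i:i + n])] += 1
    return sorted((m for m, c in counts.items() if c >= min_count), key=len, reverse=True)

def segment(trace, macros):
    """Greedily rewrite a trace as units: the longest macro matching at the current
    position, or the bare system call when no macro matches there."""
    units, i = [], 0
    while i < len(trace):
        match = next((m for m in macros if tuple(trace[i:i + len(m)]) == m), None)
        units.append(match or (trace[i],))
        i += len(units[-1])
    return units

def train(traces, macros):
    """First-order Markov chain over macro units: counts of unit -> next unit."""
    trans = defaultdict(Counter)
    for t in traces:
        u = segment(t, macros)
        for a, b in zip(u, u[1:]):
            trans[a][b] += 1
    return trans

def score(trace, macros, trans, floor=1e-3):
    """Mean log-probability of consecutive unit transitions; transitions never seen
    in training get a small floor probability (assumed here) instead of -inf."""
    u = segment(trace, macros)
    logps = []
    for a, b in zip(u, u[1:]):
        row = trans.get(a, {})
        total = sum(row.values())
        p = row.get(b, 0) / total if total else 0.0
        logps.append(math.log(max(p, floor)))
    return sum(logps) / len(logps) if logps else 0.0

def is_anomalous(trace, macros, trans, threshold=-2.0):
    """Decision rule (assumed, not from the thesis): flag a low mean log-probability."""
    return score(trace, macros, trans) < threshold
```

A trace that leaves the learned macro structure (system calls the privileged process never issued during training) scores near the floor and is flagged, while a trace built from the same macros scores close to zero.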
Keywords/Search Tags: intrusion detection, process behavior, system call sequence, anomaly detection, Markov chain