
Research On Anomaly Detection Based On Linux Process Behavior

Posted on: 2022-02-19
Degree: Master
Type: Thesis
Country: China
Candidate: L L Xie
Full Text: PDF
GTID: 2518306740494324
Subject: Cyberspace security

Abstract/Summary:
China Education and Research Network (CERNET) is a national academic computer internet network invested in by the state and managed by the Ministry of Education. In order to carry out network monitoring and security incident response for the Northeast China Education Network and to ensure the safety of the education network, the network operation management and security assurance system of the Northeast China Network Center integrates multiple security assurance subsystems. However, this system is still in its infancy: it lacks an anomaly detection function for hosts and therefore cannot guarantee the security of the network center.

A process is an execution instance of an application program and the basic unit by which the operating system allocates resources. Most functions of the operating system are implemented through processes; whether a host contains a malicious program, an infected program, or a misconfigured program, anything it does to perform a specific function must be carried out by a process. This thesis therefore analyzes process behavior in order to detect whether a host is abnormal from the perspective of the process.

First, this thesis analyzes the behavior information generated while a Linux process is running and the log information recorded by default by the Linux system. Because the system log provides little process behavior information, process resource usage information is collected with a custom script, Linux audit is used to record the system call information of privileged processes, and a log collection and storage solution based on the Elastic Stack is designed to collect logs from hosts in real time and save them on a unified log information platform for use by the anomaly detection system.

Second, this thesis proposes a process whitelist creation and update algorithm. According to the popularity of a process in the network center, two types of process whitelist are created: the main process whitelist and the child process whitelist. The main process whitelist applies to all hosts in the network center, while a child process whitelist applies only to the single host it corresponds to. By combining the process whitelist with sensitive resource detection, unfamiliar malicious processes on a host can be detected in time; when an abnormal process is detected, an alert is raised promptly and the sensitive resources it used are analyzed.

Then, using the system call information recorded while a privileged process runs, this thesis establishes a normal behavior model of the privileged process based on a first-order homogeneous Markov chain and uses the model to detect abnormal privileged processes. Using process resource usage information, a normal behavior model of the process is established based on an improved isolation forest algorithm, so that resource alarm thresholds need not be set manually. This method automatically detects in real time whether a process's resource usage is abnormal and automatically pinpoints the resource usage indicators that caused the anomaly. Historical system logs are used to build an annotated log event template library, and the cause of an abnormal process is analyzed by matching the latest system logs against it.

Finally, in order to verify the correctness of the process anomaly detection methods based on process behavior proposed in this thesis, each method is verified systematically through designed experiments. The experimental results show that the process anomaly detection methods proposed in this thesis can detect abnormal processes on a host in a timely and accurate manner.
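The first-order homogeneous Markov chain model of privileged-process system calls described above, as an added worked example that is not from the thesis: transition probabilities are estimated from constructed normal traces, a trace is scored by its mean negative log-likelihood per transition, and transitions never seen in training are reported for analyst review. The Laplace smoothing constant and the alert threshold (the worst score among the training traces) are assumptions of this example, not choices documented in the abstract.

```python
"""First-order homogeneous Markov chain over privileged-process syscall traces."""
import math
from collections import Counter, defaultdict

# Constructed sample traces (syscall names as resolved from Linux audit
# records); they stand in for the per-process audit logs the thesis collects.
NORMAL_TRACES = [
    ["openat", "fstat", "read", "read", "close"],
    ["openat", "fstat", "read", "close"],
    ["openat", "read", "read", "read", "close"],
    ["socket", "connect", "write", "read", "close"],
    ["socket", "connect", "write", "read", "read", "close"],
]

class MarkovSyscallModel:
    """Transition matrix estimated from normal runs, with additive (Laplace)
    smoothing so a never-seen transition gets a small non-zero probability
    instead of a zero that would make the log-likelihood undefined."""

    def __init__(self, alpha=0.01):          # alpha: assumed smoothing constant
        self.alpha = alpha
        self.trans = defaultdict(Counter)    # trans[a][b] = count of a -> b
        self.states = set()
        self.threshold = None

    def fit(self, traces):
        for trace in traces:
            self.states.update(trace)
            for a, b in zip(trace, trace[1:]):
                self.trans[a][b] += 1
        # Assumed alert threshold: the worst score among the normal training traces.
        self.threshold = max(self.score(t) for t in traces)
        return self

    def prob(self, a, b):
        """Smoothed P(b | a); an unknown predecessor yields a uniform row."""
        row = self.trans.get(a, Counter())
        total = sum(row.values())
        return (row[b] + self.alpha) / (total + self.alpha * len(self.states))

    def score(self, trace):
        """Mean negative log-likelihood per transition; higher = more anomalous."""
        pairs = list(zip(trace, trace[1:]))
        if not pairs:                        # a single syscall has no transitions
            return 0.0
        return sum(-math.log(self.prob(a, b)) for a, b in pairs) / len(pairs)

    def unseen_transitions(self, trace):
        """Transitions never observed in training: the part an analyst reviews."""
        return [(a, b) for a, b in zip(trace, trace[1:])
                if self.trans.get(a, Counter())[b] == 0]

    def is_anomalous(self, trace):
        return self.score(trace) > self.threshold
```

A suspect trace such as `["openat", "read", "execve", "socket", "connect", "write"]` scores far above the threshold, and `unseen_transitions` names the two transitions through the never-observed `execve` call as the reason.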
Keywords/Search Tags: Process behavior, Anomaly detection, Process whitelist, Markov chain model, Isolation forest