Research on LSM-Based Program Behavior Control
Authors: 张衡, 卞洪流, 吴礼发, 张毓森, 崔明伟, 曾庆凯
Funding:

Supported by the National High-Tech Research and Development Plan of China under Grant No.2002AAl41090 (National High-Tech Research and Development Program (863))

Abstract:

Program behavior control is an active detection mechanism. Research on program behavior control mainly focuses on four aspects: audit data source selection, behavior description, establishment of normal behavior patterns, and behavior matching. This paper investigates the event sequence model in depth and proposes the use of LSM (Linux security modules) hook points as a data source entirely different from system calls. The effectiveness of the LSM data source is verified from both theoretical and practical points of view: an information-theoretic analysis of data quality, and analysis of execution results on a real system. Results show that, because of its finer granularity and closer relevance to security, the LSM data source is more suitable as the audit event for event sequence models.
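The event sequence model and the information-theoretic data quality measure the abstract refers to, as an added example (not code from the paper): an n-gram normal profile built from traces of LSM hook names, a mismatch rate for a new trace, and the conditional entropy of the training data. The traces are constructed for illustration; the hook names are modelled on real LSM hooks, but the sequences are not captures from a real system.

```python
from collections import Counter
from math import log2

# Constructed training traces (not real captures): one list per monitored
# process run, each entry the name of an LSM hook that fired. Hook names are
# modelled on real LSM hooks; the sequences themselves are illustrative.
NORMAL_TRACES = [
    ["inode_permission", "file_open", "file_permission",
     "file_permission", "file_free_security"],
    ["inode_permission", "file_open", "file_permission", "file_free_security"],
    ["bprm_check_security", "inode_permission", "file_open",
     "file_permission", "file_free_security"],
]

def windows(trace, n):
    """All length-n sliding windows of a trace; empty if the trace is shorter than n."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]

def build_profile(traces, n):
    """Normal profile: the set of every length-n window seen during training
    (the 'sense of self' event sequence model, here fed LSM hook events)."""
    profile = set()
    for trace in traces:
        profile.update(windows(trace, n))
    return profile

def mismatch_rate(profile, trace, n):
    """Fraction of the trace's windows that never occurred in training.
    A rate above a site-chosen threshold flags the process run as anomalous."""
    wins = windows(trace, n)
    if not wins:                      # too short to judge: no evidence either way
        return 0.0
    return sum(1 for w in wins if w not in profile) / len(wins)

def conditional_entropy(traces, n):
    """H(next hook | previous n-1 hooks) over the training data, in bits.
    Lower values mean a more regular, more predictable audit source; comparing
    this figure across sources (e.g. LSM hooks vs. system calls) is the
    information-theoretic data quality check the abstract refers to."""
    joint, context = Counter(), Counter()
    for trace in traces:
        for w in windows(trace, n):
            joint[w] += 1
            context[w[:-1]] += 1
    total = sum(joint.values())
    return -sum(c / total * log2(c / context[w[:-1]]) for w, c in joint.items())
```

With a window length of 3, a constructed trace that inserts an `inode_unlink` hook where training only ever saw `file_permission` produces two of three windows unseen in the profile, while every training trace scores zero.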

Cite this article

张衡, 卞洪流, 吴礼发, 张毓森, 崔明伟, 曾庆凯. Research on LSM-Based Program Behavior Control. Journal of Software (软件学报), 2005,16(6):1151-1158

History
  • Received: 2003-09-09
  • Last revised: 2004-06-10