基于LSM的程序行为控制研究

微信服务号

微信订阅号

2025年4月4日 23:54 星期五

首页 > 过刊浏览>2005年第16卷第6期 >1151-1158

基于LSM的程序行为控制研究
DOI:
                        
                    
CSTR:
                        
                    
作者:
                        张衡张衡
解放军理工大学,通信工程学院,江苏,南京,210007
在期刊界中查找
在百度中查找
在本站中查找
卞洪流卞洪流
解放军理工大学,通信工程学院,江苏,南京,210007
在期刊界中查找
在百度中查找
在本站中查找
吴礼发吴礼发
解放军理工大学,指挥自动化学院,江苏,南京,210007
在期刊界中查找
在百度中查找
在本站中查找
张毓森张毓森
解放军理工大学,指挥自动化学院,江苏,南京,210007
在期刊界中查找
在百度中查找
在本站中查找
崔明伟崔明伟
解放军理工大学,通信工程学院,江苏,南京,210007
在期刊界中查找
在百度中查找
在本站中查找
曾庆凯曾庆凯
南京大学,计算机科学与技术系,江苏,南京,210093
在期刊界中查找
在百度中查找
在本站中查找

                    
作者单位:
作者简介:
通讯作者:
中图分类号:
基金项目:Supported by the National High-Tech Research and Development Plan of China under Grant No.2002AAl41090(国家高技术研究发展计划(863))

Study on Program Behavior Control Based on LSM

Author:

ZHANG Heng
ZHANG Heng

在期刊界中查找
在百度中查找
在本站中查找
BIAN Hong-Liu
BIAN Hong-Liu

在期刊界中查找
在百度中查找
在本站中查找
WU Li-Fa
WU Li-Fa

在期刊界中查找
在百度中查找
在本站中查找
ZHANG Yu-Sen
ZHANG Yu-Sen

在期刊界中查找
在百度中查找
在本站中查找
CUI Ming-Wei
CUI Ming-Wei

在期刊界中查找
在百度中查找
在本站中查找
ZENG Qing-Kai
ZENG Qing-Kai

在期刊界中查找
在百度中查找
在本站中查找

Affiliation:

Fund Project:

摘要

图/表

访问统计

参考文献 [26]

相似文献 [20]

引证文献

资源附件

文章评论

摘要:

程序行为控制作为一种主动检测机制,主要在4个方面进行研究:审计数据源选择、行为描述、正常行为模式的建立与行为匹配.对事件序列模型作了深入研究,提出了采用另外一种与系统调用完全不同的数据源--LSM(Linux securyty modules,简称Linux安全模块)截获点,并从理论和实践两个方面来验证LSM数据源的有效性,即基于信息理论的数据质量分析和实际系统的运行结果分析.结果表明,由于LSM数据源的粒度更细以及和安全更相关,使得它更适合作为事件序列模型的审计事件.

关键词:程序行为控制;短序列模型;Linux安全模块(LSM)

Abstract:

Program behavior control is an active detection mechanism. The research of program behavior contro mainly focuses on four aspects: audit data selection, behavior description, the establishment of normal behavior and behavior matching. This paper investigates the event sequence model and proposes the use of LSM(Linux security modules) as an alternative data source to system calls. Based on the data quality analysis and execution results from real systems, the efficiency of the LSM data source is verified from both theoretical and practical points of view Results show that, because of its more refined granularity and its better security relevance, LSM data source is more suitable for the audit events used in event sequence models.

Key words:program behavior control;model of short sequence;LSM(Linux security modules)

参考文献

[1]Lian YF. Research of distributed intrusion detection [Ph.D. Thesis]. Hefei: University of Science and Technology of China, 2002(in Chinese with English abstract).

[2]Forrest S, Hofmeyr SA, Somayaji A, Longstaff TA. A sense of self for UNIX processes. In: Proc. of the 1996 IEEE Symp. on Security and Privacy. Oakland: IEEE Computer Society Press, 1996. 120-128.

[3]Hofmeyr SA, Forrest S, Somayaji A. Intrusion detection using sequences of system calls. Journal of Computer Security, 1998,6(3):151-180.

[4]Liu HF, Qing SH, Meng Y, Liu WQ. A new audit-based intrusion detection model and its implement mechanism. Acta Electronica Sinica, 2002,30(8): 1167-1171 (in Chinese with English abstract).

[5]Jones A, Li S. Temporal signatures for intrusion detection. In: IEEE Computer Society, ed. Proc. of the 17th Annual Computer Security Applications Conf. New Orleans: IEEE Computer Society Press, 2001. 252-264.

[6]Wagner DA. Static analysis and computer security: New techniques for software assurance [Ph.D. Thesis]. Berkley: University of California, 2000.

[7]Ilgun K, Kemmerer RA, Porras PA. State transition analysis: A rule-based intrusion detection approach. IEEE Trans. on Software Engineering, 1995,21(3):181-199.

[8]Ko C, Fink G, Levitt K. Automated detection of vulnerabilities in privileged programs by execution monitoring. In: Proc. of the 10th Annual Computer Security Applications Conf. Orlando: IEEE Computer Society Press, 1994. 134-144.

[9]Ko C, Ruschitzka M, Levitt K. Execution monitoring of security-critical programs in distributed systems: A specification-based appoach, In: Los Alamitos, ed. Proc. of the 1997 Symp. on Security and Privacy. Oakland: IEEE Computer Society Press, 1997.175-187.

[10]Sekar R, Bowen T, Segal M. On preventing intrusions by process behavior monitoring. In: Proc. of the USENIX Intrusion Detection Workshop. Santa Clara: USENIX, 1999. 29-40.

[11]Ye N. A markov chains model of temporal behavior for anomaly detection. In: Proc. of the 2000 IEEE Workshop on Information Assurance and Security. United States Military Academy, West Point: IEEE Press, 2000. 171-174.

[12]Ye N, Xu MM, Emran SM. Probabilistic networks with undirected links for anomaly detection. In: Proc. of the 2000 IEEE Workshop on Information Assurance and Security United States Military Academy. West Point: IEEE Press, 2000. 175-179.

[13]Guo JL, Zhang WM, Cao Y, Xu L. Constructing an expert system rule of intrusion dtection using machine learning. Computer Engineering, 2002,28(7):69-71 (in Chinese with English abstract).

[14]Li X, Ye N. Decision tree classifiers for computer intrusion detection. Journal of Parallel and Distributed Computing Practices,2001,4(2): 179-190.

[15]Lee W, Stolfo SJ. Data mining approaches for intrusion detection. In: Proc. of the 7th USENIX Security Symp. San Antonio:USENIX, 1998.6-9.

[16]Lee W. A data mining framework for constructing features and models for intrusion detection systems [Ph.D. Thesis]. New York:Columbia University, 1999.

[17]Lane T. Hidden Markov models for human/computer interface modeling. In: Proc. of the Int'l AI Society, ed. Proc. of the IJCAI-99Workshop on Learning about Users. Stockholm: International AI Society, 1999.35--44.

[18]Forrest S, Hofmeyr SA. Immunology as information processing. In: Segel LA, Cohen I, eds. Design Principles for the Immune System and Other Distributed Autonomous Systems. New York: Oxford University Press, 2000. 361-387.

[19]Warrender C, Forrest S, Pearlmutter B. Detection intrusion using system calls: Alternative data models. In: Gong L, Reiter MK, eds.Proc. of the 1999 IEEE Symp. on Security and Privacy. Oakland: IEEE Computer Society Press, 1999. 133-145.

[20]Sekar R, Uppuluri P. Synthesizing fast intrusion prevention/detection systems from high-level specifications. In: Proc. of the 8th USENIX Security Symposium. Washington: USENIX, 1999.63-78.

[21]Somayaji A. Operating system stability and security through process homeostasis [Ph.D. Thesis]. Albuquerque: University of New Mexico, 2002.

[22]Wright C, Cowan C, Morris J, et al. Linux security modules: General security support for the Linux kernel. In: Proc. of the 11th USENIX Security Symp. San Francisco, 2002. 17-31. http://www.usenix.org/events/sec02/full_papers/wright/wright_html

[23]Lee W, Dong X. Information-Theoretic measures for anomaly detection. In: Needham R, Abadi M, eds. Proc. of the 2001 IEEE Symp. on Security and Privacy. Oakland: IEEE Computer Society Press, 2001. 130-143.

[24]连一峰.分布式入侵检测系统研究[博士学位论文].合肥:中国科学技术大学,2002.

[25]刘海峰,卿斯汗,蒙杨,刘文清.一种基于审计的入侵检测模型及其实现机制.电子学报,2002,30(8):1167-1171.

[26]郭建龙,张维明,曹阳,徐磊.应用机器学习制定的入侵检测专家系统规则集.计算机工程,2002,28(7):69-71.

引用本文

张衡,卞洪流,吴礼发,张毓森,崔明伟,曾庆凯.基于LSM的程序行为控制研究.软件学报,2005,16(6):1151-1158

复制

文章指标

点击次数:4143
下载次数: 5990
HTML阅读次数: 0
引用次数: 0

历史

收稿日期:2003-09-09
最后修改日期:2004-06-10
录用日期:
在线发布日期:
出版日期:

微信服务号

微信订阅号

引用本文

分享

文章指标

历史

文章二维码

微信服务号

微信订阅号

引用本文

分享

微信扫一扫：分享

文章指标

历史

文章二维码