摘要
主机入侵检测的关键是监测进程的运行是否正常.现有的基于静态分析建模的方法具有零虚警的优良特性,但是,由于缺乏精确性或者效率的问题仍然不能实际使用,先前的工作试图在这两者之间寻找平衡点.基于NFA(nondeterministic finite automaton)的方法高效但是不够精确,基于PDA(push down automaton)的方法比较精确但却由于无限的资源消耗而不能应用.其他模型,例如Dyck模型、VPStatic模型和IMA模型使用一些巧妙的方法提高了精确性又不过分降低可用性,但是都回避了静态分析中遇到的间接函数调用/跳转问题.提出一种静态分析-动态绑定的混杂模型(hybrid finite automaton,简称HFA)可以获得更好的精确性并且解决了这一问题.形式化地与典型的上下文相关模型作比较并且证明HFA更为精确,而且HFA更适合应用于动态链接的程序.还给出了基于Linux的原型系统的一些实现细节和实验结果.
A key function of a host-based intrusion detection system is to monitor program execution. Models constructed based on static analysis have the advantage of not producing false alarms; still, they can not be put into practice due to imprecision or inefficiency of the model. The prior work has shown a trade-off between efficiency and precision. In particular, models based upon non-deterministic finite state automaton (DFA) are efficient but lack precision. More accurate models based upon pushdown automaton (PDA) are very inefficient to operate due to non-determinism in stack activity. DYCK model, VPStatic model and IMA use some subtle approaches to achieve more determinism by extracting information about stack activity of the program or inserting code to expose program state or just inline the local automaton but still can not solve the problem of indirect call/JMP. This paper presents a new training-free model (hybrid finite automaton, HFA) to gain more determinism and resolves indirect call/JMP through static-dynamic hybrid approach. The results show that in run-time, these models slowed the execution of the test programs by 5% to 10%. This paper also formally compares HFA with some typical models and proves that HFA is more accurate than others and it is more suitable for dynamic linked applications. Some technical details of the protocol type system on Linux and experimental results are also presented in the paper.
出处
《软件学报》
EI
CSCD
北大核心
2009年第1期138-151,共14页
Journal of Software
基金
国家自然科学基金 Nos.60403006
60503046~~
