Research on a Computer Immune System Based on System Calls
Abstract
Drawing inspiration from nature to solve difficult scientific problems, by borrowing the laws that nature itself follows, has become a very new line of thinking in modern scientific research.

Building on an understanding of how the biological immune system works, and with reference to domestic and foreign research on computer immune systems, this thesis proposes a computer immune system model based on system calls. The model borrows several traits of the biological immune system to distinguish "self" from "nonself" and then eliminate "nonself", and it provides a complete framework for regulating the intensity of the system's own response. On this basis, an autonomous, self-adaptive information-security protection system is constructed that monitors processes for anomalous behaviour in real time through a dynamic analysis mechanism and raises an alarm promptly, effectively compensating for the shortcomings of static defence tools.

The thesis presents a simple, practical method for collecting system-call sequences, and analyses in detail the "lookahead pairs" method used in the analysis mechanism and the Markov-chain method used on the sandbox host. Applying these two methods at different detection stages improves the performance and detection efficiency of the system. The implementation of the model and part of its program flow are also given.
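The following is an added worked example of the two-stage analysis the abstract describes; it is illustrative code written for this page, not the thesis's implementation. It assumes traces are collected from strace-style text, a lookahead window of k=3, add-one (Laplace) smoothing for the Markov chain, and arbitrary alarm thresholds; the strace lines and all training and attack traces are constructed, not captured from a real system.

```python
"""Two-stage self/nonself detection over system-call traces.

Stage 1 is a cheap online screen with lookahead pairs; stage 2 is a
first-order Markov chain of the kind the abstract assigns to the sandbox
host. Illustrative code for this page, not the thesis's implementation.
Traces, thresholds and the smoothing scheme are assumptions.
"""
import re
from collections import defaultdict

# Constructed strace-style lines (not a real capture) from a monitored process.
STRACE_LINES = [
    '1234  open("/etc/passwd", O_RDONLY) = 3',
    '1234  read(3, "root:x:0:0"..., 4096) = 1024',
    '1234  --- SIGCHLD {si_signo=SIGCHLD} ---',
    '1234  write(1, "root\\n", 5) = 5',
    '1234  close(3) = 0',
    '1234  +++ exited with 0 +++',
]

# Constructed "normal" training traces standing in for the self profile.
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "getpid", "read", "write", "close"],
    ["open", "read", "mmap", "read", "write", "write", "close"],
    ["open", "read", "getpid", "read", "write", "close"],
]
# Constructed anomalous trace: a write followed by execve/setuid, the shape
# of a process being hijacked into spawning a privileged shell.
ATTACK_TRACE = ["open", "read", "write", "execve", "setuid", "execve", "write"]

_CALL_RE = re.compile(r"^(?:\d+\s+)?([a-z_][a-z0-9_]*)\(")


def parse_strace(lines):
    """Extract the call name from each strace line; signal and exit markers
    carry no call name and are skipped."""
    trace = []
    for line in lines:
        m = _CALL_RE.match(line)
        if m:
            trace.append(m.group(1))
    return trace


def train_lookahead(traces, k):
    """Self database: every (distance, earlier_call, call) pair observed in
    normal traces at distances 1..k-1 (window size k)."""
    db = set()
    for t in traces:
        for i, call in enumerate(t):
            for d in range(1, min(k, i + 1)):
                db.add((d, t[i - d], call))
    return db


def lookahead_mismatches(trace, db, k):
    """Number of pairs in the trace absent from the self database; this
    count is the anomaly signal the response intensity can be scaled on."""
    misses = 0
    for i, call in enumerate(trace):
        for d in range(1, min(k, i + 1)):
            if (d, trace[i - d], call) not in db:
                misses += 1
    return misses


def train_markov(traces):
    """First-order transition counts plus the alphabet of calls seen."""
    counts = defaultdict(lambda: defaultdict(int))
    alphabet = set()
    for t in traces:
        alphabet.update(t)
        for a, b in zip(t, t[1:]):
            counts[a][b] += 1
    return counts, alphabet


def transition_prob(model, a, b):
    """P(b | a) with add-one smoothing; one extra slot in the denominator
    stands for any call never seen in training, so unknown calls get a
    small nonzero probability instead of a zero that breaks scoring."""
    counts, alphabet = model
    v = len(alphabet) + 1
    row = counts.get(a, {})
    total = sum(row.values())
    return (row.get(b, 0) + 1) / (total + v)


def markov_anomalies(model, trace, threshold):
    """Transitions whose smoothed probability falls below the threshold."""
    flagged = []
    for a, b in zip(trace, trace[1:]):
        p = transition_prob(model, a, b)
        if p < threshold:
            flagged.append((a, b, round(p, 3)))
    return flagged


def two_stage_verdict(trace, db, model, k=3, pair_threshold=2, prob_threshold=0.15):
    """Stage 1 runs on every trace; stage 2 only when stage 1 is suspicious,
    which keeps the expensive model off the hot path."""
    if lookahead_mismatches(trace, db, k) <= pair_threshold:
        return "normal"
    return "alarm" if markov_anomalies(model, trace, prob_threshold) else "suspicious"


PAIRS_DB = train_lookahead(NORMAL_TRACES, 3)
MARKOV = train_markov(NORMAL_TRACES)

if __name__ == "__main__":
    live = parse_strace(STRACE_LINES)
    print("live trace", live, "mismatches", lookahead_mismatches(live, PAIRS_DB, 3))
    print("attack mismatches", lookahead_mismatches(ATTACK_TRACE, PAIRS_DB, 3))
    print("attack low-probability transitions", markov_anomalies(MARKOV, ATTACK_TRACE, 0.15))
    print(two_stage_verdict(live, PAIRS_DB, MARKOV), two_stage_verdict(ATTACK_TRACE, PAIRS_DB, MARKOV))
```

The short live trace scores one lookahead mismatch (the pair open/write at distance 2 never appears in training), which is why the stage-1 threshold is above zero: a profile built from a few traces will not contain every benign pair, and pushing every such miss to the sandbox would defeat the purpose of the cheap screen. The attack trace accumulates mismatches on every pair after the first execve and its transitions all fall below the Markov threshold, so it reaches the alarm.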

© 2004-2018 China Geological Library. All rights reserved. 京ICP备05064691号 京公网安备11010802017129号
