计算机工程与应用 ›› 2010, Vol. 46 ›› Issue (33): 108-111.DOI: 10.3778/j.issn.1002-8331.2010.33.030

• 网络、通信、安全 • 上一篇    下一篇

面向Windows Native API调用的入侵防御模型

刘卫国,罗站城   

  1. 中南大学 信息科学与工程学院,长沙 410083
  • 收稿日期:2010-03-02 修回日期:2010-05-27 出版日期:2010-11-21 发布日期:2010-11-21
  • 通讯作者: 刘卫国

Windows Native API oriented intrusion prevention model

LIU Wei-guo,LUO Zhan-cheng   

  1. School of Information Science and Engineering,Central South University,Changsha 410083,China
  • Received:2010-03-02 Revised:2010-05-27 Online:2010-11-21 Published:2010-11-21
  • Contact: LIU Wei-guo

摘要: 为了提高基于Windows操作系统的入侵防御系统的检测效率、实时性和智能性,引入嵌入式汇编语言来简化对Windows Native API的监控,将数据集划分为一组基本相对独立的变长序列模式,利用粗糙集理论对每种长度的序列集进行简约,建立了较小规模的Native API短序列的防御模型,并应用于sendmail调用序列检测。实验结果表明,模型的检测率达到96.08%,误报率降低到1.93%。与其他检测模型的比较结果表明,模型在检测率、实时性和智能性方面有更优的性能。

关键词: 入侵防御, Native API序列, 粗糙集, 变长序列

Abstract: To improve the detection rate,ability of real-time detecting and intelligence of the intrusion prevention system on the Windows operating system,this paper introduces the embedded assembly language to simplify the monitoring of Windows Native API,and divides the data set into a table of independent variable-length patterns,and applies rough set theory to reduce the size of each pattern.With this method,a prevention model is built on short core API sequence and used to detect call sequence of sendmail program.A series of experiments show that this model’s detection rate reaches to 96.08%,and false alarm rate falls to 1.93%.Compared with other detection models,the result demonstrates that this model has better performance on detection efficiency,ability of real-time detecting and intelligence.

Key words: intrusion prevention, Native API sequence, rough set, variable-length sequence

中图分类号: