Abstract
Addressing the limitations of existing system call filtering methods, this paper studies how to reduce system call logs effectively and accurately, analyzes the important system call information in the logs that relates to network attacks, and proposes an attribute-based system call filtering method. By tracing and analyzing the attribute data of system calls and introducing system call dependency rules, system call logs are reduced and filtered in a reasonable and effective way while accuracy is ensured. On this basis, a filtering tool named "System Call Separator" is implemented. Experiments verify the effectiveness and applicability of the method and the tool.
Due to the limitations of existing methods for system call filtering, the question of how to filter system call logs more efficiently was studied, and the important system call information relating to network attacks was analyzed. On this basis, an attribute-based method for system call filtering was proposed. By tracing and analyzing all the required attributes of system calls, system call dependency rules were applied, so that the large system call logs were filtered more efficiently and effectively while filtering accuracy was preserved. Building on this, a system call filtering tool called Separator was implemented and evaluated in experiments.
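As an added illustration, not the paper's method or the Separator tool itself, the following Python sketch applies three hypothetical attribute-based dependency rules to a constructed strace-style log, keeping only the system calls that trace back to a network socket through file-descriptor and process attributes; the log format, the rule set and the call names are assumptions.

```python
import re
# Constructed sample log (not from the paper), simplified "pid syscall(args) = ret" lines.
SAMPLE_LOG = """\
100 socket(AF_INET, SOCK_STREAM, 0) = 3
100 bind(3, "0.0.0.0:8080") = 0
100 accept(3, "10.0.0.5:40000") = 4
200 open("/var/log/syslog", O_RDONLY) = 5
200 read(5, ..., 4096) = 512
100 read(4, ..., 1024) = 64
100 open("/tmp/payload", O_WRONLY|O_CREAT) = 5
100 write(5, ..., 64) = 64
100 close(5) = 0
100 execve("/tmp/payload", [...]) = 0
"""
LINE_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)\s*=\s*(-?\d+)$")
NET_SOURCES = {"socket", "accept", "accept4"}  # calls that create a network fd
FD_OPS = {"read", "recv", "write", "send", "bind", "listen", "connect", "close"}  # first arg is an fd
INPUT_OPS = {"read", "recv"}  # calls that bring network data into the process
FD_CREATORS = {"open", "openat", "dup", "dup2", "socket"}  # calls whose return value is a new fd

def filter_log(log):
    # Keep only lines that depend, through fd or process attributes, on network input.
    net_fds = set()       # (pid, fd) pairs that originate from the network
    tainted_pids = set()  # processes that have consumed data from a network fd
    kept = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, name, args, ret = int(m[1]), m[2], m[3], int(m[4])
        first = args.split(",")[0].strip()
        keep = False
        if name in NET_SOURCES and ret >= 0:
            # Rule 1: a successful socket/accept yields a network-origin fd.
            net_fds.add((pid, ret))
            keep = True
        elif name in FD_OPS and first.isdigit() and (pid, int(first)) in net_fds:
            # Rule 2: operations on a network-origin fd are kept; reading taints the process.
            keep = True
            if name in INPUT_OPS:
                tainted_pids.add(pid)
            if name == "close":
                net_fds.discard((pid, int(first)))  # the fd number may be reused later
        elif pid in tainted_pids:
            # Rule 3: later calls of a tainted process depend on network input; new fds inherit.
            keep = True
            if name in FD_CREATORS and ret >= 0:
                net_fds.add((pid, ret))
        if keep:
            kept.append(line)
    return kept
```

On the constructed log, the two calls of process 200 (which never touches a socket) are dropped, while the eight calls of process 100, including the execve of a file written from network data, are retained.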