摘要
以传统有限自动机(finite state automata,简称FSA)为基础,从系统调用参数中解析出系统对象,提出了一种基于系统对象的软件行为模型(model of software behavior based on system objects,简称SBO).该模型的行为状态由软件所关联的所有系统对象表示,从而赋予状态的语义信息,解决了不同行为迹中PC(program counter)值的语义不相关问题;同时,该模型可以对抗系统调用参数的直接和间接修改,从而可以检测基于数据语义的攻击.最后,实现了基于SBO的软件异常检测原型工具(intrusion detection prototype system based on SBO,简称SBOIDS),其实验和分析结果表明,该模型可以有效地检测基于控制流的攻击、模仿攻击以及针对数据语义的攻击,并给出了该工具的性能开销.
On the basis of traditional FSA(finite state automaton),system objects can be resolved from the parameters of system call,and a Software Behavior model based on system object(SBO) is presented.This model defines the software state as all states of system objects,which are owned by the software,and then each state in the model has been assigned semantic information.Therefore,SBO can solve a problem of irrelevant semantics between different traces using the semantic information,and it can detect data semantic attacks,which directly or indirectly modifies system call parameters.Finally,a software anomaly intrusion detection prototype system based on SBO(SBOIDS) is implemented.The experimental and analysis results show that SBO can effectively detect data semantic attack and control the flow-based and mimicry attacks
出处
《软件学报》
EI
CSCD
北大核心
2011年第11期2716-2728,共13页
Journal of Software
基金
国家自然科学基金(90718005)
国家高技术研究发展计划(863)(2007AA01Z411)
关键词
入侵检测
软件行为
有限状态自动机
系统对象
系统调用
intrusion detection
software behavior
finite state automaton
system object
system call
