以狀態轉換為基礎之入侵偵測與預防技術

Abstract

隨著硬體技術的進步以及電子商務的興起，網路上充斥著惡意的攻擊者、企業競爭者甚至是危害國家安全的軍事間諜。除此之外，基於日益複雜的軟體功能與架構，軟體開發人員常需要使用現有的、他人已開發的模組來完成更複雜的應用程式，這類模組一般稱為 Commercial Off-The-Shelf (COTS)。不管是COTS模組，還是龐大、程式碼不公開的應用程式，都會有一個安全上的疑慮：即這些軟體是否私底下藉由後門執行不為人知的竊取行為或破壞行為。 身處在這樣一個險惡的網路環境以及錯綜複雜的應用軟體中，本篇論文以攔截系統呼叫(System Call)之技術為基礎，設計出一套即時的入侵偵測與預防系統。這套系統攔截所有應用程式所請求的系統呼叫，在使用者所定義的攻擊樣版中持續追蹤可疑的應用程式，於攻擊動作尚未成功前就終止其進行，以提供準確、即時、有效率的防護網。

Over the past several years, the Internet environment has become more complex and untrusted. There are always crackers and business competitors trying to penetrate security system and then steal confidential information. Some of them would also spread malicious software or files to attack our computer system, making our system paralyzed, unable to provide service. Even more, attacker may gain full access to our system without any trace. Based on system call interception technique, we develop a real-time intrusion detection and prevention system, STBIPW (State-Transition-Based Intrusion Prevention using Wrapper). This system intercepts every system call invoked by application and tries to match any penetration scenarios. Once there is evidence showing some penetration is undertaking, the system can terminate the penetration process before injury. This wrapper system can also wrap COTS components to provide robustness and security.