Title: An Intrusion Prevention System against Mimicry Attacks
Author: 鄭光宏
Kuang Hung Cheng
蔡文能
Institute of Computer Science and Engineering
Keywords: Intrusion Detection System; IDS; Mimicry Attack
Date issued: 2004
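Abstract: With advances in hardware and Internet technology, applications from every area of information technology have appeared on the network, yet this open network environment is full of malicious attackers. Researchers and experts have designed many different intrusion detection techniques, but attackers target the weaknesses of those techniques or evade their detection, which makes designing intrusion detection and prevention techniques even harder. We analyze and compare various intrusion detection and prevention techniques and their weaknesses, and propose methods that solve part of these problems. This thesis builds on system call interception to design a real-time intrusion detection and prevention system, AMA-IPS (An Intrusion Prevention System against Mimicry Attacks). Users can describe attack patterns as state transitions through a graphical interface. We improve on the weaknesses of traditional intrusion detection techniques, raising the accuracy of intrusion detection and prevention. In addition, we use a human immune system model (Immunity Model) to check the precision of the attack patterns and so reduce false positives. The system can intercept all system calls requested by applications and, based on the user-defined attack patterns, continuously tracks suspicious applications and terminates them before the attack succeeds, providing an accurate, real-time and effective protective net.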
With the development of hardware and Internet technologies, many applications have become available on the Internet. However, there are always hostile assailants in the open network environment. Though many different intrusion detection techniques have been developed, assailants can always attack the weaknesses of these techniques and try to evade IDS detection. Based on the system call interception technique, we develop a real-time intrusion detection and prevention system called AMA-IPS (An Intrusion Prevention System against Mimicry Attacks). In this system, users can describe the attack model through a graphical interface, in the form of state changes. We integrate immunity-based techniques into the state-based IPS to detect mimicry attacks and thus improve the detection accuracy of the IPS. In addition, we examine the accuracy of each penetration pattern with the human immune system model, and thus reduce false positives. The system intercepts every system call invoked by an application program and tries to match it against the penetration patterns. Once there is evidence that a penetration is under way, the system can terminate the penetrating process before it causes damage.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT009217591
http://hdl.handle.net/11536/73946
Appears in collections: Theses


Files in this item:

  1. 759101.pdf

If the file is a zip archive, download and extract it, then open index.html in the extracted folder with a browser to view the full text.