近年來,網路安全事件頻傳,使用誤用入侵偵測技術可以有效偵測出已知攻擊,然而對於新型態的攻擊便無法偵測出。此時,異常入侵偵測正好提供了另外一個思考觀點,亦即對應用程式建立正常行為的資料庫,若有異於正常的行為則視為攻擊。Forrest (1996)發現程式所產生的系統呼叫可用來表示程式的行為,之後,陸陸續續有許多相關研究發表,本論文基於迴圈簡化演算法所造成的缺點來進行改良,且進一步可以判斷是否為攻擊者的偽造系統呼叫。此外,針對系統呼叫截取所造成的效能下降,亦提供了一項核心修改解決方案。透過本論文所提出的方式可以更具體地描述程式的行為,且為作業系統本身提供一個更加安全的防護。 In recent years, network security events have undergone a major renaissance. Using misuse intrusion detection technology can detect attacks effectively, however, it cannot detect new kind of attacks. At this time, anomaly intrusion detection techniques provide another viewpoint that the database of normal behavior can be constructed according to application program, and it will detect deviations from this norm as attacks. Forrest (1996) shows the novel idea that system calls derived from application program can describe the behavior of program. Afterwards, a body of research has been published continually. In this paper, we modify the main drawbacks of loop reduction algorithm and determine whether the faked system calls made by attackers or not. Furthermore, we also put up a modified kernel approach to improve the declined effectiveness caused by system call interception. Therefore, in this paper we provide a method to describe the program behavior concretely, and afford a safer protection to operating systems.
