Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Intrusion detection method for host under Windows environment

A technology of intrusion detection and host, applied in the direction of instruments, electrical digital data processing, digital data processing components, etc., can solve the problem of inability to effectively judge abnormal intrusion of the system

Inactive Publication Date: 2006-02-08
苏州赛博网垠信息科技发展有限公司
View PDF0 Cites 18 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

However, the WHIPS model proposed by Roberto et al. is essentially based on the rule base. In the process of access control, only the rules in the rule base are matched, so simple controls such as allowing execution and disallowing execution are simply adopted. It cannot effectively Judging the occurrence of abnormal intrusion in the system

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Intrusion detection method for host under Windows environment
  • Intrusion detection method for host under Windows environment
  • Intrusion detection method for host under Windows environment

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0059] The present invention will be described in further detail below in conjunction with the accompanying drawings.

[0060] see figure 1 , when the application program in user mode, namely Application, is run, it will call the encapsulation function Win32 API in the dynamic link library Kernel32.dll, and the encapsulation function Win32 API in the dynamic link library Kernel32.dll will call the dynamic link library Ntdll The function encapsulated in the .dll actually calls the corresponding system service, and then calls the function KiSystemSerivce () to execute the interrupt INT 2E instruction to turn the processor CPU to the kernel mode and execute the handle specified in the interrupt description table. This handle will copy the parameter from the user-mode stack to the kernel-mode stack, and point the contents of the register EDX to the base address of the stack frame passed in the parameter. When the encapsulation function Win32 API called in the application program ...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention discloses a method for detecting the host machine inbreak on windows environment, which analyzes and establishes the designed multistage Native API module and the relative of the Native API sequences to find out the abnormal inbreak. It collects the Native APIs data of the designed routine and stores it into the database on real practice stage. The data initial analysis comprises a first stage analysis and a second stage analysis, it analyzes and processes the change of the first stage and the second stage conditions of the data gather to establish the first module and the second module; it computes the normal value of the first and the second Native APIs by index iteration detecting algorithm on measuring stage.

Description

technical field [0001] The invention relates to the technical field of computer network security, in particular to a host intrusion detection method under the Windows environment. Background technique [0002] As the world's mainstream desktop operating system, Windows has a very large impact after being attacked. From the global outbreak of the "Code Red" worm on August 5, 2001, to the large-scale outbreak of the "Blast worm" on August 12, 2003, the threats brought by Windows operating system vulnerabilities on the Internet are spreading to every network user. Approaching. The following are the economic losses caused by various worm attacks caused by Windows system vulnerabilities. [0003] the worm Economic losses Introduction to Worms Code Red $2.62 billion Exploitation of IDA / IDQ ISAPI Extended Buffer Overflow Vulnerability (MS01-33) Nimdar $640 million Use the backdoor left by MS00-78, MS01-20, MS01-21 and Code Red ...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
IPC IPC(8): G06F1/00
Inventor 管晓宏冯力孙杰杨力伟
Owner 苏州赛博网垠信息科技发展有限公司
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products