Most computer systems still authenticate users with a user ID and a password. Users often share these two credentials with coworkers, and attackers can crack them, which makes password-based login one of the weakest points of computer security and opens the door to the attacks that are hardest to defend against: internal attacks. Internal attackers, legitimate users of a system who attack it from the inside, are also hard to detect, because most intrusion detection systems and firewalls identify and isolate only malicious behaviour launched from outside the system. In this paper we propose the Internal Real-Time Intrusion Detection and Protection System (IIDPS), which detects attacks at the system call level. The IIDPS applies data mining to the system-call behaviour of users and of malicious programs to extract their computer forensic features, builds a personal profile for each user and an attack profile from those features, and keeps tracking users' and malicious programs' digital behaviour records to extend the profiles. Using a local computational grid, the IIDPS compares a logged-in user's current computer usage behaviour with the forensic features held in the account holder's personal profile and in the attack profile in real time, and thereby determines whether the user is the account holder or an attacker and whether a malicious program is being executed. Once an internal attacker is discovered, the IIDPS isolates the user from the system, alerts the system manager, records digital forensic audit evidence, and analyzes the malicious behaviour to improve its future detection capability.
Our experimental results on the established profiles show that the IIDPS's user identification accuracy is 94%, its accuracy in detecting internal malicious attempts is up to 97%, and its response time is less than 0.45 s, implying that it can protect a system from internal attacks effectively and efficiently.
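The following is an added example, not code from the IIDPS paper, that shows in miniature what system-call-level profile matching of the kind the abstract describes looks like: a personal profile and an attack profile are built from past traces, a live trace is compared against both in sliding windows, and the first window that no longer looks like the account holder triggers the isolate / alert / record-evidence response. The feature choice (adjacent system-call pairs), the cosine similarity, the 0.5 threshold, the window size and all traces are assumptions constructed for this illustration; the abstract does not state which data-mining method or features IIDPS actually uses.

```python
# Added example (not the IIDPS paper's code): toy system-call-level behaviour
# profiling. Bigram features, cosine similarity and the 0.5 threshold are
# assumptions; the abstract does not specify the method used by IIDPS.
from collections import Counter
import math


def bigrams(seq):
    """Adjacent system-call pairs of a trace: ['open','read'] -> [('open','read')]."""
    return list(zip(seq, seq[1:]))


def build_profile(sessions):
    """A profile is the bigram count table accumulated over past traces."""
    profile = Counter()
    for trace in sessions:
        profile.update(bigrams(trace))
    return profile


def cosine(profile, window):
    """Cosine similarity between a profile and the bigram counts of one live window."""
    w = Counter(bigrams(window))
    dot = sum(profile[k] * v for k, v in w.items())   # Counter returns 0 for unseen keys
    norm_p = math.sqrt(sum(v * v for v in profile.values()))
    norm_w = math.sqrt(sum(v * v for v in w.values()))
    if norm_p == 0 or norm_w == 0:
        return 0.0
    return dot / (norm_p * norm_w)


def classify(window, user_profile, attack_profile, threshold=0.5):
    """'holder' if the window matches the account holder, 'attacker' if it looks
    more like known malicious traces, else 'impostor' (a legitimate login that
    behaves like neither, e.g. a coworker using a shared password)."""
    s_user = cosine(user_profile, window)
    s_attack = cosine(attack_profile, window)
    if s_user >= threshold and s_user >= s_attack:
        return "holder"
    if s_attack > s_user:
        return "attacker"
    return "impostor"


def monitor(stream, user_profile, attack_profile, window_size=8):
    """Slide a window over a live trace; on the first non-holder verdict return
    (offset, verdict, response actions), mirroring the isolate/alert/record step."""
    last_start = max(0, len(stream) - window_size)
    for start in range(last_start + 1):
        window = stream[start:start + window_size]
        verdict = classify(window, user_profile, attack_profile)
        if verdict != "holder":
            actions = ["isolate_user", "alert_admin",
                       "record_evidence:%d-%d" % (start, start + len(window))]
            return start, verdict, actions
    return None, "holder", []


def extend_profile(profile, window):
    """Fold a confirmed window back into a profile (the feedback step in the abstract)."""
    profile.update(bigrams(window))
    return profile


# Constructed training traces for the account holder (an editor-like workload).
ALICE_SESSIONS = [
    ["open", "fstat", "read", "read", "write", "close", "open", "read", "close"],
    ["stat", "open", "read", "write", "write", "close", "stat", "open", "read", "close"],
    ["open", "read", "read", "read", "close", "open", "write", "close"],
]
# Constructed traces of a malicious program (reverse-shell-like pattern).
ATTACK_SESSIONS = [
    ["socket", "connect", "dup2", "dup2", "fork", "execve", "socket", "connect"],
    ["socket", "connect", "dup2", "fork", "execve", "write", "socket", "connect"],
]
ALICE_PROFILE = build_profile(ALICE_SESSIONS)
ATTACK_PROFILE = build_profile(ATTACK_SESSIONS)

# Constructed live windows: the holder's own activity, then a hijacked session.
ALICE_WINDOW = ["open", "read", "read", "write", "close", "open", "read", "close"]
ATTACK_WINDOW = ["socket", "connect", "dup2", "dup2", "fork", "execve", "socket", "connect"]
LIVE_TRACE = ALICE_WINDOW + ATTACK_WINDOW

if __name__ == "__main__":
    print(classify(ALICE_WINDOW, ALICE_PROFILE, ATTACK_PROFILE))   # holder
    print(classify(ATTACK_WINDOW, ALICE_PROFILE, ATTACK_PROFILE))  # attacker
    print(monitor(LIVE_TRACE, ALICE_PROFILE, ATTACK_PROFILE))      # fires at offset 4
    extend_profile(ATTACK_PROFILE, ATTACK_WINDOW)                  # learn from the incident
```

On the constructed live trace the alarm fires at offset 4, the first window in which the hijacked half outweighs the holder's remaining activity; the earlier mixed windows still classify as holder because their similarity to the personal profile stays above the threshold. In a real deployment the profiles would be mined from far longer traces and the threshold tuned against the false-alarm rate the operator can tolerate, since every non-holder verdict here isolates the session.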