
Computer Engineering ›› 2009, Vol. 35 ›› Issue (18): 130-132. doi: 10.3969/j.issn.1000-3428.2009.18.046

• Security Technology •

Linux Security Audit Technology Based on Double-Space Audit Trace

DUAN Xue-tao, JIA Chun-fu   

  1. (College of Information Technology Science, Nankai University, Tianjin 300071)
  • Online: 2009-09-20 Published: 2009-09-20

基于双空间审计迹的Linux安全审计技术 (Chinese title: Linux Security Audit Technology Based on Double-Space Audit Trace)

段雪涛,贾春福   

  1. (南开大学信息技术科学学院,天津 300071)

Abstract: This paper studies Linux security audit technology and proposes a security audit method based on a double-space audit trace. System calls from the operating-system kernel space and library function calls from user space are merged into a single trace, which improves the ability to recognize both attacks on the kernel layer and malicious user behaviour. The LSM (Linux Security Modules) framework is extended with audit hooks to serve as the audit model's data acquisition module, increasing the audit granularity, security and flexibility of the model. To improve real-time performance, a typical-set method is introduced to compress the normal-behaviour signature database.

Key words: security audit, system call, typical set

Abstract (Chinese version, translated): Building on a study of Linux security audit technology, this paper proposes a security audit method based on a double-space audit trace: system calls in the operating-system kernel space are fused with library function calls in user space, improving the ability to identify attacks at the kernel layer and malicious user behaviour. The LSM framework is extended for auditing and used to build the audit model's data acquisition module, which strengthens the model's audit granularity, security and flexibility. To improve the real-time performance of security auditing, a typical-set method is introduced to compress the normal-behaviour signature database.

Keywords (Chinese version, translated): security audit, system call, typical set
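The abstract only names the three ingredients of the method (a merged kernel/user-space trace, a normal-behaviour signature database, and typical-set compression of that database). The following is an added illustration, not the authors' code: it merges a constructed system-call trace with a constructed library-call trace into one per-process sequence, builds a database of fixed-length call windows (n-grams; the window model is an assumption, the paper's signature format is not given), thins that database to its typical set using the standard AEP definition (also an assumption about what "typical set method" means here), and scores a constructed direct-syscall sequence with no matching library calls, the kind of kernel-layer activity a syscall-only trace cannot distinguish from normal use. All trace records, pids and thresholds are made up for the example.

```python
"""Double-space audit trace, added illustration (not the paper's code).

Kernel-space system calls and user-space library calls are merged into one
per-process event sequence; fixed-length windows (n-grams) of that sequence
form the normal-behaviour signature database; the database is thinned to its
typical set; detection counts windows absent from the database.
"""
import math
from collections import Counter

# Constructed sample traces (timestamp, pid, call name). Two normal
# processes (pids 100, 101): open a file, read it three times, close it.
# These are made-up records, not output of any real audit hook.
KERNEL_TRACE = [
    (t, pid, name)
    for pid in (100, 101)
    for t, name in ((2, "open"), (4, "read"), (6, "read"), (8, "read"), (10, "close"))
]
LIBC_TRACE = [
    (t, pid, name)
    for pid in (100, 101)
    for t, name in ((1, "fopen"), (3, "fread"), (5, "fread"), (7, "fread"), (9, "fclose"))
]
# Constructed attack trace: pid 200 issues the same syscalls directly
# (e.g. injected code bypassing libc), so its user-space trace is empty.
ATTACK_KERNEL = [(2, 200, "open"), (4, 200, "read"), (6, 200, "read"), (8, 200, "close")]
ATTACK_LIBC = []


def merge_traces(kernel, user):
    """Interleave both spaces in time order, tagging the origin of each event."""
    events = [(t, pid, "s:" + name) for t, pid, name in kernel]
    events += [(t, pid, "u:" + name) for t, pid, name in user]
    events.sort(key=lambda e: (e[1], e[0]))   # group by pid, then by time
    return events


def per_process_sequences(events):
    """Split the merged trace into one call sequence per pid."""
    seqs = {}
    for _t, pid, name in events:
        seqs.setdefault(pid, []).append(name)
    return seqs


def ngrams(seq, n):
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def build_signature_db(sequences, n):
    """Normal-behaviour database: every length-n window seen in training, with counts."""
    db = Counter()
    for seq in sequences:
        db.update(ngrams(seq, n))
    return db


def typical_set(db, sequences, n, eps):
    """Thin the database to its typical set (assumed construction, AEP style):
    keep a window only if its per-call surprisal under the empirical call
    distribution lies within eps bits of the source entropy H."""
    sym = Counter(name for seq in sequences for name in seq)
    total = sum(sym.values())
    p = {s: c / total for s, c in sym.items()}
    h = -sum(q * math.log2(q) for q in p.values())
    kept = Counter()
    for g, c in db.items():
        surprisal = -sum(math.log2(p[s]) for s in g) / n
        if abs(surprisal - h) <= eps:
            kept[g] = c
    return kept, h


def mismatch_rate(seq, db, n):
    """Fraction of windows of seq absent from db (0.0 = entirely normal)."""
    grams = ngrams(seq, n)
    if not grams:
        return 0.0
    return sum(1 for g in grams if g not in db) / len(grams)


def run(n=3, eps=0.2):
    """Train on the double-space trace and on a kernel-only trace; score the attack with both."""
    normal = per_process_sequences(merge_traces(KERNEL_TRACE, LIBC_TRACE))
    attack = per_process_sequences(merge_traces(ATTACK_KERNEL, ATTACK_LIBC))[200]
    both_db = build_signature_db(normal.values(), n)
    kernel_only = per_process_sequences(merge_traces(KERNEL_TRACE, []))
    kernel_only_db = build_signature_db(kernel_only.values(), n)
    kernel_only_attack = per_process_sequences(merge_traces(ATTACK_KERNEL, []))[200]
    typical, h = typical_set(both_db, list(normal.values()), n, eps)
    return {
        "double_space_windows": len(both_db),
        "typical_windows": len(typical),
        "entropy_bits": round(h, 3),
        "attack_score_double_space": mismatch_rate(attack, both_db, n),
        "attack_score_kernel_only": mismatch_rate(kernel_only_attack, kernel_only_db, n),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

On the constructed data the kernel-only model scores the direct-syscall sequence as fully normal (every window of open/read/read/close was seen in training), while the double-space model rejects every window, because in training each system call was preceded by its library wrapper. The typical-set step keeps the windows whose probability is close to 2^(-nH) and discards both very rare and very common ones; by the AEP the kept set still carries almost all of the probability mass of long normal traces, which is what makes it usable as a smaller real-time matching table, but on a ten-event toy trace the bound is loose and the threshold eps has to be chosen against real traffic.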
