Detecting Intrusions through System Call Sequence and Argument Analysis

Authors

Federico Maggi, Matteo Matteucci, Stefano Zanero

Venue

IEEE Transactions on Dependable and Secure Computing (T (Volume 7, Issue 4), November 2008

Abstract

We describe an unsupervised host-based intrusion detection system based on system calls arguments and sequences. We define a set of anomaly detection models for the individual parameters of the call. We then describe a clustering process which helps to better fit models to system call arguments, and creates inter-relations among different arguments of a system call. Finally, we add a behavioral Markov model in order to capture time correlations and abnormal behaviors. The whole system needs no prior knowledge input; it has a good signal to noise ratio, and it is also able to correctly contextualize alarms, giving the user more information to understand whether a true or false positive happened, and to detect variations over the entire execution flow, as opposed to punctual variations over individual instances.

BibTeX

@article{Maggi2008Detecting_Intrusions,
  title   = {{Detecting Intrusions through System Call Sequence and Argument Analysis}},
  author  = {Maggi, Federico and Matteucci, Matteo and Zanero, Stefano},
  month   = {November},
  year    = {2008},
  issn    = {1545-5971},
  journal = {IEEE Transactions on Dependable and Secure Computing (T},
  number  = {4},
  pages   = {381--395},
  volume  = {7}
}