Anomaly Detection Based on System Call Classification

The aim of this paper is to create a new rule-based anomaly detection model. A detailed classification of the Linux system calls according to their function and level of threat is presented. The detection model targets only critical calls (i.e. the threat-level-1 calls). In the learning process, the detection model dynamically processes every critical call rather than relying on data mining or statistics over static data, so incremental learning can be implemented. Based on some simple predefined rules and refinement, the number of rules in the rule database can be reduced dramatically, so that rule-matching time during detection is reduced effectively. The experimental results clearly demonstrate that the detection model can effectively detect R2L, R2R and L2R attacks. Moreover, a detected anomaly is localized to the corresponding request rather than to the entire trace. The detection model is suited to privileged processes, especially those based on request-response interaction.
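The design sketched in the abstract (monitor only critical calls, learn one rule per observed request, refine the rule database to shrink it, then judge each request on its own) carried through as a small added example. This is not the paper's code: the critical-call set, the (call, directory) rule shape, the merge-to-common-parent refinement and the traces are all constructed assumptions.

```python
import itertools
import os

CRITICAL = {"execve", "open", "chmod", "chown", "setuid", "connect"}  # constructed level-1 set, not the paper's

def request_pattern(request):
    """Reduce a request to the tuple of its critical calls as (name, directory of the path argument)."""
    return tuple((n, (os.path.dirname(a) or "/") if a.startswith("/") else "*")
                 for n, a in request if n in CRITICAL)

def refine(rules):
    """Merge rule pairs differing only in one call's directory into their common parent (never '/')."""
    while True:
        for r1, r2 in itertools.combinations(sorted(rules), 2):
            diff = [k for k in range(len(r1)) if r1[k] != r2[k]] if len(r1) == len(r2) else []
            if len(diff) != 1 or r1[diff[0]][0] != r2[diff[0]][0]:
                continue
            k, d1, d2 = diff[0], r1[diff[0]][1], r2[diff[0]][1]
            if "*" in (d1, d2) or (parent := os.path.commonpath([d1, d2])) == "/":
                continue  # non-path argument, or generalising up to '/' would accept any path
            rules.difference_update({r1, r2})
            rules.add(r1[:k] + ((r1[k][0], parent),) + r1[k + 1:])
            break  # restart the scan over the now smaller rule set
        else:
            return len(rules)  # no pair could be merged

def anomalous(rules, request):
    """Per-request detection: normal iff some rule matches call by call (a rule directory covers its subtree)."""
    p = request_pattern(request)
    return not any(len(r) == len(p) and all(
        a[0] == b[0] and (b[1] == a[1] or b[1].startswith(a[1].rstrip("/") + "/"))
        for a, b in zip(r, p)) for r in rules)

# Constructed traces of a request-response privileged process: (syscall, first path-or-fd argument).
NORMAL = [
    [("accept", "fd4"), ("open", "/var/www/index.html"), ("read", "fd5"), ("write", "fd4")],
    [("accept", "fd4"), ("open", "/var/www/img/logo.png"), ("write", "fd4")],
    [("accept", "fd4"), ("open", "/var/www/docs/a.html"), ("write", "fd4")],
]
SUSPECT = [
    [("accept", "fd4"), ("open", "/var/www/docs/b.html"), ("write", "fd4")],  # unseen file, still normal
    [("accept", "fd4"), ("open", "/etc/passwd"), ("write", "fd4")],           # escapes /var/www
    [("accept", "fd4"), ("open", "/var/www/x.cgi"), ("execve", "/bin/sh")],   # unexpected execve
]
def run():
    rules = set()
    for req in NORMAL:
        rules.add(request_pattern(req))  # incremental learning: one rule per observed request
    before, after = len(rules), refine(rules)
    return before, after, [i for i, req in enumerate(SUSPECT) if anomalous(rules, req)]
```

Non-critical calls such as read and write never enter a rule, and the two flagged requests are reported individually rather than as a verdict on the whole trace.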
