Intrusion Detection via System Call Traces

Unusual behavior in computer systems can be detected by monitoring the system calls being executed by programs. Analysis of the temporal ordering of these calls reveals that such anomalies are localized within traces and that normal program behavior can be described compactly using deterministic finite automata. This article presents preliminary work in analyzing system call traces, particularly their structure during normal and anomalous behavior.
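The approach the abstract describes, as an added example that is not the paper's own code: a deterministic automaton over system-call sequences is learned from constructed "normal" traces, and a test trace is walked through it so that the positions with no matching transition stand out as a localized burst. The call names, the traces and the window length k=2 are assumptions for illustration.

```python
"""Added example (not from the paper): learn a deterministic automaton of
normal system-call sequences from constructed training traces, then walk a
test trace through it and report the indices where no transition exists.
Each state is the tuple of the last k calls, so the automaton is a k-th-order
model; a call never seen in training produces k+1 consecutive misses (fewer
if the trace ends first), which is the localized anomaly the text describes."""
from collections import defaultdict

# Constructed sample traces; the names merely resemble Unix system calls.
NORMAL_TRACES = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["stat", "open", "read", "close"],
]


def build_dfa(traces, k=2):
    """Return {state: {call: next_state}}; states are k-tuples of recent calls,
    padded with None at the start of each trace."""
    dfa = defaultdict(dict)
    for trace in traces:
        state = (None,) * k
        for call in trace:
            nxt = state[1:] + (call,)
            dfa[state][call] = nxt
            state = nxt
    return dict(dfa)


def scan_trace(dfa, trace, k=2):
    """Return 0-based indices of calls with no transition from the current
    state. After a miss the window still slides forward, so detection
    resynchronises once the foreign call leaves the k-call history."""
    misses = []
    state = (None,) * k
    for i, call in enumerate(trace):
        if call in dfa.get(state, {}):
            state = dfa[state][call]
        else:
            misses.append(i)
            state = state[1:] + (call,)
    return misses


if __name__ == "__main__":
    dfa = build_dfa(NORMAL_TRACES)
    print(scan_trace(dfa, ["open", "read", "write", "close"]))            # []
    print(scan_trace(dfa, ["open", "read", "execve", "write", "close"]))  # [2, 3, 4]
```

Increasing k makes the model stricter (more states, fewer accepted sequences) at the cost of needing more training traces before the automaton covers ordinary program paths.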
