DocumentCode :
987851
Title :
Detecting Intrusions through System Call Sequence and Argument Analysis
Author :
Maggi, Federico ; Matteucci, Matteo ; Zanero, Stefano
Author_Institution :
Dipt. di Elettron. e Inf., Politec. di Milano, Milano, Italy
Volume :
7
Issue :
4
fYear :
2010
Firstpage :
381
Lastpage :
395
Abstract :
We describe an unsupervised host-based intrusion detection system based on system call arguments and sequences. We define a set of anomaly detection models for the individual arguments of each call. We then describe a clustering process that helps to better fit models to system call arguments and creates interrelations among the different arguments of a system call. Finally, we add a behavioral Markov model in order to capture time correlations and abnormal behaviors. The whole system needs no prior knowledge as input; it has a good signal-to-noise ratio, and it is also able to correctly contextualize alarms, giving the user more information to judge whether a true or a false positive occurred, and to detect global variations over the entire execution flow, as opposed to point-wise ones on individual call instances.
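The sketch below is an added illustration for this record, not the authors' implementation: it reduces the abstract to the two mechanisms a practitioner can run in a few lines, per-argument anomaly models (length and character set for strings, the set of seen values for integers) and a first-order Markov chain over syscall names with a per-trace likelihood check, and omits the argument clustering step. All traces, syscall names and argument values are constructed for the example, and the thresholds (2x length slack, lowest training likelihood) are arbitrary choices, not the paper's.

```python
"""Toy host-based anomaly detector over system-call traces.

Added illustration only (not the authors' system): per-argument models plus a
behavioural Markov chain; the paper's clustering step is omitted.
"""
import math
from collections import Counter, defaultdict

# Constructed training traces of a hypothetical config-reading program.
# Each event is (syscall, {argument: value}).
NORMAL_TRACES = [
    [("open", {"path": "/etc/app/config.ini", "flags": "O_RDONLY"}),
     ("read", {"fd": 3, "count": 4096}),
     ("close", {"fd": 3}),
     ("exit_group", {"status": 0})],
    [("open", {"path": "/var/lib/app/data.db", "flags": "O_RDONLY"}),
     ("read", {"fd": 3, "count": 4096}),
     ("read", {"fd": 3, "count": 4096}),
     ("close", {"fd": 3}),
     ("exit_group", {"status": 0})],
    [("open", {"path": "/var/lib/app/cache.bin", "flags": "O_RDONLY"}),
     ("read", {"fd": 4, "count": 1024}),
     ("close", {"fd": 4}),
     ("exit_group", {"status": 0})],
]

# Constructed attack trace: an overlong path carrying shell metacharacters,
# after which the program is diverted into spawning a shell.
ATTACK_TRACE = [
    ("open", {"path": "/tmp/" + "A" * 200 + ";/bin/sh", "flags": "O_RDWR|O_CREAT"}),
    ("execve", {"path": "/bin/sh"}),
]


class StringModel:
    """Models a string argument by its length range and its character set."""

    def __init__(self):
        self.min_len, self.max_len, self.chars = math.inf, 0, set()

    def fit(self, value):
        self.min_len = min(self.min_len, len(value))
        self.max_len = max(self.max_len, len(value))
        self.chars |= set(value)

    def violations(self, value):
        found = []
        # Slack on both ends so a slightly longer or shorter path is not an alarm.
        if not self.min_len // 2 <= len(value) <= self.max_len * 2:
            found.append("length")
        if set(value) - self.chars:
            found.append("charset")
        return found


class DiscreteModel:
    """Models an integer argument (fd, count, status) as the set of seen values."""

    def __init__(self):
        self.seen = set()

    def fit(self, value):
        self.seen.add(value)

    def violations(self, value):
        return [] if value in self.seen else ["unseen-value"]


class MarkovModel:
    """First-order Markov chain over syscall names with Laplace smoothing."""

    START, END = "<start>", "<end>"

    def __init__(self):
        self.counts = defaultdict(Counter)
        self.states = {self.START, self.END}

    @staticmethod
    def _names(trace):
        return [MarkovModel.START] + [name for name, _ in trace] + [MarkovModel.END]

    def fit(self, trace):
        names = self._names(trace)
        self.states.update(names)
        for a, b in zip(names, names[1:]):
            self.counts[a][b] += 1

    def transitions(self, trace):
        """(from, to, training count, smoothed probability) for each step."""
        names = self._names(trace)
        out = []
        for a, b in zip(names, names[1:]):
            row = self.counts.get(a, Counter())
            prob = (row[b] + 1) / (sum(row.values()) + len(self.states))
            out.append((a, b, row[b], prob))
        return out

    def mean_log_prob(self, trace):
        steps = self.transitions(trace)
        return sum(math.log(p) for _, _, _, p in steps) / len(steps)


class Detector:
    """Trains on normal traces, then returns contextualised alarms for a trace."""

    def __init__(self):
        self.arg_models = {}        # (syscall, argument) -> model
        self.markov = MarkovModel()
        self.ll_threshold = None    # lowest mean log-probability among normal traces

    def train(self, traces):
        for trace in traces:
            self.markov.fit(trace)
            for name, args in trace:
                for arg, value in args.items():
                    model = self.arg_models.setdefault(
                        (name, arg), StringModel() if isinstance(value, str) else DiscreteModel())
                    model.fit(value)
        self.ll_threshold = min(self.markov.mean_log_prob(t) for t in traces)

    def analyse(self, trace):
        alarms = []
        # Point-wise checks: every argument of every call against its own model.
        for i, (name, args) in enumerate(trace):
            for arg, value in args.items():
                model = self.arg_models.get((name, arg))
                if model is None:
                    alarms.append(dict(index=i, syscall=name, arg=arg, model="never-seen"))
                    continue
                for reason in model.violations(value):
                    alarms.append(dict(index=i, syscall=name, arg=arg, model=reason))
        # Sequence checks: transitions never observed during training.
        for i, (a, b, count, _) in enumerate(self.markov.transitions(trace)):
            if count == 0:
                alarms.append(dict(index=i, syscall=f"{a}->{b}", arg="sequence",
                                   model="unseen-transition"))
        # Global check: the whole execution flow is less likely than any normal trace.
        if self.markov.mean_log_prob(trace) < self.ll_threshold:
            alarms.append(dict(index=None, syscall="*", arg="sequence", model="low-likelihood"))
        return alarms


def demo():
    detector = Detector()
    detector.train(NORMAL_TRACES)
    return detector.analyse(ATTACK_TRACE)


if __name__ == "__main__":
    for alarm in demo():
        print(alarm)
```

Each alarm names the call index, the syscall, the argument and the model that fired, which is the "contextualized alarm" the abstract describes; the final low-likelihood alarm is the global variation over the whole flow, raised even though the first call of the attack trace is a perfectly ordinary `open`.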
Keywords :
Markov processes; pattern clustering; security of data; unsupervised learning; alarm contextualization; anomaly detection model; argument analysis; behavioral Markov model; clustering process; execution flow; signal-to-noise ratio; system call sequence; time correlation; unsupervised host-based intrusion detection system; Automatic testing; Context modeling; Event detection; Intrusion detection; Noise measurement; Performance evaluation; Prototypes; Signal to noise ratio; System testing; Invasive software (viruses, worms, Trojan horses); Unauthorized access (hacking, phreaking); Network-level security and protection; Security; anomaly detection; behavior detection; Markov models
fLanguage :
English
Journal_Title :
Dependable and Secure Computing, IEEE Transactions on
Publisher :
ieee
ISSN :
1545-5971
Type :
jour
DOI :
10.1109/TDSC.2008.69
Filename :
4674371