• DocumentCode
    987851
  • Title
    Detecting Intrusions through System Call Sequence and Argument Analysis

  • Author
    Maggi, Federico ; Matteucci, Matteo ; Zanero, Stefano

  • Author_Institution
    Dipt. di Elettron. e Inf., Politec. di Milano, Milano, Italy
  • Volume
    7
  • Issue
    4
  • fYear
    2010
  • Firstpage
    381
  • Lastpage
    395
  • Abstract
    We describe an unsupervised host-based intrusion detection system based on system call arguments and sequences. We define a set of anomaly detection models for the individual parameters of the call. We then describe a clustering process that helps to better fit models to system call arguments and creates interrelations among different arguments of a system call. Finally, we add a behavioral Markov model in order to capture time correlations and abnormal behaviors. The whole system needs no prior knowledge input; it has a good signal-to-noise ratio, and it is also able to correctly contextualize alarms, giving the user more information to understand whether a true or false positive happened, and to detect global variations over the entire execution flow, as opposed to punctual ones over individual instances.
  • Keywords
    Markov processes; pattern clustering; security of data; unsupervised learning; alarm contextualization; anomaly detection model; argument analysis; behavioral Markov model; clustering process; execution flow; signal-to-noise ratio; system call sequence; time correlation; unsupervised host-based intrusion detection system; Automatic testing; Context modeling; Event detection; Intrusion detection; Noise measurement; Performance evaluation; Prototypes; Signal to noise ratio; System testing; Intrusion detection; Invasive software (viruses, worms, Trojan horses); Markov models; Network-level security and protection; Security; Unauthorized access (hacking, phreaking); anomaly detection; behavior detection
  • fLanguage
    English
  • Journal_Title
    Dependable and Secure Computing, IEEE Transactions on
  • Publisher
    ieee
  • ISSN
    1545-5971
  • Type
    jour

  • DOI
    10.1109/TDSC.2008.69
  • Filename
    4674371