Przemysław Maciołek, Paweł Król, Jarosław Koźlak


We present an application of the probabilistic anomaly detection (PAD) approach to host-based intrusion detection. Selected system calls (together with their arguments) issued by chosen applications are monitored in a Linux environment, which allows us to estimate the “(ab)normality” of their behavior by comparison with previously collected profiles. We include results of threat detection in a typical computer environment.


anomaly detection; IDS; system calls; Linux
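To make concrete what scoring system-call records (and their arguments) against a learned profile involves, the following is an added, simplified PAD-style example; it is not code from the paper or its authors. The process name, the argument classes, the add-alpha smoothing (a crude stand-in for the Friedman-Singer estimator used in PAD) and the 20-record "normal" trace are all constructed assumptions for illustration.

```python
"""Simplified PAD-style scoring of system-call records against a learned profile.

Added example, not the paper's code. Each record is a tuple of discrete
features: process name, system call, and a coarse class of the first
argument. A profile is trained on a constructed "normal" trace; new
records are scored with first- and second-order consistency checks
(P(feature) and P(feature_i | feature_j)) using add-alpha smoothing, a
crude stand-in for the Friedman-Singer estimator used in PAD.
"""
from collections import Counter, defaultdict
from itertools import permutations
import math

FEATURES = ("proc", "syscall", "arg_class")
# Constructed path prefixes used to bucket arguments (assumption, not from the paper)
PATH_PREFIXES = ("/etc/", "/tmp/", "/var/www/", "/bin/", "/usr/", "/dev/")


def classify_arg(syscall, arg):
    """Map a raw argument to a coarse class so the profile's domain stays small."""
    if syscall in ("open", "execve"):
        for prefix in PATH_PREFIXES:
            if arg.startswith(prefix):
                return prefix
        return "other_path"
    if syscall == "socket":
        return arg          # e.g. the address family
    return "none"           # argument not modelled for this call


def make_record(proc, syscall, arg=""):
    return {"proc": proc, "syscall": syscall, "arg_class": classify_arg(syscall, arg)}


class PadProfile:
    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.n = 0
        self.first = {f: Counter() for f in FEATURES}      # counts for P(f = v)
        self.second = defaultdict(Counter)                  # (fi, vi, fj) -> Counter(vj)

    def train(self, records):
        for rec in records:
            self.n += 1
            for f in FEATURES:
                self.first[f][rec[f]] += 1
            for fi, fj in permutations(FEATURES, 2):
                self.second[(fi, rec[fi], fj)][rec[fj]] += 1

    def _prob(self, counter, value):
        # Add-alpha smoothing with one extra slot reserved for an unseen value,
        # so a never-observed value gets alpha / (total + alpha * (k + 1)).
        total = sum(counter.values())
        k = len(counter)
        return (counter.get(value, 0) + self.alpha) / (total + self.alpha * (k + 1))

    def score(self, rec):
        """Minimum log-probability over all consistency checks (lower = more anomalous).
        Caveat: a conditioning value never seen in training yields an empty counter,
        whose smoothed probability is 1; the first-order check on that value still
        fires, which is why first-order checks are kept alongside second-order ones."""
        probs = [self._prob(self.first[f], rec[f]) for f in FEATURES]
        probs += [self._prob(self.second[(fi, rec[fi], fj)], rec[fj])
                  for fi, fj in permutations(FEATURES, 2)]
        return min(math.log(p) for p in probs)

    def is_anomalous(self, rec, threshold=math.log(0.1)):
        return self.score(rec) < threshold


def train_on_sample():
    """Constructed 'normal' trace of a web server (20 records), not a real capture."""
    trace = ([make_record("httpd", "open", "/var/www/html/index.html")] * 8
             + [make_record("httpd", "open", "/etc/mime.types")] * 2
             + [make_record("httpd", "socket", "AF_INET")] * 4
             + [make_record("httpd", "read")] * 6)
    profile = PadProfile()
    profile.train(trace)
    return profile


def demo():
    profile = train_on_sample()
    tests = {
        "normal_open": make_record("httpd", "open", "/var/www/html/about.html"),
        "odd_path":    make_record("httpd", "open", "/tmp/.x"),      # common call, unusual argument
        "shell_exec":  make_record("httpd", "execve", "/bin/sh"),   # call never seen from httpd
    }
    return {name: (round(profile.score(r), 3), profile.is_anomalous(r))
            for name, r in tests.items()}


if __name__ == "__main__":
    for name, (score, flag) in demo().items():
        print(f"{name:12s} score={score:7.3f} anomalous={flag}")
```

The point of the argument class is visible in the `odd_path` case: `open` itself is the most common call in the profile, so a call-sequence-only model would pass it, but the unseen `/tmp/` argument class drives one consistency check to the smoothed floor and the record is flagged. In practice the bucketing of arguments and the threshold both need tuning on held-out normal traces, otherwise every new but benign path becomes an alert.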
