PROBABILISTIC ANOMALY DETECTION BASED ON SYSTEM CALLS ANALYSIS

Przemysław Maciołek, Paweł Król, Jarosław Koźlak

Abstract


We present an application of a probabilistic approach to anomaly detection (PAD). By analyzing selected system calls (and their arguments), chosen applications are monitored in a Linux environment. This allows us to estimate the "(ab)normality" of their behavior by comparison with previously collected profiles. We also report results of threat detection in a typical computer environment.

Keywords


anomaly detection; IDS; system calls; Linux


DOI: https://doi.org/10.7494/csci.2007.8.3.93
