PROBABILISTIC ANOMALY DETECTION BASED ON SYSTEM CALLS ANALYSIS
DOI: https://doi.org/10.7494/csci.2007.8.3.93
Keywords: anomaly detection, IDS, system calls, Linux
Abstract
We present an application of a probabilistic approach to anomaly detection (PAD). By analyzing selected system calls (and their arguments), the chosen applications are monitored in the Linux environment. This allows us to estimate the "(ab)normality" of their behavior (by comparison to previously collected profiles). We have attached results of threat detection in a typical computer environment.
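A minimal version of the idea sketched in the abstract, added here as an illustration and not the paper's PAD implementation: a frequency profile of (syscall, argument) events is built from a normal trace, and a new trace is scored by its smoothed negative log-likelihood against that profile. The training trace, the test traces and the alert threshold are constructed for the example.

```python
from collections import Counter, defaultdict
from math import log

# Constructed sample of (syscall, argument) events from a monitored program
# behaving normally. Illustrative only, not the paper's data.
TRAIN = [
    ("open", "/etc/ld.so.cache"), ("open", "/usr/lib/libc.so.6"),
    ("open", "/var/www/index.html"), ("read", "fd=3"), ("write", "fd=1"),
    ("close", "fd=3"), ("open", "/var/www/index.html"), ("read", "fd=3"),
    ("write", "fd=1"), ("close", "fd=3"), ("open", "/var/www/style.css"),
    ("read", "fd=3"), ("write", "fd=1"), ("close", "fd=3"),
]

def build_profile(trace):
    """Profile = syscall frequencies plus, per syscall, argument frequencies."""
    calls = Counter(c for c, _ in trace)
    args = defaultdict(Counter)
    for c, a in trace:
        args[c][a] += 1
    return calls, args

def surprise(profile, call, arg, alpha=1.0):
    """-log P(call, arg) under the profile with Laplace smoothing, so a syscall
    or argument never seen in training gets a small but non-zero probability."""
    calls, args = profile
    n = sum(calls.values())
    p_call = (calls[call] + alpha) / (n + alpha * (len(calls) + 1))
    seen = args[call]  # empty Counter for a syscall absent from training
    p_arg = (seen[arg] + alpha) / (sum(seen.values()) + alpha * (len(seen) + 1))
    return -log(p_call * p_arg)

def score(profile, trace):
    """Mean surprise of a trace; higher means less like the training profile."""
    return sum(surprise(profile, c, a) for c, a in trace) / len(trace)

def is_anomalous(profile, trace, threshold):
    """Alert when the trace's mean surprise exceeds a threshold chosen from
    normal traces (constructed value in the example)."""
    return score(profile, trace) > threshold

def explain(profile, trace, top=2):
    """The most surprising events, for the analyst triaging an alert."""
    ranked = sorted(((surprise(profile, c, a), (c, a)) for c, a in trace),
                    reverse=True)
    return [event for _, event in ranked[:top]]
```

In practice the profile is collected per application over a long normal run and the threshold is set from the score distribution of held-out normal traces; the smoothing constant controls how harshly never-seen arguments are penalised.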