CSDL Home IEEE Transactions on Dependable and Secure Computing 2010 vol.7 Issue No.04 - October-December
Issue No.04 - October-December (2010 vol.7)
Federico Maggi , Politecnico di Milano, Milano
Matteo Matteucci , Politecnico di Milano, Milano
Stefano Zanero , Politecnico di Milano, Milano
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TDSC.2008.69
We describe an unsupervised host-based intrusion detection system based on system call arguments and sequences. We define a set of anomaly detection models for the individual parameters of the call. We then describe a clustering process that helps to better fit models to system call arguments and creates interrelations among different arguments of a system call. Finally, we add a behavioral Markov model in order to capture time correlations and abnormal behaviors. The whole system needs no prior knowledge input; it has a good signal-to-noise ratio, and it is also able to correctly contextualize alarms, giving the user more information to understand whether a true or false positive happened, and to detect global variations over the entire execution flow, as opposed to punctual ones over individual instances.
Intrusion detection, anomaly detection, behavior detection, Markov models.
Federico Maggi, Matteo Matteucci, Stefano Zanero, "Detecting Intrusions through System Call Sequence and Argument Analysis", IEEE Transactions on Dependable and Secure Computing, vol.7, no. 4, pp. 381-395, October-December 2010, doi:10.1109/TDSC.2008.69