Issue No. 05 - September/October (1997 vol. 14)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/52.605929
Computer use leaves trails of activity that can reveal signatures of misuse as well as of legitimate activity. Depending on the audit method used, one can record a user's keystrokes, the system resources used, or the system calls made by some collection of processes. The authors have done preliminary work on the analysis of system call traces, particularly their structure during normal and anomalous behavior, and have found the anomalies to be temporally localized. These techniques could eventually lead to an effective, automatic analysis and monitoring system, and might even be extensible to handle other kinds of anomalous behavior.
Steven A. Hofmeyr, Andrew P. Kosoresow, "Intrusion Detection via System Call Traces", IEEE Software, vol. 14, no. , pp. 35-42, September/October 1997, doi:10.1109/52.605929