Part of the book series: Communications in Computer and Information Science ((CCIS,volume 2))

Abstract

Many intrusion detection systems monitor process behavior by tracing system calls. Frequent patterns or inherent rules are extracted as features from the system call traces of normal processes to model their behavior, and any significant deviation from the model is diagnosed as intrusive. Current approaches suffer from heavy modeling complexity when extracting the essential features needed to reduce false alarms. In this paper, we propose a novel approach that analyzes the properties of individual system calls and their context at the semantic level in order to discover function structures from system call traces efficiently, without any static analysis of source code or runtime information. We monitor process behavior by treating such structures as preconditions, which is effective and consistent with the mechanism of process execution. Experiments are conducted on two sets of intrusion detection data, and the results show that our approach is feasible and effective.
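The sequence-model baseline that the abstract describes (frequent patterns extracted from normal traces, with deviations flagged as intrusive) is illustrated below as an added Python example. It is not the paper's own method or code: the paper's contribution is the semantic function-structure extraction, whereas this block shows only the classic fixed-window model that such work builds on. The system-call traces, the window length `n = 3` and the `threshold` of 0.2 are all constructed assumptions chosen to make the scoring visible.

```python
# Added illustration (not from the paper): model normal process behaviour as the
# set of fixed-length system-call windows (n-grams) observed in training traces,
# then score a new trace by the fraction of its windows that the model has never
# seen. All traces below are constructed sample data, not real audit records.
from typing import Dict, Iterable, List, Sequence, Set, Tuple

Window = Tuple[str, ...]


def extract_windows(trace: Sequence[str], n: int) -> List[Window]:
    """Slide a window of length n over a system-call trace.

    Traces shorter than n yield a single (shorter) window so that short
    processes still contribute to, and can be scored against, the model.
    """
    if not trace:
        return []
    if len(trace) < n:
        return [tuple(trace)]
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_normal_model(traces: Iterable[Sequence[str]], n: int = 3) -> Set[Window]:
    """Collect every window seen in the normal (training) traces."""
    model: Set[Window] = set()
    for trace in traces:
        model.update(extract_windows(trace, n))
    return model


def mismatch_ratio(model: Set[Window], trace: Sequence[str], n: int = 3) -> float:
    """Fraction of the trace's windows that do not appear in the model."""
    windows = extract_windows(trace, n)
    if not windows:
        return 0.0
    mismatches = sum(1 for w in windows if w not in model)
    return mismatches / len(windows)


def classify(model: Set[Window], trace: Sequence[str],
             n: int = 3, threshold: float = 0.2) -> Tuple[str, float]:
    """Label a trace as 'anomalous' when its mismatch ratio exceeds threshold."""
    ratio = mismatch_ratio(model, trace, n)
    return ("anomalous" if ratio > threshold else "normal", ratio)


# Constructed training traces: a request-serving loop reading a file and
# writing the response. These stand in for traces of a normal process.
NORMAL_TRACES: List[List[str]] = [
    ["accept", "read", "open", "fstat", "mmap", "read", "write", "close", "close"],
    ["accept", "read", "open", "fstat", "read", "write", "close", "close"],
    ["accept", "read", "stat", "open", "fstat", "mmap", "write", "close", "close"],
]

MODEL: Set[Window] = build_normal_model(NORMAL_TRACES, n=3)

# Constructed test traces. The first recombines windows already in the model
# (no alarm); the second inserts calls the training data never showed.
TEST_TRACES: Dict[str, List[str]] = {
    "normal_variant": ["accept", "read", "open", "fstat", "mmap", "write", "close", "close"],
    "unexpected_exec": ["accept", "read", "open", "fstat", "setuid", "execve", "read", "write", "close"],
}


def score_all(model: Set[Window], traces: Dict[str, Sequence[str]]) -> Dict[str, Tuple[str, float]]:
    """Classify every test trace against the model."""
    return {name: classify(model, trace) for name, trace in traces.items()}


if __name__ == "__main__":
    print(f"model holds {len(MODEL)} distinct 3-call windows")
    for name, (label, ratio) in score_all(MODEL, TEST_TRACES).items():
        print(f"{name:16s} {label:10s} mismatch ratio {ratio:.3f}")
```

The `threshold` is where the false-alarm problem the abstract mentions appears in practice: a legitimate trace that exercises a rarely trained code path also produces unseen windows, so lowering the threshold catches more deviations at the cost of more alarms on benign behaviour. Approaches like the paper's aim to replace the raw window set with features that separate those two cases more cleanly.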




Editor information

De-Shuang Huang Laurent Heutte Marco Loog

Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

Cite this paper

Zhang, X., Li, J., Jiang, Z., Feng, H. (2007). Black-Box Extraction of Functional Structures from System Call Traces for Intrusion Detection. In: Huang, DS., Heutte, L., Loog, M. (eds) Advanced Intelligent Computing Theories and Applications. With Aspects of Contemporary Intelligent Computing Techniques. ICIC 2007. Communications in Computer and Information Science, vol 2. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74282-1_16

  • DOI: https://doi.org/10.1007/978-3-540-74282-1_16

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-74281-4

  • Online ISBN: 978-3-540-74282-1
