Intrusion detection by monitoring system calls with POSIX capabilities

Takahiro Haruyama, Hidenori Nakazato, Hideyoshi Tominaga

    Research output: Contribution to journal › Article

    Abstract

    Existing anomaly intrusion detection that monitors system calls has two problems: vast numbers of false positives and a lack of risk information on detection. In order to solve the two problems, we propose an intrusion detection method called "Callchains." Callchains reduces the false positives of existing anomaly intrusion detection by restricting monitoring to the activities with process capabilities prescribed by POSIX 1003.1e. Additionally, Callchains provides an administrator with information on the POSIX capabilities used in system call execution as an indicator of risk. This paper shows Callchains' design, its implementation, and experimental results comparing Callchains with existing approaches.
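    The abstract states the idea only at a high level. The Python sketch below is added here as an illustration and is not the authors' Callchains implementation: it runs a plain stide-style sequence profile over every system call next to the same profile restricted to the calls that exercise a capability, and has the restricted version name the capabilities behind an alert, as the abstract describes. The syscall-to-capability table, the n-gram profile and the three traces are assumptions constructed for the example (Linux capability names stand in for the POSIX 1003.1e draft ones).

```python
"""Capability-filtered system-call anomaly detection in the spirit of Callchains.

Added illustration, not the authors' code. The CAPABILITY_OF table, the
profile format and the traces below are assumptions constructed for it.
"""


# Assumed mapping from a call as it appears in a trace to the capability it
# exercises. A real kernel decides this at run time (bind() needs
# CAP_NET_BIND_SERVICE only for ports below 1024), so the trace is assumed to
# name the privileged variant explicitly.
CAPABILITY_OF = {
    "bind_privileged_port": "CAP_NET_BIND_SERVICE",
    "setgid": "CAP_SETGID",
    "setuid": "CAP_SETUID",
    "chown": "CAP_CHOWN",
    "mknod": "CAP_MKNOD",
    "ptrace": "CAP_SYS_PTRACE",
    "mount": "CAP_SYS_ADMIN",
    "chroot": "CAP_SYS_CHROOT",
}


def capability_events(trace):
    """Keep only the calls that exercise a capability, as (call, cap) pairs."""
    return [(call, CAPABILITY_OF[call]) for call in trace if call in CAPABILITY_OF]


def grams(seq, n):
    """All k-grams of seq for 1 <= k <= n; unigrams catch a never-seen token."""
    out = set()
    for k in range(1, n + 1):
        out.update(tuple(seq[i:i + k]) for i in range(len(seq) - k + 1))
    return out


class SequenceProfile:
    """Plain stide-style profile: the set of short sequences seen in training."""

    def __init__(self, n=3):
        self.n = n
        self.known = set()

    def train(self, tokens):
        self.known |= grams(tokens, self.n)

    def unseen(self, tokens):
        return sorted(grams(tokens, self.n) - self.known)


class CapabilityDetector:
    """Same profile, but over the capability sequence only; an alert carries
    the capabilities involved as its risk indicator."""

    def __init__(self, n=3):
        self.profile = SequenceProfile(n)

    def train(self, trace):
        self.profile.train([cap for _, cap in capability_events(trace)])

    def check(self, trace):
        events = capability_events(trace)
        unseen = self.profile.unseen([cap for _, cap in events])
        return {
            "anomalous": bool(unseen),
            "unseen": unseen,
            "capabilities_used": sorted({cap for _, cap in events}),
            "privileged_calls": len(events),
            "total_calls": len(trace),
        }


# Constructed traces (not real captures). A daemon binds a low port, drops
# privileges, then serves requests.
NORMAL_TRACE = ["socket", "bind_privileged_port", "listen", "setgid", "setuid",
                "accept", "read", "write", "close", "accept", "read", "close"]
# Same privileged behaviour, different unprivileged traffic pattern.
VARIANT_TRACE = ["socket", "bind_privileged_port", "listen", "setgid", "setuid",
                 "accept", "read", "read", "write", "write", "close", "stat"]
# Compromised instance: never drops privileges and uses capabilities the
# profile has never seen.
ATTACK_TRACE = ["socket", "bind_privileged_port", "listen", "accept", "read",
                "execve", "chown", "ptrace", "write", "close"]


def compare(n=3):
    """Train both detectors on NORMAL_TRACE and check the other two traces."""
    plain = SequenceProfile(n)
    plain.train(NORMAL_TRACE)
    capdet = CapabilityDetector(n)
    capdet.train(NORMAL_TRACE)
    return {
        "plain_flags_variant": bool(plain.unseen(VARIANT_TRACE)),
        "cap_variant": capdet.check(VARIANT_TRACE),
        "cap_attack": capdet.check(ATTACK_TRACE),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

    The plain profile flags the variant trace because its unprivileged read/write pattern differs from training; the capability-filtered profile examines only 3 of its 12 calls, accepts it, and flags the attack trace with CAP_CHOWN and CAP_SYS_PTRACE named in the alert. A real deployment needs the kernel to report which calls actually consumed a capability, since for many calls (bind, open on a root-owned file) that depends on the arguments and the caller's credentials rather than on the call name.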

    Original language: English
    Pages (from-to): 2646-2654
    Number of pages: 9
    Journal: IEICE Transactions on Communications
    Volume: E90-B
    Issue number: 10
    DOI: 10.1093/ietcom/e90-b.10.2646
    Publication status: Published - 2007

    Keywords

    • Anomaly detection
    • Posix capability
    • System call

    ASJC Scopus subject areas

    • Electrical and Electronic Engineering
    • Computer Networks and Communications
    • Software

    Cite this

    Haruyama, Takahiro; Nakazato, Hidenori; Tominaga, Hideyoshi. Intrusion detection by monitoring system calls with POSIX capabilities. In: IEICE Transactions on Communications, Vol. E90-B, No. 10, 2007, p. 2646-2654.

    Haruyama, Takahiro; Nakazato, Hidenori; Tominaga, Hideyoshi. / Intrusion detection by monitoring system calls with POSIX capabilities. In: IEICE Transactions on Communications. 2007; Vol. E90-B, No. 10. pp. 2646-2654.
    @article{2f47626acf5a49728917f48c0ddc5e88,
    title = "Intrusion detection by monitoring system calls with POSIX capabilities",
    abstract = "Existing anomaly intrusion detection that monitors system calls has two problems: vast numbers of false positives and a lack of risk information on detection. In order to solve the two problems, we propose an intrusion detection method called {"}Callchains.{"} Callchains reduces the false positives of existing anomaly intrusion detection by restricting monitoring to the activities with process capabilities prescribed by POSIX 1003.1e. Additionally, Callchains provides an administrator with information on the POSIX capabilities used in system call execution as an indicator of risk. This paper shows Callchains' design, its implementation, and experimental results comparing Callchains with existing approaches.",
    keywords = "Anomaly detection, Posix capability, System call",
    author = "Takahiro Haruyama and Hidenori Nakazato and Hideyoshi Tominaga",
    year = "2007",
    doi = "10.1093/ietcom/e90-b.10.2646",
    language = "English",
    volume = "E90-B",
    pages = "2646--2654",
    journal = "IEICE Transactions on Communications",
    issn = "0916-8516",
    publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",
    number = "10",
    }

    TY - JOUR
    T1 - Intrusion detection by monitoring system calls with POSIX capabilities
    AU - Haruyama, Takahiro
    AU - Nakazato, Hidenori
    AU - Tominaga, Hideyoshi
    PY - 2007
    Y1 - 2007
    N2 - Existing anomaly intrusion detection that monitors system calls has two problems: vast numbers of false positives and a lack of risk information on detection. In order to solve the two problems, we propose an intrusion detection method called "Callchains." Callchains reduces the false positives of existing anomaly intrusion detection by restricting monitoring to the activities with process capabilities prescribed by POSIX 1003.1e. Additionally, Callchains provides an administrator with information on the POSIX capabilities used in system call execution as an indicator of risk. This paper shows Callchains' design, its implementation, and experimental results comparing Callchains with existing approaches.
    AB - Existing anomaly intrusion detection that monitors system calls has two problems: vast numbers of false positives and a lack of risk information on detection. In order to solve the two problems, we propose an intrusion detection method called "Callchains." Callchains reduces the false positives of existing anomaly intrusion detection by restricting monitoring to the activities with process capabilities prescribed by POSIX 1003.1e. Additionally, Callchains provides an administrator with information on the POSIX capabilities used in system call execution as an indicator of risk. This paper shows Callchains' design, its implementation, and experimental results comparing Callchains with existing approaches.
    KW - Anomaly detection
    KW - Posix capability
    KW - System call
    UR - http://www.scopus.com/inward/record.url?scp=67651017737&partnerID=8YFLogxK
    UR - http://www.scopus.com/inward/citedby.url?scp=67651017737&partnerID=8YFLogxK
    U2 - 10.1093/ietcom/e90-b.10.2646
    DO - 10.1093/ietcom/e90-b.10.2646
    M3 - Article
    AN - SCOPUS:67651017737
    VL - E90-B
    SP - 2646
    EP - 2654
    JO - IEICE Transactions on Communications
    JF - IEICE Transactions on Communications
    SN - 0916-8516
    IS - 10
    ER -