Intrusion detection by monitoring system calls with POSIX capabilities

Takahiro Haruyama, Hidenori Nakazato, Hideyoshi Tominaga

Research output: Contribution to journal › Article

Abstract

Existing anomaly intrusion detection that monitors system calls has two problems: a vast number of false positives and a lack of risk information on detection. In order to solve these two problems, we propose an intrusion detection method called "Callchains." Callchains reduces the false positives of existing anomaly intrusion detection by restricting monitoring to the activities with process capabilities prescribed by POSIX 1003.1e. Additionally, Callchains provides an administrator with information on the POSIX capabilities used in system call execution as an indicator of risk. This paper shows Callchains' design, its implementation, and experimental results comparing Callchains with existing approaches.

Original language: English
Pages (from-to): 2646-2654
Number of pages: 9
Journal: IEICE Transactions on Communications
Volume: E90-B
Issue number: 10
Publication status: Published - 2007 Jan 1

Keywords

  • Anomaly detection
  • Posix capability
  • System call

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications
  • Electrical and Electronic Engineering