Intrusion detection by monitoring system calls with POSIX capabilities

Takahiro Haruyama*, Hidenori Nakazato, Hideyoshi Tominaga

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review


Existing anomaly intrusion detection that monitors system calls has two problems: vast false positives and lack of risk information on detection. In order to solve the two problems, we propose an intrusion detection method called "Callchains." Callchains reduces the false positives of existing anomaly intrusion detection by restricting monitoring to the activities with process capabilities prescribed by POSIX 1003.1e. Additionally, Callchains provides an administrator information of used POSIX capabilities in sytem call execution as an indicator of risk. This paper shows Callchains' design, its implementation, and experimental results comparing Callchains with existing approaches.

Original languageEnglish
Pages (from-to)2646-2654
Number of pages9
JournalIEICE Transactions on Communications
Issue number10
Publication statusPublished - 2007


  • Anomaly detection
  • Posix capability
  • System call

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications
  • Electrical and Electronic Engineering


Dive into the research topics of 'Intrusion detection by monitoring system calls with POSIX capabilities'. Together they form a unique fingerprint.

Cite this