Intrusion detection by monitoring system calls with POSIX capabilities

Takahiro Haruyama; Hidenori Nakazato; Hideyoshi Tominaga

doi:10.1093/ietcom/e90-b.10.2646

Intrusion detection by monitoring system calls with POSIX capabilities

Takahiro Haruyama^*, Hidenori Nakazato, Hideyoshi Tominaga

^*Corresponding author for this work

School of Fundamental Science and Engineering

Research output: Contribution to journal › Article › peer-review

Abstract

Existing anomaly intrusion detection that monitors system calls has two problems: vast false positives and lack of risk information on detection. In order to solve the two problems, we propose an intrusion detection method called "Callchains." Callchains reduces the false positives of existing anomaly intrusion detection by restricting monitoring to the activities with process capabilities prescribed by POSIX 1003.1e. Additionally, Callchains provides an administrator information of used POSIX capabilities in sytem call execution as an indicator of risk. This paper shows Callchains' design, its implementation, and experimental results comparing Callchains with existing approaches.

Original language	English
Pages (from-to)	2646-2654
Number of pages	9
Journal	IEICE Transactions on Communications
Volume	E90-B
Issue number	10
DOIs	https://doi.org/10.1093/ietcom/e90-b.10.2646
Publication status	Published - 2007

Keywords

Anomaly detection
Posix capability
System call

ASJC Scopus subject areas

Software
Computer Networks and Communications
Electrical and Electronic Engineering

Access to Document

10.1093/ietcom/e90-b.10.2646

Cite this

@article{2f47626acf5a49728917f48c0ddc5e88,

title = "Intrusion detection by monitoring system calls with POSIX capabilities",

abstract = "Existing anomaly intrusion detection that monitors system calls has two problems: vast false positives and lack of risk information on detection. In order to solve the two problems, we propose an intrusion detection method called {"}Callchains.{"} Callchains reduces the false positives of existing anomaly intrusion detection by restricting monitoring to the activities with process capabilities prescribed by POSIX 1003.1e. Additionally, Callchains provides an administrator information of used POSIX capabilities in sytem call execution as an indicator of risk. This paper shows Callchains' design, its implementation, and experimental results comparing Callchains with existing approaches.",

keywords = "Anomaly detection, Posix capability, System call",

author = "Takahiro Haruyama and Hidenori Nakazato and Hideyoshi Tominaga",

year = "2007",

doi = "10.1093/ietcom/e90-b.10.2646",

language = "English",

volume = "E90-B",

pages = "2646--2654",

journal = "IEICE Transactions on Communications",

issn = "0916-8516",

publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",

number = "10",

}

TY - JOUR

T1 - Intrusion detection by monitoring system calls with POSIX capabilities

AU - Haruyama, Takahiro

AU - Nakazato, Hidenori

AU - Tominaga, Hideyoshi

PY - 2007

Y1 - 2007

N2 - Existing anomaly intrusion detection that monitors system calls has two problems: vast false positives and lack of risk information on detection. In order to solve the two problems, we propose an intrusion detection method called "Callchains." Callchains reduces the false positives of existing anomaly intrusion detection by restricting monitoring to the activities with process capabilities prescribed by POSIX 1003.1e. Additionally, Callchains provides an administrator information of used POSIX capabilities in sytem call execution as an indicator of risk. This paper shows Callchains' design, its implementation, and experimental results comparing Callchains with existing approaches.

AB - Existing anomaly intrusion detection that monitors system calls has two problems: vast false positives and lack of risk information on detection. In order to solve the two problems, we propose an intrusion detection method called "Callchains." Callchains reduces the false positives of existing anomaly intrusion detection by restricting monitoring to the activities with process capabilities prescribed by POSIX 1003.1e. Additionally, Callchains provides an administrator information of used POSIX capabilities in sytem call execution as an indicator of risk. This paper shows Callchains' design, its implementation, and experimental results comparing Callchains with existing approaches.

KW - Anomaly detection

KW - Posix capability

KW - System call

UR - http://www.scopus.com/inward/record.url?scp=67651017737&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=67651017737&partnerID=8YFLogxK

U2 - 10.1093/ietcom/e90-b.10.2646

DO - 10.1093/ietcom/e90-b.10.2646

M3 - Article

AN - SCOPUS:67651017737

SN - 0916-8516

VL - E90-B

SP - 2646

EP - 2654

JO - IEICE Transactions on Communications

JF - IEICE Transactions on Communications

IS - 10

ER -

Intrusion detection by monitoring system calls with POSIX capabilities

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this