Yue Shen,Fei Yu,Ling-Fen Zhang,Ji-Yao An,Miao-Liang Zhu

DOI: https://doi.org/10.1109/CANET.2005.1598184

2005-01-01

Abstract:Intrusion detection is an efficient way to protect information system. This paper puts forward a new method of anomalous intrusion detection based on system call. It uses system calls regarded as input, and creates a FSA for the functions in the program. Then the FSA is used to detect the attack. Moreover, It can find the place of the vulnerability which exists in the program. This can help to alter the source program. Results are shown that this method is effective for some intrusion events.

谭小彬,王卫平,奚宏生,殷保群

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.12.073

2002-01-01

Abstract:The paper builds a Markov model of system calls sequence on computer system for intrusion detection, and introduces an anomaly detection method for computer systems. It analyses the current system calls sequences by using the knowledge on statistics, then defines a mismatch factor based on transition probabilities to compute the mismatch rate, and judges whether the process is in normal state or not by analyzing the mismatch rate. It also gives an updated algorithm of transition probabilities based on forgetting factor.

Yong-mei GAO,Ji-yi WU,Ling-di PING

DOI: https://doi.org/10.3969/j.issn.1673-629X.2009.08.039

2009-01-01

Abstract:Owing to many new characteristics such as central-less control and multi-hop communication,the security situation is more rigorous than that in the traditional Ad hoc network.Especially,when the number of nodes increase,the difficulty of building network,network availability and network security will be influenced badly.After the particular analysis of Sergio Marti's Watchdog and Pathrater arithmetic,intrusion detection system called SuperWatchdog,as the improved solution,was introduced to overcome the weakness of Watchdog.The main feature of the proposed system is its ability to discover malicious nodes which can partition the network by falsely reporting other nodes as misbehaving and then proceeds to protect the network.Simulation results show that our system decrease the overhead greatly,though it does not increase the throughput obviously.

LU Lianhao,PING Lingdi,PAN Xuezeng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.21.054

2006-01-01

Abstract:The research of covert channel analysis on Tuling SecOS2.0/4 is reported.A new covert channel identification method--modified semantic information flow method is proposed.It has less workload,can directly analyze the source code and exclude the false result,also helps the covert channel handling.It uses this method to identify the cover channels of the Tuling SecOS,computes the bandwidths accurately,and handles the covert channels according to different security policies.The result shows conform to the requirement of Level 4 security operating system in relevant national standards.

Xi Xiao,Zhenlong Wang,Qing Li,Shutao Xia,Yong Jiang

DOI: https://doi.org/10.1049/iet-ifs.2015.0211

2016-01-01

IET Information Security

Abstract:Android has become the most prevalent mobile system, but in the meanwhile malware on this platform is widespread. System call sequences are studied to detect malware. However, malware detection with these approaches relies on common system-call-subsequences. It is not so efficient because it is difficult to decide the appropriate length of the common subsequences. To address this issue, the authors propose a new approach, back-propagation neural network on Markov chains from system call sequences (BMSCS). It treats one system call sequence as a homogeneous stationary Markov chain and applies back-propagation neural network (BPNN) to detect malware by comparing transition probabilities in the chain. Since transition probabilities from one system call to another in malware are significantly different from those in benign applications, BMSCS can efficiently detect malware by capturing the anomaly in state transitions with the help of BPNN. The authors evaluate the performance of BMSCS by experiments with real application samples. The experiment results show that the F-score of BMSCS achieves up to 0.982773, which is higher than the other methods in the literature.

L Feng,XH Guan,SG Guo,Y Gao,PN Liu

DOI: https://doi.org/10.1016/j.cose.2004.01.016

IF: 5.105

2004-01-01

Computers & Security

Abstract:Identifying the intentions or attempts of the monitored agents through observations is very vital in computer network security. In this paper, a plan recognition method for predicting the anomaly events and the intentions of possible intruders to a computer system is developed based on the observation of system call sequences. The probability of the goal state for a system call sequence is defined as the prediction index to determine if the intention is normal. An efficient algorithm based on the dynamic Bayesian network theory with parameter compensation is derived and then applied to update the index recursively. Extensive empirical testing is performed on the data sets published in the literature and those collected in an actual computer system at our lab. The testing results showed that this method can identify the intrusion behaviors from the observed system call sequences with good accuracy.

Li-zhong Geng,Hui-bo Jia

DOI: https://doi.org/10.1109/ICIC.2009.43

2009-01-01

Abstract:Sequences of system call have become an important data resource of anomaly detection. Considering the large overhead of existing methods to construct normal profile using system call traces, an efficient algorithm is proposed based on STIDE in order to reduce the computing cost. The axis system calls which could represent the characteristics of normal behaviors are extracted by a sequences extracting factor. The improved algorithm measures the interestingness of sequences of system calls by involving the axis system calls, then train and tests the relevant sequences which we are concerned about. Experimental results demonstrate that the computing cost of training and testing in the new way has a reduction of 70% than the standard algorithm.

Nitin Kanaskar,Remzi Seker,Jiang Bian,Vir V. Phoha

DOI: https://doi.org/10.1109/TSMCC.2012.2208187

2012-01-01

Abstract:Code injection is a common approach which is utilized to exploit applications. We introduce some of the well-established techniques and formalisms of dynamical system theory into analysis of program behavior via system calls to detect code injections into an applications execution space. We accept a program as a blackbox dynamical system whose internals are not known, but whose output we can observe. The blackbox system observable in our model is the system calls the program makes. The collected system calls are treated as signals which are used to reconstruct the system’s phase space. Then, by using the well-established techniques from dynamical system theory, we quantify the amount of complexity of the system’s (program’s) behavior. The change in the behavior of a compromised system is detected as anomalous behavior compared with the baseline established from a clean program. We test the proposed approach against DARPA-98 dataset and a real-world exploit and present code injection experiments to show the applicability of our approach.

Tolvinas Vyšniūnas,Dainius Čeponis,Nikolaj Goranin,Antanas Čenys

DOI: https://doi.org/10.3390/electronics13010206

IF: 2.9

2024-01-03

Electronics

Abstract:Malware intrusion is a serious threat to cybersecurity; that is why new and innovative methods are constantly being developed to detect and prevent it. This research focuses on malware intrusion detection through the usage of system calls and machine learning. An effective and clearly described system-call grouping method could increase the various metrics of machine learning methods, thereby improving the malware detection rate in host-based intrusion-detection systems. In this article, a risk-based system-call sequence grouping method is proposed that assigns riskiness values from low to high based on function risk value. The application of the newly proposed grouping method improved classification accuracy by 23.4% and 7.6% with the SVM and DT methods, respectively, compared to previous results obtained on the same methods and data. The results suggest the use of lightweight machine learning methods for malware attack can ensure detection accuracy comparable to deep learning methods.

engineering, electrical & electronic,computer science, information systems,physics, applied

徐明,陈纯,应晶

2004-01-01

Journal of Software

Abstract:The aim of this paper is to create a new anomaly detection model based on rules. A detailed classification of the LINUX system calls according to their function and level of threat is presented. The detection model only aims at critical calls (I.e. The threat level 1 calls). In the learning process, the etection model dynamically processes every critical call, but does not use data mining or statistics from static data. Therefore, the increment learning could be implemented. Based on some simple predefined rules and refining, the number of rules in the rule database could be reduced dramatically, so that the rule match time can be reduced effectively during detection processing. The experimental results clearly demonstrate that the detection model can effectively detect R2L, R2R and L2R attacks. Moreover the detected anomaly is limited in the corresponding requests, but not in the entire trace. The detection model is fit for the privileged processes, especially for those based on request-responses.

WEI WANG,XIAO-HONG GUAN,XIANG-LIANG ZHANG

DOI: https://doi.org/10.1109/ICMLC.2004.1378514

2004-01-01

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework and a hot topic in computer network security in recent years. In this paper, a new efficient intrusion detection method based on hidden Markov models (HMMs) is presented. HMMs are applied to model the normal program behaviors using traces of system calls issued by processes. The output probability of a sequence of system calls is calculated by the normal model built. If the probability of a sequence in a trace is below a certain threshold, the sequence is flagged as a mismatch. If the ratio between the mismatches and all the sequences in a trace exceeds another threshold, the trace is then considered as a possible intrusion. The method is implemented and tested on the sendmail system call data from the University of New Mexico. Experimental results show that the performance of the proposed method in intrusion detection is better than other methods.

冯力,管晓宏,郭三刚,高艳,刘培妮

DOI: https://doi.org/10.3321/j.issn:0254-4164.2004.08.010

2004-01-01

Chinese Journal of Computers

Abstract:Plan recognition is a prediction theory for identifying and determining the intentions or the attempts of the agents monitored through observation data. In this paper, a plan recognition based method is presented to predict the anomaly events and intensions of potential intruders to a computer system using the system call sequences as observation data. The method is established on a dynamic Bayesian network with parameter compensation and an algorithm is developed to update this network. The experimental results show that this method has a good accuracy in predicting the intrusion intensions from the system call sequences.

Xiao-zhe LI,Mei-jun ZANG,Yi-qi DAI

DOI: https://doi.org/10.3969/j.issn.1672-464X.2008.04.015

2008-01-01

Abstract:Nowadays,Windows operating system is the most prevalent OS,and its security problem is widely concerned by users.System call interception is an efficient way to control accesses to the Windows system resource.This paper introduces and implements an API HOOK method to intercept Windows system calls,and exploits it to control host behaviors.By experiments,we prove that this system call interception method can control host access to system resources,which improves the security level of Windows OS.

ZHAO Yu-ming,ZHANG Wei,teng SH

2007-01-01

Abstract:The technique of intrusion detection has become a focus in the field ofnetwork security. This paper introduced the categories of intrusion detection and the methods of data mining applied in abnormal detection. It also described the design and implementation of the abnormal IDS based on system call and data mining algorithms.

Wei Wang,Xiaohong Guan,Xiangliang Zhang,Liwei Yang

DOI: https://doi.org/10.1016/j.cose.2006.05.005

IF: 5.105

2006-01-01

Computers & Security

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework. In recent years, it has been a widely studied topic in computer network security. In this paper, we present two methods, namely, the Hidden Markov Models (HMM) method and the Self Organizing Maps (SOM) method, to profile normal program behavior for anomaly intrusion detection based on computer audit data. The HMM method utilizes the transition property of events while SOM method relies on the frequency property of events. Two data sets, CERT synthetic Sendmail system call data collected in the University of New Mexico (UNM) and Live FTP system call data collected in the CNSIS lab of Xi'an Jiaotong University, were used to assess the two methods. Testing results show that the HMM method using the transition property of events produces good detection performance while high computational expense is required both for training and detection. The HMM method is better than other two methods reported previously in terms of detection accuracy for the same data set. The SOM method considering the frequency property of events, on the other hand, is suitable for real-time intrusion detection because of its capability of processing a large amount of data with low computational overhead.

Shuai Wang,Aiqun Hu,Tao Li,Shaofan Lin

DOI: https://doi.org/10.3390/sym16020249

2024-02-17

Symmetry

Abstract:Industrial control terminals play an important role in industrial control scenarios. Due to the special nature of industrial control networks, industrial control terminal systems are vulnerable to malicious attacks, which can greatly threaten the stability and security of industrial production environments. Traditional security protection methods for industrial control terminals have coarse detection granularity, and are unable to effectively detect and prevent attacks, lacking real-time responsiveness to attack events. Therefore, this paper proposes a real-time dynamic credibility evaluation mechanism based on program behavior, which integrates the matching and symmetry ideas of credibility evaluation. By conducting a real-time dynamic credibility evaluation of function call sequences and system call sequences during program execution, the credibility of industrial control terminal application program behavior can be judged. To solve the problem that the system calls generated during program execution are unstable and difficult to measure, this paper proposes a partition-based dynamic credibility evaluation method, dividing program behavior during runtime into function call behavior and system call behavior within function intervals. For function call behavior, a sliding window-based function call sequence benchmark library construction method is proposed, which matches and evaluates real-time measurement results based on the benchmark library, thereby achieving symmetry between the benchmark library and the measured data. For system call behavior, a maximum entropy system call model is constructed, which is used to evaluate the credibility of system call sequences. Experiment results demonstrate that our method performs better in both detection success rate and detection speed compared to the existing methods.

multidisciplinary sciences

Li-zhong Geng,Hui-bo Jia

DOI: https://doi.org/10.1109/IAS.2009.100

2009-01-01

Abstract:Rapid increase of information resources speeds the development of network storage. And security of network storage satisfies the demands of privacy and safety of the information. Data encryption and personal identity authentication which are based on cryptography can protect the storage against non-authorized access, while they are ineffective for malicious authorized users and inherent attacks. Also heavy performances affect the control of storage. This paper demonstrates an efficient intrusion detection system model for network-attached storage based on system calls and improves the Process Homeostasis to realize the implementation. The experimental results demonstrate high detection rate and low false detection rate. The total performance is about 3% additions when the detection system is running normally.

Moses Garuba,Chunmei Liu,Duane Fraites

DOI: https://doi.org/10.1109/itng.2008.231

2008-04-01

Abstract:Organizations require security systems that are flexible and adaptable in order to combat increasing threats from software vulnerabilities, virus attacks and other malicious code, in addition to internal attacks. Network intrusion detection systems, which are part of the layered defense scheme, must be able to meet these organizational objectives in order to be effective. Although signature based network intrusion detection systems meet several organizational security objectives, heuristic based network intrusion detection systems are able to fully meet the objectives of the organization. Through a comparative theoretical study, this paper analyzes several organizational security objectives in order to determine the network intrusion detection system that effectively meets these objectives. Through conclusive analysis of the study, heuristic based systems are better served to meet the organizational objectives than signature based systems. The analysis was based on which system provided definitive security objectives and offered the flexibility, adaptability, and reduced vulnerability that an organization requires.

Jiang Shan,Chen Changai

DOI: https://doi.org/10.2991/isrme-15.2015.109

2015-01-01

Abstract:The security of software applications, from web-based applications to mobile services, is always at risk because of the open society of internet. With the increase in the number of network throughput and security threats, intrusion detection system has attracted much attention in recent years. In this paper, we undertake the research on the principle techniques for network intrusion detection based on data mining and analysis approach. We adopt the prior knowledge on Bayesian network which is a directed acyclic graph, each node represents a random variable and an edge said direct probabilistic dependencies between two connected nodes. Then, we use the traditional risk assessment model to measure the possibility of being hearted. The numeric analysis and experimental illustration indicates the effectiveness of our method compared with other popular adopted state-of-the-art methodologies. In the future, we plan to introduce the graph and complex network theory into our prototype system to enhance the performance.

Zhang Xiaojun,Li Yingcai,Zhang Fuqiang,Zhang Qian,Han Li

DOI: https://doi.org/10.1145/3469213.3471388

2021-05-28

Abstract:With the continuous development of network technology, global informatization has become a reality. While the openness and interconnection of IP network protocols bring convenience to data communication, it also provides space for network intruders to enter the void. In particular, the terminal system design is fragile, the software running on the terminal is becoming more and more complicated, and its various components are interdependent, and vulnerabilities are prone to occur in the process of development and maintenance. 0day vulnerabilities emerge endlessly, and static protection methods have exposed deficiencies.