Selecting and Improving System Call Models for Anomaly Detection
Authors:Alessandro Frossi, Federico Maggi, Gian Luigi Rizzo, Stefano Zanero
Proceedings of the International Conference on Detection of Intrusions and …
Journal Article
Abstract
We propose a syscall-based anomaly detection system that incorporates both deterministic and stochastic models. We analyze in detail two alternative approaches for anomaly detection over system call sequences and arguments, and propose a number of modifications that significantly improve their performance. We begin by comparing them and analyzing their respective performance in terms of detection accuracy. Then, we outline their major shortcomings, and propose various changes in the models that can address them: we show how targeted modifications of their anomaly models, as opposed to the redesign of the global system, can noticeably improve the overall detection accuracy. Finally, the impact of these modifications is discussed by comparing the performance of the two original implementations with two modified versions complemented with our models.
@InProceedings{frossi_hybridsyscalls_2009,
  abstract   = {We propose a syscall-based anomaly detection system that incorporates both deterministic and stochastic models. We analyze in detail two alternative approaches for anomaly detection over system call sequences and arguments, and propose a number of modifications that significantly improve their performance. We begin by comparing them and analyzing their respective performance in terms of detection accuracy. Then, we outline their major shortcomings, and propose various changes in the models that can address them: we show how targeted modifications of their anomaly models, as opposed to the redesign of the global system, can noticeably improve the overall detection accuracy. Finally, the impact of these modifications is discussed by comparing the performance of the two original implementations with two modified versions complemented with our models.},
  author     = {Frossi, Alessandro and Maggi, Federico and Rizzo, Gian Luigi and Zanero, Stefano},
  booktitle  = {Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA)},
  date       = {2009-07-09},
  doi        = {10.1007/978-3-642-02918-9_13},
  file       = {files/papers/conference-papers/frossi_hybridsyscalls_2009.pdf},
  shorttitle = {HybridSyscalls},
  title      = {Selecting and Improving System Call Models for Anomaly Detection}
}