For Full-Text PDF, please login, if you are a member of IEICE,|
or go to Pay Per View on menu list, if you are a nonmember of IEICE.
Intrusion Detection by Monitoring System Calls with POSIX Capabilities
Takahiro HARUYAMA Hidenori NAKAZATO Hideyoshi TOMINAGA
IEICE TRANSACTIONS on Communications
Publication Date: 2007/10/01
Online ISSN: 1745-1345
Print ISSN: 0916-8516
Type of Manuscript: Special Section PAPER (Special Section on New Challenge for Internet Technology and its Architecture)
anomaly detection, system call, POSIX capability,
Full Text: PDF>>
Existing anomaly intrusion detection that monitors system calls has two problems: vast false positives and lack of risk information on detection. In order to solve the two problems, we propose an intrusion detection method called "Callchains." Callchains reduces the false positives of existing anomaly intrusion detection by restricting monitoring to the activities with process capabilities prescribed by POSIX 1003.1e. Additionally, Callchains provides an administrator information of used POSIX capabilities in sytem call execution as an indicator of risk. This paper shows Callchains' design, its implementation, and experimental results comparing Callchains with existing approaches.