Intrusion Detection by Monitoring System Calls with POSIX Capabilities

Takahiro HARUYAMA  Hidenori NAKAZATO  Hideyoshi TOMINAGA  

IEICE TRANSACTIONS on Communications   Vol.E90-B   No.10   pp.2646-2654
Publication Date: 2007/10/01
Online ISSN: 1745-1345
DOI: 10.1093/ietcom/e90-b.10.2646
Print ISSN: 0916-8516
Type of Manuscript: Special Section PAPER (Special Section on New Challenge for Internet Technology and its Architecture)
anomaly detection,  system call,  POSIX capability,  

Full Text: PDF(358.7KB)>>
Buy this Article

Existing anomaly intrusion detection that monitors system calls has two problems: vast false positives and lack of risk information on detection. In order to solve the two problems, we propose an intrusion detection method called "Callchains." Callchains reduces the false positives of existing anomaly intrusion detection by restricting monitoring to the activities with process capabilities prescribed by POSIX 1003.1e. Additionally, Callchains provides an administrator information of used POSIX capabilities in sytem call execution as an indicator of risk. This paper shows Callchains' design, its implementation, and experimental results comparing Callchains with existing approaches.