Monitoring System Calls for Anomaly Detection in Modern Operating Systems


Authors
  1. Eskandari, S.
  2. Khreich, W.
  3. Murtaza, S.S.
  4. Hamou-Lhadj, A.
  5. Couture, M.
Corporate Authors
Defence Research and Development Canada, Valcartier Research Centre, Quebec QC (CAN); Concordia Univ, Montreal QUE (CAN), Dept of Electrical and Computer Engineering
Abstract
Host-based intrusion detection systems monitor systems in operation for significant deviations from normal (and healthy) behaviour. Many approaches have been proposed in the literature. Most of them, however, do not consider even the basic attack prevention mechanisms that are activated by default on many of today's operating systems. Examples of such mechanisms include Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). With such security measures in place, attackers are forced to perform additional actions to circumvent them. In this research, we conjecture that some of these actions may require the use of additional system calls. If so, one can trace such attacks to discover attack patterns that can later be used to enhance the detection power of anomaly detection systems. The purpose of this short paper is to motivate the need to investigate the impact on system calls of attacks that try to overcome these prevention mechanisms.
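As an added illustration of the kind of system-call anomaly detector the abstract refers to, the following Python block implements a sequence-based (sliding-window, STIDE-style) detector over system-call traces. It is example code written for this page, not code from the paper or from DRDC. The traces are constructed here: a "normal" profile built from benign runs of a small network service, and a test trace in which extra memory-protection calls appear; the detector flags that trace because the resulting n-grams were never seen during profiling. The syscall names, the traces and the 20% mismatch threshold are assumptions for illustration.

```python
"""Sliding-window (n-gram) anomaly detection over system-call traces.

Added example, not the paper's own method.  The idea: record which short
sequences of system calls a program makes when running normally, then flag
a trace whose windows contain sequences that were never seen in that profile.
"""

# Constructed profiling traces (assumption: what benign runs of a small
# socket-based service might look like; these are not real captures).
NORMAL_TRACES = [
    ["socket", "bind", "listen", "accept", "read", "write", "close"],
    ["socket", "bind", "listen", "accept", "read", "read", "write", "close"],
    ["socket", "bind", "listen", "accept", "read", "write", "write", "close"],
]

# Constructed test trace: the same service, but with mprotect calls inserted.
# Changing page permissions is a generic way to work around non-executable
# memory; the exact placement here is an assumption, not an exploit recipe.
SUSPECT_TRACE = ["socket", "bind", "listen", "accept", "read",
                 "mprotect", "mprotect", "write", "close"]

# A benign trace whose exact ordering was never profiled as a whole, but whose
# windows all were (constructed to show that the detector generalises a little).
UNSEEN_BENIGN_TRACE = ["socket", "bind", "listen", "accept",
                       "read", "read", "write", "write", "close"]


def ngrams(trace, k):
    """All length-k windows of the trace, as tuples, in order."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_profile(traces, k=3):
    """Set of every length-k window observed across the profiling traces."""
    profile = set()
    for trace in traces:
        profile.update(ngrams(trace, k))
    return profile


def build_vocabulary(traces):
    """Set of every system call name observed during profiling."""
    return {call for trace in traces for call in trace}


def score_trace(trace, profile, k=3):
    """Return (mismatch_count, window_count, offending_windows).

    A mismatch is a window of the trace that never appeared in the profile.
    """
    windows = ngrams(trace, k)
    offending = [w for w in windows if w not in profile]
    return len(offending), len(windows), offending


def novel_syscalls(trace, vocabulary):
    """System calls in the trace that were never seen at all during profiling.

    This is the 'additional system calls' signal the abstract conjectures:
    a call that the program has no reason to make in normal operation.
    """
    return {call for call in trace if call not in vocabulary}


def is_anomalous(trace, profile, k=3, threshold=0.2):
    """Flag the trace if more than `threshold` of its windows are mismatches.

    The threshold is an assumption; in practice it is tuned on held-out benign
    traces so that normal variation does not raise alerts.
    """
    mismatches, total, _ = score_trace(trace, profile, k)
    if total == 0:
        return False
    return mismatches / total > threshold


def analyse(trace, traces=NORMAL_TRACES, k=3):
    """Convenience wrapper returning a small report for one trace."""
    profile = build_profile(traces, k)
    vocabulary = build_vocabulary(traces)
    mismatches, total, offending = score_trace(trace, profile, k)
    return {
        "anomalous": is_anomalous(trace, profile, k),
        "mismatch_ratio": mismatches / total if total else 0.0,
        "offending_windows": offending,
        "novel_syscalls": novel_syscalls(trace, vocabulary),
    }


if __name__ == "__main__":
    for name, trace in [("normal", NORMAL_TRACES[0]),
                        ("unseen-benign", UNSEEN_BENIGN_TRACE),
                        ("suspect", SUSPECT_TRACE)]:
        print(name, analyse(trace))
```

Two signals come out of this: a window-level mismatch ratio (sensitive to unusual orderings of otherwise familiar calls) and the set of calls never seen during profiling (the cheapest possible check, and the one the abstract's conjecture about "additional system calls" would feed). Real traces are noisier than these constructed ones, so the profile must be built from many runs and the threshold tuned on benign data the profile has not seen.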
Keywords
anomaly detection; cyber-threat; execution trace; system call; kernel module
Report Number
DRDC-RDDC-2016-N022 — External Literature
Date of publication
04 Oct 2016
Number of Pages
2
DSTKIM No
CA043188
CANDIS No
804483
Format(s):
Electronic Document (PDF)