Abstract
A method is introduced for detecting intrusions at the level of privileged processes. Evidence is given that short sequences of system calls executed by running processes are a good discriminator between normal and abnormal operating characteristics of several common UNIX programs. Normal behavior is collected in two ways: synthetically, by exercising as many normal modes of usage of a program as possible, and in a live user environment, by tracing the actual execution of the program. In the former case several types of intrusive behavior were studied; in the latter case, results were analyzed for false positives.
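To make the idea in the abstract concrete, the following is an added example (not code from the paper or its authors) of the sliding-window approach: a profile of short system-call sequences is built from normal traces, and a new trace is scored by how many of its windows never appear in that profile. The window length `K = 3`, the mismatch threshold, the plain mismatch-fraction score, and the sample traces are all constructed assumptions for this illustration; the paper's own scoring and data differ.

```python
"""Added example (not from the paper): profile of short system-call sequences.

Builds a set of all length-K windows seen in normal traces, then scores a new
trace by the fraction of its windows that are absent from the profile.
Window length, threshold and the traces below are constructed assumptions.
"""

# Constructed normal traces: system-call names only, arguments ignored,
# as the abstract's "short sequences of system calls" suggests.
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "open", "read", "close"],
    ["open", "read", "mmap", "open", "read", "read", "close"],
    ["open", "mmap", "read", "close", "open", "read", "close"],
]

# Constructed trace that departs from every normal mode of usage above.
ANOMALOUS_TRACE = ["open", "read", "fork", "execve", "setuid", "write", "close"]

K = 3  # window length; an assumption, not the paper's choice


def windows(trace, k=K):
    """All contiguous length-k windows of a trace, as tuples."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_profile(traces, k=K):
    """Normal profile: the set of every length-k window seen in normal traces.

    This corresponds to the 'synthetic' or 'live' collection phase: every
    window observed during normal operation is recorded as acceptable.
    """
    profile = set()
    for trace in traces:
        profile.update(windows(trace, k))
    return profile


def score_trace(trace, profile, k=K):
    """Return (mismatched windows, total windows, mismatch fraction).

    A window is a mismatch when it never occurred in the normal profile.
    """
    ws = windows(trace, k)
    if not ws:
        return 0, 0, 0.0
    mismatches = sum(1 for w in ws if w not in profile)
    return mismatches, len(ws), mismatches / len(ws)


def is_anomalous(trace, profile, threshold=0.2, k=K):
    """Flag a trace when its mismatch fraction exceeds the (assumed) threshold.

    The threshold trades detection against false positives: too low and
    rare-but-legitimate sequences in live use raise alarms, too high and
    short intrusions hide among normal windows.
    """
    return score_trace(trace, profile, k)[2] > threshold


if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES)
    print("profile size:", len(profile))
    for name, trace in (("normal", NORMAL_TRACES[0]), ("anomalous", ANOMALOUS_TRACE)):
        print(name, score_trace(trace, profile), is_anomalous(trace, profile))
```

Note that a trace never seen during training, such as `open read mmap open read close`, is still accepted because every one of its windows appears in the profile; this is how a profile built from a finite set of normal runs generalizes, and also why the abstract's live-environment false-positive analysis matters: any legitimate sequence that the collection phase missed will register as mismatches.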
Field | Value
---|---
Original language | English (US)
Pages (from-to) | 151-180
Number of pages | 30
Journal | Journal of Computer Security
Volume | 6
Issue number | 3
DOIs | 
State | Published - 1998
Externally published | Yes
ASJC Scopus subject areas
- Software
- Safety, Risk, Reliability and Quality
- Hardware and Architecture
- Computer Networks and Communications