Intrusion detection using sequences of system calls

Steven A. Hofmeyr, Stephanie Forrest, Anil Somayaji

Research output: Contribution to journalArticlepeer-review

472 Scopus citations


A method is introduced for detecting intrusions at the level of privileged processes. Evidence is given that short sequences of system calls executed by running processes are a good discriminator between normal and abnormal operating characteristics of several common UNIX programs. Normal behavior is collected in two ways: Synthetically, by exercising as many normal modes of usage of a program as possible, and in a live user environment by tracing the actual execution of the program. In the former case several types of intrusive behavior were studied; in the latter case, results were analyzed for false positives.

Original languageEnglish (US)
Pages (from-to)151-180
Number of pages30
JournalJournal of Computer Security
Issue number3
StatePublished - 1998
Externally publishedYes

ASJC Scopus subject areas

  • Software
  • Safety, Risk, Reliability and Quality
  • Hardware and Architecture
  • Computer Networks and Communications


Dive into the research topics of 'Intrusion detection using sequences of system calls'. Together they form a unique fingerprint.

Cite this