The evolution of system-call monitoring

Stephanie Forrest, Steven Hofmeyr, Anil Somayaji

Research output: Contribution to journalConference articlepeer-review

99 Scopus citations

Abstract

Computer security systems protect computers and networks from unauthorized use by external agents and insiders. The similarities between computer security and the problem of protecting a body against damage from externally and internally generated threats are compelling and were recognized as early as 1972 when the term computer virus was coined. The connection to immunology was made explicit in the mid 1990s, leading to a variety of prototypes, commercial products, attacks, and analyses. The paper reviews one thread of this active research area, focusing on system-call monitoring and its application to anomaly intrusion detection and response. The paper discusses the biological principles illustrated by the method, followed by a brief review of how system call monitoring was used in anomaly intrusion detection and the results that were obtained. Proposed attacks against the method are discussed, along with several important branches of research that have arisen since the original papers were published. These include other data modeling methods, extensions to the original system call method, and rate limiting responses. Finally, the significance of this body of work and areas of possible future investigation are outlined in the conclusion.

Original languageEnglish (US)
Article number4721577
Pages (from-to)418-430
Number of pages13
JournalProceedings - Annual Computer Security Applications Conference, ACSAC
DOIs
StatePublished - 2008
Externally publishedYes
Event24th Annual Computer Security Applications Conference, ACSAC 2008 - Anaheim, CA, United States
Duration: Dec 8 2008Dec 12 2008

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Software
  • Safety, Risk, Reliability and Quality

Fingerprint

Dive into the research topics of 'The evolution of system-call monitoring'. Together they form a unique fingerprint.

Cite this