We describe an unsupervised host-based intrusion detection system based on system call arguments and sequences. We define a set of anomaly detection models for the individual arguments of each call. We then describe a clustering process that helps to fit the models to the system call arguments more closely and that creates inter-relations among the different arguments of a system call. Finally, we add a behavioral Markov model in order to capture time correlations and abnormal behaviors. The whole system needs no prior knowledge as input; it has a good signal-to-noise ratio, and it is also able to correctly contextualize alarms, giving the user more information to judge whether a true or a false positive occurred, and to detect variations over the entire execution flow, as opposed to isolated variations in individual instances.
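The following is an added toy illustration of the layered design the abstract describes (per-argument anomaly models, one per system call, plus a behavioral Markov model over the call sequence, with alarms that carry context). It is not the authors' implementation: the training traces are constructed, the argument model (learned length band and character set) and the sequence threshold (worst training score relaxed by 20%) are simplifying assumptions, and the clustering stage is omitted.

```python
"""Toy layered syscall anomaly detector: per-argument models plus a first-order
Markov model over the call sequence.  Added illustration, not the paper's code;
traces, argument model and threshold rule are constructed assumptions."""
import math
from collections import Counter, defaultdict

START, END = "<start>", "<end>"

# Constructed training traces of a hypothetical static file server.
# Each event is (syscall name, string argument or None).
BENIGN_TRACES = [
    [("open", "/var/www/index.html"), ("read", None), ("write", None), ("close", None)],
    [("open", "/var/www/about.html"), ("read", None), ("read", None),
     ("write", None), ("close", None)],
    [("open", "/var/www/img/logo.png"), ("read", None), ("write", None), ("close", None)],
]


class StringArgModel:
    """Anomaly model for one string argument: learned length band and character set."""

    def __init__(self):
        self.lengths = []
        self.alphabet = set()

    def train(self, value):
        self.lengths.append(len(value))
        self.alphabet.update(value)

    def reasons(self, value):
        """Explain why `value` deviates from training (empty list = normal)."""
        out = []
        mean = sum(self.lengths) / len(self.lengths)
        std = math.sqrt(sum((n - mean) ** 2 for n in self.lengths) / len(self.lengths))
        # 3-sigma band widened by 1 so zero-variance training data does not flag everything (assumption).
        if abs(len(value) - mean) > 3 * std + 1:
            out.append(f"length {len(value)} far from training mean {mean:.1f}")
        unseen = set(value) - self.alphabet
        if unseen:
            out.append(f"characters never seen in training: {''.join(sorted(unseen))}")
        return out


class SyscallMarkovModel:
    """First-order Markov chain over syscall names with add-one (Laplace) smoothing."""

    def __init__(self):
        self.trans = defaultdict(Counter)
        self.alphabet = set()

    @staticmethod
    def _names(trace):
        return [START] + [name for name, _ in trace] + [END]

    def train(self, trace):
        names = self._names(trace)
        self.alphabet.update(names)
        for a, b in zip(names, names[1:]):
            self.trans[a][b] += 1

    def prob(self, a, b):
        """Smoothed P(b | a); transitions never seen keep a small nonzero mass."""
        total = sum(self.trans[a].values())
        return (self.trans[a][b] + 1) / (total + len(self.alphabet))

    def avg_log_prob(self, trace):
        """Average per-transition log-probability: a score for the whole execution flow."""
        names = self._names(trace)
        return sum(math.log(self.prob(a, b)) for a, b in zip(names, names[1:])) / (len(names) - 1)

    def unseen_transitions(self, trace):
        names = self._names(trace)
        return [f"{a}->{b}" for a, b in zip(names, names[1:]) if self.trans[a][b] == 0]


class Detector:
    def __init__(self, traces, score_slack=1.2):
        self.markov = SyscallMarkovModel()
        self.arg_models = {}
        for trace in traces:
            self.markov.train(trace)
            for name, arg in trace:
                if arg is not None:
                    self.arg_models.setdefault(name, StringArgModel()).train(arg)
        # Sequence threshold: worst training score, relaxed by score_slack (assumption).
        self.seq_threshold = min(self.markov.avg_log_prob(t) for t in traces) * score_slack

    def alarms(self, trace):
        """Contextualised alarm strings for one trace (empty list = no alarm)."""
        out = []
        for i, (name, arg) in enumerate(trace):
            if name not in self.markov.alphabet:
                out.append(f"#{i} {name}: syscall never observed in training")
            if arg is not None and name in self.arg_models:
                for why in self.arg_models[name].reasons(arg):
                    out.append(f"#{i} {name}({arg!r}): {why}")
        for t in self.markov.unseen_transitions(trace):
            out.append(f"transition never observed: {t}")
        score = self.markov.avg_log_prob(trace)
        if score < self.seq_threshold:
            out.append(f"sequence score {score:.2f} below threshold {self.seq_threshold:.2f}")
        return out


if __name__ == "__main__":
    det = Detector(BENIGN_TRACES)
    # Constructed attack trace: path traversal in the open() argument, then an execve.
    attack = [("open", "/var/www/../../etc/shadow"), ("read", None),
              ("execve", "/bin/sh"), ("write", None), ("close", None)]
    for line in det.alarms(attack):
        print(line)
```

Each alarm names the event index, the call and the violated model, which is the contextualisation the abstract refers to: an analyst sees whether a single argument, a single transition or the whole sequence score triggered it, rather than a bare "anomaly" flag.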
@article{Maggi2008Detecting_Intrusions,
title = {{Detecting Intrusions through System Call Sequence and Argument Analysis}},
author = {Maggi, Federico and Matteucci, Matteo and Zanero, Stefano},
month = {November},
year = {2008},
issn = {1545-5971},
journal = {IEEE Transactions on Dependable and Secure Computing (T},
number = {4},
pages = {381--395},
volume = {7}
}