Existing anomaly intrusion detection that monitors system calls has two problems: a vast number of false positives and a lack of risk information on detection. In order to solve these two problems, we propose an intrusion detection method called "Callchains." Callchains reduces the false positives of existing anomaly intrusion detection by restricting monitoring to activities involving the process capabilities prescribed by POSIX 1003.1e. Additionally, Callchains provides an administrator with information on the POSIX capabilities used in system call execution as an indicator of risk. This paper shows Callchains' design, its implementation, and experimental results comparing Callchains with existing approaches.
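The filtering step the abstract describes (alert only on system calls that actually exercise a held capability, and report which capability) can be approximated offline. The following is an added example, not code from the paper or its authors: Callchains instruments the kernel, whereas this script decodes the effective-capability mask Linux reports in /proc/<pid>/status (the CapEff line) and uses a hand-written table of which capability gates the privileged path of a few syscalls, per capabilities(7). The trace lines and per-process masks are constructed for the example; the syscall-to-capability table is an assumption standing in for the kernel's own capable() checks.

```python
"""Toy capability-gated syscall filter in the spirit of the Callchains idea.

Added example, not the paper's implementation. Callchains hooks the kernel;
here the same filtering is approximated offline from (a) a CapEff-style hex
mask as found in /proc/<pid>/status and (b) a small static table (an
assumption of this example) of which capability gates each syscall.
"""
import re

# Linux capability bit numbers from <linux/capability.h>: the POSIX 1003.1e
# draft names plus the Linux-specific additions.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Capability gating the privileged path of each syscall (see capabilities(7)).
# Assumption: this static table replaces the kernel's own capable() checks.
SYSCALL_CAP = {
    "setuid": "CAP_SETUID", "setgid": "CAP_SETGID", "chown": "CAP_CHOWN",
    "mknod": "CAP_MKNOD", "ptrace": "CAP_SYS_PTRACE", "chroot": "CAP_SYS_CHROOT",
    "mount": "CAP_SYS_ADMIN", "init_module": "CAP_SYS_MODULE",
    "bind": "CAP_NET_BIND_SERVICE", "kill": "CAP_KILL",
}

TRACE_RE = re.compile(r"pid=(\d+) comm=(\S+) syscall=(\w+)")


def decode_cap_mask(hex_mask):
    """Turn a CapEff-style hex mask (as in /proc/<pid>/status) into names."""
    mask = int(hex_mask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def filter_privileged(trace_lines, cap_eff_by_pid):
    """Keep only syscalls whose gating capability the calling process holds.

    Returns (total_events, alerts). Each alert names the capability used,
    which is the risk indicator handed to the administrator.
    """
    alerts = []
    total = 0
    for line in trace_lines:
        m = TRACE_RE.search(line)
        if not m:
            continue
        total += 1
        pid, comm, syscall = int(m.group(1)), m.group(2), m.group(3)
        cap = SYSCALL_CAP.get(syscall)
        if cap is None:
            continue  # unprivileged syscall: never an alert in this model
        held = decode_cap_mask(cap_eff_by_pid.get(pid, "0"))
        if cap in held:
            alerts.append({"pid": pid, "comm": comm, "syscall": syscall, "cap": cap})
    return total, alerts


# Constructed sample data (not from the paper): an unprivileged shell and a
# web server holding CAP_SETUID (bit 7), CAP_NET_BIND_SERVICE (bit 10) and
# CAP_SYS_ADMIN (bit 21) = 0x80 | 0x400 | 0x200000.
SAMPLE_CAPEFF = {
    1000: "0000000000000000",
    2000: "0000000000200480",
}

SAMPLE_TRACE = [
    "pid=1000 comm=bash syscall=read",
    "pid=1000 comm=bash syscall=open",
    "pid=1000 comm=bash syscall=setuid",   # no CAP_SETUID held: nothing to exercise
    "pid=2000 comm=httpd syscall=read",
    "pid=2000 comm=httpd syscall=bind",    # privileged port: CAP_NET_BIND_SERVICE
    "pid=2000 comm=httpd syscall=setuid",  # privilege drop: CAP_SETUID
    "pid=2000 comm=httpd syscall=mount",   # odd for a web server: CAP_SYS_ADMIN
    "pid=2000 comm=httpd syscall=chroot",  # CAP_SYS_CHROOT not held: no alert
]

if __name__ == "__main__":
    total, alerts = filter_privileged(SAMPLE_TRACE, SAMPLE_CAPEFF)
    print(f"{total} syscall events, {len(alerts)} capability-bearing alerts")
    for a in alerts:
        print(f"  pid={a['pid']} {a['comm']} {a['syscall']} -> {a['cap']}")
```

Of the eight constructed events only three survive the filter, and each carries the capability it exercised; the CAP_SYS_ADMIN mount from a web server is the kind of event an administrator would rank highest. The table-driven approximation is coarser than a kernel hook: it cannot tell a setuid() to the caller's own uid (no capability needed) from one that switches identity, which is exactly the distinction the in-kernel check provides.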
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Takahiro HARUYAMA, Hidenori NAKAZATO, Hideyoshi TOMINAGA, "Intrusion Detection by Monitoring System Calls with POSIX Capabilities" in IEICE TRANSACTIONS on Communications,
vol. E90-B, no. 10, pp. 2646-2654, October 2007, doi: 10.1093/ietcom/e90-b.10.2646.
Abstract: Existing anomaly intrusion detection that monitors system calls has two problems: a vast number of false positives and a lack of risk information on detection. In order to solve these two problems, we propose an intrusion detection method called "Callchains." Callchains reduces the false positives of existing anomaly intrusion detection by restricting monitoring to activities involving the process capabilities prescribed by POSIX 1003.1e. Additionally, Callchains provides an administrator with information on the POSIX capabilities used in system call execution as an indicator of risk. This paper shows Callchains' design, its implementation, and experimental results comparing Callchains with existing approaches.
URL: https://global.ieice.org/en_transactions/communications/10.1093/ietcom/e90-b.10.2646/_p
@ARTICLE{e90-b_10_2646,
author={Takahiro HARUYAMA and Hidenori NAKAZATO and Hideyoshi TOMINAGA},
journal={IEICE TRANSACTIONS on Communications},
title={Intrusion Detection by Monitoring System Calls with POSIX Capabilities},
year={2007},
volume={E90-B},
number={10},
pages={2646-2654},
abstract={Existing anomaly intrusion detection that monitors system calls has two problems: a vast number of false positives and a lack of risk information on detection. In order to solve these two problems, we propose an intrusion detection method called "Callchains." Callchains reduces the false positives of existing anomaly intrusion detection by restricting monitoring to activities involving the process capabilities prescribed by POSIX 1003.1e. Additionally, Callchains provides an administrator with information on the POSIX capabilities used in system call execution as an indicator of risk. This paper shows Callchains' design, its implementation, and experimental results comparing Callchains with existing approaches.},
keywords={},
doi={10.1093/ietcom/e90-b.10.2646},
ISSN={1745-1345},
month={October},
}
TY - JOUR
TI - Intrusion Detection by Monitoring System Calls with POSIX Capabilities
T2 - IEICE TRANSACTIONS on Communications
SP - 2646
EP - 2654
AU - Takahiro HARUYAMA
AU - Hidenori NAKAZATO
AU - Hideyoshi TOMINAGA
PY - 2007
DO - 10.1093/ietcom/e90-b.10.2646
JO - IEICE TRANSACTIONS on Communications
SN - 1745-1345
VL - E90-B
IS - 10
JA - IEICE TRANSACTIONS on Communications
Y1 - 2007/10//
AB - Existing anomaly intrusion detection that monitors system calls has two problems: a vast number of false positives and a lack of risk information on detection. In order to solve these two problems, we propose an intrusion detection method called "Callchains." Callchains reduces the false positives of existing anomaly intrusion detection by restricting monitoring to activities involving the process capabilities prescribed by POSIX 1003.1e. Additionally, Callchains provides an administrator with information on the POSIX capabilities used in system call execution as an indicator of risk. This paper shows Callchains' design, its implementation, and experimental results comparing Callchains with existing approaches.
ER -