Intrusion Detection via System Call Traces C .

Unusual behavior in computer systems can be detected by monitoring the system calls being executed by programs. Analysis of the temporal ordering of these calls reveals that such anomalies are localized within traces and that normal program behavior can be described compactly using deterministic finite automata. omputer use leaves trails of activity that can reveal signatures of misuse as well as of legitimate activity. Depending on the audit method used, the data recorded can range from a given user’s keystrokes or commands, to the system resources used or the system calls made by some collection of processes. Once a security system has collected an audit trail, it can use that information in a variety of ways. (See the boxed text on page 41 for an overview of intrusion detection techniques.) In the ideal case, the system can analyze the trail online as it is created, flag any unusual, anomalous, or prohibited behavior immediately, and then initiate a response. If it must examine the trail off line, this can take place routinely during off-peak hours or when unusual behavior has been detected by some other means. There is a chance, in this case, that a particularly successful intruder could corrupt the trail and hide the intrusion. For this reason, a computationally fast online method is useful.