A study of host-based IDS using system calls

Yasin, Muhammad Mehboob; Awan, Ali Afzal

doi:10.1109/incc.2004.1366573

Cited by 15 publications

(6 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A program must interact with the operating system to utilize system's resources through libraries that directly or indirectly use a standard library, such as allocating memory and sending a packet over the network to communicate with other computers. By obtaining system and/or library call traces over time, it is possible to identify which state the computing unit was operating on by analyzing the call list [12]. In other words, a computing unit responds to an event by a series of computation of which leaves a deterministic trace of system and library calls.…”

Section: B Characterization Of Smart Grid Device Processesmentioning

confidence: 99%

Detection of Compromised Smart Grid Devices with Machine Learning and Convolution Techniques

Kaygusuz

Babun

Aksu

et al. 2018

2018 IEEE International Conference on Communications (ICC)

View full text Add to dashboard Cite

The smart grid concept has transformed the traditional power grid into a massive cyber-physical system that depends on advanced two-way communication infrastructure to integrate a myriad of different smart devices. While the introduction of the cyber component has made the grid much more flexible and efficient with so many smart devices, it also broadened the attack surface of the power grid. Particularly, compromised devices pose great danger to the healthy operations of the smart-grid. For instance, the attackers can control the devices to change the behaviour of the grid and can impact the measurements. In this paper, to detect such misbehaving malicious smart grid devices, we propose a machine learning and convolution-based classification framework. Our framework specifically utilizes system and library call lists at the kernel level of the operating system on both resourcelimited and resource-rich smart grid devices such as RTUs, PLCs, PMUs, and IEDs. Focusing on the types and other valuable features extracted from the system calls, the framework can successfully identify malicious smart-grid devices. In order to test the efficacy of the proposed framework, we built a representative testbed conforming to the IEC-61850 protocol suite and evaluated its performance with different system calls. The proposed framework in different evaluation scenarios yields very high accuracy (avg. 91%) which reveals that the framework is effective to overcome compromised smart grid devices problem.

show abstract

Section: B Characterization Of Smart Grid Device Processesmentioning

confidence: 99%

Detection of Compromised Smart Grid Devices with Machine Learning and Convolution Techniques

Kaygusuz

Babun

Aksu

et al. 2018

2018 IEEE International Conference on Communications (ICC)

View full text Add to dashboard Cite

show abstract

“…Host-based systems [12], [13], base their decisions on information obtained from a single host (usually log files, network traffic to and from the host, or information on processes running on the host), while network-based systems [20] obtain data by monitoring network traffic between hosts, and are usually run on a separate machine. Most current IDS technology still suffers from three main problems which limit their detection ability: low detection accuracy (registering high False Positive alarms and False Negative); low real-time performance (processing large amounts of traffic data in real time); and limited scalability (storing a large number of user profiles and attack signatures).…”

Section: Problem Statementmentioning

confidence: 99%

An Approach for Collaborative Decision in Distributed Intrusion Detection System

Sharma¹,

Singh²

2016

IJCA

View full text Add to dashboard Cite

Computers have virtually changed every aspect of our life. The rapid growth in the development of computers was focused on making the computer easy to use for all. The rapid growth did not give as much importance on the security of the computer system thereby leaving system as vulnerable to attacks. As internet and its applications are increasing, complex and hybrid networks are being used for communication. So many loopholes are being explored to intrude into other systems. There are many tools and techniques available for securing networks like Firewalls, IDS etc. and until now they are used very frequently by nearly all the organizations to safeguard information and other critical data but these are not sufficient for implementing complete security because the intruders have become smarter.Higher security being the priority of many organizations has led to the importance and promoting active research on efficient Intrusion Detection Systems. To deal with various types of attacks we need to have information of attacks from other sources as well. This can be done by sharing intrusion information with all. As hackers are becoming more intelligent we need to have collaborative decision making system where intrusion activity is decided by knowing other's opinion as well. We have proposed an approach to enhance the collaborative decision making by conducting polls between registered intrusion detection systems in the network. Intrusion activity for new packets and false positives is decided based on all opinions gathered from registered intrusion detection systems.

show abstract

“…Kingsly Leung [2] introduced grid based and density based cluster approach for separating frequent item sets from non frequent item sets and they used their density based support mechanism for identifying unseen attack in anomaly detection. [1,8] introduced sequence based anomaly detection approach. Jiawei Han [6] Developed frequent pattern tree as a data structure for storing data in compact form and quick access of frequent item.…”

Section: Related Work and Related Stuffsmentioning

confidence: 99%

Intrusion Detection Using Graph Support: A Hybrid Approach of Supervised and Unsupervised Techniques

Pal¹,

Jain²,

Goyal³

et al. 2010

IJACT

View full text Add to dashboard Cite

At present it is almost impossible to detect zero day attack with help of supervised anomaly detection methods. Unsupervised techniques also have the drawback of low detection rate in spite of detection of zero day attacks. Using combination of both unsupervised and supervised methods, promising detection results can be produced. In this paper we present a new sequence based graph support technique which is suitable for both supervised and unsupervised anomaly detection. Based on the system call interception technique, we present a intrusion detection system using Graph Support. This system intercepts every system call invoked by application programs and design graph to calculate the support. Once there are evidences showing certain deviation (graph support is less than threshold) is happening, the system can terminate the malicious process before it hurts the system. With help of graph support we could detect the malicious attack in the system.

show abstract

A study of host-based IDS using system calls

Cited by 15 publications

References 6 publications

Detection of Compromised Smart Grid Devices with Machine Learning and Convolution Techniques

Detection of Compromised Smart Grid Devices with Machine Learning and Convolution Techniques

An Approach for Collaborative Decision in Distributed Intrusion Detection System

Intrusion Detection Using Graph Support: A Hybrid Approach of Supervised and Unsupervised Techniques

Contact Info

Product

Resources

About