Anomaly Detection Through System Call Argument Analysis presented at Blackhat Europe 2006

by Stefano Zanero

Tags: Security Analysis

Summary: Traditionally, host-based anomaly detection has dealt with system call sequences, but not with system call arguments. We propose a prototype which is capable of detecting anomalous system calls in an execution flow, thus helping to trace intrusions. Our tool analyzes each argument of the system call, characterizing its contents and comparing it with a model of the content. It is able to cluster system calls and detect "different uses" of the same syscall at different points of different programs. It is also able to build a Markovian model of the sequence, which is then used to trace and flag anomalies.
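As an added illustration of the approach the abstract describes (example code written for this page, not the authors' prototype), the toy detector below learns a content model for each (syscall, argument position) from a constructed benign trace, plus a first-order Markov chain over the syscall sequence, and then flags calls whose arguments or transitions fall outside what was learned. The syscall names, the traces and the character-class scheme are assumptions made for the example.

```python
from collections import defaultdict

# Constructed benign training trace: (syscall, args) pairs, not a real capture.
TRAIN = [("open", ("/etc/passwd", 0)), ("read", (3, 512)), ("close", (3,)),
         ("open", ("/var/log/app.log", 1)), ("write", (4, 64)), ("close", (4,))]
# Constructed test trace: two benign calls, an overlong path with an unusual character, then a syscall never modelled.
TEST = [("open", ("/etc/passwd", 0)), ("read", (3, 512)),
        ("open", ("/tmp/" + "A" * 40 + " x", 0)), ("execve", ("/bin/sh",))]

def _classes(s):
    """Character classes present in a string argument (alpha/digit/path/other)."""
    return {"alpha" if c.isalpha() else "digit" if c.isdigit() else "path" if c in "/._-" else "other" for c in s}

def train(trace):
    """Learn a per-(syscall, arg position) content model and Markov transition counts."""
    models, trans, prev = {}, defaultdict(lambda: defaultdict(int)), None
    for name, args in trace:
        for i, a in enumerate(args):
            m = models.setdefault((name, i), {"len": [10**9, -1], "cls": set(), "vals": set()})
            if isinstance(a, str):  # strings: length range and character classes seen
                m["len"] = [min(m["len"][0], len(a)), max(m["len"][1], len(a))]
                m["cls"] |= _classes(a)
            else:                   # integers (fds, flags, sizes): the set of values seen
                m["vals"].add(a)
        if prev is not None:
            trans[prev][name] += 1  # first-order Markov chain over syscall names
        prev = name
    return models, trans

def detect(trace, models, trans, slack=2):
    """Return [(index, reason)] for every call whose arguments or transition deviate."""
    alerts, prev = [], None
    for idx, (name, args) in enumerate(trace):
        for i, a in enumerate(args):
            m = models.get((name, i))
            if m is None:
                alerts.append((idx, f"{name}[{i}] never modelled")); continue
            if isinstance(a, str):
                lo, hi = m["len"]
                if not lo - slack <= len(a) <= hi + slack:
                    alerts.append((idx, f"{name}[{i}] length {len(a)} outside {lo}-{hi}"))
                if _classes(a) - m["cls"]:
                    alerts.append((idx, f"{name}[{i}] unseen character class"))
            elif a not in m["vals"]:
                alerts.append((idx, f"{name}[{i}] value {a} never seen"))
        if prev is not None and trans[prev][name] == 0:  # transition never observed in training
            alerts.append((idx, f"transition {prev}->{name} never seen"))
        prev = name
    return alerts
```

Running `detect(TEST, *train(TRAIN))` flags the third call twice (length and character class of its path argument) plus its unseen read->open transition, and the fourth call for an unmodelled argument and an unseen transition.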