Host-Based Anomaly Detection on System Call Arguments presented at BlackhatUSA 2006

by Stefano Zanero,

Summary : Traditionally, host-based anomaly detection has dealt with system call sequences, but not with system call arguments. We propose a prototype which is capable of detecting anomalous system calls in an execution flow, thus helping in tracing intrusions. Our tool analyzes each argument of the system call, characterizing its contents and comparing it with a model of the content. It is able to cluster system calls and detect "different uses" of the same syscall in different points of different programs. It is also able to build a Markovian model of the sequence, which is then used to trace and flag anomalies.