INTRUSION DETECTION VIA SYSTEM CALL TRACES

Computer use leaves trails of activity that can reveal signatures of m isuse as well as of legitimate activity. Depending on the audit method used, one can record a user's keystrokes, the system resources used, or the system calls made by some collection of processes. The authors have done preliminary work on the analysis of system call traces, part icularly their structure during normal and anomalous behavior, and hav e found the anomalies to be temporally localized. These techniques cou ld eventually lead to an effective, automatic analysis and monitoring system, and might even be extensible to handle other kinds of anomalou s behavior.