{
  "status": "ok",
  "message-type": "work",
  "message-version": "1.0.0",
  "message": {
    "indexed": {
      "date-parts": [[2026, 2, 25]],
      "date-time": "2026-02-25T17:53:07Z",
      "timestamp": 1772041987382,
      "version": "3.50.1"
    },
    "reference-count": 38,
    "publisher": "Association for Computing Machinery (ACM)",
    "issue": "1",
    "content-domain": {
      "domain": ["dl.acm.org"],
      "crossmark-restriction": true
    },
    "short-container-title": ["ACM Trans. Inf. Syst. Secur."],
    "published-print": {"date-parts": [[2006, 2]]},
    "abstract": "<jats:p>Intrusion detection systems (IDSs) are used to detect traces of malicious activities targeted against the network and its resources. Anomaly-based IDSs build models of the expected behavior of applications by analyzing events that are generated during the applications' normal operation. Once these models have been established, subsequent events are analyzed to identify deviations, on the assumption that anomalies represent evidence of an attack. Host-based anomaly detection systems often rely on system call sequences to characterize the normal behavior of applications. Recently, it has been shown how these systems can be evaded by launching attacks that execute legitimate system call sequences. The evasion is possible because existing techniques do not take into account all available features of system calls. In particular, system call arguments are not considered. We propose two primary improvements upon existing host-based anomaly detectors. First, we apply multiple detection models to system call arguments. Multiple models allow the arguments of each system call invocation to be evaluated from several different perspectives. Second, we introduce a sophisticated method of combining the anomaly scores from each model into an overall aggregate score. The combined anomaly score determines whether an event is part of an attack. Individual anomaly scores are often contradicting and, therefore, a simple weighted sum cannot deliver reliable results. To address this problem, we propose a technique that uses Bayesian networks to perform system call classification. We show that the analysis of system call arguments and the use of Bayesian classification improves detection accuracy and resilience against evasion attempts. In addition, the paper describes a tool based on our approach and provides a quantitative evaluation of its performance in terms of both detection effectiveness and overhead. A comparison with four related approaches is also presented.<\/jats:p>",
    "DOI": "10.1145\/1127345.1127348",
    "type": "journal-article",
    "created": {
      "date-parts": [[2006, 5, 8]],
      "date-time": "2006-05-08T16:09:20Z",
      "timestamp": 1147104560000
    },
    "page": "61-93",
    "update-policy": "https:\/\/doi.org\/10.1145\/crossmark-policy",
    "source": "Crossref",
    "is-referenced-by-count": 160,
    "title": ["Anomalous system call detection"],
    "prefix": "10.1145",
    "volume": "9",
    "author": [
      {"given": "Darren", "family": "Mutz", "sequence": "first", "affiliation": [{"name": "University of California, Santa Barbara, Santa Barbara, CA"}]},
      {"given": "Fredrik", "family": "Valeur", "sequence": "additional", "affiliation": [{"name": "University of California, Santa Barbara, Santa Barbara, CA"}]},
      {"given": "Giovanni", "family": "Vigna", "sequence": "additional", "affiliation": [{"name": "University of California, Santa Barbara, Santa Barbara, CA"}]},
      {"given": "Christopher", "family": "Kruegel", "sequence": "additional", "affiliation": [{"name": "Technical University of Vienna, Vienna"}]}
    ],
    "member": "320",
    "published-online": {"date-parts": [[2006, 2]]},
    "reference": [
      {"key": "e_1_2_1_1_1", "unstructured": "advisory-ftpd 2000. Advisory: Input validation problems in wuftpd. http:\/\/www.cert.org\/advisories\/CA-2000-13.html."},
      {"key": "e_1_2_1_2_1", "volume-title": "Proc. 21st NIST-NCSC National Information Systems Security Conference.", "author": "Axelsson S.", "year": "1998"},
      {"key": "e_1_2_1_3_1", "doi-asserted-by": "publisher", "DOI": "10.1145\/504909.504911"},
      {"key": "e_1_2_1_4_1", "unstructured": "Billingsley P. 1995. Probability and Measure 3rd ed. Wiley-Interscience New York."},
      {"key": "e_1_2_1_5_1", "volume-title": "Proceedings of the 33rd Southeastern Symposium on System Theory.", "author": "Bykova M."},
      {"key": "e_1_2_1_6_1", "volume-title": "Proceedings of the 2002 ISOC Symposium on Network and Distributed System Security (NDSS'02)", "author": "Chari S. N."},
      {"key": "e_1_2_1_7_1", "doi-asserted-by": "publisher", "DOI": "10.1109\/TSE.1987.232894"},
      {"key": "e_1_2_1_8_1", "unstructured": "Devore J. 1982. Probability and Statistics for Engineering and the Sciences 1st ed. Brooks\/Cole."},
      {"key": "e_1_2_1_9_1", "volume-title": "Proceedings of the 2003 IEEE Symposium on Security and Privacy.", "author": "Feng H.", "year": "2003"},
      {"key": "e_1_2_1_10_1", "volume-title": "Proceedings of the IEEE Symposium on Security and Privacy", "author": "Forrest S.", "year": "1996"},
      {"key": "e_1_2_1_11_1", "volume-title": "Proceedings of the Annual Computer Security Application Conference (ACSAC'98)", "author": "Ghosh A."},
      {"key": "e_1_2_1_12_1", "volume-title": "Proceedings of the 11th Network and Distributed System Security Symposium", "author": "Giffin J."},
      {"key": "e_1_2_1_13_1", "volume-title": "Proceedings of the 6th USENIX Security Symposium", "author": "Goldberg I.", "year": "1996"},
      {"key": "e_1_2_1_14_1", "volume-title": "Proceedings of the IEEE Symposium on Security and Privacy.", "author": "Javitz H. S."},
      {"key": "e_1_2_1_15_1", "doi-asserted-by": "crossref", "unstructured": "Jensen F. V. 2001. Bayesian Networks and Decision Graphs. Springer-Verlag New York.", "DOI": "10.1007\/978-1-4757-3502-4"},
      {"key": "e_1_2_1_16_1", "volume-title": "Proceedings of 6th IEEE Systems Man and Cybernetics Information Assurance Workshop (IAW).", "author": "Kang D.-K."},
      {"key": "e_1_2_1_17_1", "volume-title": "Proceedings of the 1997 IEEE Symposium on Security and Privacy. 175--187", "author": "Ko C."},
      {"key": "e_1_2_1_18_1", "volume-title": "7th European Symposium on Research in Computer Security (ESORICS).", "author": "Lee S. Y."},
      {"key": "e_1_2_1_19_1", "volume-title": "Proceedings of the AAAI Workshop: AI Approaches to Fraud Detection and Risk Management.", "author": "Lee W."},
      {"key": "e_1_2_1_20_1", "volume-title": "Proceedings of the 5th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining (KDD '99)", "author": "Lee W."},
      {"key": "e_1_2_1_21_1", "volume-title": "IEEE Symposium on Security and Privacy", "author": "Lindqvist U."},
      {"key": "e_1_2_1_22_1", "unstructured": "linuxconf 2002. Advisory: Buffer overflow in linuxconf. http:\/\/www.idefense.com\/advisory\/08.28.02.txt."},
      {"key": "e_1_2_1_23_1", "volume-title": "Proceedings of Recent Advances in Intrusion Detection. LNCS. Springer", "author": "Lippmann R.", "year": "2000"},
      {"key": "e_1_2_1_24_1", "volume-title": "1st USENIX Workshop on Intrusion Detection and Network Monitoring Santa Clara, CA.", "author": "Neumann P."},
      {"key": "e_1_2_1_25_1", "volume-title": "Proceedings of the 7th USENIX Security Symposium", "author": "Paxson V.", "year": "1998"},
      {"key": "e_1_2_1_26_1", "volume-title": "National Information Systems Security Conference.", "author": "Porras P."},
      {"key": "e_1_2_1_27_1", "volume-title": "ACM CSS Workshop on Data Mining Applied to Security (DMSA).", "author": "Portnoy L."},
      {"key": "e_1_2_1_28_1", "volume-title": "Proceedings of the 12th USENIX Security Symposium", "author": "Provos N.", "year": "2003"},
      {"key": "e_1_2_1_29_1", "unstructured": "Snare 2003. SNARE---System iNtrusion Analysis and Reporting Environment. http:\/\/www.intersectalliance.com\/projects\/Snare."},
      {"key": "e_1_2_1_30_1", "volume-title": "Proceedings of the IDS Workshop of the 7th Computer and Communications Security Conference. Athens.", "author": "Staniford S.", "year": "2000"},
      {"key": "e_1_2_1_31_1", "unstructured": "Stolcke A. and Omohundro S. 1993. Hidden Markov Model Induction by Bayesian Model Merging. Advances in Neural Information Processing Systems."},
      {"key": "e_1_2_1_32_1", "volume-title": "Conference on Grammatical Inference.", "author": "Stolcke A."},
      {"key": "e_1_2_1_33_1", "volume-title": "Proceedings of the IEEE Symposium on Security and Privacy", "author": "Tan K."},
      {"key": "e_1_2_1_34_1", "volume-title": "Proceedings of RAID", "author": "Tan K.", "year": "2002"},
      {"key": "e_1_2_1_35_1", "volume-title": "Proceedings of the 9th European Software Engineering Conference", "author": "Vigna G."},
      {"key": "e_1_2_1_36_1", "volume-title": "Proceedings of the IEEE Symposium on Security and Privacy. IEEE Press", "author": "Wagner D."},
      {"key": "e_1_2_1_37_1", "volume-title": "Proceedings of the 9th ACM Conference on Computer and Communications Security. Washington DC. 255--264", "author": "Wagner D."},
      {"key": "e_1_2_1_38_1", "volume-title": "Proceedings of the IEEE Symposium on Security and Privacy.", "author": "Warrender C."}
    ],
    "container-title": ["ACM Transactions on Information and System Security"],
    "original-title": [],
    "language": "en",
    "link": [{"URL": "https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1127345.1127348", "content-type": "unspecified", "content-version": "vor", "intended-application": "similarity-checking"}],
    "deposited": {
      "date-parts": [[2022, 12, 28]],
      "date-time": "2022-12-28T19:39:07Z",
      "timestamp": 1672256347000
    },
    "score": 1,
    "resource": {"primary": {"URL": "https:\/\/dl.acm.org\/doi\/10.1145\/1127345.1127348"}},
    "subtitle": [],
    "short-title": [],
    "issued": {"date-parts": [[2006, 2]]},
    "references-count": 38,
    "journal-issue": {"issue": "1", "published-print": {"date-parts": [[2006, 2]]}},
    "alternative-id": ["10.1145\/1127345.1127348"],
    "URL": "https:\/\/doi.org\/10.1145\/1127345.1127348",
    "relation": {},
    "ISSN": ["1094-9224", "1557-7406"],
    "issn-type": [{"value": "1094-9224", "type": "print"}, {"value": "1557-7406", "type": "electronic"}],
    "subject": [],
    "published": {"date-parts": [[2006, 2]]},
    "assertion": [{"value": "2006-02-01", "order": 2, "name": "published", "label": "Published", "group": {"name": "publication_history", "label": "Publication History"}}]
  }
}