{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,3]],"date-time":"2026-04-03T01:27:22Z","timestamp":1775179642227,"version":"3.50.1"},"reference-count":37,"publisher":"SAGE Publications","issue":"3","license":[{"start":{"date-parts":[[1998,7,1]],"date-time":"1998-07-01T00:00:00Z","timestamp":899251200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Journal of Computer Security"],"published-print":{"date-parts":[[1998,7,1]]},"abstract":"<jats:p> A method is introduced for detecting intrusions at the level of privileged processes. Evidence is given that short sequences of system calls executed by running processes are a good discriminator between normal and abnormal operating characteristics of several common UNIX programs. Normal behavior is collected in two ways: Synthetically, by exercising as many normal modes of usage of a program as possible, and in a live user environment by tracing the actual execution of the program. In the former case several types of intrusive behavior were studied; in the latter case, results were analyzed for false positives. <\/jats:p>","DOI":"10.3233\/jcs-980109","type":"journal-article","created":{"date-parts":[[2016,5,18]],"date-time":"2016-05-18T07:25:09Z","timestamp":1463556309000},"page":"151-180","source":"Crossref","is-referenced-by-count":744,"title":["Intrusion detection using sequences of system calls"],"prefix":"10.1177","volume":"6","author":[{"given":"Steven A.","family":"Hofmeyr","sequence":"first","affiliation":[{"name":"Department of Computer Science, University of New Mexico, Albuquerque, NM\u00a087131-1386, USA. E-mail:\u00a0,\u00a0,\u00a0"}]},{"given":"Stephanie","family":"Forrest","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of New Mexico, Albuquerque, NM\u00a087131-1386, USA. E-mail:\u00a0,\u00a0,\u00a0"}]},{"given":"Anil","family":"Somayaji","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of New Mexico, Albuquerque, NM\u00a087131-1386, USA. E-mail:\u00a0,\u00a0,\u00a0"}]}],"member":"179","published-online":{"date-parts":[[1998,7,1]]},"reference":[{"key":"ref001","unstructured":"[8LGM]. [8lgm]-advisory-16.unix.sendmail-6-dec-1994, http:\/\/www.8lgm.org\/advisories.html."},{"key":"ref002","unstructured":"[8LGM]. [8lgm]-advisory-22.unix.syslog. 2-aug-1995, http:\/\/www.8lgm.org\/advisories.html."},{"key":"ref003","unstructured":"[8LGM]. [8lgm]-advisory-3.unix.lpr. 19-aug-1991, http:\/\/www.8lgm.org\/advisories.html."},{"key":"ref004","unstructured":"D.\u00a0Anderson, T.\u00a0Frivold and A.\u00a0Valdes, Next-generation intrusion detection expert system (NIDES): A summary. Technical Report SRI\u2013CSL\u201395\u201307, Computer Science Laboratory, SRI International, May 1995."},{"key":"ref005","unstructured":"CERT, wuarchive.ftpd vulnerability. ftp:\/\/info.cert.org\/pub\/cert_advisories\/CA-93:53.wuarchive.ftpd.vulnerability, 1993."},{"key":"ref006","doi-asserted-by":"crossref","unstructured":"CERT, Sendmail v.5 vulnerability. ftp:\/\/info.cert.org\/pub\/cert_advisories\/CA-95:05.sendmail.vulnerabilities, February 22 1995.","DOI":"10.1016\/1353-4858(95)90081-0"},{"key":"ref007","doi-asserted-by":"crossref","unstructured":"CERT, Sendmail v.5 vulnerability. ftp:\/\/info.cert.org\/pub\/cert_advisories\/CA-95:08.sendmail.v.5.vulnerability, August 17 1995.","DOI":"10.1016\/1353-4858(95)90081-0"},{"key":"ref008","doi-asserted-by":"crossref","unstructured":"CERT, Syslog vulnerability \u2013 a workaround for sendmail. ftp:\/\/info.cert.org\/pub\/cert_advisories\/CA-95:13.syslog.vul, October 19 1995.","DOI":"10.1016\/1353-4858(95)90258-9"},{"key":"ref009","unstructured":"CERT, swinstall vulnerability. ftp:\/\/info.cert.org\/pub\/cert_advisories\/CA-96:27, December 1996."},{"key":"ref010","unstructured":"M.\u00a0Crosbie and G.\u00a0Spafford, Defending a computer system using autonomous agents, in: Proceedings of the 18th National Information Security Systems Conference, 1995."},{"key":"ref011","doi-asserted-by":"crossref","unstructured":"D.E.\u00a0Denning, An intrusion detection model, in: IEEE Transactions on Software Engineering, Los Alamos, CA, IEEE Computer Society Press, 1987.","DOI":"10.1109\/TSE.1987.232894"},{"key":"ref012","unstructured":"D.E.\u00a0Denning, Cryptography and Data Security, Addison-Wesley Inc., 1992."},{"key":"ref013","doi-asserted-by":"crossref","unstructured":"B.\u00a0Efron and R.J.\u00a0Tibshirani, An Introduction to the Bootstrap, Chapman & Hall, New York, 1993.","DOI":"10.1007\/978-1-4899-4541-9"},{"key":"ref014","unstructured":"D.\u00a0Farmer and W.\u00a0Venema, Improving the security of your site by breaking into it, 1995, ftp:\/\/ftp.win.tue.nl\/pub\/security\/admin-guide-to-cracking.101.Z, 1995."},{"key":"ref015","unstructured":"D.\u00a0Farmer and E.H.\u00a0Spafford, The COPS security checker system, in: Proceedings of the Summer Usenix Conference, June 1990, pp.\u00a0165\u2013170."},{"key":"ref016","unstructured":"S.\u00a0Forrest, S.A.\u00a0Hofmeyr and A.\u00a0Somayaji, A sense of self for unix processes, in: Proceedings of the 1996 IEEE Symposium on Research in Security and Privacy, Los Alamitos, CA, IEEE Computer Society Press, 1996."},{"key":"ref017","doi-asserted-by":"publisher","DOI":"10.1145\/262793.262811"},{"key":"ref018","unstructured":"S.\u00a0Forrest, A.\u00a0Somayaji and D.\u00a0Ackley, Building diverse computer systems, in: Proceedings of the 6th Workshop on Hot Topics in Operating System, Los Alamitos, CA, IEEE Computer Society Press, 1997."},{"key":"ref019","unstructured":"K.L.\u00a0Fox, R.R.\u00a0Henning, J.H.\u00a0Reed and R.\u00a0Simonian, A neural network approach towards intrusion detection, in: Proceedings of the 13th National Computer Security Conference, Washington, DC, October 1990, pp.\u00a0125\u2013134."},{"key":"ref020","unstructured":"J.\u00a0Frank, Artificial intelligence and intrusion detection: Current and future directions, in: Proceedings of the 17th National Computer Security Conference, October 1994."},{"key":"ref021","doi-asserted-by":"crossref","unstructured":"R.\u00a0Heady, G.\u00a0Luger, A.\u00a0Maccabe and M.\u00a0Servilla, The architecture of a network level intrusion detection system. Technical report, Department of Computer Science, University of New Mexico, August 1990.","DOI":"10.2172\/425295"},{"key":"ref022","doi-asserted-by":"crossref","unstructured":"L.T.\u00a0Heberlein, G.V.\u00a0Dias, K.N.\u00a0Levitt, B.\u00a0Mukherjee, J.\u00a0Wood and D.\u00a0Wolber, A network security monitor, in: Proceedings of the IEEE Symposium on Security and Privacy, IEEE Press, 1990.","DOI":"10.2172\/6223037"},{"key":"ref023","unstructured":"L.T.\u00a0Heberlein, B.\u00a0Mukherjee and K.N.\u00a0Levitt, Internet security monitor: An intrusion detection system for large scale networks, in: Proceedings of the 15th National Computer Security Conference, 1992."},{"key":"ref024","doi-asserted-by":"publisher","DOI":"10.1016\/0167-4048(93)90110-Q"},{"key":"ref025","doi-asserted-by":"crossref","unstructured":"K.\u00a0Illgun, R.A.\u00a0Kemmerer and P.A.\u00a0Porras, State transition analysis: A rule-based intrusion detection approach, IEEE Transactions on Software Engineering 3 (1995).","DOI":"10.1109\/32.372146"},{"key":"ref026","doi-asserted-by":"crossref","unstructured":"J.O.\u00a0Kephart, A biologically inspired immune system for computers, in: Artificial Life IV, MIT Press, 1994.","DOI":"10.7551\/mitpress\/1428.003.0017"},{"key":"ref027","doi-asserted-by":"crossref","unstructured":"G.H.\u00a0Kim and E.H.\u00a0Spafford, The design and implementation of tripwire: A file system integrity checker, in: Proceedings of the 2nd ACM Conference on Computer and Communications Security, 1994.","DOI":"10.1145\/191177.191183"},{"key":"ref028","doi-asserted-by":"crossref","unstructured":"C.\u00a0Ko, G.\u00a0Fink and K.\u00a0Levitt, Automated detection of vulnerabilities in privileged programs by execution monitoring, in: Proceedings of the 10th Annual Computer Security Applications Conference, 5\u20139 December 1994, pp.\u00a0134\u2013144.","DOI":"10.1109\/CSAC.1994.367313"},{"key":"ref029","unstructured":"S.\u00a0Kumar, Classification and detection of computer intrusions, PhD thesis, Department of Computer Sciences, Purdue University, August 1995."},{"key":"ref030","unstructured":"S.\u00a0Kumar and E.H.\u00a0Spafford, A pattern matching model for misuse intrusion detection, in: Proceedings of the National Computer Security Conference, Baltimore, MD, 1994, pp.\u00a011\u201321."},{"key":"ref031","doi-asserted-by":"crossref","first-page":"247","DOI":"10.1016\/0167-4048(92)90203-4","volume":"11","author":"Liepins G.","year":"1992","journal-title":"Computeres and Security"},{"key":"ref032","unstructured":"T.F.\u00a0Lunt, Detecting intruders in computer systems, in: Conference on Auditing and Computer Technology, 1993."},{"key":"ref033","unstructured":"T.F.\u00a0Lunt, A.\u00a0Tamaru, F.\u00a0Gilham, R.\u00a0Jagannathan, P.G.\u00a0Neumann, H.S.\u00a0Javitz, A.\u00a0Valdes and T.D.\u00a0Garvey, A real-time intrusion detection expert system (IDES). Final Technical Report, Computer Science Laboratory, SRI International, Menlo Park, California, February 1992."},{"key":"ref034","unstructured":"C.L.\u00a0Schuba and E.H.\u00a0Spafford, Countering abuse of name-based authentication, in: 22cnd Annual Telecommunications Policy Research Conference, 1996."},{"issue":"1","key":"ref035","first-page":"39","volume":"10","author":"Smaha S.E.","year":"1994","journal-title":"Journal of Computer Security"},{"key":"ref036","doi-asserted-by":"crossref","unstructured":"A.\u00a0Somayaji, S.A.\u00a0Hofmeyr and S.\u00a0Forrest, Principles of a computer immune system, in: Proceedings of the Second New Security Paradigms Workshop, 1997.","DOI":"10.1145\/283699.283742"},{"key":"ref037","doi-asserted-by":"crossref","unstructured":"H.S.\u00a0Teng, K.\u00a0Chen and S.C.\u00a0Lu, Security audit trail analysis using inductively generated predictive rules, in: Proceedings of the Sixth Conference on Artificial Intelligence Applications, Piscataway, NJ, IEEE, March 1990, pp.\u00a024\u201329.","DOI":"10.1109\/CAIA.1990.89167"}],"container-title":["Journal of Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-980109","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/full-xml\/10.3233\/JCS-980109","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-980109","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,3,11]],"date-time":"2025-03-11T03:56:17Z","timestamp":1741665377000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/10.3233\/JCS-980109"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[1998,7,1]]},"references-count":37,"journal-issue":{"issue":"3","published-print":{"date-parts":[[1998,7,1]]}},"alternative-id":["10.3233\/JCS-980109"],"URL":"https:\/\/doi.org\/10.3233\/jcs-980109","relation":{},"ISSN":["0926-227X","1875-8924"],"issn-type":[{"value":"0926-227X","type":"print"},{"value":"1875-8924","type":"electronic"}],"subject":[],"published":{"date-parts":[[1998,7,1]]}}}