Many approaches have been suggested and various systems have been modeled to detect intrusions from the anomalous system call behavior that results from an attack. Though these techniques have been shown to be quite effective, a key element seems to be missing: the inclusion and utilization of system call arguments to create a richer, more valuable signature, and the use of this information to model the intrusion detection system more accurately. We put forth the idea of adopting a rule learning approach that mobilizes rules based upon system calls and models the system for normal traffic using system call arguments and other key attributes. We present variations of our techniques and compare the results with those from some of the well-known techniques based upon system call sequences. The results show that system call argument information is crucial and assists in successfully detecting U2R, R2L and Data attacks while generating fewer false alarms.
Tandon, G., Chan, P.K. (2003). Learning rules from system call arguments and sequences for anomaly detection (CS-2003-20). Melbourne, FL: Florida Institute of Technology.
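As an added illustration of the abstract's central claim (example code, not the paper's own method or data), the toy detector below learns n-gram rules from call names alone and, separately, rules over a coarsened path and open flags, then scores a constructed trace whose call ordering is normal but whose arguments are not. The audit records, the path coarsening and the two rule families are assumptions made for this example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str, str]  # (syscall, path, flags) -- constructed audit record shape

# Constructed training records for a service that reads config/content and appends to a log.
TRAIN: List[Record] = [
    ("open", "/etc/hosts", "O_RDONLY"), ("read", "/etc/hosts", "-"), ("close", "/etc/hosts", "-"),
    ("open", "/var/www/index.html", "O_RDONLY"), ("read", "/var/www/index.html", "-"),
    ("close", "/var/www/index.html", "-"),
    ("open", "/var/log/app.log", "O_WRONLY"), ("write", "/var/log/app.log", "-"),
    ("close", "/var/log/app.log", "-"),
]
# Constructed test trace: the same open/write/close ordering as the log append above,
# but aimed at a file under /etc, which the process never writes during training.
TEST: List[Record] = [
    ("open", "/etc/hosts", "O_WRONLY"), ("write", "/etc/hosts", "-"), ("close", "/etc/hosts", "-"),
]

def top_dir(path: str) -> str:
    """Coarsen a path to its first directory so learned rules generalise across files."""
    return "/" + path.split("/")[1] if path.startswith("/") else path

def train_sequence_model(trace: List[Record], n: int = 3) -> Set[Tuple[str, ...]]:
    """Sequence-only baseline: the set of call-name n-grams seen in normal traffic."""
    names = [r[0] for r in trace]
    return {tuple(names[i:i + n]) for i in range(len(names) - n + 1)}

def sequence_anomalies(model: Set[Tuple[str, ...]], trace: List[Record], n: int = 3) -> List[Tuple[str, ...]]:
    names = [r[0] for r in trace]
    grams = (tuple(names[i:i + n]) for i in range(len(names) - n + 1))
    return [g for g in grams if g not in model]

def train_argument_rules(trace: List[Record]) -> Dict[Tuple, Set[str]]:
    """Argument rules: syscall -> allowed dirs, and (syscall, dir) -> allowed flags."""
    rules: Dict[Tuple, Set[str]] = defaultdict(set)
    for call, path, flags in trace:
        rules[("dir", call)].add(top_dir(path))
        rules[("flags", call, top_dir(path))].add(flags)
    return rules

def argument_anomalies(rules: Dict[Tuple, Set[str]], trace: List[Record]) -> List[str]:
    """Flag each record that violates a learned rule; the count is the anomaly score."""
    alerts = []
    for call, path, flags in trace:
        d = top_dir(path)
        if d not in rules.get(("dir", call), set()):
            alerts.append(f"{call} on unseen dir {d}")
        elif flags not in rules.get(("flags", call, d), set()):
            alerts.append(f"{call} {d} with unseen flags {flags}")
    return alerts
```

On the constructed traces the sequence model raises nothing, because the trigram (open, write, close) occurs in training, while the argument rules flag both the write-mode open under /etc and the write itself.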