ADREM: System Call Based Intrusion Detection Framework

Author(s): Jan-Alexandru VĂDUVA, Radu-Emanuel CHIȘCARIU, Ioana CULIC, Iulia-Maria Florea, Razvan RUGHINIS
Subject(s): Social Sciences, Education, Higher Education
Published by: Carol I National Defence University Publishing House
Keywords: intrusion detection; supervised machine learning; system call;

Summary/Abstract: We are living in an era where computers govern the educational process. The market is flooded with puzzles, games, quizzes and other kinds of applications designed to help teachers explain different concepts and to enable students to practice their skills and test their knowledge. For all these systems, be they computers, servers or embedded devices, the internet connection is the essential aspect. As a result, we have children and students working with devices that are exposed to the highest degree of security issues and threats. Attacks are continuously evolving, becoming more flexible, adaptable and hard to detect, and leaving children and students vulnerable to malicious software that can either collect sensitive information about them or expose them to inappropriate content. Because of this, it is only natural that security solutions have become of significant importance for the tech educational industry. Since the internet became an essential need, computers, servers and embedded devices have been exposed to the highest degree of security issues and threats, and the continuous evolution of attacks has made the shift towards adaptive, security-oriented solutions only natural. One such solution is represented by anomaly-based intrusion detection techniques. Anomaly-based intrusion detection systems build a baseline of normal behavior. For a Linux-based operating system, which represents a great percentage of the platforms used in education, this is accomplished by monitoring a given process or set of processes. Any significant deviation from the baseline model is flagged as malicious activity. This paper proposes a framework for intrusion detection using system call traces captured from services running in a container. The work is based on the Australian Defence Force Academy Linux Dataset, better known as ADFA-LD.
The analysis takes into consideration the temporal allocation of the system calls. The classification module is based on supervised machine learning techniques. To test the accuracy of the framework, a case study involving a database application running in a Linux container is analyzed. The results, together with the proposed framework implementation, are described in detail.

  • Issue Year: 15/2019
  • Issue No: 01
  • Page Range: 159-164
  • Page Count: 6
  • Language: English