Application Research of Computers (计算机应用研究), 2007
Research on Syscall-based Intrusion Detection Technology for Linux System
Abstract:
A process-oriented intrusion detection method for Linux based on system calls is proposed. A loadable kernel module (LKM) running in kernel space captures the system calls issued by a monitored process, and a Markov model built from maximum-likelihood estimates over short system-call sequences describes the normal profile of the process and detects deviations from it. Experiments show that the scheme is feasible and effective. Key problems in implementing the scheme are also discussed.
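The abstract only names the components (an LKM that captures a process's system calls, a Markov model over short call sequences, an anomaly decision). The following is an added example, not code from the paper, showing how such a detector can be built once the syscall trace is in hand: a first-order Markov chain is estimated by maximum likelihood from normal traces, each short sequence (sliding window) of a test trace is scored by its log-likelihood under the chain, and a window is flagged when its score drops below a threshold fixed from the training data. The window length, the probability floor for unseen transitions, the threshold margin and the syscall traces themselves are all assumptions made for this example; the traces are constructed by hand rather than captured by a kernel module.

```python
"""First-order Markov profile over short system-call sequences (added example).

Assumptions (not from the paper): window length 6, a floor probability for
transitions never seen in training, and a threshold set one decade below the
lowest window log-likelihood observed on the training traces.
"""
import math
from collections import Counter, defaultdict

UNSEEN_PROB = 1e-3   # floor for transitions absent from the normal profile (assumption)


class MarkovProfile:
    def __init__(self, window=6):
        self.window = window                  # length of a "short sequence"
        self.trans = defaultdict(Counter)     # trans[a][b] = number of a -> b transitions
        self.threshold = None

    def train(self, traces):
        """Estimate transition probabilities by maximum likelihood and fix the threshold."""
        for trace in traces:
            for a, b in zip(trace, trace[1:]):
                self.trans[a][b] += 1
        scores = [s for trace in traces for _, s in self.score_windows(trace)]
        if not scores:
            raise ValueError("training traces are shorter than the window")
        # Lowest training score minus a margin of ln(10): anything ten times less
        # likely than the least likely normal window is treated as anomalous.
        self.threshold = min(scores) - math.log(10)
        return self

    def prob(self, a, b):
        """ML estimate P(b | a) = count(a->b) / count(a->*), floored for unseen pairs."""
        row = self.trans.get(a)
        if not row:
            return UNSEEN_PROB
        count = row.get(b, 0)
        return count / sum(row.values()) if count else UNSEEN_PROB

    def window_loglik(self, seq):
        return sum(math.log(self.prob(a, b)) for a, b in zip(seq, seq[1:]))

    def score_windows(self, trace):
        """(offset, log-likelihood) for every window of the trace."""
        k = self.window
        return [(i, self.window_loglik(trace[i:i + k])) for i in range(len(trace) - k + 1)]

    def detect(self, trace):
        """Windows whose log-likelihood falls below the threshold: (offset, window, score)."""
        return [(i, tuple(trace[i:i + self.window]), s)
                for i, s in self.score_windows(trace) if s < self.threshold]


# Constructed traces of a small file-copying program (not captured from a real system).
NORMAL_TRACES = [
    ["execve", "brk", "mmap", "open", "fstat", "read", "write", "read", "write",
     "close", "exit_group"],
    ["execve", "brk", "mmap", "open", "fstat", "read", "write", "close", "exit_group"],
    ["execve", "brk", "mmap", "open", "fstat", "read", "write", "read", "write",
     "read", "write", "close", "exit_group"],
]

# Constructed trace of the same program diverted into opening a socket and
# spawning a new program: the read -> socket step never occurs in the profile.
ATTACK_TRACE = ["execve", "brk", "mmap", "open", "fstat", "read",
                "socket", "connect", "dup2", "dup2", "execve", "brk"]


if __name__ == "__main__":
    profile = MarkovProfile(window=6).train(NORMAL_TRACES)
    print("threshold:", round(profile.threshold, 3))
    for offset, window, score in profile.detect(ATTACK_TRACE):
        print(f"anomalous window at {offset}: {' '.join(window)} (loglik {score:.2f})")
```

With these traces the first flagged window starts at offset 1, the moment `read` is followed by `socket`; every later window is flagged as well because it contains more transitions the profile has never seen. A normal trace from the training set produces no alerts, since its worst window sits above the threshold by construction. The two knobs that matter in practice are the window length (longer windows give more context but delay the first alert) and the floor probability (too high and single unseen transitions are tolerated, too low and one rare but benign call dominates the score).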