Program Behavior Monitoring Based on System Call Attributes
-
Graphical Abstract
-
Abstract
The automaton of program behavior based on system call is often used to model program behavior. The automaton of program behavior based on system call attributes is proposed, which overcomes some drawbacks of traditional automaton of program behavior, such as low accuracy of program behavior trace modeled by control flow and data flow of system calls, high time overhead of capturing the system call context, and inability to monitor the program behavior between adjacent system calls. First of all, several system call attributes are introduced and the program behavior trace modeled by system call sequence can be monitored more accurately by considering the deviation degrees of system call attributes comprehensively. Secondly, system call arguments policies based on context are proposed to monitor the program behavior aiming at control flow or data flow. Thirdly, the time interval attribute of system call is presented and the program behavior trace between adjacent system calls, which cannot be monitored by system call and its arguments policies, can be monitored to some extent. The experimental results show that the automaton of program behavior based on system call attributes can model the program behavior more accurately and has better deviation detection ability of program behavior than traditional models of program behavior.
-
-