Gaurav Tandon and Philip K. Chan, Florida Institute of Technology
Traditional host-based anomaly detection systems model the normal behavior of applications by analyzing system call sequences. The current audit sequence is then examined (using the model) for anomalous behavior, which could correspond to attacks. Though these techniques have been shown to be quite effective, a key element seems to be missing: the inclusion and utilization of the system call arguments. Recent research also shows that sequence-based systems are prone to evasion. We propose an idea of learning different representations for system call arguments. Results indicate that argument information can be effectively used for detecting more attacks with reasonable space and time overhead.
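To make the abstract's point concrete, the following added example (not code from the paper) pairs a stide-style syscall n-gram model with a simple per-argument representation and runs both over constructed traces; the n-gram width, the value-set-plus-length-range argument rule, the hypothetical log-reader program and its traces are all assumptions for illustration, not the representations the paper learns. A test trace whose syscall sequence exactly matches training but whose open() path differs slips past the sequence model and is caught only by the argument model.

```python
from collections import defaultdict

N = 3  # n-gram width for the sequence model (an assumed, stide-style choice)

# Constructed training trace for a hypothetical log-reader program:
# each event is (syscall name, tuple of argument strings).
NORMAL_TRACE = [
    ("open", ("/var/log/app.log", "O_RDONLY")), ("fstat", ("3",)),
    ("read", ("3", "4096")), ("read", ("3", "4096")), ("close", ("3",)),
    ("open", ("/var/log/app.log.1", "O_RDONLY")), ("fstat", ("3",)),
    ("read", ("3", "4096")), ("close", ("3",)),
]

def ngrams(trace, n=N):
    names = [name for name, _ in trace]
    return [tuple(names[i:i + n]) for i in range(len(names) - n + 1)]

def train(trace, n=N):
    """Sequence model: the set of syscall n-grams seen in training.
    Argument model: for each (syscall, argument position), the exact values
    seen plus the range of their lengths (a coarser fallback rule)."""
    args = defaultdict(lambda: {"values": set(), "lens": set()})
    for name, argv in trace:
        for pos, value in enumerate(argv):
            args[(name, pos)]["values"].add(value)
            args[(name, pos)]["lens"].add(len(value))
    return {"ngrams": set(ngrams(trace, n)), "args": dict(args)}

def detect(model, trace, n=N):
    """Return (sequence_alerts, argument_alerts). A sequence alert is an n-gram
    never seen in training; an argument alert is a value that was neither seen
    exactly nor has a length inside the training range for that slot."""
    seq_alerts = [g for g in ngrams(trace, n) if g not in model["ngrams"]]
    arg_alerts = []
    for idx, (name, argv) in enumerate(trace):
        for pos, value in enumerate(argv):
            slot = model["args"].get((name, pos))
            if slot is None:
                arg_alerts.append((idx, name, pos, value, "unseen argument position"))
            elif value not in slot["values"] and not (
                    min(slot["lens"]) <= len(value) <= max(slot["lens"])):
                arg_alerts.append((idx, name, pos, value, "value/length outside model"))
    return seq_alerts, arg_alerts

# Constructed test trace: the syscall *sequence* is identical to the first
# five training events; only the open() path differs.
MIMIC_TRACE = [("open", ("/etc/passwd", "O_RDONLY"))] + NORMAL_TRACE[1:5]
```

Calling `detect(train(NORMAL_TRACE), MIMIC_TRACE)` yields no sequence alert and one argument alert on event 0; a newly rotated log such as `/var/log/app.log.2` passes both models because its length falls inside the learned range.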