Skip to content

EthanJamesLew/syscall-anomaly

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

21 Commits
src
src
 
 
.gitignore
.gitignore
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Syscall Anomaly Detector

This is a project aimed at exploring anomaly detection of system calls. Just think of it as strace, but with a twist of machine learning.

What's in it?

Currently, I have developed an strace-like utility that records system calls in a structured format and saves this data to disk. It's not just a passive listener, but an active observer that converts the system calls into a structured format that can be consumed by a machine learning algorithm and used to kill the execution of a child process.

In other words, it's a keen-eyed observer at a masquerade ball, diligently noting down each masked guest's (system call's) unique quirks and eccentricities (parameters and properties) for a mysterious unknown purpose (anomaly detection).

How to Run It

Running our Syscall Anomaly Detector with no prior syscall trace information is as simple as:

cargo run -- -- <command>

Where is the program you wish to monitor the system calls of.

This will cause the anomaly detector to see everything as an anomaly as it has never seen any of the syscall sequences before. To pass in "nominal" set of traces, include a json file of syscall integers

cargo run -- syscall_numbers.json -- <command>

The detector will create the syscall_numbers.json at the end of every run.

About

exploring anomaly detection of syscalls

Resources

Readme

License

GPL-3.0 license
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages