Anomaly detection using sequences of system calls
First Claim
1. A method of detecting a call sequence anomaly, the method comprising:
receiving a message indicating an invocation of a programmatic procedure of an operating system, the message including a programmatic procedure identifier, a sender process identifier, and a receiver process identifier, wherein the invocation of the programmatic procedure is one invocation in a series of invocations of operating system programmatic procedures made from a process identified by the sender process identifier;
generating an invocation hash based on at least a portion of the message;
translating the invocation hash to an invocation identifier;
including the invocation identifier in a translated call sequence that comprises invocation identifiers for the series of invocations;
determining that the translated call sequence is not included in a plurality of predetermined call sequences, each of the predetermined call sequences comprising corresponding invocation identifiers, wherein each of the corresponding invocation identifiers is mapped to invocation hashes;
identifying the translated call sequence as an anomaly based on the determining; and
as a result of the translated call sequence being identified as an anomaly, causing an action.
Abstract
Systems and methods of detecting a call sequence anomaly in a message-based operating system are provided. A message may be received that indicates a programmatic procedure of an operating system was invoked. The message may include a programmatic procedure identifier, a sender process identifier, and a receiver process identifier. An invocation hash may be generated based on the message. The invocation hash may be translated to a smaller invocation identifier. The invocation identifier may be included in a translated call sequence that comprises invocation identifiers for a series of invocations. Depending on whether the translated call sequence is included in previously generated predetermined call sequences, the translated call sequence may be determined as an anomaly or not an anomaly.
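The pipeline the abstract and claim 1 describe (message, invocation hash, small invocation identifier, translated call sequence, membership test against predetermined sequences) is short enough to run end to end. The following is an added example, not the patent's own code. It assumes a fixed sequence length of 3, that the hash covers only the procedure identifier and the receiver process identifier (the claim only requires "at least a portion of the message"), and that sequences are built per sender process; the traces, service PIDs and procedure names are constructed for illustration.

```python
"""Call-sequence anomaly detection over OS invocation messages.

Added example, not the patent's own code. It implements the pipeline the
abstract and claim 1 describe: message -> invocation hash -> small invocation
identifier -> translated call sequence -> membership test against the
predetermined call sequences learned from a training trace.
"""
import hashlib
from collections import defaultdict, deque

# Assumption: a fixed sequence length. The patent does not specify one.
WINDOW = 3


def invocation_hash(procedure_id: str, receiver_pid: int) -> str:
    """Hash 'at least a portion of the message' (claim 1).

    Assumption: the hash covers the procedure identifier and the receiver
    (service) process identifier only. The runtime sender PID is left out on
    purpose: it changes every time the program is launched, so hashing it
    would make every fresh process produce never-seen hashes and therefore
    look anomalous. Sequences are still built per sender (see _sequences).
    """
    canonical = f"{procedure_id}\x00{receiver_pid}".encode()
    return hashlib.sha256(canonical).hexdigest()


class InvocationTranslator:
    """Translate each distinct invocation hash to a small integer identifier.

    Both directions of the mapping are kept so that an identifier in a
    sequence can always be mapped back to its hash, as claim 1 requires.
    """

    def __init__(self):
        self.hash_to_id = {}
        self.id_to_hash = {}

    def translate(self, inv_hash: str) -> int:
        if inv_hash not in self.hash_to_id:
            new_id = len(self.hash_to_id)
            self.hash_to_id[inv_hash] = new_id
            self.id_to_hash[new_id] = inv_hash
        return self.hash_to_id[inv_hash]


class CallSequenceDetector:
    """Learn the set of predetermined call sequences, then flag unknown ones."""

    def __init__(self, window: int = WINDOW):
        self.window = window
        self.translator = InvocationTranslator()
        self.known = set()  # predetermined call sequences: tuples of ids

    def _sequences(self, messages):
        """Yield (sender_pid, translated sequence) for every window of
        consecutive invocations made by the same sender process."""
        recent = defaultdict(lambda: deque(maxlen=self.window))
        for procedure_id, sender_pid, receiver_pid in messages:
            inv_id = self.translator.translate(
                invocation_hash(procedure_id, receiver_pid))
            recent[sender_pid].append(inv_id)
            if len(recent[sender_pid]) == self.window:
                yield sender_pid, tuple(recent[sender_pid])

    def train(self, messages):
        """Record every sequence seen in a trace assumed to be benign."""
        for _, seq in self._sequences(messages):
            self.known.add(seq)

    def detect(self, messages):
        """Return [(sender_pid, sequence)] for sequences not seen in training.
        A hash never seen before gets a new id, so any window containing it
        is necessarily reported: unknown procedure/receiver pairs are
        anomalies by construction."""
        return [(sender, seq) for sender, seq in self._sequences(messages)
                if seq not in self.known]


# Constructed sample traces: (procedure_id, sender_pid, receiver_pid).
# Receiver PIDs 10 and 11 stand for a file service and a process manager.
FS, PROCMGR = 10, 11
NORMAL_TRACE = [
    ("open", 100, FS), ("read", 100, FS), ("close", 100, FS),
    ("open", 100, FS), ("read", 100, FS), ("close", 100, FS),
    ("open", 101, FS), ("read", 101, FS), ("read", 101, FS), ("close", 101, FS),
]
# A new process (PID 200) follows the normal pattern, then spawns a process
# in the middle of a read loop, which no training sequence contains.
SUSPECT_TRACE = [
    ("open", 200, FS), ("read", 200, FS), ("close", 200, FS),
    ("open", 200, FS), ("read", 200, FS), ("spawn", 200, PROCMGR),
    ("close", 200, FS),
]


def build_detector():
    det = CallSequenceDetector()
    det.train(NORMAL_TRACE)
    return det


if __name__ == "__main__":
    det = build_detector()
    for sender, seq in det.detect(SUSPECT_TRACE):
        hashes = [det.translator.id_to_hash[i][:8] for i in seq]
        print(f"anomaly from pid {sender}: ids={seq} hashes={hashes}")
```

Two points a practitioner will want to check before deploying something like this: which message fields go into the hash decides the false-positive rate (hashing a runtime PID makes every new process instance anomalous, so the example hashes the procedure and the receiving service instead and groups by sender separately), and the window length trades sensitivity against the size of the predetermined set. Note also that a training trace is assumed clean; any sequence present in it is accepted forever.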
20 Claims
1. (Independent claim; reproduced in full above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A non-transitory computer readable storage medium comprising computer executable instructions, the computer executable instructions executable by a processor, the computer executable instructions comprising:
instructions executable to receive a message indicating an invocation of a programmatic procedure of an operating system, the message including a programmatic procedure identifier, a sender process identifier, and a receiver process identifier, wherein the invocation of the programmatic procedure is one invocation in a series of invocations of operating system programmatic procedures made from a process identified by the sender process identifier;
instructions executable to generate an invocation hash based on at least a portion of the message;
instructions executable to translate the invocation hash to an invocation identifier;
instructions executable to include the invocation identifier in a translated call sequence that comprises invocation identifiers for the series of invocations;
instructions executable to determine whether the translated call sequence is included in a plurality of predetermined call sequences, each of the predetermined call sequences comprising corresponding invocation identifiers, wherein each of the corresponding invocation identifiers is mapped to invocation hashes;
instructions executable to identify the translated call sequence as an anomaly if the translated call sequence is not included in the predetermined call sequences and, otherwise, to determine the translated call sequence is not an anomaly; and
instructions executable to, when the translated call sequence is identified as an anomaly, cause an action.
Dependent claims: 10, 11, 12, 13
14. A system to detect a call sequence anomaly, the system comprising:
a processor configured to:
receive a message indicating an invocation of a programmatic procedure of an operating system, the message including a programmatic procedure identifier, a sender process identifier, and a receiver process identifier, wherein the invocation of the programmatic procedure is one invocation in a series of invocations of operating system programmatic procedures made from a process identified by the sender process identifier;
generate an invocation hash based on at least a portion of the message;
translate the invocation hash to an invocation identifier;
include the invocation identifier in a translated call sequence that comprises invocation identifiers for the series of invocations;
determine whether the translated call sequence is included in a plurality of predetermined call sequences, each of the predetermined call sequences comprising corresponding invocation identifiers, wherein each of the corresponding invocation identifiers is mapped to invocation hashes;
identify the translated call sequence as an anomaly if the translated call sequence is not included in the predetermined call sequences and, otherwise, determine the translated call sequence is not an anomaly; and
when the translated call sequence is identified as an anomaly, cause an action.
Dependent claims: 15, 16, 17, 18, 19, 20