973 results for system call frequencies
Abstract:
This paper discusses our research in developing a generalized and systematic method for anomaly detection. The key ideas are to represent normal program behaviour using system call frequencies and to incorporate probabilistic techniques for classification to detect anomalies and intrusions. Using experiments on the sendmail system call data, we demonstrate that concise and accurate classifiers can be constructed to detect anomalies. An overview of the approach that we have implemented is provided.
Abstract:
Modern computer systems are plagued with stability and security problems: applications lose data, web servers are hacked, and systems crash under heavy load. Many of these problems or anomalies arise from rare program behavior caused by attacks or errors. A substantial percentage of web-based attacks are due to buffer overflows. Many methods have been devised to detect and prevent anomalous situations that arise from buffer overflows. The current state of the art in anomaly detection systems is relatively primitive and mainly depends on static code checking to take care of buffer overflow attacks. For protection, Stack Guards and Heap Guards are also used in a wide variety of settings. This dissertation proposes an anomaly detection system based on the frequencies of system calls in the system call trace. System call traces represented as frequency sequences are profiled using sequence sets. A sequence set is identified by the starting sequence and the frequencies of specific system calls. The deviations of the current input sequence from the corresponding normal profile in the frequency pattern of system calls are computed and expressed as an anomaly score. A simple Bayesian model is used for accurate detection. Experimental results are reported which show that the frequency of system calls, represented using sequence sets, captures the normal behavior of programs under normal conditions of usage. This captured behavior allows the system to detect anomalies with a low rate of false positives. Data are presented which show that a Bayesian network on frequency variations responds effectively to induced buffer overflows. It can also help administrators detect deviations in program flow introduced by errors.
Abstract:
In this paper we discuss our research in developing a general and systematic method for anomaly detection. The key ideas are to represent normal program behaviour using system call frequencies and to incorporate probabilistic techniques for classification to detect anomalies and intrusions. Using experiments on the sendmail system call data, we demonstrate that we can construct concise and accurate classifiers to detect anomalies. We provide an overview of the approach that we have implemented.
Abstract:
The search for patterns or motifs in data represents an area of key interest to many researchers. In this paper we present the Motif Tracking Algorithm, a novel immune inspired pattern identification tool that is able to identify unknown motifs which repeat within time series data. The power of the algorithm is derived from its use of a small number of parameters with minimal assumptions. The algorithm searches from a completely neutral perspective that is independent of the data being analysed and the underlying motifs. In this paper the motif tracking algorithm is applied to the search for patterns within sequences of low level system calls between the Linux kernel and the operating system’s user space. The MTA is able to compress data found in large system call data sets to a limited number of motifs which summarise that data. The motifs provide a resource from which a profile of executed processes can be built. The potential for these profiles and new implications for security research are highlighted. A higher level system call language for measuring similarity between patterns of such calls is also suggested.
Abstract:
Low-frequency sounds are advantageous for long-range acoustic signal transmission, but for small animals they constitute a challenge for signal detection and localization. The efficient detection of sound in insects is enhanced by mechanical resonance either in the tracheal or tympanal system before subsequent neuronal amplification. Making small structures resonant at low sound frequencies poses challenges for insects and has not been adequately studied. Similarly, detecting the direction of long-wavelength sound using interaural signal amplitude and/or phase differences is difficult for small animals. Pseudophylline bushcrickets predominantly call at high, often ultrasonic frequencies, but a few paleotropical species use lower frequencies. We investigated the mechanical frequency tuning of the tympana of one such species, Onomarchus uninotatus, a large bushcricket that produces a narrow bandwidth call at an unusually low carrier frequency of 3.2 kHz. Onomarchus uninotatus, like most bushcrickets, has two large tympanal membranes on each fore-tibia. We found that both these membranes vibrate like hinged flaps anchored at the dorsal wall and do not show higher modes of vibration in the frequency range investigated (1.5-20 kHz). The anterior tympanal membrane acts as a low-pass filter, attenuating sounds at frequencies above 3.5 kHz, in contrast to the high-pass filter characteristic of other bushcricket tympana. Responses to higher frequencies are partitioned to the posterior tympanal membrane, which shows maximal sensitivity at several broad frequency ranges, peaking at 3.1, 7.4 and 14.4 kHz. This partitioning between the two tympanal membranes constitutes an unusual feature of peripheral auditory processing in insects. The complex tracheal shape of O. uninotatus also deviates from the known tube or horn shapes associated with simple band-pass or high-pass amplification of tracheal input to the tympana.
Interestingly, while the anterior tympanal membrane shows directional sensitivity at conspecific call frequencies, the posterior tympanal membrane is not directional at conspecific frequencies and instead shows directionality at higher frequencies.
Abstract:
This paper is concerned with the ensemble statistics of the response to harmonic excitation of a single dynamic system such as a plate or an acoustic volume. Random point process theory is employed, and various statistical assumptions regarding the system natural frequencies are compared, namely: (i) Poisson natural frequency spacings, (ii) statistically independent Rayleigh natural frequency spacings, and (iii) natural frequency spacings conforming to the Gaussian orthogonal ensemble (GOE). The GOE is found to be the most realistic assumption, and simple formulae are derived for the variance of the energy of the system under either point loading or rain-on-the-roof excitation. The theoretical results are compared favourably with numerical simulations and experimental data for the case of a mass loaded plate. © 2003 Elsevier Ltd. All rights reserved.
Abstract:
Many software applications extend their functionality by dynamically loading executable components into their allocated address space. Such components, exemplified by browser plugins and other software add-ons, not only enable reusability, but also promote programming simplicity, as they reside in the same address space as their host application, supporting easy sharing of complex data structures and pointers. However, such components are also often of unknown provenance and quality and may be riddled with accidental bugs or, in some cases, deliberately malicious code. Statistics show that such component failures account for a high percentage of software crashes and vulnerabilities. Enabling isolation of such fine-grained components is therefore necessary to increase the stability, security and resilience of computer programs. This thesis addresses this issue by showing how host applications can create isolation domains for individual components, while preserving the benefits of a single address space, via a new architecture for software isolation called LibVM. Towards this end, we define a specification which outlines the functional requirements for LibVM, identify the conditions under which these functional requirements can be met, define an abstract Application Programming Interface (API) that encompasses the general problem of isolating shared libraries, thus separating policy from mechanism, and prove its practicality with two concrete implementations based on hardware virtualization and system call interpositioning, respectively. The results demonstrate that hardware isolation minimises the difficulties encountered with software based approaches, while also reducing the size of the trusted computing base, thus increasing confidence in the solution’s correctness. 
This thesis concludes that, not only is it feasible to create such isolation domains for individual components, but that it should also be a fundamental operating system supported abstraction, which would lead to more stable and secure applications.
Abstract:
We conducted surveys of bats in China between 1999 and 2007, resulting in the identification of at least 62 species. In this paper we present data on 19 species, comprising 12 species from the family Rhinolophidae and seven from the Hipposideridae. Rhinolophids captured were Rhinolophus affinis, R. ferrumequinum, R. lepidus, R. luctus, R. macrotis, R. siamensis, R. marshalli, R. rex, R. pearsonii, R. pusillus, R. sinicus and R. stheno. Because of extensive morphological similarities we question the species distinctiveness of R. osgoodi (may be conspecific with R. lepidus), R. paradoxolophus (which may best be treated as a subspecies of R. rex), R. huananus (probably synonymous with R. siamensis), and we are skeptical as to whether R. sinicus is distinct from R. thomasi. Hipposiderids captured were Hipposideros armiger, H. cineraceus, H. larvatus, H. pomona, H. pratti, Aselliscus stoliczkanus and Coelops frithii. Of these species, two rhinolophids (Rhinolophus marshalli and R. stheno) and one hipposiderid (Hipposideros cineraceus) represent new species records for China. We present data on species' ranges, morphology and echolocation call frequencies, as well as some notes on ecology and conservation status. China hosts a considerable diversity of rhinolophid and hipposiderid bats, yet threats to their habitats and populations are substantial.
Abstract:
We studied the wing morphology, echolocation calls, foraging behaviour and flight speed of Tylonycteris pachypus and Tylonycteris robustula in Longzhou County, South China during the summer (June–August) of 2005. The wingspan, wing loading and aspect ratio of the two species were relatively low, and those of T. pachypus were lower compared with T. robustula. The echolocation calls of T. pachypus and T. robustula consist of a broadband frequency modulated (FM) sweep followed by a short narrowband FM sweep. The dominant frequency of calls of T. pachypus was 65.1 kHz, whereas that of T. robustula was 57.7 kHz. The call frequencies (including highest frequency of the call, lowest frequency of the call and frequency of the call that contained most energy) of T. pachypus were higher than those of T. robustula, and the pulse duration of the former was longer than that of the latter. The inter-pulse interval and bandwidth of the calls were not significantly different between the two species. Tylonycteris pachypus foraged in more complex environments than T. robustula, although the two species were both netted in edge habitats (around trees or houses), along pathways and in the tops of trees. Tylonycteris pachypus flew slower (straight level flight speed, 4.3 m s−1) than T. robustula (straight level flight speed, 4.8 m s−1). We discuss the relationship between wing morphology, echolocation calls, foraging behaviour and flight speed, and demonstrate resource partitioning between these two species in terms of morphological and behavioural factors.
Abstract:
We undertook analyses of mitochondrial DNA gene sequences and echolocation calls to resolve phylogenetic relationships among the related bat taxa Rhinolophus pusillus (sampled across China), R. monoceros (Taiwan), R. cornutus (main islands of Japan), and R. c. pumilus (Okinawa, Japan). Phylogenetic trees and genetic divergence analyses were constructed by combining new complete mitochondrial cytochrome-b gene sequences and partial mitochondrial control region sequences with published sequences. Our work showed that these 4 taxa formed monophyletic groups in the phylogenetic tree. However, low levels of sequence divergence among the taxa, together with similarities in body size and overlapping echolocation call frequencies, point to a lack of taxonomic distinctiveness. We therefore suggest that these taxa are better considered as geographical subspecies rather than distinct species, although this should not diminish the conservation importance of these island populations, which are important evolutionarily significant units. Based on our findings, we suggest that the similarities in body size and echolocation call frequency in these rhinolophids result from their recent common ancestry, whereas similarities in body size and call frequency with R. hipposideros of Europe are the result of convergent evolution.
Abstract:
Many software applications extend their functionality by dynamically loading libraries into their allocated address space. However, shared libraries are also often of unknown provenance and quality and may contain accidental bugs or, in some cases, deliberately malicious code. Most sandboxing techniques which address these issues require recompilation of the libraries using custom tool chains, require significant modifications to the libraries, do not retain the benefits of single address-space programming, do not completely isolate guest code, or incur substantial performance overheads. In this paper we present LibVM, a sandboxing architecture for isolating libraries within a host application without requiring any modifications to the shared libraries themselves, while still retaining the benefits of a single address space and also introducing a system call inter-positioning layer that allows complete arbitration over a shared library’s functionality. We show how to utilize contemporary hardware virtualization support towards this end with reasonable performance overheads and, in the absence of such hardware support, our model can also be implemented using a software-based mechanism. We ensure that our implementation conforms as closely as possible to existing shared library manipulation functions, minimizing the amount of effort needed to apply such isolation to existing programs. Our experimental results show that it is easy to gain immediate benefits in scenarios where the goal is to guard the host application against unintentional programming errors when using shared libraries, as well as in more complex scenarios, where a shared library is suspected of being actively hostile. In both cases, no changes are required to the shared libraries themselves.
Abstract:
Automatic identification of software faults has enormous practical significance. This requires characterizing program execution behavior and the use of appropriate data mining techniques on the chosen representation. In this paper, we use the sequence of system calls to characterize program execution. The data mining tasks addressed are learning to map system call streams to fault labels and automatic identification of fault causes. Spectrum kernels and SVM are used for the former, while latent semantic analysis is used for the latter. The techniques are demonstrated on the intrusion dataset containing system call traces. The results show that kernel techniques are as accurate as the best available results but are faster by orders of magnitude. We also show that latent semantic indexing is capable of revealing fault-specific features.
Abstract:
This dissertation evaluates the dynamic effects produced by convoys of vehicles crossing the irregular deck of reinforced concrete highway bridges. The mathematical model used to simulate the behaviour of the vehicle-bridge system takes into account the contribution of the vehicles' mass and stiffness in defining the system frequencies; consequently, the interaction force between the vehicles and the bridge is affected by the flexibility of the bridge. The bridge is modelled with one-dimensional beam finite elements and discretised with lumped masses and distributed flexibility. The vehicle model is based on the TB-12 vehicle prescribed by the Brazilian standard NBR 7188. This vehicle is simulated by mass-spring-damper systems described by translational and rotational degrees of freedom in the plane. The pavement irregularities are defined by a non-deterministic model based on the spectral density of the pavement. The loading on the bridge consists of successions of vehicles moving at constant speed over the structure. Owing to the very nature of the pavement irregularities and of the vehicle convoy, special attention is focused on the steady-state phase of the system response. The responses of two existing structural models are studied, based on statically determinate reinforced concrete decks, with and without cantilevers, with T and double-T cross-sections respectively, in terms of displacements and internal forces at the sections where the maximum effects occur. The conclusions of the work address the influence of the speed, spacing and number of vehicles, for distinct loading situations, on the dynamic response of reinforced concrete highway bridges. The magnitude of the dynamic effects associated with the interaction of the vehicles with the irregular pavement is also investigated.
Abstract:
T-Kernel is an open-source, free embedded real-time operating system (RTOS) released by Japan's T-Engine Forum, known for its strong real-time performance and small kernel footprint. This paper analyses the process of porting T-Kernel to the Blackfin processor (BF533), presents the implementation methods for interrupt management, task switching and the system call entry point, and carries out stability and real-time performance tests to ensure the performance of the ported system.
Abstract:
Residual vibrations degrade the performance of many systems. Due to the lightweight and flexible nature of space structures, controlling residual vibrations is especially difficult. Also, systems such as the Space Shuttle Remote Manipulator System have frequencies that vary significantly based upon configuration and loading. Recently, a technique for minimizing vibrations in flexible structures by command input shaping was developed. This document presents research completed in developing a simple, closed-form method of calculating input shaping sequences for two-mode systems and a system to adapt the command input shaping technique to known changes in system frequency about the workspace. The new techniques were tested on a three-link, flexible manipulator.