Part of this lab is used in the 2016 ACM Conference on Computer and Communications Security (CCS) Tutorial:
- Program Anomaly Detection: Methodology and Practices
- 10:00 AM - 11:30 AM
- Oct 25, 2016
- Hofburg Palace, Vienna, Austria
- Lab tasks in the tutorial
- n-gram/shingle model: the script will generate n-grams to construct the model
- deterministic finite automaton (DFA) model: the script will generate DFA vertices/edges for Neo4J visualization
- Generate training traces
strace -o ls.trace ls .
- Extract pure syscall lists from traces
tr '[:upper:]' '[:lower:]' < ls.trace | sed '/^[^a-z_]/d' | sed 's/(.*//' > sys.list
- Build the profile using the scripts in src
./shingling.sh sys.list 4
- Merge multiple training profiles to construct the normal behavior model (sort -u deduplicates the n-grams and leaves the model sorted, which comm requires in the next step)
cat profiles | sort -u > modelfile
- Generate testing traces, build their profiles the same way, and detect anomalies: comm -13 prints the n-grams that appear only in the testing profile, so both files must be sorted (sort -u) before comparison
comm -13 training testing
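The steps above as one runnable pipeline. This is an added example, not part of the lab's own scripts: the traces are constructed in strace's output format rather than captured from a real ls, and shingle() is a stand-in for src/shingling.sh (whose implementation is not shown here) that writes one space-separated n-gram per line as a sorted set.

```shell
#!/bin/sh
# Added worked example, not the lab's own code: the README pipeline end to end
# on constructed strace-style traces. shingle() stands in for src/shingling.sh.
set -eu
LC_ALL=C; export LC_ALL      # sort and comm must agree on collation
WORK=$(mktemp -d)

# Constructed training trace in strace's output format (not a real capture).
cat > "$WORK/train1.trace" <<'EOF'
execve("/bin/ls", ["ls", "."], 0x7ffc1e2d3f40 /* 12 vars */) = 0
brk(NULL) = 0x5581a9c2b000
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=70000}) = 0
close(3) = 0
openat(AT_FDCWD, ".", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
getdents64(3, 0x5581a9c2f9d0 /* 4 entries */, 32768) = 112
close(3) = 0
write(1, "README.md  src\n", 15) = 15
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4242} ---
exit_group(0) = ?
+++ exited with 0 +++
EOF
# Second training run ("ls -l": two lstat calls before the directory closes).
cat > "$WORK/train2.trace" <<'EOF'
execve("/bin/ls", ["ls", "-l", "."], 0x7ffd0a1b2c30 /* 12 vars */) = 0
brk(NULL) = 0x55f3c1d0e000
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=70000}) = 0
close(3) = 0
openat(AT_FDCWD, ".", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
getdents64(3, 0x55f3c1d129d0 /* 4 entries */, 32768) = 112
lstat("README.md", {st_mode=S_IFREG|0644, st_size=812}) = 0
lstat("src", {st_mode=S_IFDIR|0755, st_size=4096}) = 0
close(3) = 0
write(1, "total 8\n", 8) = 8
exit_group(0) = ?
+++ exited with 0 +++
EOF
# Test run: the same program, but it opens a socket before writing.
cat > "$WORK/test.trace" <<'EOF'
execve("/bin/ls", ["ls", "."], 0x7ffe5b6c7d50 /* 12 vars */) = 0
brk(NULL) = 0x5640e2f3a000
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=70000}) = 0
close(3) = 0
openat(AT_FDCWD, ".", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
getdents64(3, 0x5640e2f3e9d0 /* 4 entries */, 32768) = 112
close(3) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
write(4, "README.md  src\n", 15) = 15
exit_group(0) = ?
+++ exited with 0 +++
EOF

# Keep only the syscall name of each trace line: lines not starting with an
# identifier (signal "---" and exit "+++" markers) are dropped, and everything
# from the first "(" on is cut away.
extract_syscalls() {
    tr '[:upper:]' '[:lower:]' < "$1" | sed '/^[^a-z_]/d' | sed 's/(.*//'
}

# n-gram profile of a syscall list (one name per line): every window of n
# consecutive names, emitted as a sorted set.      usage: shingle LISTFILE N
shingle() {
    awk -v n="$2" '
        { win[NR % n] = $1 }
        NR >= n {
            g = win[(NR - n + 1) % n]
            for (i = NR - n + 2; i <= NR; i++) g = g " " win[i % n]
            print g
        }' "$1" | sort -u
}

# The normal-behavior model is the union of the training profiles.
build_model() { cat "$@" | sort -u; }

# n-grams in the test profile that are absent from the model; comm needs both
# inputs sorted the same way, which sort -u above guarantees.
detect() { comm -13 "$1" "$2"; }              # usage: detect MODEL TESTPROFILE
anomaly_count() { detect "$1" "$2" | wc -l | tr -d ' '; }

for t in train1 train2 test; do
    extract_syscalls "$WORK/$t.trace" > "$WORK/$t.list"
    shingle "$WORK/$t.list" 4 > "$WORK/$t.profile"
done
build_model "$WORK/train1.profile" "$WORK/train2.profile" > "$WORK/model"

echo "model: $(wc -l < "$WORK/model" | tr -d ' ') distinct 4-grams"
echo "anomalous 4-grams in test trace:"
detect "$WORK/model" "$WORK/test.profile"
```

On these inputs the model holds 12 distinct 4-grams and the test trace produces four that are not in it, all containing the socket/connect pair; re-running detect on train1's own profile reports nothing. Two caveats for real traces: if strace is run with -f, each line is prefixed with a pid, so strip that column before the sed filter (it would otherwise drop every line), and keep LC_ALL consistent between the sort that builds the model and the comm that reads it.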