"An Intrusion Detection System Design and Implementation of Analysis System Call Sequence" 1. There is a certain deficiencies in the detection method proposed byforrest, etc.:,,,,,,,,,,,,,,,, Rate, etc. 2. Duplicate system calls: Multiple continuously identical duplicate system calls can occur when running, in most cases, the number of repetition statements in the program is generated, and the number of repetitions does not constitute the characteristics of the program. In some cases, such repetitive system calls may not be generated by the loop, but only by changing the number of repetitions calls in the same system, it cannot be invaded, and therefore in the actual processing, multiple continuously identical system calls are seen as one. 3. The correlation of the system call: It is understood by the local principles of the program. The larger the spacing of the system call, the smaller the correlation degree. Set the current system call location is 0, define the correlation of the i-th system call in front of it is Ri = R (i). "A Sense of Self for Unix Process" Distinguishing between process: Table 2 in this paper compares normal traces of several common processes with those of sendmail These processes have a significant number of abnormal sequences, approximately, 5-32% for sequences of length. 6, Because The Actions Theey Perform, The consults suggest That The Behavior of Different Processes Is Easily Distinguishable Using Sequency Information Alone.
