Extracting the system call identifier from within VFS: a kernel stack parsing-based approach

Authors:
Suvrojit Das;Debayan Chatterjee;D. Ghosh;Narayan C. Debnath
Affiliations:
Department of Computer Applications, National Institute of Technology, Durgapur-713209, India;Department of Computer Applications, National Institute of Technology, Durgapur-713209, India;Department of Computer Science and Engineering, National Institute of Technology, Durgapur-713209, India;Winona State University, Watkins Hall, Room: 108 E, Winona, MN 55987, USA
Venue:
International Journal of Information and Computer Security
Year:
2014

Citing 9
Cited 0

Understanding The Linux Kernel

Understanding The Linux Kernel
Kernel korner: intro to inotify

Linux Journal
Accurate and Automated System Call Policy-Based Intrusion Prevention

DSN '06 Proceedings of the International Conference on Dependable Systems and Networks
System Call Monitoring Using Authenticated System Calls

IEEE Transactions on Dependable and Secure Computing
Intrusion detection using sequences of system calls

Journal of Computer Security
Application Sandbox Model Based on System Call Context

CMC '10 Proceedings of the 2010 International Conference on Communications and Mobile Computing - Volume 01
Intrusion Detection Based on Variable Prefix of System Call

NSWCTC '10 Proceedings of the 2010 Second International Conference on Networks Security, Wireless Communications and Trusted Computing - Volume 01
A gray-box DPDA-based intrusion detection technique using system-call monitoring

Proceedings of the 8th Annual Collaboration, Electronic messaging, Anti-Abuse and Spam Conference
System Call Interception Framework for Data Leak Prevention

EDOC '11 Proceedings of the 2011 IEEE 15th International Enterprise Distributed Object Computing Conference

Quantified Score

Hi-index	0.00

Visualization

Abstract

System call information has been one of the most important candidates for intrusion detection and forensic analysis research during the last several years. This paper focuses on extraction of system call information in terms of system call identifier from within the VFS layer of the Linux kernel. Treating the kernel as a trusted computing base, issues of accurate, authentic extraction of file timestamp metadata has been addressed in Das et al. 2012. In this research, we propose a method to extract the system call identifier from the kernel stack with an intention to strengthen the file timestamp metadata log with the system call identifier of the system call 'for which' the file timestamp metadata log is taken. This ensures a tight coupling based correlation between file timestamp extraction and identification of the event responsible for such an access, from within the kernel.