Performance Comparison for Anomaly Detection Using System Level Traces on Dynamic Utilities

© 2025 by IJETT Journal
Volume-73 Issue-11
Year of Publication : 2025
Author : Goverdhan Reddy Jidiga, Rambabu Bandi, Malla Reddy Adudhodla
DOI : 10.14445/22315381/IJETT-V73I11P120
How to Cite?
Goverdhan Reddy Jidiga, Rambabu Bandi, Malla Reddy Adudhodla, "Performance Comparison for Anomaly Detection Using System Level Traces on Dynamic Utilities", International Journal of Engineering Trends and Technology, vol. 73, no. 11, pp. 280-294, 2025. Crossref, https://doi.org/10.14445/22315381/IJETT-V73I11P120
Abstract
Adaptive information security combines a wide range of system security approaches and network security methods to create a robust defense strategy. This approach integrates various system models to protect delicate, secret, and unrestricted information from unlawful access, misappropriation, alteration, disclosure, interference, and destruction. Anomaly detection is a focused process that investigates the system's data while applications are running. This work proposes using open-source Linux log data for tracing, with the aim of enhancing system performance. The method leverages the tracing techniques available in the Linux environment to improve performance in live mode. Key tools such as BACKTRACE (bt), LTRACE, PTRACE, and STRACE enable tracing of vital system data, including introspection of function calls, investigation of library calls, signals, and a massive quantity of system calls from the stack memory, for effective anomaly detection. The paper advocates the application of adaptive anomaly detection techniques at the data level, particularly through command-level tracing with modern tracing tools. Using STRACE together with LTTng gives better results, and performance exceeds threshold levels because of the speed of LTTng (Linux Trace Toolkit Next Generation) compared to the other tracing options on system utilities. The overall DR (detection rate) is 99% in all combinations, with a low FPR (false positive rate) compared to individual process-tracing tools, and the ratio of performance stability for system profiling with dynamic (live user-space) versus static probes is also reported.
Keywords
Anomaly Detection, Stack, System Call, Strace, LTTng, Relative Difference, Return Address.
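As an added illustration of the command-level tracing approach the abstract describes (example code written for this page, not the paper's own implementation or data), the following Python script reduces constructed strace-style output to a system-call sequence, builds a profile of short call sequences (n-grams) from traces of normal runs in the manner of the sequence-of-system-calls model of Forrest et al., scores a new trace by the fraction of its sequences that never occurred in training, and reports DR and FPR over one held-out normal trace and one anomalous trace. The trace text, the utility (`cat`), the file names, the n-gram length and the threshold value are all constructed assumptions; the parser handles the `[pid N]` prefix, signal lines, exit markers and interrupted calls that `strace -f` emits, which the abstract lists among the data a trace-based detector must consume.

```python
import re

# Constructed strace-style samples (assumption: illustrative, not the paper's data).
# Layout follows `strace -f`: one call per line, optional "[pid N]" prefix, signal
# lines as "--- SIG... ---", "+++ exited ... +++" at exit, interrupted calls split
# into "<unfinished ...>" / "<... resumed>" pairs.
TRAIN_A = r"""execve("/usr/bin/cat", ["cat", "a.txt"], 0x7ffd9c1a) = 0
openat(AT_FDCWD, "a.txt", O_RDONLY) = 3
read(3, "hello\n", 131072) = 6
write(1, "hello\n", 6) = 6
--- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
read(3, "", 131072) = 0
close(3) = 0
close(1) = 0
exit_group(0) = ?
+++ exited with 0 +++"""

TRAIN_B = r"""execve("/usr/bin/cat", ["cat", "b.txt"], 0x7ffd9c1a) = 0
openat(AT_FDCWD, "b.txt", O_RDONLY) = 3
read(3, "x"..., 131072) = 131072
write(1, "x"..., 131072) = 131072
read(3, "y"..., 131072) = 512
write(1, "y"..., 512) = 512
read(3, "", 131072) = 0
close(3) = 0
close(1) = 0
exit_group(0) = ?
+++ exited with 0 +++"""

# Held-out normal run of the same utility, pid-prefixed, with one interrupted read.
TEST_NORMAL = r"""[pid 4242] execve("/usr/bin/cat", ["cat", "c.txt"], 0x7ffd9c1a) = 0
[pid 4242] openat(AT_FDCWD, "c.txt", O_RDONLY) = 3
[pid 4242] read(3, "x"..., 131072) = 131072
[pid 4242] write(1, "x"..., 131072) = 131072
[pid 4242] read(3,  <unfinished ...>
[pid 4242] <... read resumed>"y"..., 131072) = 131072
[pid 4242] write(1, "y"..., 131072) = 131072
[pid 4242] read(3, "z"..., 131072) = 37856
[pid 4242] write(1, "z"..., 37856) = 37856
[pid 4242] read(3, "", 131072) = 0
[pid 4242] close(3) = 0
[pid 4242] close(1) = 0
[pid 4242] exit_group(0) = ?
[pid 4242] +++ exited with 0 +++"""

# Anomalous run: the file utility unexpectedly talks to the network before
# writing its output (192.0.2.10 is a documentation-only address).
TEST_ANOMALOUS = r"""execve("/usr/bin/cat", ["cat", "a.txt"], 0x7ffd9c1a) = 0
openat(AT_FDCWD, "a.txt", O_RDONLY) = 3
read(3, "hello\n", 131072) = 6
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
sendto(4, "hello\n", 6, 0, NULL, 0) = 6
write(1, "hello\n", 6) = 6
read(3, "", 131072) = 0
close(3) = 0
close(1) = 0
exit_group(0) = ?
+++ exited with 0 +++"""

_PREFIX_RE = re.compile(r"^\[pid\s+\d+\]\s*")
_CALL_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\(")
_SIGNAL_RE = re.compile(r"^--- (SIG[A-Z0-9]+)")

def parse_strace(text):
    """Reduce strace output to the ordered list of call names and signal tokens."""
    tokens = []
    for raw in text.splitlines():
        line = _PREFIX_RE.sub("", raw.strip())
        if not line or line.startswith(("+++", "<...")):
            continue  # exit marker, or the resumed half of an interrupted call
        sig, call = _SIGNAL_RE.match(line), _CALL_RE.match(line)
        if sig:
            tokens.append("SIG:" + sig.group(1))
        elif call:
            tokens.append(call.group(1))
    return tokens

def ngrams(tokens, n):
    return [tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)]

def build_profile(normal_traces, n=3):
    """Normal-behaviour profile: every length-n call sequence seen in training."""
    profile = set()
    for text in normal_traces:
        profile.update(ngrams(parse_strace(text), n))
    return profile

def mismatch_rate(profile, text, n=3):
    """Fraction of a trace's length-n sequences that never occurred in training."""
    grams = ngrams(parse_strace(text), n)
    if not grams:
        return 0.0
    return sum(1 for g in grams if g not in profile) / len(grams)

def evaluate(profile, normal_tests, anomalous_tests, threshold, n=3):
    """Detection rate (DR) and false-positive rate (FPR) at a mismatch threshold."""
    hits = [mismatch_rate(profile, t, n) > threshold for t in anomalous_tests]
    false_alarms = [mismatch_rate(profile, t, n) > threshold for t in normal_tests]
    return sum(hits) / len(hits), sum(false_alarms) / len(false_alarms)

if __name__ == "__main__":
    profile = build_profile([TRAIN_A, TRAIN_B])
    print("DR, FPR =", evaluate(profile, [TEST_NORMAL], [TEST_ANOMALOUS], 0.1))
```

With trigrams, the held-out normal trace scores 0.0 because every three-call window it contains was seen in training, while the anomalous trace scores 5/9: the `socket`/`connect`/`sendto` window and its neighbours never appear in the normal profile. The threshold is what trades DR against FPR in practice; a profile built from too few normal runs flags legitimate but unseen call orderings, so the training set must cover the utility's real variation (file sizes, signals, interrupted calls) before the reported rates mean anything.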
