Extracting the system call identifier from within VFS: a kernel stack parsing-based approach
Online publication date: Wed, 02-Jul-2014
by Suvrojit Das; Debayan Chatterjee; D. Ghosh; Narayan C. Debnath
International Journal of Information and Computer Security (IJICS), Vol. 6, No. 1, 2014
Abstract: System call information has been one of the most important sources of data for intrusion detection and forensic analysis research in recent years. This paper focuses on extracting system call information, in the form of the system call identifier, from within the VFS layer of the Linux kernel. Treating the kernel as a trusted computing base, the issues of accurate, authentic extraction of file timestamp metadata were addressed in Das et al. (2012). In this work, we propose a method to extract the system call identifier from the kernel stack, with the intention of strengthening the file timestamp metadata log with the identifier of the system call for which the log entry is taken. This provides a tightly coupled correlation, established from within the kernel, between the extraction of a file timestamp and the identification of the event responsible for that access.
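The abstract does not say how the identifier is located on the stack, so the following is an added illustration, not code from the paper: a userspace model of the x86-64 layout in which the Linux kernel saves the user registers in a struct pt_regs at the top of the task's kernel stack on system call entry. The struct layout and THREAD_SIZE below are assumptions copied from the x86-64 convention (arch/x86/include/asm/ptrace.h); the stack page is a constructed buffer. The point it demonstrates is that the identifier survives in orig_ax even after ax has been overwritten with the return value, that orig_ax holds -1 when the saved frame is not a syscall frame, and that the frame can be found from any address on the stack by aligning down to THREAD_SIZE. Inside a real kernel you would use task_pt_regs(current) and syscall_get_nr() rather than parsing by hand.

```c
/* Added example (not the paper's code): a userspace model of recovering the
 * system call identifier from the top of a Linux x86-64 kernel stack.
 * Assumed: 16 KiB THREAD_SIZE and the x86-64 struct pt_regs member order. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define THREAD_SIZE (16 * 1024)  /* assumed kernel stack size (x86-64 default) */

/* Register save area, same member order as struct pt_regs on x86-64. */
struct pt_regs_x86_64 {
    uint64_t r15, r14, r13, r12, bp, bx;
    uint64_t r11, r10, r9, r8, ax, cx, dx, si, di;
    uint64_t orig_ax;  /* syscall number at entry; -1 when not in a syscall */
    uint64_t ip, cs, flags, sp, ss;
};

/* Mirror of the kernel's task_pt_regs(): the saved frame sits just below
 * the top of the THREAD_SIZE-aligned stack allocation. */
static struct pt_regs_x86_64 *stack_pt_regs(void *stack_base)
{
    return (struct pt_regs_x86_64 *)((char *)stack_base + THREAD_SIZE) - 1;
}

/* Given any address on the kernel stack (e.g. a VFS function's local
 * variable), recover the base of the allocation by aligning down. */
static void *stack_base_from_sp(uintptr_t sp)
{
    return (void *)(sp & ~(uintptr_t)(THREAD_SIZE - 1));
}

/* Returns the syscall number recorded on this stack, or -1 if the saved
 * frame is not a syscall frame (interrupt or exception entry). */
long syscall_nr_from_stack(uintptr_t any_sp_in_stack)
{
    struct pt_regs_x86_64 *regs = stack_pt_regs(stack_base_from_sp(any_sp_in_stack));
    if (regs->orig_ax == (uint64_t)-1)
        return -1;
    return (long)regs->orig_ax;
}

/* Constructed kernel stack whose saved frame looks like a task in the
 * middle of syscall `nr`; ax already holds a return value, as it would
 * after the handler ran, so ax != orig_ax. Caller frees the result. */
void *make_fake_stack(long nr, long ret)
{
    void *base = aligned_alloc(THREAD_SIZE, THREAD_SIZE);
    if (!base)
        return NULL;
    memset(base, 0, THREAD_SIZE);
    struct pt_regs_x86_64 *regs = stack_pt_regs(base);
    regs->orig_ax = (uint64_t)nr;
    regs->ax = (uint64_t)ret;  /* clobbered; must not be used as the identifier */
    return base;
}

/* Build a frame for `nr`, read the identifier back from an arbitrary
 * offset into the stack, and free the page. */
long roundtrip(long nr, long ret, size_t offset)
{
    void *stack = make_fake_stack(nr, ret);
    if (!stack)
        return -2;
    long got = syscall_nr_from_stack((uintptr_t)stack + offset);
    free(stack);
    return got;
}

int main(void)
{
    /* 257 is __NR_openat on x86-64; the VFS open path would see this frame. */
    printf("syscall nr = %ld\n", roundtrip(257, 3, THREAD_SIZE / 2));
    printf("non-syscall frame -> %ld\n", roundtrip(-1, 0, 4096));
    return 0;
}
```

The alignment trick is what makes the lookup possible from deep inside the VFS call chain without walking frames: every kernel stack address of the task maps to the same base, and the saved frame's position relative to that base is fixed by the architecture.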