Log In Sign Up

A Planning Approach to Monitoring Behavior of Computer Programs

We describe a novel approach to monitoring high level behaviors using concepts from AI planning. Our goal is to understand what a program is doing based on its system call trace. This ability is particularly important for detecting malware. We approach this problem by building an abstract model of the operating system using the STRIPS planning language, casting system calls as planning operators. Given a system call trace, we simulate the corresponding operators on our model and by observing the properties of the state reached, we learn about the nature of the original program and its behavior. Thus, unlike most statistical detection methods that focus on syntactic features, our approach is semantic in nature. Therefore, it is more robust against obfuscation techniques used by malware that change the outward appearance of the trace but not its effect. We demonstrate the efficacy of our approach by evaluating it on actual system call traces.


page 1

page 2

page 3

page 4


MAIL: Malware Analysis Intermediate Language

This paper introduces and presents a new language named MAIL (Malware An...

HeNet: A Deep Learning Approach on Intel^ Processor Trace for Effective Exploit Detection

This paper presents HeNet, a hierarchical ensemble neural network, appli...

Trace Refinement in B and Event-B

Traces are used to show whether a model complies with the intended behav...

SMART: Semantic Malware Attribute Relevance Tagging

With the rapid proliferation and increased sophistication of malicious s...

Learning Test Traces

Modern software projects include automated tests written to check the pr...

NtMalDetect: A Machine Learning Approach to Malware Detection Using Native API System Calls

As computing systems become increasingly advanced and as users increasin...

Classroom Technology Deployment Matrix: A Planning, Monitoring, Evaluating and Reporting Tool

We present the Classroom Technology Deployment Matrix (CTDM), a tool for...

1 Introduction

Malware is a serious threat for computer and Internet security for both individuals and entities. 430 million new unique pieces of malware were detected by Symantec in 2015, and 94.1 millions of malware variants during only the month of February 2017. Not surprisingly, to counter this threat, many techniques for malware detection have been proposed. In this paper we are interested in the more general problem of understanding the behaviors taking place in the system. Given this information, one can determine whether they are malicious or not, and if malicious, provide an informed response.

The standard approach to this problem is to use pattern-recognition methods, which are syntactic in nature. Roughly speaking, they view the input, whether code or events, as a long string of symbols, and seek properties of these strings that help classify them. To fool these methods, malware attempts to obfuscate its behavior by changing the sequence’s properties 

[You and Yim2010]. Semantic methods, instead, try to model the underlying system, seeking to understand the input’s meaning, where in this paper, the input used is the system-call trace.111A system call is a mechanism used by a program to request from the operating system services it cannot perform directly, such access to hardware, files, network or memory. Therefore, they have the potential to be more robust to obfuscation attempts.

The most extreme and most accurate semantic approach is a faithful simulation of every trace followed by careful analysis of the resulting system state. This is impractical: the analysis of the state of a computer following each trace is a non-trivial time consuming task that requires deducing high-level insights from the low level state and can only be conducted by experts.

Instead, we propose a methodology that uses an abstract system model based on AI-planning languages and models. It requires a one-time, off-line effort by an expert, and can be used automatically to analyze each trace: An expert that understands the semantics of system calls generates a planning operator for every system call. Each operator describes how the state of the system changes in response to the application of some system call. Each operator is an abstraction that attempts to capture the system call’s relevant effects. The abstraction process also involves the generation of a set of propositions describing the system state. Now, given a system call trace, instead of simulating it on the real system, we simulate the corresponding planning operators on the abstract state. The propositions true in the resulting state give us the needed information about what behaviors were carried out by this code. This approach is fast and difficult to fool: obfuscation techniques that do not impact the actual behavior will not impact relevant aspects of the state.

In what follows we describe this methodology using examples, and demonstrate its advantages by comparing it to statistical methods on actual system calls related to a mail application.

2 Related work

[Forrest et al.1996] is considered the seminal work which pushed forward research on methods and representations of operating system process monitoring based on system calls. [Warrender, Forrest, and Pearlmutter1999]

provides an early comparison of machine learning methods for modeling process behavior.

[Gao, Reiter, and Song2004] introduces the model of execution graph, and behavior similarity-measure based on the execution graph. [Mutz et al.2006]

combines multiple models into an ensemble to improve anomaly detection.

[Xu and Shelton2010]

applies continuous time Bayesian network (CTBN) to system call processes to account for time-dependent features and address high variability of system call streams over time.

[Kim et al.2016] applies a deep LSTM-based architecture to sequences of individual system calls, treating system calls as a language model.

Initially, only system call indices were used as features [Forrest et al.1996, Warrender, Forrest, and Pearlmutter1999]. [Liu et al.2005] compares three different representations of system calls: -grams of system call names, histograms of system call names, and individual system calls with associated parameters. [Poulose Jacob and Surekha2007] proposes the use of system call sequences of varying length as features. [Liu et al.2005, Tandon and Chan2006] investigate extracting features for machine learning from arguments of system calls. [Wressnegger et al.2013] studies novel techniques of anomaly detection and classification using -grams of system calls. [Canzanese, Mancoridis, and Kam2015] conducts a case study of

-gram based feature selection for system-call based monitoring, and analyses the influence of the size of the

-gram set and the maximum -gram length on detection accuracy.

Other work attempted to detect behaviors in a semantic way, using abstract representations of behaviors based on low level events and various techniques for detection. They all carry the notion of state, keeping track of effects of previous events. [Christodorescu et al.2005] is the first to introduce semantics to characterize malicious behaviors. It builds behavior templates from binaries using formal semantics, which is used through a semantics-aware algorithm for detection. [Martignoni et al.2008] builds multi-layered behavior graphs from low level events used through a behavior matcher. [Jacob, Debar, and Filiol2009] uses attribute grammars for abstraction and specification, using parallel automata for parsing and detection. [Tokhtabayev, Skormin, and Dolgikh2010] specifies behaviors through UML activity diagrams from which one generates colored Petri Nets for detection. [Beaucamps, Gnaedig, and Marion2012] uses first-order linear temporal logic to specify behaviors and model checking techniques for detection. [Ezzati-Jivan and Dagenais2012] offers an advanced state-full approach where behaviors are specified as finite state machines. Our approach is more fine-grained and general. We model the actual operators, not the target behaviors, although the model is informed by the behaviors. We illustrate this using the reverse shell example in the next section.

Behavior recognition is closely related to plan and goal recognition [Sukthankar et al.2014]. Given a sequence of observed actions, the goal is to try to infer the actor’s intentions. Typically, the output is a ranked list of hypothesized goals. Most work assumes a library of possible behavior instances, i.e., plans, an approach limited in its ability to go beyond known instances. Probabilistic techniques, such as [Baker, Tenenbaum, and Saxe2005]

use Bayesian methods to assess the probability of various goals based on the actions involved. An influential recent approach is plan-recognition as planning 

[Ramírez and Geffner2009], where the authors do away with the assumption of an explicit plan library. The plan library is replaced by a model of the domain (which implicitly defines the set of possible plans), and the goal is to compute a good plan that is closest to the observed behavior. This line of work is appropriate when the observations are a subset of the actual actions taken, or when we attempt to recognize the goal before plan completion. We attempt to recognize malicious behavior off-line given a complete trace, although extensions for the online setting are natural.

3 Background

3.1 AI Planning

AI Planning is a decision making technique used to find sequences of actions that can transform a system from some initial state into a goal state. Formally, a classical planning problem is a tuple: . where: is a set of primitive propositions describing properties of interest of the system; is the action set. Each action transforms the state of the system in some way; is the start state; and is the goal condition — usually a conjunction of primitive propositions. A state of the world, , assigns truth values to all . Recall that a literal is simply a primitive proposition or its negation.

An action is a pair, {pre(), effects()}, where pre() is a conjunction of literals, and effects() is a set of pairs denoting conditional effects. We use to denote the state that is obtained when is executed in state . If does not satisfy all literals in pre(), then is undefined. Otherwise, assigns to each proposition the same value as , unless there exists a pair effects() such that and assigns a different value than . We assume that is well defined, that is, if then pre() is consistent, and that if both effects() and for some state , then is consistent.

The classical planning problem is defined as follows: given a planning problem , find a sequence of actions (a.k.a. a plan) such that .

To illustrate this model, consider a simplified domain with three action types: socket, listen, and accept. These actions model the effect of system calls that create a socket, listen for an incoming connection, and accept a connection. For the sake of this example, we ignore various parameters of these system calls, and assume that system calls do not fail.

The set contains: {(opened socket-descriptor), (listening socket-descriptor), (connected socket-descriptor)}, where socket-descriptor is a parameter that we abbreviate as sd. The set of actions is:

  • socket(returned-sd) with precondition: (opened returned-sd), and the effect: (opened returned-sd)222A more faithful model will use conditional effects instead, and will also consider their return value.

  • listen(sd) has no precondition and the conditional effect: (listening sd) when (opened sd) (listening sd)

  • accept(sd, returned-sd) has the preconditions: (listening sd) and the effects: (opened returned-sd) and (connected returned-sd)

The plan socket(sd1), listen(sd1), accept(sd1, sd2) is a legal plan. Initially, all propositions are false. Because (opened sd1) is false, we can apply socket(sd1). Once applied, (opened sd1), the precondition of listen, becomes true. This results in (listening sd1) becoming true. Finally, accept needs a socket descriptor in the state listening (sd1) and another having opened false (sd2). It now sets sd2 to opened and connected. Given the resulting state, we recognize that a host connected itself to our local server.

On the other hand, the plan: socket(sd1), accept(sd1, sd2) is invalid because the preconditions of accept are not all sastified: (listening sd2) is not set to true.

Typically, planning models are used for generating plans. Thus, in the above example, a planning algorithm could find the (abstracted) sequence of system calls required to achieve various goals. Our focus in this paper is on the planning model itself — the propositions and the operators, as an abstraction of the operating system. The acting agent is a running process, the OS is the environment in which it is acting, and its system-call trace defines the plan, via our mapping. To determine what the process is doing, we simply observe the abstract state of the OS. For the purpose of this paper, we consider that the OS abstraction has a unique running and single thread process.

4 Our approach

We propose to build an abstract system model and simulate an abstraction of the system call trace on it.

The manual part of our approach is the construction of the abstraction. We associate an action with each system call, with preconditions (typically empty) and effects (typically conditional). The set of propositions that we use to describe the system is informed by the type of behaviors we want to capture. For example, whether channels were opened, files accessed, information transmitted over a channel, etc. An action describes what new facts will become true following the execution of the system call it models, possibly conditional on other facts being true prior to its execution.

We illustrate this using the example of a remote shell: a command line interface controlled by a remote host often used by attackers to execute system commands. We focus on the reverse shell, where a host connects itself to a remote server. Starting a reverse shell requires a few steps: (1) Create a socket. (2) Independently connect the socket to an endpoint and duplicate the socket descriptor to the standard input and output (so that the input and output streams go through the socket). (3) Execute a shell.

We use system calls socket, connect, dup, fcntl, close and execve that, respectively, create a socket, connect a socket to a remote host, duplicate a socket, set properties to a socket, close a socket, and execute a program.

Propositions. The propositions are: (opened fd), (is-socket fd), (equal-fds fd1 fd2), (close-on-exec fd), (connected sd), (is-shell path), (remote-shell-started)

Initial state. The initial state initiates the resources used by a process when it starts, and taints the ones that have targeted properties:

  • Propositions (opened fd0), (opened fd1), (opened fd2) are set to true, as fd0/1/2 denote standard input/output/error, respectively, and these files are open.

  • Shell executable paths are tainted. We assume that we know all of those presents on the operating system. We handle two of them in this example: /bin/sh and /bin/bash that we name respectively sh and bash. Thus, (is-shell sh) and (is-shell bash) are set to true.

Actions. Planning operators are a simplified abstraction of the system calls. Since system calls called with wrong arguments do not make programs crash, and have no effect, the corresponding actions use conditional effects only – i.e., they are always executable but change the state only if their conditions are met.

  • socket(returned-sd, cloexec) has the effects:
    The flag FD_CLOEXEC is represented by the boolean cloexec.

    • (opened returned-sd)(is-socket returned-sd) if (opened returned-sd)

    • (close-on-exec returned-sd) if (opened returned-sd)(= cloexec True)

  • connect(sd) has the effects:

    • (connected sd) if (opened sd)(is-socket sd)(connected sd)

    • (connected fd) if (equal-fds sd fd)(opened sd)(is-socket sd)(connected sd)

  • dup(sd, returned-sd) has the effects:

    • (opened returned-sd)(equal-fds sd returned-sd)(equal-fds returned-sd sd) if (opened sd)(opened returned-sd)

    • (is-socket returned-sd) if (is-socket sd)(opened sd)(opened returned-sd)

    • (connected returned-sd) if (connected sd)(opened sd)(opened returned-sd)

    • (equal-fds fd returned-sd)(equal-fds returned-sd fd) if (equal-fds fd sd)(opened returned-sd)

  • fcntl(sd, command, returned-sd, cloexec) has the effects:
    returned-sd is the argument of the command F_DUPFD and cloexec is the argument of the command F_SETFD. F_DUPFD_CLOEXEC uses both.
    The flag FD_CLOEXEC is represented by the boolean cloexec.

    • same effects as dup(sd, returned-sd) if (= command F_DUPFD)(= command F_DUPFD_CLOEXEC)

    • (close-on-exec sd) if [[(= command F_SETFD)(= cloexec True)](= command F_DUPFD_CLOEXEC)](opened sd)(opened returned-sd)

    • (close-on-exec sd) if (= command F_SETFD)(= cloexec False)(opened sd)(opened returned-sd)

  • close(sd) has the effects:

    • (opened sd)(is-socket sd) (connected sd)(close-on-exec sd)

    • (equal-fds sd fd)(equal-fds fd sd)

  • execve(path) has the effect:

    • (remote-shell-started) if (is-shell path) (connected fd)(close-on-exec fd)[(= fd fd0)(equal-fds fd fd0)][(= fd fd1)(equal-fds fd fd1)]

4.0.1 Valid plans

Figure 1: Valid Plans for the Reverse Shell domain

The five different valid plans shown in Figure 1 show how diverse the plans are even for such a simple example. Plan 1 is the standard sequence performed to establish a reverse shell, which appears in most shellcode databases. Plan 2 uses the fact that we know that system call socket allocates the lowest file descriptor available. Calling close(fd0) before socket avoids the duplication of the socket on the file descriptor 0. Plan 3 replaces one system call by an equivalent one: dup is replaced by fcntl called with the command F_DUPFD. Plan 4 demonstrates that planning captures and updates correctly properties set by flags and through different system calls. The flag FD_CLOEXEC is first set through system call socket, and reset later by fcntl called on F_SETFD. Plan 5 shows that planning is able to follow complex flow of operation on file descriptors. The key point is that, despite major differences in appearance, which are likely to fool syntactic methods (certainly, if some of the plans were not available previously), our semantic approach recognizes the behavior they implement.

The main effort required by our approach is building an appropriate model for each system call. This model is informed by the basic set of low-level behaviors one would like to model. Once completed, we can simulate any sequence of system calls by applying them to an initial state of the abstract system using any planning simulator/validator. By examining the final state of the system, we can recognize which behaviors took place. Thus, the off-line modeling task is done once, and the resulting model can be used repeatedly, automatically, and very cheaply, to analyze programs.

The (manual) abstraction process is flexible. We can use it to identify simple behaviors, such as create a socket, connect to a remote host, read data from socket, open file for writing, write into file, etc. And we can also recognize complex behaviors by detecting combinations of simple behaviors. For example, downloading a file requires reading data from a connected socket and writing it to an opened file. Thus, once we have the low-level behaviors, it is easy to capture the higher level ones. We can do this by either modifying the action model or by adding axioms, which are a method of adding a simple form of inference to planning. With such a layered approach, basic behaviors can be reused to identify multiple high level behaviors.

As this model is an abstraction, some information is lost in this model, and the method cannot be 100% correct and capture every nuance. Much can be captured by building a more elaborate model, but some aspects, such as accurate modeling of system resources, are not likely to be practical.

5 Empirical evaluation

In the previous section we demonstrated the capabilities of our approach to recognize behaviors on the reverse shell domain, where our planning model is able to recognize the same behavior generated in different ways. We now want to highlight our ability to recognize complex, higher level behaviors that are built from lower level behaviors, compared to statistical methods that are quite popular in this area. To do this, we consider the behavior of real processes involved in a mail service. Given the system call trace logs of several processes, we attempt to recognize which behavior is realized by each of the processes, such as sending an email via SMTP, collecting an email from a remote server via IMAP, and so on. The code and data set used for the empirical evaluation can be obtained from a Git repository at

5.1 Data Collection

Figure 2: A mail service setup for evaluation of planning approach on mail delivery activities

We generate system call traces of processes running in a mail service (Figure 2). The setup consists of two hosts: the client and the server, and involves a number of processes, denoted in what follows in italic. The hosts collect emails from an external server. In order to provide sufficient volume and diversity of the data processed, we opened a dedicated email account with a web-based email service, and subscribed to multiple promotion and notification mailing lists. On the client, fetchmail is used to retrieve emails from a web-based email provider via the IMAP protocol. Then, procmail dispatches received emails, which are then sent by postfix to the server via SMTP protocol. The server’s postfix process receives the emails, passes them through the amavis antivirus and stores in the local filesystem. The dovecot process serves emails via the IMAP protocol. The emails are retrieved by the client’s fetchmail, and stored in the filesystem. We use Docker [Hykes2013 2017] to run containers encapsulating the mail server and mail client hosts, and sysdig [Draios, Inc.2012 2016] to record the system calls.

We analyze system call traces of the following processes: smtpd, fetchmail on the client, fetchmail on the server, imap-login, all other processes.

These processes realize the following behaviors:

  • receiving an email over the SMTP protocol;

  • receiving an email over IMAP protocol;

  • forwarding an email from the client to the server;

  • IMAP connection setup and authentication;

  • other behaviours not tracked by the system.

We use 440 samples for each process (including other). Data is split into training and test sets as 66%/33%.

Statistical Classification.

 We compare our goal-tracking approach to a baseline, commonly used statistical classification of processes based on system call sequences. We train a statistical classifier (random forest) on the collected system call traces. This classification approach is similar to approaches used in system call monitoring literature 

[Canali et al.2012],  [Firdausi et al.2010]

. We use bi-gram vectorization of the system call names. Our vocabulary contains 100 most recurrent bi-grams in the corpus. Thus, each sample is represented by a vector of 100 elements, where each element in the vector represents one of the bi-grams in the vocabulary and the values represent the

number of times a specific bi-gram appeared in that sample. For example, if the first 4 elements in the vector correspond to bi-grams (open, read), (read, write), (write, read), and (write, close), a system call trace

open, read, write, read, write, close

will produce a bi-gram vector:

We proceed with the empirical evaluation as follows:

  1. We train a classifier that classifies each of the behaviors based on non-obfuscated system call sequences. The classifier achieves 97% accuracy.

  2. We create obfuscated samples in a way that ‘breaks’ the bi-grams by inserting a system call that has no effect on the process behavior (for example, sleep with a sufficiently small argument) in between each couple of system calls in the sequence. This method is called adding semantic no-ops and is the focus of [Rosenberg and Gudes2017]. When testing the statistical model on the obfuscated data we get 0% accuracy (all samples in the test set are classified as ‘other’).

  3. We retrain our model on both obfuscated and non-obfuscated data. It now achieves accuracy.

Planning-based Classification  Information contained in the system logs and manual inspection of system call traces in the training set are used to specify the planning domain and the goal for each of the behaviors. Then, the VAL plan validation system [Long2014] is used to classify system call traces in the test set. The planning-based classifier based on the domain built for the original, non-obfuscated system call logs is applied to both non-obfuscated and obfuscated system call traces. In both cases, the planning based classifier reaches over 98% accuracy. Manual inspection of the misclassified samples suggests that the samples correspond to failed communication between components of the mail service.

Random forest Planning-based
Original 97% 98%
Obfuscated 0% 98%
Re-trained 66% 98%
Table 1: Classification accuracy on real system logs

Table 1 summarizes the results. Our goal-tracking approach successfully classifies processes. Statistical methods are able to distinguish between different processes, but are prone to obfuscation. The obfuscation technique we used in this case study is particularly challenging for statistical classification, and with other obfuscation techniques the difference in accuracy might not be as sharp. However, the planning-based approach is inherently more robust in the face of obfuscation, as it captures semantic behavior, which must remain intact, rather than just statistical manifestations, which can be easily altered.

6 Discussion and future work

We presented an approach for monitoring computer programs using an abstract model of the system state and the basic ”actions” that operate on this state — system calls, in our case. The method is semantic in nature, and hence not prone to the weaknesses of syntactic methods that consider the command sequences form rather than their meaning. Unlike statistical methods that, in principle, can be fully automated, our approach has a non-trivial, one-time manual modeling step. But once the model is constructed, it can be used automatically and with little cost.

We demonstrated the effectiveness of our method by first showing how we capture a simple low level behavior that has diverse implementations using a simple model. Syntactically, each implementation is quite different, yet the common semantics can be captured by modeling just a few system calls. Then, we showed how we detect more complex, higher level behavior with almost perfect accuracy, without being affected by obfuscation techniques that easily fool state-of-the-art statistical methods. The approach used here can be used for other applications beyond system-call logs, such as analysis of transactions, HTTP logs, and more. Moreover, we believe that it could complement statistical methods by allowing us to run statistical analysis on the higher level features generated by our abstract state.


  • [Baker, Tenenbaum, and Saxe2005] Baker, C. L.; Tenenbaum, J. B.; and Saxe, R. 2005. Bayesian models of human action understanding. In NIPS’05, 99–106.
  • [Beaucamps, Gnaedig, and Marion2012] Beaucamps, P.; Gnaedig, I.; and Marion, J.-Y. 2012. Abstraction-Based Malware Analysis Using Rewriting and Model Checking. Springer. 806–823.
  • [Canali et al.2012] Canali, D.; Lanzi, A.; Balzarotti, D.; Kruegel, C.; Christodorescu, M.; and Kirda, E. 2012. A quantitative study of accuracy in system call-based malware detection. In ISSTA 2012, 122–132.
  • [Canzanese, Mancoridis, and Kam2015] Canzanese, R.; Mancoridis, S.; and Kam, M. 2015. System call-based detection of malicious processes. In Int. Conf. on Software Quality, Reliability and Security, QRS ’15, 119–124.
  • [Christodorescu et al.2005] Christodorescu, M.; Jha, S.; Seshia, S. A.; Song, D.; and Bryant, R. E. 2005. Semantics-aware malware detection. In SP ’05, 32–46.
  • [Draios, Inc.2012 2016] Draios, Inc. 2012–2016. Sysdig.
  • [Ezzati-Jivan and Dagenais2012] Ezzati-Jivan, N., and Dagenais, M. R. 2012. A stateful approach to generate synthetic events from kernel traces. Adv. Soft. Eng. 2012:6:6–6:6.
  • [Firdausi et al.2010] Firdausi, I.; lim, C.; Erwin, A.; and Nugroho, A. S. 2010. Analysis of machine learning techniques used in behavior-based malware detection. In ACT ’10, 201–203.
  • [Forrest et al.1996] Forrest, S.; Hofmeyr, S. A.; Somayaji, A.; and Longstaff, T. A. 1996. A sense of self for unix processes. In IEEE Sym. on Security and Privacy, 120–128.
  • [Gao, Reiter, and Song2004] Gao, D.; Reiter, M. K.; and Song, D. 2004. Gray-box extraction of execution graphs for anomaly detection. In CCS’04, 318–329. ACM.
  • [Hykes2013 2017] Hykes, S. 2013–2017. Docker.
  • [Jacob, Debar, and Filiol2009] Jacob, G.; Debar, H.; and Filiol, E. 2009. Malware behavioral detection by attribute-automata using abstraction from platform and language. In RAID ’09, 81–100.
  • [Kim et al.2016] Kim, G.; Yi, H.; Lee, J.; Paek, Y.; and Yoon, S. 2016. Lstm-based system-call language modeling and robust ensemble method for designing host-based intrusion detection systems. arXiv preprint arXiv:1611.01726.
  • [Liu et al.2005] Liu, A.; Martin, C.; Hetherington, T.; and Matzner, S. 2005. A comparison of system call feature representations for insider threat detection. In Information Assurance Workshop ’05, 340–347. IEEE.
  • [Long2014] Long, D. 2014. VAL: The plan validation system.
  • [Martignoni et al.2008] Martignoni, L.; Stinson, E.; Fredrikson, M.; Jha, S.; and Mitchell, J. C. 2008. A layered architecture for detecting malicious behaviors. In RAID’08, 78–97.
  • [Mutz et al.2006] Mutz, D.; Valeur, F.; Vigna, G.; and Kruegel, C. 2006. Anomalous system call detection. ACM Trans. Inf. Syst. Secur. 9(1):61–93.
  • [Poulose Jacob and Surekha2007] Poulose Jacob, K., and Surekha, M. V. 2007. Anomaly detection using system call sequence sets. Journal of Software 2(6).
  • [Ramírez and Geffner2009] Ramírez, M., and Geffner, H. 2009. Plan recognition as planning. In IJCAI’09, 1778–1783.
  • [Rosenberg and Gudes2017] Rosenberg, I., and Gudes, E. 2017. Bypassing system calls-based intrusion detection systems. Concurrency and Computation: Practice and Experience 29(16).
  • [Sukthankar et al.2014] Sukthankar, G.; Geib, C.; Bui, H.; Pynadath, D.; and Goldman, R. P., eds. 2014. Plan, Activity, and Intent Recognition. Elsevier.
  • [Tandon and Chan2006] Tandon, G., and Chan, P. K. 2006. On the learning of system call attributes for host-based anomaly detection. Int. J. of AI Tools 15(06):875–892.
  • [Tokhtabayev, Skormin, and Dolgikh2010] Tokhtabayev, A.; Skormin, V.; and Dolgikh, A. 2010. Dynamic, resilient detection of complex malicious functionalities in the system call domain. In MILCOM’10, 1349–1356.
  • [Warrender, Forrest, and Pearlmutter1999] Warrender, C.; Forrest, S.; and Pearlmutter, B. 1999. Detecting intrusions using system calls: Alternative data models. In IEEE Sym. on Security and Privacy, 133–145.
  • [Wressnegger et al.2013] Wressnegger, C.; Schwenk, G.; Arp, D.; and Rieck, K. 2013.

    A close look on n-grams in intrusion detection: Anomaly detection vs. classification.

    In ACM WS on AI and Security, 67–76. New York, NY, USA: ACM.
  • [Xu and Shelton2010] Xu, J., and Shelton, C. R. 2010. Intrusion detection using continuous time bayesian networks. JAIR 39:745–774.
  • [You and Yim2010] You, I., and Yim, K. 2010. Malware obfuscation techniques: A brief survey. In BWCCA ’10, 297–300.