Application Sandbox Model Based on System Call Context

Abstract

An application sandbox model based on system call context is proposed and applied to intrusion detection. It overcomes some drawbacks of traditional special-purpose sandboxes: inconvenience for selecting sandbox with user involvement and inaccuracy of intrusion detection for different applications of the same class. The application sandbox, modeling for an application, introduces the improved program behavioral automaton, focuses on both control flow and data flow information involving system call arguments, and uses a new approach for presentation of system call context by context value. The experimental results show that our model can capture the system call context accurately with low time overhead and can well detect intrusions based on control flow and data flow.