{"title":"A Dynamic Filtering Technique for Sebek System Monitoring","authors":"E. Balas, G. Travis, C. Viecco","doi":"10.1109/IAW.2006.1652106","DOIUrl":null,"url":null,"abstract":"In this paper we investigate the performance limits of system call based monitoring tools using the Linux version of Sebek as a focal point. We quantify the amount of uninteresting data that it collects and illustrate the problems that this creates: detection of Sebek, amount of work to analyze data, and data privacy. To mitigate these problems we propose a dynamic filtering technique. Finally we evaluate the performance of an implementation of this technique","PeriodicalId":326306,"journal":{"name":"2006 IEEE Information Assurance Workshop","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2006-06-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2006 IEEE Information Assurance Workshop","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/IAW.2006.1652106","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 4
Abstract
In this paper we investigate the performance limits of system call based monitoring tools using the Linux version of Sebek as a focal point. We quantify the amount of uninteresting data that it collects and illustrate the problems that this creates: detection of Sebek, the amount of work needed to analyze the data, and data privacy. To mitigate these problems we propose a dynamic filtering technique. Finally, we evaluate the performance of an implementation of this technique.