{"id":21241519,"url":"https://github.com/shayanb/taf","last_synced_at":"2025-03-15T04:10:22.968Z","repository":{"id":12020125,"uuid":"14603362","full_name":"shayanb/TAF","owner":"shayanb","description":"Trace Analysis Framework","archived":false,"fork":false,"pushed_at":"2013-11-23T23:40:57.000Z","size":1744,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-01-21T19:45:22.700Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/shayanb.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2013-11-21T23:34:09.000Z","updated_at":"2020-02-17T16:50:42.000Z","dependencies_parsed_at":"2022-09-06T23:10:30.483Z","dependency_job_id":null,"html_url":"https://github.com/shayanb/TAF","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shayanb%2FTAF","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shayanb%2FTAF/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shayanb%2FTAF/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shayanb%2FTAF/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/shayanb","download_url":"https://codeload.github.com/shayanb/TAF/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243681078,"owners_count":20330156,"icon_url":"https://github.com/github.png","version":null,"creat
ed_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-21T00:55:58.361Z","updated_at":"2025-03-15T04:10:22.945Z","avatar_url":"https://github.com/shayanb.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"TAF\n===\n\nTrace Analysis Framework (Version 0.2)\n\n* Parser and tools to extract system call sequences from strace trace of an application.\n\n* exports CSV of system calls: (Process ID, System Call Name/Number, Arguments, Return Values)\n\n* windows the system call sequence to W sized windows (default=6)\n\n* Use STIDE technique to check two databases (Normal, Malicious) to flag the anomaly system call sequence windows in the final file\n\n* outputs flagged system call sequence windows and converts the anomalies to system call name sequences\n\n(Support for default switches with following the forks: strace -o trace.txt -C -f file)\n\n![TAF](/docs/TAF.png)\n\nfor more information see the readme in /docs/\n\nTODO\n-----\n* Add support for adding fields in the trace (time, relative time, ...)\n\n* Automate the whole process (not sure if this is needed, cause personally I needed every output of each python file so that would be one run for all the outputs.)\n\n\n\nSTIDE technique Readings:\n------------------------\nForrest et al. employed a methodology motivated by immune systems. \nThis characterizes the problem as distinguishing ‘self’ from ‘non-self’ (normal and abnormal behaviors respectively). An event horizon is built from a sliding window applied to the sequence of system calls made by an application during normal use. 
The sequences formed by the sliding window are stored in a table that establishes the normal behavior model. During the deployment (detection) phase, if the pattern from the sliding window is not in the normal behavior database it is considered a mismatch.\nInput to the Stide detector takes the form of system call traces of the application for which the detector is trained. Specifically, Stide builds a “normal database” by segmenting the training data (system call traces) into fixed-length sequences. To do so, a sliding window of size N is moved over the training data and the resulting system call patterns are stored in the “normal database”. During testing, the same window size is applied to the test data; each resulting pattern is looked up in the “normal database” and, if it is absent, a mismatch is recorded. Given a window size of N and a system call trace of length M, the anomaly rate for the trace is the number of mismatches divided by the number of sliding window patterns (i.e. M – N + 1).\n[4]\n\n\n1- S. Forrest, S. Hofmeyr, A. Somayaji, and T. Longstaff, “A sense of self for Unix processes,” in Proc. 1996 IEEE Symposium on Security and Privacy, May 1996, pp. 120–128.\n\n2- S. Forrest, S. A. Hofmeyr, and A. Somayaji, “Computer immunology,” Commun. ACM, vol. 40, no. 10, pp. 88–96, Oct. 1997. [Online]. Available: http://doi.acm.org/10.1145/262793.262811\n\n3- S. A. Hofmeyr, S. Forrest, and A. Somayaji, “Intrusion detection using sequences of system calls,” Journal of Computer Security, vol. 6, no. 3, p. 151, 1998. [Online]. Available: http://search.ebscohost.com/login.aspx?direct=true\u0026db=tsh\u0026AN=1531432\u0026site=ehost-live\n\n4- Kayacık, H. G., \u0026 Zincir-Heywood, A. N. (2008). Mimicry Attacks Demystified: What Can Attackers Do To Evade Detection? (A. N. 
Zincir-Heywood, Ed.), 1–11.\n\n\n\nThe MIT License (MIT)\n----------------------\n\nCopyright (c) [2013] [Shayan Eskandari] [Shayan [ a t ] theshayan.com]\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshayanb%2Ftaf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fshayanb%2Ftaf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshayanb%2Ftaf/lists"}
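Worked example of the pipeline the README describes: parse `strace -f` output into per-process system call sequences (the CSV rows TAF exports), cut them into W-sized windows, build the STIDE "normal database" and score a second trace by the Forrest/Hofmeyr anomaly rate mismatches / (M - N + 1). This is an added illustration, not TAF's own code; the function names, the PIDs 1000/1001, the file names and every strace line are constructed for the example, and the default N = 6 mirrors TAF's default W = 6.

```python
"""Added example, not TAF's own code: parse strace -f output into per-process
system-call sequences, build a STIDE normal database of N-length windows and
score another trace by mismatches / (M - N + 1)."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# One strace line: "1000 read(...)" (-f -o), "[pid 1000] read(...)" (-f to
# stderr) or "read(...)" (no -f). A call cut by a context switch ends in
# "<unfinished ...>" and is counted there; its "<... read resumed>" line,
# signal lines and "+++ exited +++" lines never match and are dropped.
CALL_RE = re.compile(
    r'^(?:\[pid\s+(?P<pid_a>\d+)\]\s+|(?P<pid_b>\d+)\s+)?'
    r'(?P<name>[A-Za-z_][A-Za-z0-9_]*)\((?P<args>.*?)'
    r'(?:\)\s*=\s*(?P<ret>.*)|\s*<unfinished \.\.\.>)$')
Row = Tuple[int, str, str, str]   # (PID, syscall, arguments, return value)
Window = Tuple[str, ...]

def parse_strace(text: str) -> List[Row]:
    """The CSV rows TAF exports; PID 0 stands for a trace taken without -f."""
    rows: List[Row] = []
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if m:
            pid = int(m.group('pid_a') or m.group('pid_b') or 0)
            ret = '<unfinished>' if m.group('ret') is None else m.group('ret').strip()
            rows.append((pid, m.group('name'), m.group('args').strip(), ret))
    return rows

def sequences(rows: List[Row]) -> Dict[int, List[str]]:
    """Call-name sequence per process, in trace order (forks are followed)."""
    seqs: Dict[int, List[str]] = defaultdict(list)
    for pid, name, _, _ in rows:
        seqs[pid].append(name)
    return dict(seqs)

def windows(seq: List[str], n: int) -> List[Window]:
    """Sliding windows of length n; a sequence shorter than n yields none."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]

def build_normal_db(traces: List[str], n: int = 6) -> Set[Window]:
    """STIDE training: every n-window that occurs in the normal traces."""
    db: Set[Window] = set()
    for text in traces:
        for seq in sequences(parse_strace(text)).values():
            db.update(windows(seq, n))
    return db

class Score(NamedTuple):
    mismatches: int
    total: int                          # M - N + 1 windows for this PID
    flagged: List[Tuple[int, Window]]   # (offset in the sequence, window)

def stide_score(text: str, db: Set[Window], n: int = 6) -> Dict[int, Score]:
    """STIDE detection per process: a window absent from db is a mismatch."""
    out: Dict[int, Score] = {}
    for pid, seq in sequences(parse_strace(text)).items():
        ws = windows(seq, n)
        flagged = [(i, w) for i, w in enumerate(ws) if w not in db]
        out[pid] = Score(len(flagged), len(ws), flagged)
    return out

def anomaly_rate(scores: Dict[int, Score]) -> float:
    """Mismatches over all windows of the trace; 0.0 when no process was long
    enough to form a window (a short-lived child is no evidence either way)."""
    total = sum(s.total for s in scores.values())
    return sum(s.mismatches for s in scores.values()) / total if total else 0.0

# Constructed "strace -f -o" trace, not a real capture: a plain "cat f".
NORMAL_TRACE = r"""
1000 execve("/bin/cat", ["cat", "f"], 0x7ffd) = 0
1000 brk(NULL) = 0x55d0
1000 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00
1000 openat(AT_FDCWD, "f", O_RDONLY) = 3
1000 fstat(3, {st_mode=S_IFREG|0644, st_size=12, ...}) = 0
1000 read(3, "hello world\n", 131072) = 12
1000 write(1, "hello world\n", 12) = 12
1000 read(3, "", 131072) = 0
1000 close(3) = 0
1000 exit_group(0) = ?
1000 +++ exited with 0 +++
"""
# SUSPECT_TRACE: the same run with a fork/exec of a shell spliced in before the
# write; it also exercises the unfinished/resumed, signal and exit lines.
SUSPECT_TRACE = NORMAL_TRACE.replace('1000 write(1', r"""1000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD, child_tidptr=0x7f01) = 1001
1000 wait4(1001,  <unfinished ...>
1001 execve("/bin/sh", ["sh", "-c", "id"], 0x7ffd) = 0
1001 exit_group(0) = ?
1001 +++ exited with 0 +++
1000 <... wait4 resumed>[{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 1001
1000 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1001} ---
1000 write(1""", 1)

if __name__ == "__main__":
    scores = stide_score(SUSPECT_TRACE, build_normal_db([NORMAL_TRACE]))
    print({pid: f"{s.mismatches}/{s.total}" for pid, s in scores.items()},
          "anomaly rate", round(anomaly_rate(scores), 3))
```

Trained on the single normal run, the suspect trace scores 6 mismatches out of 7 windows for PID 1000 (only the first window, which precedes the `clone`, is in the database), and the two-call child PID 1001 is too short to form any window, so it contributes nothing either way. Two practitioner caveats follow from this: a normal database built from one run flags every legitimate variation as well, so train on many runs before trusting the rate; and, as reference 4 in the README discusses, a mimicry attacker can pad or reorder its own system calls so that every window stays inside the database, so a low rate is not proof of absence. If the interleaved `<unfinished ...>`/`<... resumed>` lines are a nuisance, `strace -ff -o trace` writes one file per PID and they disappear.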