{"id":19199554,"url":"https://github.com/subconsciouscompute/syscall-ids","last_synced_at":"2026-02-09T04:06:48.787Z","repository":{"id":243309109,"uuid":"812065803","full_name":"SubconsciousCompute/SysCall-IDS","owner":"SubconsciousCompute","description":"Intrusion detection pipeline leveraging statistical syscall sequence modeling techniques","archived":false,"fork":false,"pushed_at":"2024-07-30T23:12:11.000Z","size":25287,"stargazers_count":3,"open_issues_count":1,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-07-30T01:59:32.469Z","etag":null,"topics":["host-based-intrusion-detection-system","machine-learning","statistical-inference"],"latest_commit_sha":null,"homepage":"","language":"Jupyter Notebook","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SubconsciousCompute.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-06-07T22:07:27.000Z","updated_at":"2025-03-28T09:54:44.000Z","dependencies_parsed_at":"2024-11-09T12:38:37.465Z","dependency_job_id":null,"html_url":"https://github.com/SubconsciousCompute/SysCall-IDS","commit_stats":null,"previous_names":["vismay-dev/syscall-ids"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/SubconsciousCompute/SysCall-IDS","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SubconsciousCompute%2FSysCall-IDS","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SubconsciousCompute%2FSysCall-IDS/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repos
itories/SubconsciousCompute%2FSysCall-IDS/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SubconsciousCompute%2FSysCall-IDS/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SubconsciousCompute","download_url":"https://codeload.github.com/SubconsciousCompute/SysCall-IDS/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SubconsciousCompute%2FSysCall-IDS/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29256021,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-09T03:07:45.136Z","status":"ssl_error","status_checked_at":"2026-02-09T03:07:24.123Z","response_time":56,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["host-based-intrusion-detection-system","machine-learning","statistical-inference"],"created_at":"2024-11-09T12:27:48.700Z","updated_at":"2026-02-09T04:06:48.764Z","avatar_url":"https://github.com/SubconsciousCompute.png","language":"Jupyter Notebook","funding_links":[],"categories":[],"sub_categories":[],"readme":"## Syscall-IDS\n\nHost-based Intrusion Detection System (HIDS) that identifies anomalies in system call traces by leveraging a combination of statistical and machine learning techniques to distinguish between normal (clean) and potentially malicious 
 (infected) behaviors.\n\nThis pipeline is currently run offline / post-hoc; it therefore serves as a practical bound on accuracy and a guide for future research efforts.\n\nView pipeline [here](https://github.com/Vismay-dev/SysCall-IDS/blob/main/notebooks/pipeline.ipynb).\n\n### 🌟 Key Developments\n\n| Technique/Feature                   | Description                                                                       |\n|-------------------------------------|-----------------------------------------------------------------------------------|\n| Feature Engineering                 | Conversion of syscall info into high-dimensional feature vectors.                 |\n| Probabilistic Syscall Subclustering | Gaussian mixture models for granular syscall behavior understanding.              |\n| Temporal Dependency Modeling        | Markov chains capture transitions between syscall states as a function of time.   |\n| Buffer Overflow Detection           | Gaussian interval of string argument lengths to catch overflow attempts.          |\n| Pathname Similarity Analysis        | Self-organizing maps to visualize and detect anomalies in syscall pathnames.      |\n| DoS Attack Detection                | Markov chain edge frequency analysis per-trace for DoS detection.                 |\n| Segmentation                        | Suffix-tree based longest repeating substring is used as a segmentation sequence. |\n\n### 📊 Results\n\nBelow are the confusion matrices showing the performance of the HIDS pipeline on the Twindroid dataset:\n\na) **Average-Case Confusion Matrix:**\n\n\u003cimg src=\"results/average-case.png\" alt=\"Confusion Matrix 1\" width=\"400\"\u003e\n\nb) **Best-Case Confusion Matrix:**\n\n\u003cimg src=\"results/best-case.png\" alt=\"Confusion Matrix 2\" width=\"400\"\u003e\n\n### 🎓 References:\n\n- [Liao et al. 
\"Anomaly Detection of System Call Sequence Based on Dynamic\nFeatures and Relaxed-SVM\"](https://typeset.io/papers/anomaly-detection-of-system-call-sequence-based-on-dynamic-1oukdqgy)\n- [Shamim et al. \"Efficient Approach for Anomaly Detection in IoT Using System Calls\"](https://www.mdpi.com/1424-8220/23/2/652)\n- [Frossi et al. \"Selecting and Improving System Call Models for Anomaly Detection\"](https://maggi.cc/publication/frossi_hybridsyscalls_2009/frossi_hybridsyscalls_2009.pdf)\n- [Android Dataset](https://ieeexplore.ieee.org/document/9796248)\n\n### 🙏 Acknowledgments:\n\n- [Cosma Shalizi's Notes on Markov Chains and Prediction Processes](http://bactra.org/notebooks/prediction-process.html)\n- [Columbia CS Dept's Intrusion Detection Pipeline](http://ids.cs.columbia.edu/sites/default/files/smt-syscall-discex01.pdf)\n\n## 📝 License\n\nThis project is licensed under the [MIT License](https://opensource.org/licenses/MIT).","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsubconsciouscompute%2Fsyscall-ids","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsubconsciouscompute%2Fsyscall-ids","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsubconsciouscompute%2Fsyscall-ids/lists"}