Abstract: Anomaly detection is an important method for protecting program Traditionally a program is protected by means of monitoring system call, but the invoked address is often ignored. This paper presented a new audit event named as L-Call to describe the program behavior, which is the system call with invoked address in nature. A Chebyshev inequality-based method was also presented to evaluate the deviation of program behavior from normal. The deviation degree that we named as anomaly degree is based on the likelihood of L-Call sequence occurred under the unknown distribution. Finally a Markov-based prototype was constructed to evaluate the experiment,which is named as LC-ADS (i.e. L-Call based Anomaly Detection System). The experimental results show that LC-ADS acquires the better true posi- five rate and lower false alarm rate.

Key words: L-Call,Chebyshev inequality,Anomaly degree,LC-ADS