Graduate student: Chu, Tseng-Wen (朱增文)
Thesis title: Using Long Short-Term Memory Network for Anomaly Detection in System Call Sequences (利用長短期記憶網路偵測系統呼叫序列之異常)
Advisor: Cheng, Sheng-Tzong (鄭憲宗)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2019
Academic year of graduation: 107
Language: English
Number of pages: 30
Keywords: Anomaly Detection, System-Call, Recurrent Neural Network
  • As technology advances rapidly and systems must meet a wide variety of usage requirements, the number of lines of system code increases quickly. Systems have become more complex, which makes their behavior more difficult to analyze.
    In this study, we present a procedure for detecting anomalies in system call sequences. As hardware and parallelization technologies improve, a system generates a large amount of log data while it runs. This data holds a great deal of information about the system, but it is difficult to analyze manually. To analyze this volume of log data efficiently, we convert the system call usage records into system call sequences, use a recurrent neural network (RNN) to handle the long-sequence problem, and introduce the LSTM (long short-term memory) model into our anomaly detection work.
    With this approach, an anomaly detection model can be built for each usage environment. The experimental results show how the system call sequence length affects accuracy, and that this anomaly detection method can effectively identify abnormal system behavior from system trace information.

    Abstract (Chinese)
    Abstract
    Acknowledgements
    Table of Contents
    List of Tables
    List of Figures
    Chapter 1. Introduction and Motivation
      1.1 Introduction
      1.2 Motivation
      1.3 Thesis Overview
    Chapter 2. Background and Related Work
      2.1 Background
        2.1.1 Ftrace
        2.1.2 Recurrent Neural Networks
      2.2 Related Work
        2.2.1 Hidden Markov Model
        2.2.2 Other Related
    Chapter 3. System Design and Approach
      3.1 Problem Description
      3.2 System Design
    Chapter 4. Implementation and Experiments
      4.1 Environment and Settings
      4.2 Implementation
      4.3 Experimental Result
    Chapter 5. Conclusion and Future Work
    References

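    Full-text availability: on campus, public from 2024-08-27; off campus, not public.
    The electronic thesis has not yet been authorized for public release; for the print copy, please consult the library catalogue.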