ANOMALY DETECTION USING SEQUENCES OF SYSTEM CALLS
Format: Patent
Language: chi ; eng (Chinese; English)
Summary: Systems and methods of detecting a call sequence anomaly in a message-based operating system are provided. A message may be received that indicates a programmatic procedure of the operating system was invoked. The message may include a programmatic procedure identifier, a sender process identifier, and a receiver process identifier. An invocation hash may be generated from the message. The invocation hash may be translated to a smaller invocation identifier. The invocation identifier may be included in a translated call sequence that comprises invocation identifiers for a series of invocations. Depending on whether the translated call sequence is included in previously generated predetermined call sequences, the translated call sequence may be determined to be an anomaly or not an anomaly.
Chinese abstract: identical in content to the English summary above.
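The pipeline the abstract describes (message triple, invocation hash, translation to a small identifier, sliding-window sequence, lookup against known-good sequences) is the classic system-call n-gram detector adapted to a message-passing kernel, where the sender and receiver process identifiers are part of the key so that the same procedure invoked between different process pairs is a different invocation. The following is an added example written to illustrate that scheme; it is not code from the patent or from any product. The message layout, the use of SHA-256 as the invocation hash, a dictionary as the hash-to-identifier translation table, a window length of three, and the sample traces are all assumptions made here.

```python
"""Sliding-window call-sequence anomaly detection for a message-based OS.

Added illustrative example, not the patented implementation. The message
fields, hash function, window length and traces are assumptions.
"""
import hashlib
from dataclasses import dataclass

WINDOW = 3  # assumed n-gram length of one "call sequence"


@dataclass(frozen=True)
class CallMessage:
    """One message saying that a procedure was invoked (constructed format)."""
    procedure: str  # programmatic procedure identifier
    sender: int     # sender process identifier
    receiver: int   # receiver process identifier


def invocation_hash(msg: CallMessage) -> str:
    """Hash the whole triple so the same procedure between a different
    pair of processes yields a different invocation. SHA-256 is an assumption."""
    data = f"{msg.procedure}|{msg.sender}|{msg.receiver}".encode()
    return hashlib.sha256(data).hexdigest()


class InvocationTable:
    """Translate a 64-hex-char invocation hash into a small dense integer.
    A dictionary is collision-free; truncating the hash instead would not be."""

    def __init__(self) -> None:
        self._ids: dict[str, int] = {}

    def translate(self, h: str) -> int:
        if h not in self._ids:
            self._ids[h] = len(self._ids)  # first-seen order assigns the id
        return self._ids[h]


def translate_sequence(messages, table: InvocationTable, window: int = WINDOW):
    """Map messages to invocation identifiers and cut them into overlapping
    fixed-length translated call sequences."""
    ids = [table.translate(invocation_hash(m)) for m in messages]
    return [tuple(ids[i:i + window]) for i in range(len(ids) - window + 1)]


class SequenceDetector:
    """Exact-match detector: a sequence is an anomaly iff it was never
    seen in the training (predetermined) set."""

    def __init__(self, window: int = WINDOW) -> None:
        self.window = window
        self.table = InvocationTable()
        self.known: set[tuple[int, ...]] = set()

    def train(self, messages) -> None:
        self.known.update(translate_sequence(messages, self.table, self.window))

    def detect(self, messages):
        """Return the translated sequences absent from the predetermined set."""
        return [s for s in translate_sequence(messages, self.table, self.window)
                if s not in self.known]


# Constructed traces: pid 100 talking to a filesystem server at pid 1.
NORMAL_TRACE = [
    CallMessage("open", 100, 1), CallMessage("read", 100, 1),
    CallMessage("read", 100, 1), CallMessage("close", 100, 1),
] * 2

# Same shape, but a "spawn" request to an unrelated server (pid 7) appears.
SUSPECT_TRACE = [
    CallMessage("open", 100, 1), CallMessage("read", 100, 1),
    CallMessage("spawn", 100, 7), CallMessage("close", 100, 1),
]


def build_detector() -> SequenceDetector:
    det = SequenceDetector()
    det.train(NORMAL_TRACE)
    return det


if __name__ == "__main__":
    det = build_detector()
    print("normal :", det.detect(NORMAL_TRACE))   # []
    print("suspect:", det.detect(SUSPECT_TRACE))  # every window touching "spawn"
```

Two practical points the abstract leaves implicit: an invocation never seen in training receives a fresh identifier at detection time, so every window containing it is flagged, which is the desired behaviour for a new procedure or an unexpected process pair but also means an incomplete training trace produces false positives for legitimate-but-unobserved sequences; and the translation table must persist across training and detection, otherwise identifiers are renumbered and nothing matches.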