On the Comparison of User Space and Kernel Space Traces in Identification of Software Anomalies

Corrective software maintenance consumes 30-60% time of software maintenance activities. Automated failure reporting has been introduced to facilitate developers in debugging failures during corrective maintenance. However, reports of software with large user bases overwhelm developers in identification of the origins of faults, and in many cases it is not known whether reports of failures contain information about faults. Prior techniques employ different classification or anomaly detection algorithms on user space traces (e.g., function calls) or kernel space traces (e.g., system calls) to detect anomalies in software behaviour. Each algorithm and type of tracing (user space or kernel space) has its advantages and disadvantages. For example, user space tracing is useful in detailed analysis of anomalous (faulty) behaviour of a program whereas kernel space tracing is useful in identifying system intrusions, program intrusions, or malicious programs even if source program code is different. If one type of tracing or algorithm is infeasible to implement then it is important to know whether we can substitute another type of tracing and algorithm. In this paper, we compare user space and kernel space tracing by employing different types of classification algorithms on the traces of various programs. Our results show that kernel space tracing can be used to identify software anomalies with better accuracy than user space tracing. In fact, the majority of software anomalies (approximately 90%) in a software application can be best identified by using a classification algorithm on kernel space traces.

Tuesday, March 27, 2012
Publication authors (members): 
Abdelwahab Hamou-Lhadj
Afroza Sultana
Mario Couture
Shariyar Murtaza
IEEE Computer Society
@inproceedings{conf/csmr/MurtazaSHC12, added-at = {2012-04-18T00:00:00.000+0200}, author = {Murtaza, Syed Shariyar and Sultana, Afroza and Hamou-Lhadj, Abdelwahab and Couture, Mario}, biburl = {http://www.bibsonomy.org/bibtex/27f254e83c28b46d7d2408190c499b0e4/dblp}, booktitle = {CSMR}, crossref = {conf/csmr/2012}, editor = {Mens, Tom and Cleve, Anthony and Ferenc, Rudolf}, ee = {http://doi.ieeecomputersociety.org/10.1109/CSMR.2012.23}, interhash = {138c1f753f39123c1c5611adf82d7299}, intrahash = {7f254e83c28b46d7d2408190c499b0e4}, isbn = {978-1-4673-0984-4}, keywords = {dblp}, pages = {127-136}, publisher = {IEEE}, timestamp = {2012-04-18T00:00:00.000+0200}, title = {On the Comparison of User Space and Kernel Space Traces in Identification of Software Anomalies.}, url = {http://dblp.uni-trier.de/db/conf/csmr/csmr2012.html#MurtazaSHC12}, year = 2012 }
Publication status: 

Tracks concerned: