Hey guys, I am a newbie in security stuff and now I am working on my final project about host-based IDS. I have some questions for you guys:

  1. Can a rootkit be classified as an intrusion, or is it malware, or both? What's the difference between intrusion and malware then?
  2. Can a system call sequence determine that there is an intrusion in the system? Or can an invalid syscall sequence only detect malware?
  3. If I would like to monitor syscalls, can I do it in userspace, for example using systrace, or can it only be done in kernel space? What's the best method possible?

1 Answer

Can a rootkit be classified as an intrusion, or is it malware, or both? What's the difference between intrusion and malware then?

Malware by itself is not an intrusion, but if the malware has infected the system then you have an intrusion. There can also be intrusions without malware, e.g. logging in with stolen credentials. And a rootkit is just a special kind of malware.

Can a system call sequence determine that there is an intrusion in the system? Or can an invalid syscall sequence only detect malware?

Usually it cannot fully determine that, but only suggest it. If the sequence looks similar to known malware, if specific files are accessed, if the registry is changed... then these might all be indicators of potential malware. But it might also be non-malicious software.

If I would like to monitor syscalls, can I do it in userspace, for example using systrace, or can it only be done in kernel space? What's the best method possible?

On Linux you can use the ptrace syscall to trace other processes owned by you (and only those), or use the strace command or similar commands on other UNIXes like truss or ktrace.

Steffen Ullrich
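The two points above (a syscall sequence can only suggest an intrusion, and on Linux you can collect that sequence from userspace with strace) can be shown together with a small sequence-based anomaly detector. The block below is an added example, not code from the original answer: it parses the one-syscall-per-line format that `strace -o` writes, builds a profile of fixed-length windows (n-grams) of syscall names from traces assumed to be "normal", and reports how many windows of a new trace never appeared in the profile. All trace lines are constructed by hand to resemble strace output; the program path, file names and addresses in them are made up.

```python
"""Added example: stide-style n-gram anomaly scoring of syscall sequences
parsed from strace output.  Not part of the original answer; the traces
and the "normal" profile below are constructed for illustration."""
from __future__ import annotations

import re
from typing import Iterable

# strace writes one syscall per line: name(args) = retval, optionally
# prefixed with "[pid N]" when run with -f.  Signal lines ("--- SIGX ...")
# and exit lines ("+++ exited ...") carry no syscall and are skipped.
STRACE_LINE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?([a-z0-9_]+)\(")


def parse_strace(text: str) -> list[str]:
    """Return the syscall names of a trace in the order they were made."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("+++", "---")):
            continue
        m = STRACE_LINE.match(line)
        if m:
            names.append(m.group(1))
    return names


def windows(seq: list[str], n: int) -> list[tuple[str, ...]]:
    """All length-n sliding windows of a syscall sequence."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def build_profile(normal_traces: Iterable[str], n: int = 3) -> set[tuple[str, ...]]:
    """Collect every n-gram seen in traces assumed to be benign."""
    profile: set[tuple[str, ...]] = set()
    for trace in normal_traces:
        profile.update(windows(parse_strace(trace), n))
    return profile


def score_trace(trace: str, profile: set[tuple[str, ...]], n: int = 3):
    """Return (mismatch rate, unseen windows) for a trace against the profile.
    A high rate is an indicator worth investigating, not proof of intrusion:
    benign but previously unseen behaviour also produces unseen windows."""
    wins = windows(parse_strace(trace), n)
    unseen = [w for w in wins if w not in profile]
    rate = len(unseen) / len(wins) if wins else 0.0
    return rate, unseen


# --- constructed sample traces (hypothetical program /usr/bin/app) ---------
NORMAL_TRACE_1 = """\
execve("/usr/bin/app", ["app"], 0x7ffd1a2b3c40 /* 20 vars */) = 0
brk(NULL) = 0x55d0c0a1e000
openat(AT_FDCWD, "/etc/app.conf", O_RDONLY) = 3
read(3, "key=value\\n", 4096) = 10
close(3) = 0
write(1, "ok\\n", 3) = 3
exit_group(0) = ?
+++ exited with 0 +++
"""

NORMAL_TRACE_2 = """\
execve("/usr/bin/app", ["app"], 0x7ffd1a2b3c40 /* 20 vars */) = 0
brk(NULL) = 0x55d0c0a1e000
openat(AT_FDCWD, "/etc/app.conf", O_RDONLY) = 3
read(3, "key=value\\n", 4096) = 10
read(3, "", 4096) = 0
close(3) = 0
write(1, "ok\\n", 3) = 3
exit_group(0) = ?
+++ exited with 0 +++
"""

# Same program, but after reading its config it touches /etc/shadow and
# hands a network socket to a shell (constructed reverse-shell-like pattern).
SUSPICIOUS_TRACE = """\
execve("/usr/bin/app", ["app"], 0x7ffd1a2b3c40 /* 20 vars */) = 0
brk(NULL) = 0x55d0c0a1e000
openat(AT_FDCWD, "/etc/app.conf", O_RDONLY) = 3
read(3, "key=value\\n", 4096) = 10
close(3) = 0
openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("10.0.0.5")}, 16) = 0
dup2(4, 0) = 0
[pid  4242] execve("/bin/sh", ["sh"], 0x7ffd1a2b3c40 /* 20 vars */) = 0
"""

# Benign but unseen: a newer build stats the config file before opening it.
BENIGN_UNSEEN_TRACE = """\
execve("/usr/bin/app", ["app"], 0x7ffd1a2b3c40 /* 20 vars */) = 0
brk(NULL) = 0x55d0c0a1e000
stat("/etc/app.conf", {st_mode=S_IFREG|0644, st_size=10, ...}) = 0
openat(AT_FDCWD, "/etc/app.conf", O_RDONLY) = 3
read(3, "key=value\\n", 4096) = 10
close(3) = 0
write(1, "ok\\n", 3) = 3
exit_group(0) = ?
+++ exited with 0 +++
"""

if __name__ == "__main__":
    profile = build_profile([NORMAL_TRACE_1, NORMAL_TRACE_2], n=3)
    for label, trace in [("suspicious", SUSPICIOUS_TRACE), ("benign-unseen", BENIGN_UNSEEN_TRACE)]:
        rate, unseen = score_trace(trace, profile, n=3)
        print(f"{label}: {rate:.0%} unseen windows -> {unseen}")
```

Against the two normal traces the suspicious trace has 5 of 8 windows that were never seen (the openat/socket/connect/dup2/execve tail), while the benign-but-unseen trace still has 3 of 6 unseen windows only because of the added stat. That is exactly the answer's caveat: the mismatch rate is an indicator to correlate with what was accessed (here /etc/shadow and a connect to a remote port), not a verdict on its own, and a profile built from too few normal runs will flag ordinary software updates.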
  • Hi, thanks Steffen for your answer. I would like to ask more about the ability of system call tracing to detect intrusions like port scanning. Is it possible? If yes, then which thing should I trace the system calls of? Or is system call tracing basically just for malware and rootkit detection? – Ramandika Pranamulia Jan 07 '16 at 17:28
  • @RamandikaPranamulia: No syscalls are involved when somebody outside the host is just scanning the ports of the host. Syscalls are only involved if user space needs something to be done by the kernel (e.g. open a file, etc.). – Steffen Ullrich Jan 07 '16 at 17:33