Artifact 3 focuses on extracting behavioral patterns from system telemetry data generated through syscall monitoring. Building on the previous artifacts, here we evaluate how the execution mode (single vs. multi) alters the sequence-based behavioral metrics.
Two modes of execution were considered:
- Multiple Rapid (M.R): multiple commands executed concurrently or in quick succession
- Multiple Sequential (M.S): commands executed one at a time in sequence
This artifact highlights that behavioral signatures are influenced not only by activity type but also by execution dynamics.
- Analyze the effect of execution context on behavioral patterns.
- Process structured syscall telemetry datasets.
- Identify behavioral patterns within execution traces.
- Compare behavioral characteristics across multiple scenarios such as M.S and M.R.
- Generate visual representations of telemetry-derived behavioral signals.
Environment
- Linux (Ubuntu)
- Python 3
- strace for telemetry collection
Tools Used
- Python – telemetry parsing and behavioral analysis.
- Matplotlib – visualization of telemetry-derived metrics.
Telemetry was obtained by capturing system calls during program execution using strace.
- In M.R, multiple commands are submitted to the scheduler simultaneously, leading to concurrent execution.
- In M.S, commands are executed sequentially, resulting in isolated process execution.
Each record captures aspects of system interaction such as:
- system call type
- execution sequence
- interaction frequency
- timing behavior
Telemetry data was processed through the following steps:
- Parse raw syscall traces.
- Convert traces into structured CSV datasets.
- Aggregate behavioral attributes from execution traces.
- Prepare datasets for visualization and pattern analysis.
- In M.R execution, syscall sequences from different processes become interleaved due to scheduler-driven context switching, disrupting expected syscall adjacency.
- In M.S execution, syscall sequences remain structured and consistent, preserving temporal locality of operations.
This demonstrates that syscall-based behavioral signatures are sensitive not only to the type of activity but also to the execution context in which they occur.
This indicates that behavioral metrics capture both structural patterns and execution dynamics.
These patterns provide insight into how programs interact with the operating system at runtime.
Two visualization approaches were used:
Coverage Graph - Proportion of syscall sequences matching baseline behavior
Behavioral Mismatch Graph - Highlights deviations between different behavioral profiles. These plots provide an intuitive way to observe behavioral differences in execution patterns.
- M.R execution of privilege commands resembles the normal execution pattern (mismatch 0.02, coverage 0.97): privilege commands follow a structured system flow, so even when several run together they still resemble normal execution patterns.
- M.R execution of recon commands looks messy in the syscall sequence trace (mismatch 0.4 -> 0.6) because exploratory commands vary widely and have no stable sequence, so they only partially overlap with normal execution.
- Execution context introduces interleaving effects that alter syscall sequence structure, directly impacting behavioral metrics such as mismatch and coverage.
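The following is an added example, not a script from this artifact: it parses constructed strace lines into a syscall sequence, scores a trace against a baseline using adjacency-pair coverage and its complement, mismatch (the metric definitions are an assumption for illustration), and shows how round-robin interleaving of two identical programs (the M.R effect described above) lowers coverage compared with running them one after the other (M.S).

```python
# Added example (not from the artifact): adjacency-pair coverage/mismatch and
# the effect of M.R interleaving versus M.S sequential execution.
import re
from itertools import zip_longest

# Matches the syscall name at the start of an strace line, tolerating the
# "[pid N]" and timestamp prefixes produced by `strace -f -tt`.
SYSCALL_RE = re.compile(
    r"^(?:\[pid\s+\d+\]\s*)?(?:[\d:.]+\s+)?([A-Za-z_][A-Za-z0-9_]*)\(")

def parse_syscalls(lines):
    """Return the syscall name sequence; signal and exit markers are skipped."""
    return [m.group(1) for m in (SYSCALL_RE.match(l.strip()) for l in lines) if m]

def coverage(trace, baseline):
    """Fraction of adjacent syscall pairs in `trace` that also occur in `baseline`."""
    pairs = list(zip(trace, trace[1:]))
    if not pairs:
        return 0.0
    known = set(zip(baseline, baseline[1:]))
    return sum(p in known for p in pairs) / len(pairs)

def mismatch(trace, baseline):
    """Share of adjacencies the baseline never showed (1 - coverage)."""
    return 1.0 - coverage(trace, baseline)

def interleave(*traces):
    """Round-robin merge of traces, emulating scheduler context switches in M.R."""
    merged = []
    for step in zip_longest(*traces):
        merged.extend(s for s in step if s is not None)
    return merged

def compare_modes(programs, baseline):
    """Score the same programs run one after another (M.S) and interleaved (M.R)."""
    sequential = [s for p in programs for s in p]
    rapid = interleave(*programs)
    return {"M.S": (coverage(sequential, baseline), mismatch(sequential, baseline)),
            "M.R": (coverage(rapid, baseline), mismatch(rapid, baseline))}

# Constructed strace excerpt of a small file-reading program, used as baseline.
BASELINE_TRACE = """\
openat(AT_FDCWD, "/etc/hosts", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, ...}) = 0
read(3, "127.0.0.1 localhost\\n", 4096) = 20
close(3) = 0
write(1, "127.0.0.1 localhost\\n", 20) = 20
exit_group(0) = ?
+++ exited with 0 +++
""".splitlines()

if __name__ == "__main__":
    base = parse_syscalls(BASELINE_TRACE)
    for mode, (cov, mis) in compare_modes([base, base], base).items():
        print(f"{mode}: coverage={cov:.2f} mismatch={mis:.2f}")
```

Two copies of the same program give coverage 10/11 when run sequentially but only 5/11 when interleaved, even though every individual process behaves identically.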
Steps to reproduce the experiment:
- Run monitored programs under strace.
- Process generated logs using the provided Python scripts.
- Generate structured telemetry datasets.
- Produce visual analysis graphs.
- Execution mode significantly influences behavioral metrics such as mismatch and coverage, highlighting the importance of temporal execution context in syscall-based analysis.
This artifact demonstrates how low-level system telemetry can be transformed into behavioral security signals.