The inetd program was traced on
a UNM computer running a modified Linux 2.0.35 kernel
which allows us to collect system call traces.
These data were used in experiments
reported in the
Alternative Data Models paper.
The inetd program is typically started as a foreground process,
which initiates a daemon process to run in the background and then exits.
The daemon process initiates child processes to perform a fixed set of
initialization steps before executing some other program. Child processes
are, therefore, very nearly identical. The normal data for inetd
include a trace of the startup process, a daemon process, and a representative
child process, included here in one
The intrusion we ran against the inetd program is a denial-of-service
a ttack that ties up network connection resources. As the attack progresses,
more of the system calls requesting resources return abnormally and are
re-issued. The intrusion data collected include a startup process, a
daemon process, and several child processes, but only the daemon process
is expected to show any deviation from normal behavior. All traces
are included in a single
Use the linux 4.2 mapping file for these traces.