SMAD: A Configurable and Extensible Low-Level System Monitoring and Anomaly Detection Framework

  • Basel Sababa
  • Karlen Avogian
  • Ioanna DionysiouEmail author
  • Harald Gjermundrod


The proliferation of technology has dramatically changed the security threat landscape, and preventing security breaches in such heterogeneous and diverse environments is nontrivial as the attack surface is simply too broad. The frequency of cyber attacks is increasing dramatically and organizations from both public and private sectors are struggling to identify and respond to security breaches. One should expect that a number of security parameter penetration attempts as well as insider attacks will be successful, and the bet will be on how quickly the security breach is detected. This chapter presents System Monitoring and Anomaly Detection (SMAD), a novel framework that monitors kernel and system resources data (e.g., system calls, network connections, process info) based on user-defined configurations that initiate nonintrusive actions when alerts are triggered. SMAD is a security monitoring tool using Sysdig as its foundation building block. Unlike existing Sysdig commercial tools, the proposed system is open source in its entirety, welcoming new contributions to the existing source repository.


System monitoring Kernel Sysdig System commands Open source Monitors Alerts Postmortem attack analysis Attack visualization User-centric 


  1. 1.
    IBM Security and Ponemon Institute LLC, Cost of a Data Breach Report 2019. Accessed Jan 2020
  2. 2.
    N. Ye, S. Vilbert, Q. Chen, Computer intrusion detection through EWMA for autocorrelated and uncorrelated data. IEEE Trans. Reliab. 52(1), 75–82 (2003)CrossRefGoogle Scholar
  3. 3.
    J.R. Harrow, F.P. Messinger, System Monitoring Method and Device Including a Graphical User Interface to View and Manipulate System Information. US Patent 5,375,199, 20 Dec 1994Google Scholar
  4. 4.
    Swatchdog, Simple Log Watcher. Accessed Jan 2020
  5. 5.
    S.E. Hansen, E.T. Atkins, Automated system monitoring and notification with swatch, in Proceedings of the 7th USENIX Conference on System Administration, USENIX Association, Monterey, CA, USA, 1993, pp. 145–152Google Scholar
  6. 6.
    S.E. Smaha, Haystack: an intrusion detection system, in Proceeding of Fourth Aerospace Computer Security Applications, Orlando, FL, USA, 1988, pp. 37–44Google Scholar
  7. 7.
    S. Staniford-Chen, S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, C. Wee, R. Yip, D. Zerkle, Grids—a graph based intrusion detection system for large networks, in Proceedings of the 19th National Information Systems Security Conference, Baltimore, MD, USA, 1996, pp. 361–370Google Scholar
  8. 8.
    L. Benini, A. Bogliolo, S. Cavallucci, B. Ricco, Monitoring system activity for OS-directed dynamic power management, in Proceedings of the 1998 International Symposium on Low Power Electronics and Design (IEEE Cat. No. 98TH8379), Monterey, CA, USA, 1998, pp. 185–190Google Scholar
  9. 9.
    Nagios, Nagios Enterprises Log Monitoring with Swatchdog. Accessed Jan 2020
  10. 10.
    IBM, IBM Cloud Monitoring with Sysdig. Accessed Jan 2020
  11. 11.
    Sysdig, Sysdig Open Source. Accessed Jan 2020
  12. 12.
    Sysdig, Sysdig Monitor Dashboards. Accessed Jan 2020
  13. 13.
    BlueMatador, Alert Automation for your Cloud Infrastructure. Accessed Jan 2020
  14. 14.
    B. Sababa, System monitoring and anomaly detection application. Final Year Project Report, Department of Computer Science, University of Nicosia, 2020Google Scholar
  15. 15.
    Qt, Qt Open Source Widget Toolkit for GUI and Cross-platform Applications. Accessed Jan 2020
  16. 16.
    Sysdig, Sysdig Falco. Accessed Jan 2020

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Basel Sababa
    • 1
  • Karlen Avogian
    • 1
  • Ioanna Dionysiou
    • 1
    Email author
  • Harald Gjermundrod
    • 1
  1. 1.Department of Computer Science, School of Sciences and EngineeringUniversity of NicosiaNicosiaCyprus

Personalised recommendations