Computer Immune Systems
Data Sets
Synthetic Sendmail
Synthetic ftp
Synthetic lpr
Live lpr
Live named
Data Sets and Software

General information

UNM login and ps data

The Linux root kit includes Trojan code for login and ps that allow an intruder to login through a "back door" and hide their activities from system administrators. We have traced use of this Trojan code as well as normal versions of login and ps. One complication in comparing the two is that the Trojan code with the Linux root kit is fairly old (last edit date in 1993 for login, 1994 for ps). So there are significant differences between the normal code these Trojan programs were based on and the normal code that we use today, in addition to the changes made to break in to a system. In an effort to test more rigorously our ability to recognize Trojan programs, we have created Trojan versions of login and ps based on current versions, but including the modifications used in the Linux root kit. We call these our "homegrown" Trojan programs for login and ps to distinguish them from the versions "recovered" from installations of the Linux root kit.

Data were collected on a single machine running a version of the 2.0.35 Linux kernel which we have modified to collect system call traces. The version of login used for normal data and modified for our homegrown Trojan code is from Red Hat util-linux-2.5.38. The version of ps used for login and modified for our homegrown Trojan code is from Red Hat procps v.1.01.

Use the Linux 4.2 mapping file for these traces.

There are 24 normal traces each for login and ps. However, half of the login traces consist of a single system call each. These are not very useful traces, but are included for completeness.

login normal data (08/28/98 - 09/18/98 and 09/22/98 - 09/25/98)

ps normal data

A number of traces have been collected from each version of the Trojan code. Only some of these traces actually correspond to use of the back door to break into the system, while others are from ordinary users logging in in the usual fashion. However, ideally we would like to detect the presence of such code as soon as possible, whether or not it is being used in an actual intrusion at the time.

recovered Trojan login data (09/22/98)

homegrown Trojan login data (09/18/98)

recovered Trojan ps data

homegrown Trojan ps data

Computer Science Department, Farris Engineering Building,
University of New Mexico, Albuquerque, NM 87131
Phone: (505) 277-3112 Fax: (505) 277-6927