SMAD: A configurable and extensible low-level system monitoring and anomaly detection framework

Basel Sababa, Karlen Avogian, Ioanna Dionysiou, Harald Gjermundrod

Research output: Chapter in Book/Report/Conference proceedingChapterpeer-review


The proliferation of technology has dramatically changed the security threat landscape, and preventing security breaches in such heterogeneous and diverse environments is nontrivial as the attack surface is simply too broad. The frequency of cyber attacks is increasing dramatically and organizations from both public and private sectors are struggling to identify and respond to security breaches. One should expect that a number of security parameter penetration attempts as well as insider attacks will be successful, and the bet will be on how quickly the security breach is detected. This chapter presents System Monitoring and Anomaly Detection (SMAD), a novel framework that monitors kernel and system resources data (e.g., system calls, network connections, process info) based on user-defined configurations that initiate nonintrusive actions when alerts are triggered. SMAD is a security monitoring tool using Sysdig as its foundation building block. Unlike existing Sysdig commercial tools, the proposed system is open source in its entirety, welcoming new contributions to the existing source repository.

Original languageEnglish
Title of host publicationInnovations in Cybersecurity Education
PublisherSpringer International Publishing
Number of pages20
ISBN (Electronic)9783030502447
ISBN (Print)9783030502430
Publication statusPublished - 21 Nov 2020


  • Alerts
  • Attack visualization
  • Kernel
  • Monitors
  • Open source
  • Postmortem attack analysis
  • Sysdig
  • System commands
  • System monitoring
  • User-centric


Dive into the research topics of 'SMAD: A configurable and extensible low-level system monitoring and anomaly detection framework'. Together they form a unique fingerprint.

Cite this