pH: Process Homeostasis

About pH

From the source: pH is a Linux kernel extension which detects and exponentially slows down unusual program behavior. It detects such behavior by automatically creating profiles of the pattern of system calls made by different programs. It takes some time for pH to capture a stable profile of a given program's behavior; once it has done so, though, pH will automatically respond to unusual behavior through exponential delays.


2008/08/04: Added the Publications section to this document.

2008/07/22: pH 0.30.1 has been released. It corrects the attribution of an NFS patch added until it hits the tree.

2008/07/20: pH 0.30 has been released. It works on the 2.6.26 kernel.


The pH package is composed of two files:

  • The git diff output, based off the 2.6.26 kernel: pH-0.30.1.diff
  • The pH-utils package, containing the admin tools necessary to start, stop, and examine the status of pH: pH-utils-0.30.tgz


This is the Works on my my machine edition of pH. It comes with NO WARRANTY whatsoever. In particular, pH reads and writes files from within the kernel. Please make a backup, or work within a virtualized environment.

Works on my machine, stamped

The upstream git tree is Linus' kernel tree. You can apply the patches directly to the git tree by typing git apply pH-0.30.1.diff.

This adds a configuration option, CONFIG_SECURITY_PH. Setting it to Y will probably be a good idea. A basic configuration file that I use during development with Qemu is config.pH. It provides a minimal kernel, with no modules, that can be used as a PXE-boot kernel with Qemu.

Untarring the pH-utils package will give you the tools necessary to start pH. A quick outline is:

  • # pH-admin start
  • # pH-admin status
  • # # run some various commands
  • # pH-admin stop
  • # pH-admin write-profiles # make sure that the profiles are sync'ed to disk
  • # pH-print-profile /var/lib/pH/profiles/path/to/interesting/command


Refereed Journal Publications

S. Hofmeyr, S. Forrest, and A. Somayaji, "Intrusion detection using sequences of system calls."  Journal of Computer Security, Vol. 6, No. 3, pp. 151-180 (1998). [PS] [PDF]

Refereed Conference Publications

H. Inoue and A. Somayaji, "Lookahead Pairs and Full Sequences: A Tale of Two Anomaly Detection Methods." 2nd Annual Symposium on Information Assurance (academic track of the 10th NYS Cyber Security Conference), Albany, NY. June 2007. Best Paper Award. [PDF]

A. Somayaji and S. Forrest, "Automated Response Using System-Call Delays." Proceedings of the 9th USENIX Security Symposium, The USENIX Association, Berkeley, CA (2000). [PS] [PDF]

S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff, "A sense of self for Unix processes." Proceedings of the 1996 IEEE Symposium on Security and Privacy, IEEE Computer Society Press, Los Alamitos, CA, pp. 120-128 (1996). [PS] [PDF]


Anil B. Somayaji,  Operating System Stability and Security through Process Homeostasis.  Ph.D. thesis, University of New Mexico, July 2002.  [1-sided PDF] [2-sided PDF]