• DocumentCode
    1633471
  • Title

    "Why 6?" Defining the operational limits of stide, an anomaly-based intrusion detector

  • Author

    Tan, K.M.C. ; Maxion, Roy A.

  • Author_Institution
    Dependable Syst. Lab., Carnegie Mellon Univ., Pittsburgh, PA, USA
  • fYear
    2002
  • fDate
    6/24/1905 12:00:00 AM
  • Firstpage
    188
  • Lastpage
    201
  • Abstract
    Anomaly-detection techniques have considerable promise for two difficult and critical problems in information security and intrusion detection: detecting novel attacks, and detecting masqueraders. One of the best-known anomaly detectors used in intrusion detection is stide. Developed at the University of New Mexico, stide aims to detect attacks that exploit processes that run with root privileges. The original work on stide presented empirical results indicating that data sequences of length six and above were required for effective intrusion detection. This observation has given rise to the long-standing question, "why six?" accompanied by related questions regarding the conditions under which six may or may not be appropriate. This paper addresses the "why six" issue by presenting an evaluation framework that maps out stide\´s effective operating space, and identifies the conditions that contribute to detection capability, particularly detection blindness. A theoretical justification explains the effectiveness of sequence lengths of six and above, as well as the consequences of using other values. In addition, results of an investigation are presented, comparing stide\´s anomaly-detection capabilities with those of a competing detector.
  • Keywords
    security of data; anomaly-based intrusion detector; data sequences; detection blindness; effective operating space; information security; intrusion detection; masquerader detection; novel attack detection; root privileges; stide; Chromium; Detectors; Privacy; Security;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Security and Privacy, 2002. Proceedings. 2002 IEEE Symposium on
  • ISSN
    1081-6011
  • Print_ISBN
    0-7695-1543-6
  • Type

    conf

  • DOI
    10.1109/SECPRI.2002.1004371
  • Filename
    1004371