DocumentCode :
1633471
Title :
"Why 6?" Defining the operational limits of stide, an anomaly-based intrusion detector
Author :
Tan, K.M.C. ; Maxion, Roy A.
Author_Institution :
Dependable Syst. Lab., Carnegie Mellon Univ., Pittsburgh, PA, USA
fYear :
2002
Firstpage :
188
Lastpage :
201
Abstract :
Anomaly-detection techniques have considerable promise for two difficult and critical problems in information security and intrusion detection: detecting novel attacks, and detecting masqueraders. One of the best-known anomaly detectors used in intrusion detection is stide. Developed at the University of New Mexico, stide aims to detect attacks that exploit processes that run with root privileges. The original work on stide presented empirical results indicating that data sequences of length six and above were required for effective intrusion detection. This observation has given rise to the long-standing question, "why six?" accompanied by related questions regarding the conditions under which six may or may not be appropriate. This paper addresses the "why six" issue by presenting an evaluation framework that maps out stide's effective operating space, and identifies the conditions that contribute to detection capability, particularly detection blindness. A theoretical justification explains the effectiveness of sequence lengths of six and above, as well as the consequences of using other values. In addition, results of an investigation are presented, comparing stide's anomaly-detection capabilities with those of a competing detector.
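The abstract describes stide's mechanism (a sliding window of length k over a system-call trace, checked against a database of every k-window seen in normal runs) and its failure mode, detection blindness. The following is an added illustration by the editor, not the paper's code, data or evaluation framework, and not the UNM stide implementation (which also has mismatch thresholds and locality frames that this simplified model omits). It builds the window database, then shows why the window length matters: call a contiguous sequence that never occurs in normal data, but all of whose proper contiguous subsequences do, a minimal foreign sequence. A k-window can only be absent from the database if it contains such a sequence of length at most k, so an anomaly whose shortest minimal foreign sequence is longer than the window is invisible at that window length. The system-call traces are constructed for the example; the anomaly of length 7 is missed at k = 6 and caught at k = 7, while the never-seen call is caught at every k.

```python
"""Added illustration of stide and of its 'detection blindness' (editor's
example, not the paper's code or the UNM stide implementation; traces are
constructed stand-ins for real system-call logs)."""
from typing import Dict, List, Sequence, Set, Tuple

Window = Tuple[str, ...]


def windows(trace: Sequence[str], k: int) -> List[Window]:
    """All contiguous length-k windows of a trace, in order (empty if len < k)."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


class Stide:
    """Simplified stide: the normal model is the set of every length-k window
    seen in training; a test trace is flagged if any of its k-windows is absent."""

    def __init__(self, k: int) -> None:
        self.k = k
        self.normal: Set[Window] = set()

    def train(self, traces: Sequence[Sequence[str]]) -> "Stide":
        for t in traces:
            self.normal.update(windows(t, self.k))
        return self

    def mismatches(self, trace: Sequence[str]) -> List[int]:
        """Offsets of the test windows missing from the normal database."""
        return [i for i, w in enumerate(windows(trace, self.k))
                if w not in self.normal]

    def detects(self, trace: Sequence[str]) -> bool:
        return bool(self.mismatches(trace))


def minimal_foreign_sequences(normal: Sequence[Sequence[str]],
                              trace: Sequence[str]) -> List[Window]:
    """Contiguous subsequences of `trace` never seen in `normal` whose every
    proper contiguous subsequence was seen.  A window of length k can only be
    foreign if it contains such a sequence of length <= k, so the shortest
    one is the smallest window at which stide can see the anomaly at all."""
    dbs: Dict[int, Set[Window]] = {}

    def seen(w: Window) -> bool:
        length = len(w)
        if length not in dbs:
            dbs[length] = {x for t in normal for x in windows(t, length)}
        return w in dbs[length]

    found: List[Window] = []
    for length in range(1, len(trace) + 1):
        for w in windows(trace, length):
            if seen(w) or w in found:
                continue
            # foreign; minimal iff both (length-1)-sub-windows are normal
            if length == 1 or (seen(w[:-1]) and seen(w[1:])):
                found.append(w)
    return found


def detection_threshold(normal: Sequence[Sequence[str]], trace: Sequence[str]) -> int:
    """Smallest window length at which stide detects `trace`; 0 if never."""
    mfs = minimal_foreign_sequences(normal, trace)
    return min(len(w) for w in mfs) if mfs else 0


def blindness_profile(normal: Sequence[Sequence[str]], trace: Sequence[str],
                      max_k: int) -> Dict[int, bool]:
    """Detected-or-not for each window length 1..max_k."""
    return {k: Stide(k).train(normal).detects(trace) for k in range(1, max_k + 1)}


# Constructed traces (not the paper's data).
NORMAL = [
    ["stat", "open", "read", "read", "read", "read", "write", "exit"],
    ["fstat", "read", "read", "read", "read", "write", "close", "exit"],
    ["stat", "open", "read", "write", "close", "exit"],
]
# 'open read read read read write close' was never seen as a whole, but each
# of its two length-6 halves was: a minimal foreign sequence of length 7.
LONG_ANOMALY = ["stat", "open", "read", "read", "read", "read", "write", "close", "exit"]
# A call the program never makes: a minimal foreign sequence of length 1.
SHORT_ANOMALY = ["stat", "open", "read", "execve", "read", "write", "close", "exit"]

if __name__ == "__main__":
    for name, trace in (("long", LONG_ANOMALY), ("short", SHORT_ANOMALY)):
        print(name, "threshold:", detection_threshold(NORMAL, trace),
              blindness_profile(NORMAL, trace, 9))
```

Run stand-alone, the script prints that the long anomaly needs a window of at least 7 and is undetected for every k below that, while the short anomaly is caught at every k. The same reasoning explains why a fixed window length can only be justified against the lengths of the minimal foreign sequences that real attacks produce in a given environment; a window shorter than those sequences is blind regardless of how much normal data was collected.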
Keywords :
security of data; anomaly-based intrusion detector; data sequences; detection blindness; effective operating space; information security; intrusion detection; masquerader detection; novel attack detection; root privileges; stide; Detectors; Privacy; Security;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Proceedings of the 2002 IEEE Symposium on Security and Privacy
ISSN :
1081-6011
Print_ISBN :
0-7695-1543-6
Type :
conf
DOI :
10.1109/SECPRI.2002.1004371
Filename :
1004371