Determining the operational limits of an anomaly-based intrusion detector

Anomaly-detection techniques have considerable promise for two difficult and critical problems in information security and intrusion detection: detecting novel attacks, and detecting masqueraders. One of the best-known anomaly detectors used in intrusion detection is stide. (Rather than STIDE or Stide or s-tide, we have chosen "stide" in keeping with the way the detector was referred to in the paper by Warrender et al., 1999.) Developed at the University of New Mexico, stide aims to detect attacks that exploit processes that run with root privileges. The original work on stide presented empirical results indicating that data sequences of length six and above were required for effective intrusion detection. This observation has given rise to the long-standing question, "why six?" accompanied by related questions regarding the conditions under which six may (not) be appropriate. This paper addresses the "why six" issue by presenting an evaluation framework for mapping out stide's effective operating space and by identifying conditions that contribute to detection capability, particularly detection blindness. A theoretical justification explains the effectiveness of sequence lengths of six and above, as well as the consequences of using other values. In addition, results of an investigation are presented, comparing stide's anomaly-detection capabilities with those of a competing detector.