Anomaly-detection techniques have considerable promise for two difficult and critical problems in information security and intrusion detection: detecting novel attacks, and detecting masqueraders. One of the best-known anomaly detectors used in intrusion detection is stide (sequence time-delay embedding). (Rather than STIDE, Stide or s-tide, we have chosen "stide" in keeping with the way the detector was referred to in the paper by Warrender et al., 1999.) Developed at the University of New Mexico, stide aims to detect attacks that exploit processes running with root privileges, by modelling the sequences of system calls those processes issue during normal operation. The original work on stide presented empirical results indicating that sequences (detector windows) of length six and above were required for effective intrusion detection. This observation has given rise to the long-standing question, "why six?", accompanied by related questions regarding the conditions under which six may or may not be appropriate. This paper addresses the "why six" issue by presenting an evaluation framework for mapping out stide's effective operating space and by identifying the conditions that contribute to detection capability, and in particular to detection blindness. A theoretical justification explains the effectiveness of sequence lengths of six and above, as well as the consequences of using other values. In addition, results of an investigation are presented, comparing stide's anomaly-detection capabilities with those of a competing detector.
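The basic stide mechanism is simple enough to reproduce in a few lines, and doing so makes the window-length question concrete. The following is an added illustration, not code from the paper or from the University of New Mexico implementation: it builds stide's model of normal behaviour as the set of distinct length-k windows (k-grams) seen in normal system-call traces, flags test windows absent from that set, and then sweeps k to find the smallest window at which a given anomalous trace becomes visible. The three traces are constructed for the example and are not real process data; the helper names (`build_normal_db`, `stide_mismatches`, `detection_sweep`, `minimal_foreign_length`) are this example's own.

```python
"""Minimal stide-style detector: normal model = set of distinct system-call k-grams.

A test trace is anomalous if any of its length-k windows is missing from the
normal set.  A direct consequence of this lookup mechanism is that a detector
with window k is blind to any anomalous trace whose windows of length k are
all individually normal, even if a longer window would reveal a foreign
sequence.  The sweep below shows the smallest k at which detection occurs.
"""
from typing import Dict, List, Optional, Sequence, Set, Tuple

Trace = Sequence[str]
Gram = Tuple[str, ...]


def windows(trace: Trace, k: int) -> List[Gram]:
    """All length-k sliding windows of a trace (empty if the trace is shorter than k)."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_normal_db(normal_traces: Sequence[Trace], k: int) -> Set[Gram]:
    """stide's model of 'self': every distinct k-gram observed in normal traces."""
    db: Set[Gram] = set()
    for trace in normal_traces:
        db.update(windows(trace, k))
    return db


def stide_mismatches(db: Set[Gram], trace: Trace, k: int) -> List[Gram]:
    """Windows of the test trace that are absent from the normal model."""
    return [w for w in windows(trace, k) if w not in db]


def detection_sweep(normal_traces: Sequence[Trace], trace: Trace,
                    max_k: int) -> Dict[int, int]:
    """Number of mismatching windows for each window length 1..max_k."""
    return {k: len(stide_mismatches(build_normal_db(normal_traces, k), trace, k))
            for k in range(1, max_k + 1)}


def minimal_foreign_length(normal_traces: Sequence[Trace], trace: Trace,
                           max_k: int) -> Optional[int]:
    """Smallest k at which the trace produces any mismatch; None if it stays
    invisible for every window length up to max_k (the detector's blind region)."""
    for k, count in detection_sweep(normal_traces, trace, max_k).items():
        if count:
            return k
    return None


# Constructed sample data (not real process traces).  Two normal traces share
# the middle 'read write' context but differ in what precedes and follows it.
NORMAL_TRACES: List[List[str]] = [
    ["open", "fstat", "read", "write", "close", "exit"],
    ["socket", "connect", "read", "write", "send", "exit"],
]

# An anomalous trace that splices the two: every 3-gram occurs in some normal
# trace, but the 4-gram ('fstat', 'read', 'write', 'send') occurs in none.
SPLICED_TRACE: List[str] = ["open", "fstat", "read", "write", "send", "exit"]

if __name__ == "__main__":
    for k, count in detection_sweep(NORMAL_TRACES, SPLICED_TRACE, 6).items():
        print(f"window k={k}: {count} mismatching window(s)")
    print("smallest detecting window:",
          minimal_foreign_length(NORMAL_TRACES, SPLICED_TRACE, 6))
```

Running the sweep shows zero mismatches for k of 1, 2 and 3 and a non-zero count from k = 4 upward: with any window shorter than four, this anomaly lies entirely inside the detector's blind region, no matter how many normal traces were used to train it. The point the toy makes is that the useful window length is a property of the anomalies in the data (the length of the shortest foreign sequence the detector must be able to see), not a constant of the algorithm; the paper's analysis of the real traces is what ties that property to the specific value six.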