Hiding Intrusions: From the Abnormal to the Normal and Beyond
IH '02 Revised Papers from the 5th International Workshop on Information Hiding
Anomaly detection of web-based attacks
Proceedings of the 10th ACM conference on Computer and communications security
Scatter (and other) plots for visualizing user profiling data and network traffic
Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security
Web tap: detecting covert web traffic
Proceedings of the 11th ACM conference on Computer and communications security
Gray-box extraction of execution graphs for anomaly detection
Proceedings of the 11th ACM conference on Computer and communications security
Anomalous system call detection
ACM Transactions on Information and System Security (TISSEC)
Behavior-based modeling and its application to Email analysis
ACM Transactions on Internet Technology (TOIT)
System Call Monitoring Using Authenticated System Calls
IEEE Transactions on Dependable and Secure Computing
Analyzing and evaluating dynamics in stide performance for intrusion detection
Knowledge-Based Systems
Guest Editorial: From intrusion detection to self-protection
Computer Networks: The International Journal of Computer and Telecommunications Networking
A comparative evaluation of two algorithms for Windows Registry Anomaly Detection
Journal of Computer Security
On gray-box program tracking for anomaly detection
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Analysis of Computer Intrusions Using Sequences of Function Calls
IEEE Transactions on Dependable and Secure Computing
Trace anomalies as precursors of field failures: an empirical study
Empirical Software Engineering
Data sanitization: improving the forensic utility of anomaly detection systems
HotDep'07 Proceedings of the 3rd workshop on on Hot Topics in System Dependability
Processing of massive audit data streams for real-time anomaly intrusion detection
Computer Communications
Computer forensics in forensis
ACM SIGOPS Operating Systems Review
ICCBR '07 Proceedings of the 7th international conference on Case-Based Reasoning: Case-Based Reasoning Research and Development
Using Artificial Intelligence for Intrusion Detection
Proceedings of the 2007 conference on Emerging Artificial Intelligence Applications in Computer Engineering: Real Word AI Systems with Applications in eHealth, HCI, Information Retrieval and Pervasive Technologies
ACM Transactions on Autonomous and Adaptive Systems (TAAS)
Automatically Adapting a Trained Anomaly Detector to Software Patches
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Undermining an anomaly-based intrusion detection system using common exploits
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Combining hidden Markov models for improved anomaly detection
ICC'09 Proceedings of the 2009 IEEE international conference on Communications
Community epidemic detection using time-correlated anomalies
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Anomaly-based network intrusion detection using outlier subspace analysis: a case study
Canadian AI'11 Proceedings of the 24th Canadian conference on Advances in artificial intelligence
On the use of word networks to mimicry attack detection
ETRICS'06 Proceedings of the 2006 international conference on Emerging Trends in Information and Communication Security
Two effective methods to detect anomalies in embedded systems
Microelectronics Journal
Anomaly detection in computer security and an application to file system accesses
ISMIS'05 Proceedings of the 15th international conference on Foundations of Intelligent Systems
A probabilistic method for detecting anomalous program behavior
WISA'04 Proceedings of the 5th international conference on Information Security Applications
Improving host-based IDS with argument abstraction to prevent mimicry attacks
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
On random-inspection-based intrusion detection
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
A brief observation-centric analysis on anomaly-based intrusion detection
ISPEC'05 Proceedings of the First international conference on Information Security Practice and Experience
ISI'05 Proceedings of the 2005 IEEE international conference on Intelligence and Security Informatics
Automated discovery of mimicry attacks
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Anagram: a content anomaly detector resistant to mimicry attack
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
A hybrid method to intrusion detection systems using HMM
ICDCIT'05 Proceedings of the Second international conference on Distributed Computing and Internet Technology
A close look on n-grams in intrusion detection: anomaly detection vs. classification
Proceedings of the 2013 ACM workshop on Artificial intelligence and security
| Hi-index | 0.01 |
Anomaly-detection techniques have considerable promise for twodifficult and critical problems in information security and intrusiondetection: detecting novel attacks, and detecting masqueraders.Oneof the best-known anomaly detectors used in intrusion detection isstide.Developed at the University of New Mexico, stide aims todetect attacks that exploit processes that run with root privileges.The original work on stide presented empirical results indicatingthat data sequences of length six and above were required foreffective intrusion detection.This observation has given rise tothe long-standing question, "Why six?" accompanied by relatedquestions regarding the conditions under which six may or may not beappropriate.This paper addresses the "Why Six" issue by presenting anevaluation framework that maps out stide's effective operating space,and identifies the conditions that contribute to detectioncapability, particularly detection blindness.A theoreticaljustification explains the effectiveness of sequence lengths of sixand above, as well as the consequences of using other values.Inaddition, results of an investigation are presented, comparingstide's anomaly-detection capabilities with those of a competingdetector.