Computer Science Department
School of Computer Science, Carnegie Mellon University
"Why 6?" Defining the Operational Limits of Stide,
Kymie M.C. Tan, Roy A. Maxion
One of the best-known anomaly detectors that has been applied to intrusion detection is stide. Developed at the University of New Mexico, stide aims to detect attacks that exploit processes that run with root privileges. The original work on stide presented empirical results indicating that sequences of length six and above were required for effective intrusion detection.
This paper presents an evaluation framework that maps out stide's effective operating space, and identifies the conditions that contribute to detection strength, blindness or weakness. A theoretical justification for why sequence lengths six and above were effective is given, and the consequences of a different choice on detector performance are explained.
In addition, we give results of our investigation, which characterizes regions of the anomaly space in which stide is capable of anomaly detection and those in which it is not. We believe that relating detector properties of this kind to manifestations of intrusive activities is necessary if effective anomaly-based intrusion detection systems are to be built and deployed.
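The window-length dependence the abstract refers to, as an added example that is not the paper's or UNM's own code: a minimal stide-style detector over constructed system-call traces (call names and runs are made up). It shows that a foreign sequence whose every length-k sub-window already occurs in the normal database is invisible at window length k, and only surfaces once the window is at least as long as the foreign sequence; the same reasoning applies to the window of six discussed in the paper.

```python
"""Minimal stide-style sequence detector (illustrative, not the UNM implementation)."""


def build_normal_db(training_traces, k):
    """Normal database: every length-k window seen in any training trace."""
    db = set()
    for trace in training_traces:
        for i in range(len(trace) - k + 1):
            db.add(tuple(trace[i:i + k]))
    return db


def stide_mismatches(db, trace, k):
    """Indices of length-k windows in `trace` that are absent from the normal db."""
    return [i for i in range(len(trace) - k + 1)
            if tuple(trace[i:i + k]) not in db]


def smallest_detecting_window(training_traces, trace):
    """Smallest k at which stide flags anything in `trace`; None if it is blind at every k.

    A window that contains a foreign sub-sequence is itself foreign, so detection is
    monotone in k: the answer equals the length of the shortest minimal foreign sequence.
    """
    for k in range(1, len(trace) + 1):
        if stide_mismatches(build_normal_db(training_traces, k), trace, k):
            return k
    return None


# Constructed normal behaviour: two benign runs of a hypothetical daemon.
NORMAL = [
    ["open", "read", "close", "exit"],
    ["socket", "read", "write", "close", "exit"],
]

# Constructed test trace: (open, read, write) never occurs in training, but every
# length-2 window of it does, so k=2 is blind and k=3 is the first window that sees it.
TEST = ["open", "read", "write", "close", "exit"]

if __name__ == "__main__":
    for k in (1, 2, 3):
        print(k, stide_mismatches(build_normal_db(NORMAL, k), TEST, k))
    print("first detecting window:", smallest_detecting_window(NORMAL, TEST))
```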