Computer Science Department
School of Computer Science, Carnegie Mellon University


"Why 6?" Defining the Operational Limits of Stide,
an Anomaly-Based Intrusion Detector

Kymie M.C. Tan, Roy A. Maxion

November 2001

Keywords: Anomaly, anomaly detection, detection coverage, evaluating anomaly detectors, stide

Detecting masqueraders and detecting novel attacks are two of the more difficult problems facing intrusion detection systems. While anomaly-based approaches appear to be among the most promising techniques for dealing with these problems, confidence in their detection results requires precise knowledge of the detector's characteristics, including the conditions under which it fails as well as those in which it works well.

One of the best-known anomaly detectors applied to intrusion detection is stide. Developed at the University of New Mexico, stide aims to detect attacks that exploit processes running with root privileges by monitoring the sequences of system calls those processes issue. The original work on stide presented empirical results indicating that sequences of length six and above were required for effective intrusion detection.

This paper presents an evaluation framework that maps out stide's effective operating space and identifies the conditions that contribute to detection strength, weakness or blindness. A theoretical justification for why sequence lengths of six and above were effective is given, and the consequences of a different choice for detector performance are explained.
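The following Python sketch is an added illustration and is not code from the report or from the University of New Mexico stide implementation. It models stide's matching rule (slide a window of length k over a trace of system call names, record every window seen in normal training traces, and flag any window at detection time that is absent from that database) and shows on constructed traces how detection depends on k: the anomalous trace's shortest window that never occurs in training has length 6, so a detector using windows of length 5 or less is blind to it, while length 6 and above catch it. The trace contents, the function names and the choice of 6 for the constructed case are assumptions made for the example, not data from the report.

```python
"""Added illustration of stide's sliding-window matching rule (not the
report's or UNM's code). All traces below are constructed for the example."""
from typing import Dict, Iterator, List, Optional, Sequence, Set, Tuple

Window = Tuple[str, ...]


def windows(trace: Sequence[str], k: int) -> Iterator[Window]:
    """Yield every contiguous window of length k in the trace, in order."""
    for i in range(len(trace) - k + 1):
        yield tuple(trace[i:i + k])


def build_normal_db(training: List[Sequence[str]], k: int) -> Set[Window]:
    """Training phase: record every distinct length-k window seen in normal traces."""
    db: Set[Window] = set()
    for trace in training:
        db.update(windows(trace, k))
    return db


def detect(db: Set[Window], trace: Sequence[str], k: int) -> List[int]:
    """Detection phase: return the start offsets of windows absent from the
    normal database (stide's mismatches). An empty list means the trace
    looks entirely normal at this window length."""
    return [i for i, w in enumerate(windows(trace, k)) if w not in db]


def detection_by_window_length(training: List[Sequence[str]],
                               trace: Sequence[str],
                               max_k: int) -> Dict[int, List[int]]:
    """Map each window length k in 1..max_k to the mismatch offsets reported."""
    return {k: detect(build_normal_db(training, k), trace, k)
            for k in range(1, max_k + 1)}


def smallest_detecting_window(training: List[Sequence[str]],
                              trace: Sequence[str],
                              max_k: Optional[int] = None) -> Optional[int]:
    """Smallest window length k at which stide raises a mismatch on `trace`,
    or None if no k up to max_k (default: the trace length) does. Every
    shorter window of the trace also occurs somewhere in training, so a
    detector configured below this length is blind to the anomaly; any
    longer window that contains a foreign window is itself foreign."""
    if max_k is None:
        max_k = len(trace)
    for k in range(1, max_k + 1):
        if detect(build_normal_db(training, k), trace, k):
            return k
    return None


# Constructed training traces (system call names) standing in for the normal
# behaviour of a privileged process.
NORMAL_TRACES: List[Sequence[str]] = [
    ["open", "read", "mmap", "write", "close", "exit"],
    ["stat", "read", "mmap", "write", "close", "munmap", "exit"],
]

# Constructed anomalous trace: it splices the two normal traces together, so
# every window of length 5 or less occurs in training, but the 6-call window
# starting at offset 0 ("open ... munmap") never does.
ANOMALOUS_TRACE: Sequence[str] = [
    "open", "read", "mmap", "write", "close", "munmap", "exit",
]


if __name__ == "__main__":
    results = detection_by_window_length(NORMAL_TRACES, ANOMALOUS_TRACE, 7)
    for k, hits in results.items():
        status = f"mismatch at offsets {hits}" if hits else "no mismatch (blind)"
        print(f"k={k}: {status}")
    print("smallest detecting k:",
          smallest_detecting_window(NORMAL_TRACES, ANOMALOUS_TRACE))
```

Run stand-alone, the script prints "no mismatch (blind)" for k=1 through k=5 and a mismatch at offset 0 for k=6 and k=7. The same machinery, applied to a corpus of real traces, is how one would answer the report's question for a given deployment: compute the shortest foreign sequence produced by each known attack manifestation, and any window length below the largest of those values leaves the detector blind to some of them.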

In addition, we give the results of our investigation, which characterizes the regions of the anomaly space in which stide is capable of anomaly detection and those in which it is not. We believe that relating detector properties of this kind to the manifestations of intrusive activity is necessary if effective anomaly-based intrusion detection systems are to be built and deployed.

26 pages
