Determining the operational limits of an anomaly-based intrusion detector

Anomaly-detection techniques hold considerable promise for two difficult and critical problems in information security and intrusion detection: detecting novel attacks and detecting masqueraders. One of the best-known anomaly detectors used in intrusion detection is stide. (Rather than STIDE, Stide or s-tide, we use "stide", following the usage in the paper by Warrender et al., 1999.) Developed at the University of New Mexico, stide aims to detect attacks that exploit processes running with root privileges. The original work on stide presented empirical results indicating that sequences of length six or more were required for effective intrusion detection. This observation has given rise to the long-standing question "why six?", together with related questions about the conditions under which six may or may not be appropriate. This paper addresses the "why six" issue by presenting an evaluation framework for mapping out stide's effective operating space and by identifying the conditions that contribute to its detection capability, in particular to detection blindness. A theoretical justification explains the effectiveness of sequence lengths of six and above, as well as the consequences of using other values. In addition, results are presented from an investigation comparing stide's anomaly-detection capabilities with those of a competing detector.
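The following is an added worked example, not code from the paper or from the University of New Mexico stide implementation. It implements the stide scheme as described in the Forrest/Hofmeyr/Warrender papers cited below: training records every length-k sliding window of system-call names seen in attack-free traces, and a test window is a mismatch if it is absent from that database. The system-call traces are constructed for illustration and are not real process data. The point it makes is one concrete source of detection blindness: a foreign sequence all of whose length-k sub-windows occur in normal data is invisible to a window of length k and only becomes visible once the window is at least as long as the foreign sequence, so the choice of k fixes which anomalies the detector can see at all.

```python
"""stide-style sliding-window anomaly detector over system-call traces.

Added example (not the paper's code). Assumes the stide mechanism as
described by Forrest et al.: a set of all length-k windows from normal
traces; a test window is a mismatch if it is not in that set.
All trace contents below are constructed for illustration.
"""
from typing import Dict, List, Optional, Sequence, Set, Tuple

Window = Tuple[str, ...]


def windows(trace: Sequence[str], k: int) -> List[Window]:
    """All length-k sliding windows of a trace, in order (empty if k > len)."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


class Stide:
    """Sequence time-delay embedding detector with a fixed window length k."""

    def __init__(self, k: int) -> None:
        if k < 1:
            raise ValueError("window length must be >= 1")
        self.k = k
        self.normal: Set[Window] = set()

    def train(self, traces: Sequence[Sequence[str]]) -> None:
        """Build the normal database from the windows of attack-free traces."""
        for trace in traces:
            self.normal.update(windows(trace, self.k))

    def mismatches(self, trace: Sequence[str]) -> List[int]:
        """Indices of test windows that are absent from the normal database."""
        return [i for i, w in enumerate(windows(trace, self.k))
                if w not in self.normal]


def smallest_detecting_window(normal: Sequence[Sequence[str]],
                              test: Sequence[str],
                              max_k: int) -> Optional[int]:
    """Smallest k in 1..max_k at which stide flags at least one window of
    test, or None if every window length up to max_k is blind to the trace."""
    for k in range(1, max_k + 1):
        det = Stide(k)
        det.train(normal)
        if det.mismatches(test):
            return k
    return None


def mismatch_profile(normal: Sequence[Sequence[str]],
                     test: Sequence[str],
                     max_k: int) -> Dict[int, int]:
    """Mismatch count per window length: a one-trace map of the operating
    space, showing where the detector is blind and where it fires."""
    profile: Dict[int, int] = {}
    for k in range(1, max_k + 1):
        det = Stide(k)
        det.train(normal)
        profile[k] = len(det.mismatches(test))
    return profile


# Constructed normal traces (system-call names only; not real process data).
NORMAL_TRACES = [
    ["open", "read", "mmap", "mprotect", "close", "write", "fstat"],
    ["stat", "read", "mmap", "mprotect", "close", "write", "execve"],
]

# Constructed anomalous trace: never seen as a whole, but both of its
# length-6 windows occur in the normal traces above, so it is a minimal
# foreign sequence of length 7 and any window of length <= 6 is blind to it.
HIDDEN_TRACE = ["open", "read", "mmap", "mprotect", "close", "write", "execve"]

# Constructed anomalous trace containing a foreign pair ("read", "execve"),
# which a window of length 2 already catches.
OBVIOUS_TRACE = ["open", "read", "execve"]

if __name__ == "__main__":
    for name, trace in (("hidden", HIDDEN_TRACE), ("obvious", OBVIOUS_TRACE)):
        print(name, mismatch_profile(NORMAL_TRACES, trace, 8),
              "first detected at k =",
              smallest_detecting_window(NORMAL_TRACES, trace, 8))
```

Running the block shows the hidden trace producing zero mismatches for every window length up to 6 and one mismatch at k = 7, while the obvious trace is caught from k = 2 on. The profile also exposes the opposite edge of the operating space: once k exceeds the length of a trace there are no windows to test, so a detector tuned to long windows is blind to short traces regardless of their content.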

[1] Alan S. Perelson et al. Self-nonself discrimination in a computer. Proceedings of the 1994 IEEE Computer Society Symposium on Research in Security and Privacy, 1994.

[2] Christina Warrender, Stephanie Forrest, Barak A. Pearlmutter. Detecting intrusions using system calls: alternative data models. Proceedings of the 1999 IEEE Symposium on Security and Privacy, 1999.

[3] Carla Marceau et al. Intrusion detection for distributed applications. Communications of the ACM, 1999.

[4] Stephanie Forrest et al. Intrusion Detection Using Sequences of System Calls. Journal of Computer Security, 1998.

[5] Carla Marceau et al. Characterizing the behavior of a program using multiple-length N-grams. Proceedings of the New Security Paradigms Workshop (NSPW '00), 2001.

[6] Stephanie Forrest et al. A sense of self for Unix processes. Proceedings of the 1996 IEEE Symposium on Security and Privacy, 1996.

[7] George Marsaglia. Note on a Proposed Test for Random Number Generators. IEEE Transactions on Computers, 1985.

[8] Paul Helman et al. An immunological approach to change detection: algorithms, analysis and implications. Proceedings of the 1996 IEEE Symposium on Security and Privacy, 1996.

[9] Dong Xiang et al. Information-theoretic measures for anomaly detection. Proceedings of the 2001 IEEE Symposium on Security and Privacy, 2001.

[10] Kymie M. C. Tan et al. Anomaly Detection in Embedded Systems. IEEE Transactions on Computers, 2002.

[11] Kymie M. C. Tan et al. Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits. Proceedings of Recent Advances in Intrusion Detection (RAID), 2002.

[12] Kymie M. C. Tan et al. Benchmarking anomaly-based detection systems. Proceedings of the International Conference on Dependable Systems and Networks (DSN 2000), 2000.