Determining the operational limits of an anomaly-based intrusion detector


Full description

Saved in:
Bibliographic details
Published in: IEEE journal on selected areas in communications 2003-01, Vol.21 (1), p.96-110
Main authors: Tan, K.M.C., Maxion, R.A.
Format: Article
Language: eng
Subjects:
Online access: Order full text
container_end_page 110
container_issue 1
container_start_page 96
container_title IEEE journal on selected areas in communications
container_volume 21
creator Tan, K.M.C.
Maxion, R.A.
description Anomaly-detection techniques have considerable promise for two difficult and critical problems in information security and intrusion detection: detecting novel attacks, and detecting masqueraders. One of the best-known anomaly detectors used in intrusion detection is stide. (Rather than STIDE or Stide or s-tide, we have chosen "stide" in keeping with the way the detector was referred to in the paper by Warrender et al., 1999.) Developed at the University of New Mexico, stide aims to detect attacks that exploit processes that run with root privileges. The original work on stide presented empirical results indicating that data sequences of length six and above were required for effective intrusion detection. This observation has given rise to the long-standing question, "why six?" accompanied by related questions regarding the conditions under which six may (not) be appropriate. This paper addresses the "why six" issue by presenting an evaluation framework for mapping out stide's effective operating space and by identifying conditions that contribute to detection capability, particularly detection blindness. A theoretical justification explains the effectiveness of sequence lengths of six and above, as well as the consequences of using other values. In addition, results of an investigation are presented, comparing stide's anomaly-detection capabilities with those of a competing detector.
doi_str_mv 10.1109/JSAC.2002.806130
format Article
fulltext fulltext_linktorsrc
identifier ISSN: 0733-8716
ispartof IEEE journal on selected areas in communications, 2003-01, Vol.21 (1), p.96-110
issn 0733-8716
1558-0008
language eng
recordid cdi_proquest_miscellaneous_28277175
source IEEE Electronic Library (IEL)
subjects Anomalies
Blindness
Change detection algorithms
Computer information security
Computer security
Detectors
Embedded computing
Empirical analysis
Immune system
Information security
Intrusion
Intrusion detection
Kernel
Mapping
Network security
Roots
Solids
Studies
title Determining the operational limits of an anomaly-based intrusion detector
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-02-07T02%3A55%3A35IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_RIE&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Determining%20the%20operational%20limits%20of%20an%20anomaly-based%20intrusion%20detector&rft.jtitle=IEEE%20journal%20on%20selected%20areas%20in%20communications&rft.au=Tan,%20K.M.C.&rft.date=2003-01&rft.volume=21&rft.issue=1&rft.spage=96&rft.epage=110&rft.pages=96-110&rft.issn=0733-8716&rft.eissn=1558-0008&rft.coden=ISACEM&rft_id=info:doi/10.1109/JSAC.2002.806130&rft_dat=%3Cproquest_RIE%3E28277175%3C/proquest_RIE%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=884268075&rft_id=info:pmid/&rft_ieee_id=1159659&rfr_iscdi=true