ScienceDirect® Home Skip Main Navigation Links
You have guest access to ScienceDirect. Find out more.
 
Home
Browse
My Settings
Alerts
Help
 Quick Search
 Search tips (Opens new window)
    Clear all fields    
Knowledge-Based Systems
Volume 19, Issue 7, November 2006, Pages 576-591
Creative Systems
 
Font Size: Decrease Font Size  Increase Font Size
 Abstract - selected
Article
Purchase PDF (299 K)

  E-mail Article   
  Add to my Quick Links   
Bookmark and share in 2collab (opens in new window)
Request permission to reuse this article
  Cited By in Scopus (0)
 
 
 
Related Articles in ScienceDirect
View More Related Articles
 
View Record in Scopus
 
doi:10.1016/j.knosys.2006.03.008    How to Cite or Link Using DOI (Opens New Window)
Copyright © 2006 Elsevier B.V. All rights reserved.

Analyzing and evaluating dynamics in stide performance for intrusion detection

Zhuowei LiCorresponding Author Contact Information, a, E-mail The Corresponding Author and Amitabha Dasa, E-mail The Corresponding Author

aSchool of Computer Engineering, Nanyang Technological University, 50, Nanyang Avenue, Singapore 639798, Singapore

Received 18 March 2005; 
accepted 10 March 2006. 
Available online 27 June 2006.

Purchase the full-text article



References and further reading may be available for this article. To view references and further reading you must purchase this article.

Abstract

Anomaly-based intrusion detection (AID) techniques are useful for detecting novel intrusions into computing resources. One of simple but typical AID detectors proposed to date is stide, which is based on analysis of system call sequences. In this paper, we present a detailed formal framework to analyze, understand and improve the performance of stide and similar AID techniques. Several important properties of stide-like detectors are established through formal theorems, and validated by carefully conducted experiments using test datasets. Finally, the framework is utilized to reduce the cost of developing AID detectors by identifying the critical sections in the training dataset.

Keywords: Intrusion detection; Computer security; Framework; Stide; System call

Article Outline

1. Introduction
1.1. Related work
2. Notations and definitions
2.1. Notations
2.1.1. Sequences and sequence sets
2.1.2. Set operations
2.1.3. Supersequence and subsequence
2.2. Definitions
2.2.1. Foreign sequences and self sequences
2.2.2. Relation between MFS and MSS
3. A formal description of stide
4. A formal framework for stide
4.1. A critical look at stide performance
4.1.1. Effectiveness of a stide detector
4.1.2. Completeness of a stide detector
4.1.3. Efficient stide detectors
4.2. Completeness of the training dataset vs. stide efficiency
4.2.1. MSSs in the test dataset
4.2.2. MFSs in the intrusive dataset
4.2.3. Enhancing efficiency of a stide detector
4.3. Interpretation of related work on stide
4.3.1. Mimicry attacks and intrusion information hiding
4.3.2. t-stide and variable length patterns
4.4. The significance of locality frame count
5. An Application of the framework
5.1. Experimental setup and datasets
5.2. The completeness of training dataset vs. stide efficiency
5.2.1. MFS-MSS average curves
5.2.2. MFS-MSS Matrix
5.2.2.1. Effect of the trimming scheme
5.3. Experimental evaluations
5.3.1. Evaluating the completeness of the training dataset
5.3.2. Identifying critical sections using MMM
6. Conclusions and future work
Acknowledgements
Appendix A. Proofs of some Theorems
A.1. Proof of Theorem 2.4
A.2. Proof of Theorem 4.2
A.3. Proof of Theorem 4.5
A.4. Proof of Theorem 4.15
A.5. Proof of Theorem 4.17
References





Knowledge-Based Systems
Volume 19, Issue 7, November 2006, Pages 576-591
Creative Systems
 
Home
Browse
My Settings
Alerts
Help
Elsevier.com (Opens new window)
About ScienceDirect  |  Contact Us  |  Information for Advertisers  |  Terms & Conditions  |  Privacy Policy
Copyright © 2008 Elsevier B.V. All rights reserved. ScienceDirect® is a registered trademark of Elsevier B.V.