Analyzing and evaluating dynamics in stide performance for intrusion detection

Anomaly-based intrusion detection (AID) techniques are useful for detecting novel intrusions into computing resources. One of simple but typical AID detectors proposed to date is stide, which is based on analysis of system call sequences. In this paper, we present a detailed formal framework to analyze, understand and improve the performance of stide and similar AID techniques. Several important properties of stide-like detectors are established through formal theorems, and validated by carefully conducted experiments using test datasets. Finally, the framework is utilized to reduce the cost of developing AID detectors by identifying the critical sections in the training dataset.