In this paper, we aim to determine the significance of different stages of an attack, namely the preamble and the exploit, on an achieved anomaly rate. To this end, we analyze four UNIX applications that have been used by the previous researchers against Stide anomaly detector. Our results show that the effect of the preamble on the anomaly rate is much greater when the size of the preamble component of an attack is greater than the size of the exploit component. Furthermore, we investigate the impact of training set selection and the length of sliding window on detector performance. Keywords Information hiding, anomaly detection, benchmarking
Hilmi Günes Kayacik, A. Nur Zincir-Heywood