Anomaly-based intrusion detection system
An anomaly-based intrusion detection system is an
In order to positively identify attack traffic, the system must first be taught what normal system activity looks like. Most anomaly detection systems therefore operate in two phases: a training phase, in which a profile of normal behavior is built, and a testing phase, in which current traffic is compared against the profile created during training.
Network-based anomaly intrusion detection systems often provide a second line of defense, detecting anomalous traffic at the physical and network layers after it has passed through a firewall or other security appliance on the border of a network. Host-based anomaly intrusion detection systems are one of the last layers of defense and reside on computer endpoints. They allow for fine-tuned, granular protection of endpoints at the application level.[4]
Anomaly-based intrusion detection at both the network and host levels has a few shortcomings, namely a high false-positive rate and the ability to be fooled by a correctly delivered attack, one whose observable features fall within the learned profile.[3] Attempts have been made to address these issues through techniques used by PAYL[5] and MCPAD.[5]
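The two-phase design described above, and both shortcomings, can be seen in a small worked detector. This is an added example and not code from the article or from any of the systems it names; the feature model (per destination port, the mean and standard deviation of bytes transferred), the log format, the 3-sigma threshold and all traffic values are constructed assumptions.

```python
"""Two-phase (train, then test) anomaly detector over constructed connection records.

Added example, not code from the article. The feature model is an assumption:
for each destination port, the mean and standard deviation of bytes transferred.
"""
import math
from collections import defaultdict

# Constructed training log, format "src_ip dst_port bytes"; assumed to be benign baseline traffic
TRAINING_LOG = """\
10.0.0.5 443 1100
10.0.0.6 443 1300
10.0.0.5 443 1500
10.0.0.7 443 1700
10.0.0.6 443 1200
10.0.0.7 443 1600
10.0.0.5 53 70
10.0.0.6 53 90
10.0.0.5 53 110
10.0.0.7 53 130
10.0.0.6 53 80
10.0.0.7 53 120
""".splitlines()

# Constructed test log; the second field explains what each record is meant to illustrate
TEST_LOG = [
    ("10.0.0.5 443 1450", "ordinary HTTPS request"),
    ("10.0.0.6 443 40000", "legitimate bulk download (expected false positive)"),
    ("10.0.0.7 53 95", "ordinary DNS query"),
    ("10.0.0.5 6667 300", "destination port never seen during training"),
    ("10.0.0.6 443 1500", "record whose features sit inside the profile: invisible to this model"),
]


def parse(line):
    """Split one 'src_ip dst_port bytes' record into typed fields."""
    src, port, nbytes = line.split()
    return src, int(port), int(nbytes)


def build_profile(lines):
    """Training phase: summarise benign traffic as (mean, std) of bytes per destination port."""
    by_port = defaultdict(list)
    for line in lines:
        _, port, nbytes = parse(line)
        by_port[port].append(nbytes)
    profile = {}
    for port, values in by_port.items():
        mean = sum(values) / len(values)
        var = sum((v - mean) ** 2 for v in values) / len(values)
        # Floor the spread at 1 byte so a port with constant-size flows cannot cause division by zero
        profile[port] = (mean, max(math.sqrt(var), 1.0))
    return profile


def score(profile, line):
    """Testing phase: distance of a record from the learned profile, in standard deviations.

    A port absent from the profile has no baseline at all, so it scores infinite."""
    _, port, nbytes = parse(line)
    if port not in profile:
        return math.inf
    mean, std = profile[port]
    return abs(nbytes - mean) / std


def detect(profile, lines, threshold=3.0):
    """Return (line, score, flagged) for each test record; flagged means score exceeds the threshold."""
    results = []
    for line in lines:
        s = score(profile, line)
        results.append((line, s, s > threshold))
    return results


if __name__ == "__main__":
    profile = build_profile(TRAINING_LOG)
    for line, why in TEST_LOG:
        s = score(profile, line)
        print(f"{'ALERT' if s > 3.0 else 'ok   '} z={s:8.2f}  {line:22}  # {why}")
```

Running the block flags the bulk download (a false positive: legitimate but outside the profile) and the unseen port, while the last record scores well inside the profile and is never flagged, which is exactly the limitation the text describes: a profile built from these features cannot distinguish content that happens to share the size distribution of normal traffic. Lowering the threshold to catch more would raise the false-positive rate further, which is the trade-off PAYL and MCPAD try to improve with richer features.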
See also
- fail2ban
- Cfengine – 'cfenvd' can be used for anomaly detection
- Change detection
- DNS analytics
- Hogzilla IDS – a free software (GPL) anomaly-based intrusion detection system
- RRDtool – can be configured to flag anomalies
- Sqrrl – threat hunting based on NetFlow and other collected data[6]
References
- ISBN 978-3-540-23123-3. Archived from the original (PDF) on 2010-06-22. Retrieved 2011-04-22.
- Khalkhali, I; Azmi, R; Azimpour-Kivi, M; Khansari, M. "Host-based web anomaly intrusion detection system, an artificial immune system approach" (PDF). ProQuest.
- Sasha/Beetle. "A strict anomaly detection model for IDS". Phrack 56, 0x11.
- Beaver, K. "Host-based IDS vs. network-based IDS: Which is better?". TechTarget, SearchSecurity.
- Alonso, Samuel. "Cyber Threat hunting with Sqrrl (From Beaconing to Lateral Movement)". Archived from the original on 2021-07-31. Retrieved 2019-08-17.