Anomaly-based intrusion detection system

An anomaly-based intrusion detection system, is an

heuristics or rules, rather than patterns or signatures, and attempts to detect any type of misuse that falls out of normal system operation. This is as opposed to signature-based systems, which can only detect attacks for which a signature has previously been created.^[1]

In order to positively identify attack traffic, the system must be taught to recognize normal system activity. The two phases of a majority of anomaly detection systems consist of the training phase (where a profile of normal behaviors is built) and testing phase (where current traffic is compared with the profile created in the training phase).

Artificial Immune System.^[2]

Network-based anomalous intrusion detection systems often provide a second line of defense to detect anomalous traffic at the physical and network layers after it has passed through a firewall or other security appliance on the border of a network. Host-based anomalous intrusion detection systems are one of the last layers of defense and reside on computer end points. They allow for fine-tuned, granular protection of end points at the application level.^[4]

Anomaly-based Intrusion Detection at both the network and host levels have a few shortcomings; namely a high false-positive rate and the ability to be fooled by a correctly delivered attack.^[3] Attempts have been made to address these issues through techniques used by PAYL^[5] and MCPAD.^[5]

References

ISBN 978-3-540-23123-3. Archived from the original (PDF) on 2010-06-22. Retrieved 2011-04-22. {{cite book}}: |journal= ignored (help); Missing or empty |title= (help
)

^ ^a ^b Khalkhali, I; Azmi, R; Azimpour-Kivi, M; Khansari, M. "Host-based web anomaly intrusion detection system, an artificial immune system approach" (PDF). ProQuest.

^ ^a ^b A strict anomaly detection model for IDS, Phrack 56 0x11, Sasha/Beetle

^ Beaver, K. "Host-based IDS vs. network-based IDS: Which is better?". Tech Target, Search Security. {{cite web}}: Missing or empty |url= (help)

^
doi:10.1016/j.comnet.2008.11.011
.

^ Alonso, Samuel. "Cyber Threat hunting with Sqrrl (From Beaconing to Lateral Movement)". Archived from the original on 2021-07-31. Retrieved 2019-08-17.

This computer networking article is a stub. You can help Wikipedia by expanding it.
v
t
e

Retrieved from "https://en.wikipedia.org/w/index.php?title=Anomaly-based_intrusion_detection_system&oldid=1201634722"

[Wang2004-1] ISBN 978-3-540-23123-3. Archived from the original (PDF) on 2010-06-22. Retrieved 2011-04-22. {{cite book}}: |journal= ignored (help); Missing or empty |title= (help
)

[Khalkhali,_Azmi,_Azimpour-Kivi,_and_Khansari-2] Khalkhali, I; Azmi, R; Azimpour-Kivi, M; Khansari, M. "Host-based web anomaly intrusion detection system, an artificial immune system approach" (PDF). ProQuest.

[Sasha2000-3] A strict anomaly detection model for IDS, Phrack 56 0x11, Sasha/Beetle

[Beaver2014-4] Beaver, K. "Host-based IDS vs. network-based IDS: Which is better?". Tech Target, Search Security. {{cite web}}: Missing or empty |url= (help)

[Perdisci2008-5] 
doi:10.1016/j.comnet.2008.11.011
.

[Alonso2017-6] Alonso, Samuel. "Cyber Threat hunting with Sqrrl (From Beaconing to Lateral Movement)". Archived from the original on 2021-07-31. Retrieved 2019-08-17.

[1]

[2]

[4]

[3]

[5]

[6]

See also

References