Anomaly-based intrusion detection system
From Wikipedia, the free encyclopedia
An Anomaly-Based Intrusion Detection System, is a system for detecting computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and will detect any type of misuse that falls outwith normal system operation. This is as opposed to signature based systems which can only detect attacks for which a signature has previously been created.
In order to determine what is attack traffic, the system must be taught to recognise normal system activity. This can be accomplished in several ways, most often with artificial intelligence type techniques. Systems using neural networks have been used to great effect. Another method is to define what normal usage of the system comprises using a strict mathematical model, and flag any deviation from this as an attack. This is known as strict anomaly detection.
There are very few reliable and trusted commercial Anomaly-based Intrusion Detection systems. One such system, Manhunt, purchased by Symantec in 2001, uses anamoly-based protocol inspection. Another system, StealthWatch by Lancope is a Network Behavior Analysis solution that combines behavior-based anomaly detection with network performance monitoring.
[edit] References
A strict anomaly detection model for IDS, Phrack 56 0x11, Sasha/Beetle (dead)