Anomaly-based intrusion detection system

From Wikipedia, the free encyclopedia

Jump to: navigation, search

An Anomaly-Based Intrusion Detection System, is a system for detecting computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and will detect any type of misuse that falls out of normal system operation. This is as opposed to signature based systems which can only detect attacks for which a signature has previously been created.^[1]

In order to determine what is attack traffic, the system must be taught to recognize normal system activity. This can be accomplished in several ways, most often with artificial intelligence type techniques. Systems using neural networks have been used to great effect. Another method is to define what normal usage of the system comprises using a strict mathematical model, and flag any deviation from this as an attack. This is known as strict anomaly detection.^[2]

Anomaly-based Intrusion Detection does have some short-comings, namely a high false positive rate and the ability to be fooled by a correctly delivered attack.^[2] Attempts have been made to address these issues through techniques used by PAYL^[1] and MCPAD.^[3]

[edit] See also

Change detection
Cfengine - 'cfenvd' can be utilized to do anomaly detection
RRDtool - can be configured to flag anomalies

[edit] References

^ ^a ^b Wang, Ke. "Anomalous Payload-Based Network Intrusion Detection". Recent Advances in Intrusion Detection. Springer Berlin. doi:10.1007/978-3-540-30143-1_11.
^ ^a ^b A strict anomaly detection model for IDS, Phrack 56 0x11, Sasha/Beetle
^ Perdisci, Roberto; Davide Ariu, Prahlad Fogla, Giorgio Giacinto, and Wenke Lee (2009). "McPAD : A Multiple Classiﬁer System for Accurate Payload-based Anomaly Detection". Computer Networks, Special Issue on Traffic Classification and Its Applications to Modern Networks 5 (6): 864–881. http://3407859467364186361-a-1802744773732722657-s-sites.googlegroups.com/site/robertoperdisci/publications/publication-files/McPAD-revision1.pdf?attachauth=ANoY7cracv9VJh1PrdgVG8tSdMRh7AImufRG9pxwHd4gHQuws7RxQXrD4duQNiRXFBPSRouloipzLOAWbDV16ZUkCyICr4RYRsiknMqLos8pM7Ekc9haXLA38Y7kEsAjpeFPzx4_eORchAi_KOu2lExw5x5B6grAAwLpxA_pymGQRChq5CWF70EDv9zuUtIaTUR8oaDd_D2NRE8mJHaP7TYYj0xAG3YJPGQSsRT8HetfDytgojYuo9m4Rnh8lBSqjuCYBueX2pw7&attredirects=0.

This computer networking article is a stub. You can help Wikipedia by expanding it.

[Wang2004-0] Wang, Ke. "Anomalous Payload-Based Network Intrusion Detection". Recent Advances in Intrusion Detection. Springer Berlin. doi:10.1007/978-3-540-30143-1_11.

[Sasha2000-1] A strict anomaly detection model for IDS, Phrack 56 0x11, Sasha/Beetle

[Perdisci2008-2] Perdisci, Roberto; Davide Ariu, Prahlad Fogla, Giorgio Giacinto, and Wenke Lee (2009). "McPAD : A Multiple Classiﬁer System for Accurate Payload-based Anomaly Detection". Computer Networks, Special Issue on Traffic Classification and Its Applications to Modern Networks 5 (6): 864–881. http://3407859467364186361-a-1802744773732722657-s-sites.googlegroups.com/site/robertoperdisci/publications/publication-files/McPAD-revision1.pdf?attachauth=ANoY7cracv9VJh1PrdgVG8tSdMRh7AImufRG9pxwHd4gHQuws7RxQXrD4duQNiRXFBPSRouloipzLOAWbDV16ZUkCyICr4RYRsiknMqLos8pM7Ekc9haXLA38Y7kEsAjpeFPzx4_eORchAi_KOu2lExw5x5B6grAAwLpxA_pymGQRChq5CWF70EDv9zuUtIaTUR8oaDd_D2NRE8mJHaP7TYYj0xAG3YJPGQSsRT8HetfDytgojYuo9m4Rnh8lBSqjuCYBueX2pw7&attredirects=0.

[1]

[2]

[3]

Anomaly-based intrusion detection system

[edit] See also

[edit] References

Personal tools

Namespaces

Variants

Views

Actions

Search

Navigation

Interaction

Toolbox

Print/export

Languages