|This article needs additional citations for verification. (December 2011)|
Misuse detection is an approach in detecting attacks. In misuse detection approach, we define abnormal system behaviour at first, and then define any other behaviour, as normal behaviour. It stands against anomaly detection approach which utilizes the reverse approach, defining normal system behaviour and defining any other behaviour as abnormal. In other words, anything we don't know is normal. Using attack signatures in IDSes is an example of this approach.
In theory, It assumes that abnormal behaviour and activity has a simple to define model. Its advantage is simplicity of adding known attacks to the model. Its disadvantage is its inability to recognize unknown attacks.
- Helman, Paul, Liepins, Gunar, and Richards, Wynette, "Foundations of Intrusion Detection," The IEEE Computer Security Foundations Workshop V, 1992
For more information on Misuse Detection, including papers written on the subject, consider the following:
- Misuse Detection Concepts and Algorithms - article by the IR Lab at IIT.