Anomaly-based intrusion detection system

An anomaly-based intrusion detection system is a system for detecting computer intrusions and misuse by monitoring system activity and classifying it as either "normal" or "anomalous". The classification is based on heuristics or rules rather than on patterns or signatures, so it can flag any type of misuse that falls outside normal system operation. This is in contrast to signature-based systems, which can only detect attacks for which a signature has previously been created.

In order to determine what constitutes attack traffic, the system must first be taught to recognise normal system activity. This can be accomplished in several ways, most often with machine-learning or other artificial-intelligence techniques; systems using neural networks have been used to great effect. Another method is to define what normal usage of the system comprises using a strict mathematical model, and to flag any deviation from this model as an attack. This is known as strict anomaly detection.
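The following is an added example, not code from the original article, showing the two baselining approaches described above side by side: a statistical baseline (per-user login counts learned from several days of activity, with a z-score threshold) and a strict model (the exact set of user/source-network pairs seen during training, where anything unseen is an alert). The login records, user names and network ranges are all constructed for the example.

```python
"""Minimal anomaly-based detector with a statistical and a strict baseline.

Added example, not part of the original article. All events below are constructed.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev


class AnomalyDetector:
    def __init__(self, z_threshold: float = 3.0):
        self.z_threshold = z_threshold
        self.stats = {}                   # user -> (mean, stdev) of logins per day
        self.allowed = defaultdict(set)   # user -> source networks seen in training

    def train(self, days):
        """days: one list of (user, source_network) login events per training day.

        The baseline must be learned from activity believed to be clean: anything
        present in the training data becomes "normal" and will not be flagged later.
        """
        users = {u for day in days for u, _ in day}
        per_user_counts = defaultdict(list)
        for day in days:
            counts = Counter(u for u, _ in day)
            for u, src in day:
                self.allowed[u].add(src)          # strict model: remember exact pairs
            for u in users:
                per_user_counts[u].append(counts.get(u, 0))   # absent user counts as 0
        for u, counts in per_user_counts.items():
            self.stats[u] = (mean(counts), pstdev(counts))

    def score_day(self, day):
        """Return a list of (model, user, detail) alerts for one day of events."""
        alerts = []

        # Strict model: any (user, network) pair not seen in training is anomalous,
        # including logins by users that never appeared in training at all.
        for u, src in sorted(set(day)):
            if src not in self.allowed.get(u, set()):
                alerts.append(("strict", u, f"login from unseen network {src}"))

        # Statistical model: compare today's per-user count with the learned baseline.
        counts = Counter(u for u, _ in day)
        for u, (mu, sigma) in self.stats.items():
            n = counts.get(u, 0)
            if sigma == 0:
                anomalous = n != mu    # no variance learned: any deviation is anomalous
            else:
                anomalous = abs(n - mu) / sigma > self.z_threshold
            if anomalous:
                alerts.append(("statistical", u,
                               f"{n} logins vs baseline {mu:.1f} +/- {sigma:.1f}"))
        return alerts


def make_day(alice_logins: int, bob_logins: int):
    """Constructed day of login events from each user's usual office network."""
    return ([("alice", "10.0.1.0/24")] * alice_logins
            + [("bob", "10.0.2.0/24")] * bob_logins)


# Constructed training period: five ordinary days.
TRAINING_DAYS = [make_day(a, b) for a, b in [(10, 4), (12, 5), (11, 4), (9, 6), (13, 5)]]

# Constructed test day: alice behaves normally, bob's account logs in 40 times and
# once from a network (203.0.113.0/24, a documentation range) never seen in training.
TEST_DAY = make_day(11, 40) + [("bob", "203.0.113.0/24")]


def run_demo():
    detector = AnomalyDetector()
    detector.train(TRAINING_DAYS)
    return detector.score_day(TEST_DAY)


if __name__ == "__main__":
    for model, user, detail in run_demo():
        print(f"[{model}] {user}: {detail}")
```

The strict model fires on a single never-before-seen pair with no tolerance, which is exactly what makes it precise against a well-defined system and noisy against one whose normal behaviour was not fully captured during training. The statistical model tolerates ordinary variation and only fires once the deviation exceeds the chosen threshold, so the threshold is where the trade-off between missed misuse and false alarms is set; both models silently accept whatever was present in the training period as normal.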

See also

* Change detection
* Cfengine - 'cfenvd' can be utilized to do anomaly detection
* RRDtool - can be configured to flag anomalies

References

* [ftp://ftp.cerias.purdue.edu/pub/papers/sandeep-kumar/kumar-intdet-phddiss.pdf Classification and Detection of Computer Intrusions], Sandeep Kumar, PhD thesis, Purdue University, August 1995
* [http://artofhacking.com/files/phrack/phrack56/P56-11.TXT A strict anomaly detection model for IDS], Sasha/Beetle, Phrack 56, 0x11
* [http://www.cfengine.org/docs/cfengine-Anomalies.html Anomaly detection with cfenvd and cfenvgraph], Cfengine documentation
* [http://cricket.sourceforge.net/aberrant/rrd_hw.htm Notes on RRDTOOL implementation of Aberrant Behavior Detection], Cricket project


Wikimedia Foundation. 2010.
