An '''anomaly-based intrusion detection system''' is an [[intrusion detection system]] for detecting both network and computer intrusions and misuse by monitoring system activity and classifying it as either ''normal'' or ''anomalous''. The classification is based on [[heuristics]] or rules, rather than patterns or [[signature]]s, and attempts to detect any type of misuse that falls outside normal system operation. This is in contrast to signature-based systems, which can only detect attacks for which a signature has previously been created.<ref name="Wang2004" />

In order to positively identify attack traffic, the system must be taught to recognize normal system activity. The majority of anomaly detection systems operate in two phases: a training phase, in which a profile of normal behavior is built, and a testing phase, in which current traffic is compared against the profile created during training.<ref name="Khalkhali, Azmi, Azimpour-Kivi, and Khansari" /> Anomalies are detected in several ways, most often with [[artificial intelligence]]-type techniques. Systems using [[artificial neural networks]] have been used to great effect. Another method is to define what normal usage of the system comprises using a strict mathematical model, and to flag any deviation from this model as an attack. This is known as strict anomaly detection.<ref name="Sasha2000" /> Other techniques used to detect anomalies include [[data mining]] methods, [[grammar]]-based methods, and [[Artificial Immune System]]s.<ref name="Khalkhali, Azmi, Azimpour-Kivi, and Khansari" />

Network-based anomalous intrusion detection systems often provide a second line of defense, detecting anomalous traffic at the physical and network layers after it has passed through a [[Firewall (computing)|firewall]] or other security appliance on the border of a network. Host-based anomalous intrusion detection systems are one of the last layers of defense and reside on computer end points. They allow for fine-tuned, granular protection of end points at the application level.<ref name="Beaver2014" />

Anomaly-based intrusion detection at both the network and host levels has a few shortcomings, namely a high [[False positives and false negatives|false-positive]] rate and the ability to be fooled by a correctly delivered attack.<ref name="Sasha2000" /> Attempts have been made to address these issues through techniques used by PAYL<ref name="Perdisci2008" /> and McPAD.<ref name="Perdisci2008" />

==See also==
* [[fail2ban]]
* [[Cfengine]] – 'cfenvd' can be utilized to do ''anomaly detection''
* [[Change detection]]
* [[DNS analytics]]
* [[Hogzilla IDS]] – a free software (GPL) anomaly-based intrusion detection system
* [[RRDtool]] – can be configured to flag anomalies
* [[Sqrrl]] – threat hunting based on [[NetFlow]] and other collected data<ref name="Alonso2017" />

==References==
{{Reflist|refs=
<ref name="Wang2004">{{cite book|last=Wang|first=Ke|chapter=Anomalous Payload-Based Network Intrusion Detection|doi=10.1007/978-3-540-30143-1_11|journal=Recent Advances in Intrusion Detection|volume=3224|pages=203–222|publisher=Springer Berlin|accessdate=2011-04-22|chapter-url=http://sneakers.cs.columbia.edu/ids/publications/RAID4.PDF|archive-url=https://web.archive.org/web/20100622182127/http://sneakers.cs.columbia.edu/ids/publications/RAID4.PDF|archive-date=2010-06-22|url-status=dead|series=Lecture Notes in Computer Science|year=2004|isbn=978-3-540-23123-3}}</ref>
<ref name="Khalkhali, Azmi, Azimpour-Kivi, and Khansari">{{cite web|last1=Khalkhali|first1=I|last2=Azmi|first2=R|last3=Azimpour-Kivi|first3=M|last4=Khansari|first4=M|title=Host-based web anomaly intrusion detection system, an artificial immune system approach|website=ProQuest|url=https://www.ijcsi.org/papers/IJCSI-8-5-2-14-24.pdf}}</ref>
<ref name="Sasha2000">[http://phrack.org/issues/56/11.html A strict anomaly detection model for IDS, Phrack 56 0x11, Sasha/Beetle]</ref>
<ref name="Beaver2014">{{cite web|last1=Beaver|first1=K|title=Host-based IDS vs. network-based IDS: Which is better?|website=Tech Target, Search Security}}</ref>
<ref name="Perdisci2008">{{cite journal|last=Perdisci|first=Roberto|author2=Davide Ariu|author3=Prahlad Fogla|author4=Giorgio Giacinto|author5=Wenke Lee|title=McPAD: A Multiple Classifier System for Accurate Payload-based Anomaly Detection|journal=Computer Networks|year=2009|volume=5|issue=6|pages=864–881|url=http://roberto.perdisci.com/publications/publication-files/McPAD-revision1.pdf?attredirects=0|doi=10.1016/j.comnet.2008.11.011}}</ref>
<ref name="Alonso2017">{{cite web|last1=Alonso|first1=Samuel|title=Cyber Threat hunting with Sqrrl (From Beaconing to Lateral Movement)|url=https://cyber-ir.com/2017/04/19/cyber-threat-hunting-with-sqrrl-from-beaconing-to-lateral-movement|accessdate=2019-08-17|archive-date=2021-07-31|archive-url=https://web.archive.org/web/20210731090159/https://cyber-ir.com/2017/04/19/cyber-threat-hunting-with-sqrrl-from-beaconing-to-lateral-movement/|url-status=usurped}}</ref>
}}

{{DEFAULTSORT:Anomaly-Based Intrusion Detection System}}
[[Category:Computer network security]]
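The two-phase training/testing design and the payload-based approach of PAYL described above can be made concrete with a small detector. The following is an added example written for this page; it is not code from the Wikipedia article or from the PAYL/McPAD authors. It implements the 1-gram (byte-frequency) model PAYL is known for: the training phase records the mean and standard deviation of each byte value's relative frequency across known-good payloads, and the testing phase scores a new payload by the simplified Mahalanobis distance sum |x_i - mean_i| / (std_i + alpha), flagging it when the score exceeds a threshold calibrated from the training data. The HTTP requests, the host name shop.example, the smoothing constant ALPHA and the threshold factor are constructed values chosen for the demonstration.

```python
"""Simplified PAYL-style 1-gram payload anomaly detector (added example, not project code)."""
import math

ALPHA = 0.01            # smoothing so a byte with zero variance cannot divide by zero (assumed value)
THRESHOLD_FACTOR = 1.5  # alert when a score is 1.5x the worst known-good training score (assumed value)


def byte_histogram(payload: bytes) -> list:
    """Relative frequency of each of the 256 byte values in the payload."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = max(len(payload), 1)
    return [c / n for c in counts]


class PayloadProfile:
    """Profile of 'normal' traffic: per-byte mean and standard deviation (training phase)."""

    def __init__(self):
        self.n = 0
        self.mean = [0.0] * 256
        self.m2 = [0.0] * 256   # running sum of squared deviations (Welford's online algorithm)
        self.threshold = None

    def train(self, payload: bytes) -> None:
        """Fold one known-good payload into the profile."""
        self.n += 1
        for i, x in enumerate(byte_histogram(payload)):
            delta = x - self.mean[i]
            self.mean[i] += delta / self.n
            self.m2[i] += delta * (x - self.mean[i])

    def std(self, i: int) -> float:
        return math.sqrt(self.m2[i] / self.n) if self.n else 0.0

    def score(self, payload: bytes) -> float:
        """Simplified Mahalanobis distance of the payload from the profile."""
        return sum(abs(x - self.mean[i]) / (self.std(i) + ALPHA)
                   for i, x in enumerate(byte_histogram(payload)))

    def calibrate(self, payloads, factor: float = THRESHOLD_FACTOR) -> float:
        """Set the alert threshold relative to the worst-scoring known-good payload."""
        self.threshold = factor * max(self.score(p) for p in payloads)
        return self.threshold

    def is_anomalous(self, payload: bytes) -> bool:
        """Testing phase: compare a new payload against the trained profile."""
        if self.threshold is None:
            raise RuntimeError("calibrate() must run before the testing phase")
        return self.score(payload) > self.threshold


# --- constructed sample traffic (not captured data) ---------------------------------
def make_request(path: bytes, header: bytes) -> bytes:
    return b"GET " + path + b" HTTP/1.1\r\nHost: shop.example\r\n" + header + b"\r\n\r\n"

PATHS = [b"/", b"/index.html", b"/cart", b"/images/logo.png",
         b"/search?q=shoes", b"/about", b"/checkout"]
HEADERS = [b"Accept: text/html", b"Accept: image/png", b"Accept-Language: en",
           b"User-Agent: curl/7.88", b"Cookie: sid=ab12cd34", b"Connection: close"]

# One ordinary request is held out of training so the testing phase sees unseen-but-normal traffic.
NORMAL_TEST = make_request(b"/cart", b"Accept: text/html")
TRAINING = [r for r in (make_request(p, h) for p in PATHS for h in HEADERS) if r != NORMAL_TEST]
# A request whose path is binary content (every byte 0x80-0xFF) that this service never serves.
ANOMALOUS_TEST = make_request(bytes(range(0x80, 0x100)), b"Connection: close")


def build_profile() -> PayloadProfile:
    profile = PayloadProfile()
    for payload in TRAINING:
        profile.train(payload)
    profile.calibrate(TRAINING)
    return profile


def run_demo() -> dict:
    profile = build_profile()
    return {
        "training_samples": profile.n,
        "threshold": profile.threshold,
        "normal_score": profile.score(NORMAL_TEST),
        "normal_flagged": profile.is_anomalous(NORMAL_TEST),
        "anomalous_score": profile.score(ANOMALOUS_TEST),
        "anomalous_flagged": profile.is_anomalous(ANOMALOUS_TEST),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The held-out normal request scores inside the spread of the training set and is not flagged, while the binary-heavy request accumulates a deviation for every byte value the profile never observed and is flagged. The same code also illustrates the two weaknesses the article names: the threshold factor trades false positives (a new but legitimate content type scores high) against false negatives, and because the score depends only on byte frequencies, a malicious payload whose byte distribution resembles the training traffic can score below the threshold. That evasion weakness of 1-gram models is what McPAD's multiple-classifier, n-gram design was intended to reduce.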