
An anomaly-based intrusion detection system is an intrusion detection system for detecting both network and computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and attempts to detect any type of misuse that falls outside normal system operation. This is as opposed to signature-based systems, which can only detect attacks for which a signature has previously been created.

In order to positively identify attack traffic, the system must be taught to recognize normal system activity. The two phases of a majority of anomaly detection systems consist of the training phase (where a profile of normal behaviors is built) and the testing phase (where current traffic is compared with the profile created in the training phase). Anomalies are detected in several ways, most often with artificial-intelligence-type techniques. Systems using artificial neural networks have been used to great effect.

Another method is to define what normal usage of the system comprises using a strict mathematical model, and flag any deviation from this as an attack. This is known as strict anomaly detection. Other techniques used to detect anomalies include data mining methods, grammar-based methods, and artificial immune systems. Network-based anomalous intrusion detection systems often provide a second line of defense to detect anomalous traffic at the physical and network layers after it has passed through a firewall or other security appliance on the border of a network. Host-based anomalous intrusion detection systems are one of the last layers of defense and reside on computer end points. They allow for fine-tuned, granular protection of end points at the application level.
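The training and testing phases described above, applied as strict anomaly detection on a host, as an added example that is not part of the original page: the profile is the set of system-call n-grams seen in normal traces, and any window outside that set is flagged. The function names, the window length of 3 and the sample traces are assumptions constructed for illustration.

```python
from collections import deque

def windows(trace, n):
    """Yield every length-n sliding window of a system-call trace as a tuple."""
    win = deque(maxlen=n)
    for call in trace:
        win.append(call)
        if len(win) == n:
            yield tuple(win)

def build_profile(normal_traces, n=3):
    """Training phase: the profile is the set of all n-grams seen in normal traces."""
    profile = set()
    for trace in normal_traces:
        profile.update(windows(trace, n))
    return profile

def detect(trace, profile, n=3):
    """Testing phase: return (position, window) for every window absent from the profile."""
    return [(i, w) for i, w in enumerate(windows(trace, n)) if w not in profile]

def anomaly_rate(trace, profile, n=3):
    """Fraction of windows that deviate from the profile (0.0 means fully normal)."""
    total = max(len(trace) - n + 1, 0)
    return len(detect(trace, profile, n)) / total if total else 0.0

# Constructed sample data: system-call names for a hypothetical file-serving daemon.
NORMAL = [
    ["open", "read", "write", "close", "open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["open", "stat", "read", "write", "close"],
]
# Constructed trace in which the same process makes calls never seen in training.
SUSPECT = ["open", "read", "write", "execve", "socket", "connect", "close"]

if __name__ == "__main__":
    profile = build_profile(NORMAL)
    for pos, win in detect(SUSPECT, profile):
        print(f"deviation at window {pos}: {' '.join(win)}")
    print(f"anomaly rate: {anomaly_rate(SUSPECT, profile):.2f}")
```

Because every window outside the profile is flagged, a benign sequence that never occurred in the training traces is reported as well, so the profile is only as good as the coverage of the training data.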
