Inspection Engine
Anomaly-based detection

Anomaly detection is also sometimes referred to as profile-based detection. With anomaly detection, the administrator must build profiles for each user group on the system. This profile incorporates typical user habits, the services that are normally used, and other relevant information. This profile defines the behavior characteristics for a user group, in essence establishing a baseline for the activities that a normal user routinely does to perform the job. Anytime a user deviates too far from the profile, the IDS generates an alarm.

Building and updating these profiles represents a significant portion of the work required to deploy an anomaly-based IDS. The quality of the profiles directly relates to how successful an IDS will be at detecting attacks against the network.

Anomaly detection provides the following advantages:

  • Enables tunable control over false positives
  • Detects previously unpublished attacks

The main advantage of anomaly detection is that the alarms are not based on signatures for specific known attacks. Instead, they are based on a profile that defines normal user activity. Therefore, an anomaly-based IDS can generate alarms for previously unpublished attacks, as long as the new attack deviates from normal user activity. This results in the anomaly-based IDS being capable of detecting new attacks the first time that they are used.

The drawbacks of anomaly-based detection are shown in Figure .

The main problem with an anomaly-based IDS is that people tend to vary their activities. They do not always follow the same exact patterns repeatedly. When users deviate from the normal routine, the IDS will generate an alarm if this activity falls too far away from normal. The IDS generates this alarm even though no intrusive activity actually takes place.

The definition of normal will also change over the life of the network. As the network changes, the traffic that is considered normal can also change. If this happens, it will be necessary to update the user profiles to reflect those changes. For a network that changes constantly, updating user profiles can become a major challenge.
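The profile, deviation threshold and profile-update cycle described in this section, as an added Python illustration that is not part of the original text. The user group, service names and per-day session counts are constructed sample data; the scoring rule (unseen-service share plus a capped volume z-score) is one simple choice, not a specific product's algorithm.

```python
"""Toy profile-based IDS: per-group baselines, a tunable alarm threshold,
and profile updates as 'normal' drifts. Constructed example data."""
from collections import Counter
from dataclasses import dataclass, field
from statistics import mean, pstdev

@dataclass
class Profile:
    services: Counter = field(default_factory=Counter)  # service -> sessions seen
    daily_sessions: list = field(default_factory=list)  # sessions per day (volume baseline)

def build_profiles(baseline):
    """baseline: iterable of (group, day, service) records from a learning period.
    Returns {group: Profile} - the per-group behaviour baseline."""
    profiles, per_day = {}, Counter()
    for group, day, service in baseline:
        profiles.setdefault(group, Profile()).services[service] += 1
        per_day[(group, day)] += 1
    for (group, _day), n in per_day.items():
        profiles[group].daily_sessions.append(n)
    return profiles

def deviation_score(profile, day_sessions):
    """How far one user's day is from the group profile:
    share of sessions to services never seen in the profile, plus the
    standardized deviation of session volume (capped so one term can't explode)."""
    unseen = sum(s not in profile.services for s in day_sessions) / max(len(day_sessions), 1)
    mu = mean(profile.daily_sessions)
    sigma = pstdev(profile.daily_sessions) or 1.0  # flat baseline: avoid divide-by-zero
    z = abs(len(day_sessions) - mu) / sigma
    return unseen + min(z, 5.0)

def inspect(profiles, group, day_sessions, threshold):
    """Returns (alarm, score). The threshold is the administrator's false-positive knob:
    raise it to tolerate more deviation, lower it to alarm on smaller departures."""
    score = deviation_score(profiles[group], day_sessions)
    return score > threshold, round(score, 2)

def update_profile(profile, day_sessions):
    """Fold a reviewed, legitimate day into the baseline so the profile follows the network."""
    profile.services.update(day_sessions)
    profile.daily_sessions.append(len(day_sessions))

# Constructed learning period: 5 days, 4 sessions a day (erp, erp, mail, web).
BASELINE = [("accounting", d, s) for d in range(1, 6) for s in ("erp", "erp", "mail", "web")]

if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    print(inspect(profiles, "accounting", ["erp", "mail", "web", "erp"], 1.0))   # quiet day
    print(inspect(profiles, "accounting", ["erp"] * 9 + ["mail"], 2.0))         # legitimate burst: false positive
    print(inspect(profiles, "accounting", ["ssh", "ssh", "ftp", "mail"], 0.5))  # unfamiliar services
```

Running the module shows the two failure modes the text describes: a legitimate catch-up day trips the volume term (a false positive), and the same unfamiliar-service day alarms at threshold 0.5 but not at 1.0, until `update_profile` folds it into the baseline.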