Anomaly detection is also sometimes referred to as profile-based detection.
With anomaly detection, the administrator must build profiles for each user
group on the system. This profile incorporates typical user habits, the
services that are normally used, and other relevant information. This profile
defines the behavior characteristics for a user group, in essence establishing
a baseline for the activities that a normal user routinely does to perform the
job. Anytime a user deviates too far from the profile, the IDS generates an
alarm.
Building and updating these profiles represents a significant
portion of the work required to deploy an anomaly-based IDS. The quality of the
profiles directly relates to how successful an IDS will be at detecting attacks
against the network.
Anomaly detection provides the following advantages:
- Enables tunable control over false positives
- Detects previously unpublished attacks
The main advantage of anomaly detection is that the alarms are not
based on signatures for specific known attacks. Instead, they are based on a
profile that defines normal user activity. Therefore, an anomaly-based IDS can
generate alarms for previously unpublished attacks, as long as the new attack
deviates from normal user activity. This results in the anomaly-based IDS being
capable of detecting new attacks the first time that they are used.
The drawbacks of anomaly-based detection are shown in Figure .
The main problem with an anomaly-based IDS is that people tend to vary their activities; they do not always follow the same exact patterns repeatedly. When users deviate from their normal routine, the IDS generates an alarm if the activity falls too far from the profile, even though no intrusive activity has actually taken place. These false positives are the price of the tunable threshold: the tighter it is set, the more legitimate variation will trip it.
The definition of
normal will also change over the life of the network. As the network changes,
the traffic that is considered normal can also change. If this happens, it will
be necessary to update the user profiles to reflect those changes. For a
network that changes constantly, updating user profiles can become a major
challenge.
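The following is an added example, not code from the original text or from any IDS vendor, that ties the section together: it builds a profile (baseline) for one user group from constructed log events, scores new events by how far they deviate from that baseline, raises alarms above a tunable threshold (showing both a true detection and a false positive from a user who simply changed routine), and then re-baselines the profile so that the new "normal" stops alarming. The group name, the events, the hour/service features and the additive-smoothing deviation score are all assumptions chosen for illustration.

```python
import math
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Tuple

# An event is (hour_of_day, service). All data below is constructed, not real traffic.
Event = Tuple[int, str]

HOURS_IN_DAY = 24


@dataclass
class Profile:
    """Baseline for one user group: how often each hour of day and each service is seen."""
    group: str
    hours: Counter = field(default_factory=Counter)
    services: Counter = field(default_factory=Counter)
    n: int = 0

    def update(self, events: List[Event]) -> None:
        """Fold observations into the baseline (initial build and later re-baselining)."""
        for hour, service in events:
            self.hours[hour] += 1
            self.services[service] += 1
            self.n += 1

    def _neg_log_p(self, count: int, alphabet: int) -> float:
        # Additive (Laplace) smoothing: a never-seen value gets a small, finite probability
        return -math.log((count + 1) / (self.n + alphabet))

    def score(self, event: Event) -> float:
        """Deviation score: total 'surprise' of the event's hour and service under this profile."""
        hour, service = event
        surprise_hour = self._neg_log_p(self.hours[hour], HOURS_IN_DAY)
        # service alphabet = every service seen so far plus one bucket for anything new
        surprise_service = self._neg_log_p(self.services[service], len(self.services) + 1)
        return surprise_hour + surprise_service


def build_profile(group: str, events: List[Event]) -> Profile:
    profile = Profile(group)
    profile.update(events)
    return profile


def detect(profile: Profile, events: List[Event], threshold: float) -> List[Tuple[Event, float]]:
    """Return (event, score) for every event whose deviation exceeds the tunable threshold."""
    alarms = []
    for event in events:
        s = profile.score(event)
        if s > threshold:
            alarms.append((event, round(s, 2)))
    return alarms


# Constructed baseline for a hypothetical "finance" group: business-hours SMB/HTTP/mail use.
FINANCE_BASELINE: List[Event] = (
    [(9, "smb")] * 4 + [(10, "smb")] * 2 + [(10, "http")] * 2
    + [(11, "http")] * 2 + [(14, "mail")] * 2
)

# Constructed events to score: two routine, one legitimate late session, one 3 a.m. SSH login.
NEW_EVENTS: List[Event] = [(9, "smb"), (10, "http"), (22, "smb"), (3, "ssh")]

if __name__ == "__main__":
    profile = build_profile("finance", FINANCE_BASELINE)
    # Lower threshold: catches the unknown 3 a.m. SSH use but also flags the late SMB session.
    # Higher threshold: the false positive disappears, the novel activity still alarms.
    for threshold in (4.0, 5.0):
        print(f"threshold {threshold}: {detect(profile, NEW_EVENTS, threshold)}")
    # Quarter-end: finance now routinely works evenings. Re-baseline so (22, 'smb') is normal.
    profile.update([(22, "smb")] * 6)
    print("after re-baseline, threshold 4.0:", detect(profile, NEW_EVENTS, 4.0))
```

The score is not tied to any signature: the SSH login alarms only because neither the hour nor the service has ever appeared in the finance profile, which is exactly how an anomaly-based IDS can flag an attack it has no knowledge of. The same mechanism produces the false positive for the late SMB session until the profile is updated, which is the maintenance burden the text describes.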