What Is Anomaly Detection?

Anomaly detection assumes that an intruder's activity differs from the activity of a normal subject. Based on this assumption, an "activity profile" of the subject's normal activities is established, and the subject's current activity is compared with that profile. When the activity violates the profile's statistical rules, it may be considered "intrusion" behavior. The difficulty in anomaly detection is how to establish the "activity profile" and how to design the statistical algorithms so that normal operations are not treated as "intrusions" and true "intrusions" are not ignored.

Anomaly detection

1. Misuse detection refers to the use of feature matching methods to identify attack events through a feature database of attack behaviors. The advantage of misuse detection is that its false positive rate is low and detection is fast, but misuse detection usually cannot find attack behaviors that were not specified in advance, so new attacks cannot be detected.
2. Anomaly detection refers to the detection of intrusion behavior based on abnormal behavior (of the system or user) and the abnormal use of computer resources. The key is to establish a normal behavior profile for users and systems, and to examine actual activities to determine whether they deviate from the normal profile.
3. Anomaly detection refers to storing the characteristics of the user's normal habitual behavior in a database, and then comparing the user's current behavior characteristics with those in the database. If the deviation between the two is large enough, it indicates that an abnormality has occurred.
4. Anomaly detection refers to the use of quantitative methods to describe the characteristics of acceptable behavior, so that intrusions can be detected by distinguishing abnormal behavior that runs contrary to normal behavior.
5. Behavior-based intrusion detection methods compare normal behaviors observed in the past with behaviors when under attack, and determine whether intrusion activities have occurred based on the user's abnormal behavior or the abnormal use of resources, so this approach is also called anomaly detection.
6. Statistical analysis is also called anomaly detection; that is, intrusion detection is performed according to statistical rules. Statistical analysis first analyzes audit data, and if the observed behavior violates what the system expects, it is considered abuse.
7. Statistical analysis is also called anomaly detection. Normal network traffic, network delay, and the network characteristics of different applications (such as timeliness) are analyzed statistically and used as reference values; if the collected information falls outside the range of the reference values, an intrusion is considered to have occurred.
8. An anomaly-based detection method first defines a set of data for the system in a "normal" condition, such as CPU utilization, memory utilization, file checksums, etc., and then analyzes current data to determine whether an abnormality has occurred.
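
The following added example (not part of the original article) builds a statistical profile from constructed CPU and memory readings, flags a reading when any metric lies more than a threshold number of standard deviations from the profile, and compares a file checksum with its recorded value. The z-score rule, the function names and all sample values are assumptions chosen for illustration; the two thresholds show the trade-off between false alarms and missed intrusions described at the top of the page.

```python
import hashlib
from statistics import mean, stdev

def build_profile(baseline):
    """Learn (mean, standard deviation) per metric from normal-condition samples."""
    return {m: (mean(s[m] for s in baseline), stdev(s[m] for s in baseline))
            for m in baseline[0]}

def deviations(profile, sample):
    """Distance of each metric from the profile, in standard deviations."""
    # The floor avoids division by zero when a metric never varied in the baseline.
    return {m: abs(sample[m] - mu) / max(sigma, 1e-9)
            for m, (mu, sigma) in profile.items()}

def detect(profile, sample, threshold=3.0):
    """Return the metrics that deviate beyond the threshold (empty list = normal)."""
    return sorted(m for m, z in deviations(profile, sample).items() if z > threshold)

def checksum_changed(known_digest, content):
    """A file checksum has no tolerance: any difference from the record is a deviation."""
    return hashlib.sha256(content).hexdigest() != known_digest

# Constructed sample data: percent CPU and memory use during normal operation.
BASELINE = [
    {"cpu": 20, "mem": 40}, {"cpu": 22, "mem": 42}, {"cpu": 18, "mem": 38},
    {"cpu": 25, "mem": 41}, {"cpu": 21, "mem": 39}, {"cpu": 19, "mem": 43},
    {"cpu": 23, "mem": 40}, {"cpu": 20, "mem": 41},
]
PROFILE = build_profile(BASELINE)
BUSY = {"cpu": 27, "mem": 42}   # constructed: legitimate but busier than usual
ODD = {"cpu": 95, "mem": 44}    # constructed: far outside the learned range

# Constructed file content and its digest recorded while the system was "normal".
KNOWN_CONTENT = b"PermitRootLogin no\n"
KNOWN_DIGEST = hashlib.sha256(KNOWN_CONTENT).hexdigest()

if __name__ == "__main__":
    for name, sample in (("busy", BUSY), ("odd", ODD)):
        for threshold in (2.0, 3.0):
            # A low threshold flags the busy-but-normal reading (false positive);
            # a high one ignores the smaller memory deviation in the odd reading.
            print(name, threshold, detect(PROFILE, sample, threshold))
    print("checksum changed:", checksum_changed(KNOWN_DIGEST, KNOWN_CONTENT + b"#"))
```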
