Components of intrusion detection systems:
From an algorithmic perspective:
- Features – capture intrusion evidence (the observable attributes extracted from audit data)
- Models – piece the evidence together into a detection decision
From a system architecture perspective:
- Audit data preprocessor – collects raw audit records (host logs, network packets) and turns them into features
- Knowledge base – holds the detection models and the decision table
- Detection engine <- detection models (signatures or behavior profiles from the knowledge base)
- Decision engine <- decision table (maps detection results to a response)
- Alarm generation and responses
Modeling and analysis
- misuse detection (a.k.a. signature-based)
- anomaly detection
Deployment
- host-based
- network-based
Development and maintenance
- hand-coding of "expert knowledge"
- learning based on data
Analysis Approaches
- anomaly detection
- misuse / signature detection
Anomaly Detection:
- collects data on the behavior of legitimate users over a period of time and builds a baseline profile from it
- currently observed behavior is compared against that profile to decide whether it is that of a legitimate user or of an intruder
- can flag previously unseen attacks, but legitimate changes in behavior also deviate from the profile, so false positives are a known cost
Misuse / Signature Detection:
- uses a set of known malicious data patterns (signatures) or attack rules that are compared with current behavior
- can only identify known attacks for which it has patterns or rules; novel attacks, and variants that evade the patterns, are missed
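Added worked example (not from these notes): a toy Python IDS pipeline that wires the architecture components above together (preprocessor -> detection engine -> decision engine with a decision table) and runs both analysis approaches, a hand-coded signature model and a learned per-user anomaly profile, over a constructed log. The log format, the user names, the two signatures, the decision table and the threshold are all assumptions chosen for illustration.

```python
"""Toy intrusion detection pipeline (illustration only, not from the notes).

Stages mirror the outline: audit data preprocessor -> detection engine
(signature model + anomaly model) -> decision engine driven by a decision table.
"""
import re
from collections import Counter, defaultdict

# Constructed sample audit records in "user method url" form (not real traffic).
# These play the role of data collected while only legitimate users were active.
TRAINING_LOG = """
alice GET /home
alice GET /profile
alice POST /profile
alice GET /settings
alice GET /home
bob GET /home
bob GET /reports
bob GET /reports?id=7
bob GET /home
""".strip().splitlines()

# Misuse/signature model: hand-coded "expert knowledge" as regex rules (assumed).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./|/etc/passwd"),
    "sql-injection": re.compile(r"(?i)union\s+select|'\s*or\s*'?1'?\s*=\s*'?1"),
}

# Decision table (assumed): (signature hit?, anomalous?) -> response.
DECISION_TABLE = {
    (True, True): "block",
    (True, False): "alert",
    (False, True): "investigate",
    (False, False): "log",
}

# Batch is anomalous when at least this share of its requests hit paths
# the user never visited during the baseline period (threshold is assumed).
ANOMALY_THRESHOLD = 0.5


def preprocess(line):
    """Audit data preprocessor: raw record -> feature record."""
    user, method, url = line.split()
    path = url.split("?", 1)[0]  # behavioural feature ignores the query string
    return {"user": user, "method": method, "path": path, "url": url}


def build_profiles(lines):
    """Anomaly model: per-user baseline of paths seen during normal operation."""
    profiles = defaultdict(Counter)
    for rec in map(preprocess, lines):
        profiles[rec["user"]][rec["path"]] += 1
    return profiles


def signature_matches(rec):
    """Detection engine, misuse side: names of the rules the raw URL matches."""
    return [name for name, rx in SIGNATURES.items() if rx.search(rec["url"])]


def anomaly_score(profiles, recs):
    """Detection engine, anomaly side: share of a user's requests to unseen paths.

    A user with no baseline at all (never seen in training) scores 1.0.
    """
    if not recs:
        return 0.0
    user = recs[0]["user"]
    unseen = sum(1 for r in recs if r["path"] not in profiles[user])
    return unseen / len(recs)


def analyse_batch(profiles, lines):
    """Run one user's batch of records through both models and the decision table."""
    recs = [preprocess(ln) for ln in lines]
    hits = sorted({name for r in recs for name in signature_matches(r)})
    score = anomaly_score(profiles, recs)
    anomalous = score >= ANOMALY_THRESHOLD
    action = DECISION_TABLE[(bool(hits), anomalous)]
    return {"signatures": hits, "anomaly_score": score, "action": action}


if __name__ == "__main__":
    profiles = build_profiles(TRAINING_LOG)
    batches = {  # constructed test batches
        "alice, normal browsing": ["alice GET /home", "alice GET /profile"],
        "bob, SQLi on a known page": ["bob GET /reports?id=1'or'1'='1"],
        "alice, novel admin sweep": ["alice GET /admin", "alice GET /admin/users"],
        "alice, traversal attempt": ["alice GET /home/../../etc/passwd"],
        "bob, new but legitimate page": ["bob GET /help"],
    }
    for label, lines in batches.items():
        print(f"{label:30} -> {analyse_batch(profiles, lines)}")
```

The batches show the trade-off from the notes: the SQL injection on a page bob normally visits is caught only by the signature, the admin sweep matches no signature and is caught only because it deviates from alice's profile, and bob's first visit to a legitimate new page is flagged exactly the same way, which is the anomaly model's false-positive cost.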