A variety of classification approaches

Statistical: Analysis of the observed behavior using univariate, multivariate, or time-series models of observed metrics.
Knowledge based: Approaches use an expert system that classifies observed behavior according to a set of rules that model legitimate behavior.
Machine learning: Approaches automatically determine a suitable classification model from the training data using data mining techniques.

Issues Affecting Performance:
Efficiency, cost of detection

Statistical Approaches
Characteristics:
– use captured sensor data
– multivariate models using the time and order of events

Advantages:
– their relative simplicity
– low computation cost
– lack of assumptions about expected behavior

Disadvantages:
– difficulty selecting suitable metrics
– not all behaviors can be modeled using these approaches.

Knowledge-based approaches
– developed during training to characterize data into distinct classes

Advantages:
– robust
– flexible

Disadvantages:
– the difficulty and time required to develop knowledge from the data
– human experts must assist with the process

Machine learning approaches
– use data mining techniques to develop a model that can classify data as normal or anomalous

Advantages:
– flexibility
– adaptability
– ability to capture inter-dependencies between observed metrics

Disadvantages:
– dependency on assumptions about accepted behavior
– high false alarm rate
– high resource cost
– significant time and computational resources

Bayesian networks: encode probabilistic relationships among observed metrics
Markov models: develop a model with sets of states