
Spring, in Introduction to Information Security, 2014

Network Intrusion Detection: Anomaly Based

Anomaly-based detection generally needs to work on a statistically significant number of packets, because any packet is only an anomaly compared to some baseline. This need for a baseline presents several difficulties. For one, anomaly-based detection will not be able to detect attacks that can be executed with a few or even a single packet. These attacks, such as the ping of death, do still exist, and are much better suited for signature-based detection. Further difficulties arise because the network traffic ultimately depends on human behavior. While somewhat predictable, human behavior tends to be changeable enough to cause NIDPS anomaly detection trouble.

While signature-based detection compares behavior to rules, anomaly-based detection compares behavior to profiles. These profiles still need to define what is normal, just as rules need to be defined. However, anomaly-based profiles are more like whitelists, because the profile detects when behavior goes outside an acceptable range. Unfortunately, on most networks the expected set of activity is quite broad.
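As an added illustration (not from the book), the contrast above in Python: a packets-per-second profile built from a constructed baseline flags a flood that shifts the statistics, but cannot see a single oversized ICMP datagram, which a signature rule catches on its own. The baseline numbers, packet records and helper names are all constructed for the example.

```python
from statistics import mean, pstdev

# Constructed training window: packets per second observed on a quiet segment (not real traffic).
BASELINE_PPS = [48, 52, 50, 47, 53, 49, 51, 50, 46, 54]

def build_profile(pps_samples):
    """Anomaly profile: mean and standard deviation of packets/second over the baseline window."""
    return {"mean": mean(pps_samples), "stdev": pstdev(pps_samples)}

def profile_violation(profile, observed_pps, k=3.0):
    """True when the observed rate leaves the acceptable range mean +/- k*stdev."""
    upper = profile["mean"] + k * profile["stdev"]
    lower = max(0.0, profile["mean"] - k * profile["stdev"])
    return not (lower <= observed_pps <= upper)

def signature_oversized_icmp(packet):
    """Signature rule: one ICMP datagram whose reassembled length exceeds the IPv4 maximum of 65535 bytes."""
    return packet["proto"] == "icmp" and packet["reassembled_len"] > 65535

def make_second(n_packets, oversized_at=()):
    """Constructed packet records for one second: ordinary 84-byte pings, except the indexes
    listed in oversized_at, which get a ping-of-death style reassembled length."""
    return [{"id": f"pkt-{i}", "proto": "icmp",
             "reassembled_len": 70000 if i in oversized_at else 84}
            for i in range(n_packets)]

def evaluate_second(profile, packets):
    """Run both detectors over one second of traffic: (profile alert, ids matched by the signature)."""
    anomaly = profile_violation(profile, len(packets))
    sigs = [p["id"] for p in packets if signature_oversized_icmp(p)]
    return anomaly, sigs

if __name__ == "__main__":
    prof = build_profile(BASELINE_PPS)
    print("flood of 400 pkts/s:", evaluate_second(prof, make_second(400)))
    print("one oversized ping :", evaluate_second(prof, make_second(50, oversized_at={17})))
```

The single oversized packet leaves the per-second count inside the profile's range, so only the signature fires; the flood does the reverse.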
