The security of our computer systems and information is at constant risk. The extensive growth of the Internet and the increasing availability of tools and tricks for intruding into and attacking networks have made intrusion detection an important element of network administration. An intrusion can be defined as any set of events that threatens the integrity, confidentiality, or availability of a network resource (user accounts, file systems, system kernels, and so on).
Most commercial intrusion detection systems are limited and do not provide a complete solution. Such systems typically employ a misuse detection approach. Misuse detection searches for patterns of program or user behavior that match known intrusion scenarios, which are stored as signatures.
These hand-coded signatures are laboriously written and maintained by human experts based on their extensive knowledge of intrusion techniques. If a pattern match is found, this signals an event for which an alarm is raised. Human security analysts evaluate the alarms to decide what action to take, whether that is shutting down part of the system, alerting the relevant Internet service provider of suspicious traffic, or simply noting the unusual traffic for future reference.
An intrusion detection system for a large, complex network can typically generate thousands or millions of alarms per day, an overwhelming workload for security analysts. Because systems are not static, the signatures must be updated whenever new software versions arrive or the network configuration changes. The fundamental limitation is that misuse detection can only identify cases that match the signatures; in particular, it cannot detect new or previously unknown intrusion techniques.
Novel intrusions can be discovered by anomaly detection methods. Anomaly detection builds models of normal network behavior (called profiles) and then flags new patterns that deviate significantly from those profiles. Such deviations may represent actual intrusions or may simply be new, legitimate behaviors that need to be added to the profiles.
The benefit of anomaly detection is that it can detect novel intrusions that have not yet been observed. Typically, a human analyst must sort through the reported deviations to determine which ones represent real intrusions. A drawback of anomaly detection is its high rate of false positives. Once a deviation is confirmed as a new kind of intrusion, its pattern can be added to the set of signatures used for misuse detection, so the two approaches complement each other.
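The following Python program is an added illustration of both approaches described above (the signature matching of misuse detection and the profile-based deviation test of anomaly detection); it is not code from the original text. Every log line, IP address, signature and threshold in it is constructed for the example. It runs a small hand-coded signature table over a window of web-server log lines, builds a profile of "normal" as requests-per-source from a clean training window, flags sources that deviate from it, and then shows the analyst's two possible verdicts: a noisy but legitimate new host is folded into the profile, and a confirmed probe for exposed files is turned into a new signature.

```python
"""Toy misuse (signature) and anomaly (profile) detectors over constructed
web-server log lines. Added illustration, not code from the original text;
every log line, IP address, signature and threshold here is made up."""
import re
import statistics
from collections import Counter

# Constructed log lines: "<source-ip> <method> <path> <status>" (not real traffic).
BASELINE_LOG = [            # training window assumed to contain only normal activity
    "10.0.0.5 GET /index.html 200",
    "10.0.0.5 GET /about.html 200",
    "10.0.0.6 GET /index.html 200",
    "10.0.0.7 GET /index.html 200",
    "10.0.0.7 POST /login 302",
    "10.0.0.8 GET /index.html 200",
    "10.0.0.8 GET /contact.html 200",
    "10.0.0.9 GET /index.html 200",
]
OBSERVED_LOG = [            # window under analysis
    "10.0.0.5 GET /index.html 200",
    "10.0.0.6 GET /about.html 200",
    "203.0.113.9 GET /cgi-bin/../../etc/passwd 404",   # matches a known signature
    "203.0.113.9 GET /item?id=1'OR'1'='1 200",         # matches a known signature
    "10.0.0.20 GET /index.html 200",                   # new uptime monitor: benign but chatty
    "10.0.0.20 GET /index.html 200",
    "10.0.0.20 GET /index.html 200",
    "10.0.0.20 GET /index.html 200",
    "198.51.100.4 GET /.git/config 404",               # probe for exposed files: no signature yet
    "198.51.100.4 GET /.git/HEAD 404",
    "198.51.100.4 GET /.env 404",
    "198.51.100.4 GET /backup.zip 404",
    "198.51.100.4 GET /wp-login.php 404",
]

# Hand-coded signatures of known intrusion patterns (misuse detection).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"(?i)'\s*or\s*'1'\s*=\s*'1"),
}


def parse(line):
    """Split one constructed log line into (source, method, path, status)."""
    src, method, path, status = line.split()
    return src, method, path, int(status)


def misuse_detect(lines, signatures=SIGNATURES):
    """Return (source, path, signature-name) for every line matching a signature.
    Each match is one alarm; lines matching nothing are silently accepted."""
    alarms = []
    for line in lines:
        src, _, path, _ = parse(line)
        for name, pattern in signatures.items():
            if pattern.search(path):
                alarms.append((src, path, name))
    return alarms


def with_signature(signatures, name, regex):
    """Return a copy of the signature table extended with one more pattern."""
    return {**signatures, name: re.compile(regex)}


def build_profile(lines, k=2.0):
    """Profile 'normal' as requests-per-source in the training window; a source is
    later flagged if its count exceeds mean + k population standard deviations."""
    values = list(Counter(parse(line)[0] for line in lines).values())
    mean, stdev = statistics.mean(values), statistics.pstdev(values)
    return {"mean": mean, "stdev": stdev, "threshold": mean + k * stdev}


def anomaly_detect(lines, profile):
    """Return sorted (source, count) pairs for sources that deviate from the profile."""
    counts = Counter(parse(line)[0] for line in lines)
    return sorted((src, n) for src, n in counts.items() if n > profile["threshold"])


if __name__ == "__main__":
    print("misuse alarms:", misuse_detect(OBSERVED_LOG))
    profile = build_profile(BASELINE_LOG)
    print("anomalous sources:", anomaly_detect(OBSERVED_LOG, profile))  # monitor and probe

    # Analyst triage. The monitor is legitimate new behaviour, so its traffic is
    # folded into the profile; the probe is a real intrusion, so it becomes a signature.
    monitor_lines = [line for line in OBSERVED_LOG if line.startswith("10.0.0.20 ")]
    retrained = build_profile(BASELINE_LOG + monitor_lines)
    print("after retraining:", anomaly_detect(OBSERVED_LOG, retrained))
    extended = with_signature(SIGNATURES, "exposed-repo-or-env-probe", r"/\.(git|env)(/|$)")
    print("misuse alarms with new signature:", misuse_detect(OBSERVED_LOG, extended))
```

On the first pass the signatures catch only the two requests from 203.0.113.9, while the profile flags both 10.0.0.20 (a false positive) and 198.51.100.4 (the real probe), which is exactly the triage burden the text describes. Note the cost of "adding a behavior to the profile": retraining on the monitor's traffic raises the deviation threshold from about 2.58 to 4.0 requests, so a quieter probe could slip under it, which is why the confirmed intrusion is also converted into a signature rather than left to the anomaly detector alone.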