- Statistical profiling
  - build profiles of normal behaviour from various statistical measures
- Example systems
  - NSWC SHADOW, various SYN flood detectors, UC Davis GRIDS
- Problems
  - insensitive to event ordering
  - threshold determination - just outside the standard deviation, or other specific abnormality threshold values?
  - easy to slide "under the radar" when there exists a wide range in normal behaviour
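
The three problems above can be seen in a minimal mean/standard-deviation profiler. This is an added example, not code from the slides or from any of the systems named; the function names, the k = 2 multiplier and the per-minute SYN counts are all constructed for illustration.

```python
import statistics

def build_profile(samples, k=2.0):
    """Profile of 'normal': mean and std. deviation of one measure.
    The alert threshold is mean + k * stddev (k is an assumed tuning knob)."""
    mean = statistics.mean(samples)
    std = statistics.pstdev(samples)
    return {"mean": mean, "std": std, "threshold": mean + k * std}

def is_anomalous(profile, value):
    """Flag a new observation that falls above the profile's threshold."""
    return value > profile["threshold"]

def order_insensitive(samples):
    """The profile depends only on which values occurred, not on their
    sequence, so any reordering of the events yields the same profile."""
    a = build_profile(samples)
    b = build_profile(sorted(samples))
    return all(abs(a[key] - b[key]) < 1e-9 for key in a)

# Constructed training data: SYN packets per minute observed for two hosts.
QUIET_HOST = [10, 12, 11, 9, 10, 11, 12, 10, 9, 11]     # narrow normal range
BUSY_HOST = [5, 180, 20, 150, 8, 200, 15, 90, 170, 30]  # wide normal range

if __name__ == "__main__":
    burst = 120  # the same observed rate, judged against each profile
    for name, data in (("quiet", QUIET_HOST), ("busy", BUSY_HOST)):
        p = build_profile(data)
        print(f"{name}: mean={p['mean']:.1f} std={p['std']:.1f} "
              f"threshold={p['threshold']:.1f} "
              f"alert_on_{burst}={is_anomalous(p, burst)}")
    print("profile unchanged by reordering:", order_insensitive(BUSY_HOST))
```

The same rate alerts against the narrow profile and passes against the wide one, which is why per-host or per-service baselines and a second, order-aware detector are usually paired with this kind of measure.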
Dug Song
1999-09-17