Anomaly Detection Methods

- Rely on behavior changing in the transition from normal to worm activity
- Three main modes of operation:
    - Relational anomalies
    - Statistical anomalies
    - Protocol anomalies

Relational anomaly analysis

- Examines inter-host relationships
    - Services, traffic rates, etc.
- Deviations from normalcy are detected
    - New web server, new mail server
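A sketch of relational anomaly analysis for the "new web server, new mail server" case, added here as an illustration and not taken from the original slides. The flow-record layout, the addresses, the tracked-port table and the `min_clients` threshold are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed flow records: (client_ip, server_ip, server_port). Not real traffic.
BASELINE = [
    ("10.0.0.11", "10.0.0.5", 80),
    ("10.0.0.12", "10.0.0.5", 80),
    ("10.0.0.11", "10.0.0.6", 25),
    ("10.0.0.13", "10.0.0.6", 25),
]
OBSERVED = [
    ("10.0.0.12", "10.0.0.5", 80),   # known web server, normal
    ("10.0.0.11", "10.0.0.13", 80),  # workstation now answering on port 80
    ("10.0.0.12", "10.0.0.13", 80),
    ("10.0.0.14", "10.0.0.13", 80),
    ("10.0.0.11", "10.0.0.12", 25),  # single stray connection, below threshold
]

SERVICE_NAMES = {25: "mail", 80: "web"}  # ports this sketch tracks (assumption)


def server_roles(flows):
    """Map (server_ip, port) -> set of distinct clients that connected to it."""
    roles = defaultdict(set)
    for client, server, port in flows:
        if port in SERVICE_NAMES:
            roles[(server, port)].add(client)
    return roles


def relational_anomalies(baseline, observed, min_clients=2):
    """Return hosts serving a tracked service they never served in the baseline.

    min_clients suppresses one-off connections so a single probe does not alert.
    """
    known = set(server_roles(baseline))
    alerts = []
    for (server, port), clients in sorted(server_roles(observed).items()):
        if (server, port) not in known and len(clients) >= min_clients:
            alerts.append((server, SERVICE_NAMES[port], len(clients)))
    return alerts


if __name__ == "__main__":
    for host, service, n in relational_anomalies(BASELINE, OBSERVED):
        print(f"new {service} server: {host} ({n} distinct clients)")
```

The baseline has to be learned from a window known to be clean; a host that was already infected while the baseline was recorded is treated as normal.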