Anomaly Detection Methods (cont)

Statistical anomaly analysis
  - Look at traffic characteristics: in-degree and out-degree of a host, packet rates
  - Detect changes relative to normal behaviour, e.g. a host that suddenly contacts many new peers (an aggressively scanning worm host)

Protocol anomaly analysis
  - Assume attacks violate protocol norms: oversized data, unexpected number of arguments
  - Detect deviations from those norms, e.g. a MIME header line longer than 80 bytes
  - Encodes basic assumptions about worm behaviour

Both approaches require a baseline, generated manually or automatically.
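The two approaches above, worked through as an added example (this is not code from the original slides): an automatically generated per-host baseline of out-degree and packet counts, a statistical check that flags a host whose current value exceeds mean + k standard deviations, and a protocol check that flags MIME header lines over 80 bytes or without a "Name: value" shape. The flow records, messages, the k = 3 threshold and the 1.0 floor on the standard deviation are all constructed or assumed for illustration.

```python
# Added example: statistical and protocol anomaly checks over constructed data.
import statistics
from collections import defaultdict

# Constructed flow records for three quiet time windows: (src, dst, packets).
BASELINE_WINDOWS = [
    [("10.0.0.5", "10.0.0.1", 40), ("10.0.0.5", "10.0.0.2", 12),
     ("10.0.0.9", "10.0.0.1", 5)],
    [("10.0.0.5", "10.0.0.1", 38), ("10.0.0.5", "10.0.0.3", 9),
     ("10.0.0.9", "10.0.0.1", 6)],
    [("10.0.0.5", "10.0.0.1", 41), ("10.0.0.5", "10.0.0.2", 11),
     ("10.0.0.5", "10.0.0.3", 7), ("10.0.0.9", "10.0.0.2", 4)],
]

# Constructed window in which 10.0.0.5 behaves like a scanning worm host:
# one packet each to 50 previously unseen destinations.
SCAN_WINDOW = [("10.0.0.5", f"10.0.0.{n}", 1) for n in range(10, 60)] + [
    ("10.0.0.9", "10.0.0.1", 5), ("10.0.0.9", "10.0.0.2", 2)]


def host_features(flows):
    """Per-source traffic characteristics: out-degree and packets sent."""
    dsts, pkts = defaultdict(set), defaultdict(int)
    for src, dst, n in flows:
        dsts[src].add(dst)
        pkts[src] += n
    return {h: {"out_degree": len(dsts[h]), "packets": pkts[h]} for h in dsts}


def build_baseline(windows):
    """Automatic baseline: (mean, stdev) of each feature per host across windows."""
    series = defaultdict(lambda: defaultdict(list))
    for window in windows:
        for host, feats in host_features(window).items():
            for name, value in feats.items():
                series[host][name].append(value)
    return {h: {n: (statistics.mean(v), statistics.pstdev(v)) for n, v in f.items()}
            for h, f in series.items()}


def statistical_anomalies(baseline, flows, k=3.0, min_stdev=1.0):
    """Flag hosts whose current feature exceeds mean + k*stdev.

    min_stdev (assumed) keeps a zero-variance baseline from alerting on any
    change at all. Hosts absent from the baseline cannot be scored and are
    returned separately rather than silently ignored.
    """
    alerts, unknown = [], []
    for host, feats in host_features(flows).items():
        if host not in baseline:
            unknown.append(host)
            continue
        for name, value in feats.items():
            mean, sd = baseline[host][name]
            threshold = mean + k * max(sd, min_stdev)
            if value > threshold:
                alerts.append((host, name, value, round(threshold, 2)))
    return alerts, unknown


def protocol_anomalies(message, max_header_len=80):
    """Protocol anomaly check on a MIME message (bytes, CRLF line endings).

    Norm assumed: every header line is 'Name: value' (folded continuation
    lines start with whitespace) and is at most max_header_len bytes long.
    """
    header_block = message.split(b"\r\n\r\n", 1)[0]
    findings = []
    for line in header_block.split(b"\r\n"):
        if len(line) > max_header_len:
            findings.append(("oversized_header", line[:24]))
        if not line.startswith((b" ", b"\t")) and b":" not in line:
            findings.append(("malformed_header", line[:24]))
    return findings


# Constructed messages: one ordinary, one with a 110-byte header line.
NORMAL_MESSAGE = (b"From: alice@example.com\r\nTo: bob@example.com\r\n"
                  b"Subject: status\r\nContent-Type: text/plain\r\n\r\nhello\r\n")
ODD_MESSAGE = (b"From: alice@example.com\r\nX-Mailer: " + b"A" * 100 +
               b"\r\nContent-Type: text/plain\r\n\r\nhello\r\n")

if __name__ == "__main__":
    base = build_baseline(BASELINE_WINDOWS)
    print(statistical_anomalies(base, SCAN_WINDOW))
    print(protocol_anomalies(NORMAL_MESSAGE), protocol_anomalies(ODD_MESSAGE))
```

Note that the scan is caught on out-degree, not on packet count: 50 single-packet probes send fewer packets than the host's normal traffic, which is why the degree features matter. The 80-byte header rule is only a heuristic norm; legitimate long headers exist, so in practice the length bound itself is something to derive from a baseline rather than fix by hand.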