Definition
Anomaly-based detection is a threat detection technique that alerts on activity in a computer or network system that deviates from an established baseline of normal behaviour.
It works by training a model (statistical or machine-learned) on how the system behaves under normal conditions; activity that falls outside that learned baseline triggers an alert to the user or system administrator. Because it looks for deviation rather than for a known pattern, it can surface previously unseen attacks, but its accuracy depends on how representative, and how free of attack traffic, the baseline is.
Anomaly-based Detection Techniques
- Supervised: Supervised anomaly-based detection systems are trained on a labelled dataset in which each record is marked ‘normal’ or ‘abnormal’, so the model learns both classes. Labelled attack data is scarce and rarely covers attacks that have not been seen before, which limits this approach in practice.
- Unsupervised: Unsupervised anomaly-based detection systems use unlabelled datasets and rely on the data’s intrinsic structure (distance, density or clustering) to decide what is unusual. They assume anomalies are rare and distinct from the bulk of the data; an attack that is present in volume, or that resembles normal traffic, can be absorbed into the model.
- Semi-supervised: Semi-supervised systems use a dataset labelled only as ‘normal’ to establish a baseline, then score new instances by how far they deviate from it. This is the most common form in intrusion detection because normal data is easy to collect, but the training set must be clean: attack traffic that leaks into it becomes part of ‘normal’.
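The semi-supervised and unsupervised variants, and the clean-baseline caveat, as an added example that is not part of the original page. The per-minute connection counts are constructed, and the mean/standard-deviation and median/MAD models are simple stand-ins for whatever model a real system would use; the point is where the baseline comes from, not the statistic.

```python
"""Semi-supervised and unsupervised anomaly detection over per-minute event counts.

Added illustration, not code from the original page. The counts below are
constructed: outbound connections per minute from one host.
"""
from statistics import mean, median, pstdev

# Constructed training window labelled 'normal' by an analyst. Only normal data
# is needed, which is what makes the approach semi-supervised.
NORMAL_TRAINING = [42, 38, 45, 40, 44, 39, 41, 43, 37, 46, 40, 42,
                   44, 41, 39, 43, 40, 45, 38, 42]

# Constructed observation window from the same host. Minutes 4-6 contain a burst
# consistent with a scan or beaconing; the rest resembles the training data.
OBSERVED = [41, 43, 39, 44, 180, 215, 198, 42, 40, 45]


def fit_baseline(normal_counts):
    """Learn what 'normal' looks like from normal-only data.

    Returns (mean, stdev). The stdev is floored so a perfectly flat baseline
    does not produce a division by zero when scoring.
    """
    return mean(normal_counts), max(pstdev(normal_counts), 1e-9)


def zscore(value, baseline):
    """Distance of one observation from the baseline, in standard deviations."""
    mu, sigma = baseline
    return (value - mu) / sigma


def detect_semi_supervised(observed, baseline, threshold=3.0):
    """Flag every minute whose count lies more than `threshold` standard
    deviations from the learned baseline. Returns [(index, count, z), ...]."""
    hits = []
    for i, count in enumerate(observed):
        z = zscore(count, baseline)
        if abs(z) > threshold:
            hits.append((i, count, round(z, 2)))
    return hits


def detect_unsupervised(counts, threshold=3.5):
    """No labels at all: model the window's own structure with median and MAD.

    These robust statistics tolerate the anomalies being present in the very
    data being modelled. 0.6745 rescales MAD to be comparable with a standard
    deviation for normally distributed data (the modified z-score).
    Returns [(index, count, modified_z), ...].
    """
    med = median(counts)
    mad = median(abs(c - med) for c in counts) or 1e-9
    hits = []
    for i, count in enumerate(counts):
        mz = 0.6745 * (count - med) / mad
        if abs(mz) > threshold:
            hits.append((i, count, round(mz, 2)))
    return hits


def contaminated_baseline_misses(observed, threshold=3.0):
    """Caveat: fit mean/stdev on a window that already contains the attack.

    The burst inflates the stdev so much that the burst itself lands inside
    'normal'. Returns the flagged indices, which for OBSERVED is an empty list.
    """
    poisoned = fit_baseline(observed)
    return [i for i, _, _ in detect_semi_supervised(observed, poisoned, threshold)]


if __name__ == "__main__":
    baseline = fit_baseline(NORMAL_TRAINING)
    print("semi-supervised:", detect_semi_supervised(OBSERVED, baseline))
    print("unsupervised:   ", detect_unsupervised(OBSERVED))
    print("poisoned fit:   ", contaminated_baseline_misses(OBSERVED))
```

Fitting on the labelled-normal window flags minutes 4, 5 and 6; the median/MAD model flags the same three without any labels because the burst is a small fraction of the window; fitting a non-robust mean/stdev on the contaminated window flags nothing at all, which is the failure mode the semi-supervised caveat above describes.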
Anomaly vs. Signature-based Detection
Most intrusion detection systems combine anomaly detection with threat signatures to detect threats and alert administrators. Anomaly-based intrusion detection systems flag behaviour that deviates from an established baseline of how the system operates under normal conditions and treat that deviation as potentially malicious. This lets them catch attacks for which no signature exists, at the cost of more false positives: a benign change such as a new backup job or a software rollout deviates from the baseline just as an intrusion does, so each alert needs investigation.
On the other hand, signature-based intrusion detection systems maintain a database of known threats and their indicators of compromise (IOCs), such as byte patterns, file hashes, domains and IP addresses. The system inspects packets and events as they traverse the network and alerts administrators when one matches an entry in the database. This produces few false positives for threats it knows about, but it cannot detect an attack that has no signature yet, and the database must be kept current to remain useful.
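The two approaches side by side on one constructed SSH authentication log, as an added example that is not part of the original page. The log lines, the IOC list and the ‘normal’ training period are all constructed; the anomaly model (largest failure burst per source seen under normal conditions) is deliberately minimal so that the complementarity is visible: the single failed login from the known-bad IP is caught only by the signature match, and the brute-force burst from a never-before-seen address is caught only by the baseline comparison.

```python
"""Signature matching beside baseline deviation on one constructed SSH auth log.

Added illustration, not code from the original page. Log lines, the IOC list and
the 'normal' training period are all constructed for this example.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?P<user>\w+) from (?P<src>[\d.]+)$"
)

# Constructed IOC database: a source IP previously attributed to a known campaign.
IOC_SRC_IPS = {"203.0.113.77"}

# Constructed labelled-normal history used to build the baseline.
TRAINING_LOG = [
    "2024-05-01T08:02:11 sshd[411]: Accepted password for alice from 198.51.100.10",
    "2024-05-01T08:05:40 sshd[412]: Accepted password for bob from 198.51.100.11",
    "2024-05-01T08:06:02 sshd[413]: Failed password for bob from 198.51.100.11",
    "2024-05-01T08:06:09 sshd[414]: Accepted password for bob from 198.51.100.11",
    "2024-05-02T08:01:55 sshd[521]: Accepted password for alice from 198.51.100.10",
]

# Constructed window to analyse. It holds a single failure from the known-bad IP
# (only a signature will catch it) and a burst of failures from a source that no
# IOC list has ever seen (only the baseline comparison will catch it).
OBSERVED_LOG = [
    "2024-05-03T03:14:07 sshd[611]: Failed password for bob from 203.0.113.77",
] + [
    f"2024-05-03T03:15:{i:02d} sshd[{620 + i}]: Failed password for alice from 192.0.2.45"
    for i in range(12)
] + [
    "2024-05-03T08:03:20 sshd[640]: Accepted password for alice from 198.51.100.10",
]


def parse(lines):
    """Turn raw log lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]


def signature_detect(lines, iocs=IOC_SRC_IPS):
    """Signature-based: report every source that matches an entry in the IOC database."""
    return sorted({e["src"] for e in parse(lines) if e["src"] in iocs})


def fit_failure_baseline(training_lines):
    """Learn the largest number of failed logins any single source produced
    during the labelled-normal period. Deliberately simple; a production system
    would model this per user and per time window."""
    fails = Counter(e["src"] for e in parse(training_lines) if e["result"] == "Failed")
    return max(fails.values(), default=0)


def anomaly_detect(lines, max_normal_failures):
    """Anomaly-based: report every source whose failure count in this window
    exceeds anything observed under normal conditions."""
    fails = Counter(e["src"] for e in parse(lines) if e["result"] == "Failed")
    return sorted(src for src, n in fails.items() if n > max_normal_failures)


if __name__ == "__main__":
    baseline = fit_failure_baseline(TRAINING_LOG)
    print("signature hits:", signature_detect(OBSERVED_LOG))           # known-bad IP only
    print("anomaly hits:  ", anomaly_detect(OBSERVED_LOG, baseline))   # brute-force source only
```

Neither detector alone covers the window: the IOC match says nothing about 192.0.2.45 because nobody has attributed it yet, and the baseline comparison lets 203.0.113.77 through because one failed login is within what a legitimate user produced during training. Running both, which is what the text describes most IDS products doing, is what closes the gap.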