Definition

Anomaly-based detection is a threat detection technique that alerts about unusual activities and processes in a computer or network system.

It works by training the detection system to recognise how a computer or network system normally behaves; any deviation from that learned baseline then triggers an alert to the user or system administrator.

Anomaly-based Detection Techniques

Anomaly vs. Signature-based Detection

Most intrusion detection systems use both anomalies and threat signatures to detect threats and alert administrators. Anomaly-based intrusion detection systems flag behaviour that deviates from the norm and treat it as a potential threat. They rely on an established baseline of how the system should work under normal conditions.

On the other hand, signature-based intrusion detection systems maintain a database of all known threats and their indicators of compromise (IOCs). The system then monitors the packets transmitted across the network and alerts the administrators if it detects a threat indicator matching those in the database.
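As an added illustration (not part of the original glossary entry), the following Python sketch runs both approaches over constructed log lines: a per-user hourly activity baseline learned from a training window, checked with a z-score for deviations, beside a signature check against a hypothetical IOC list. The log format, user names, IP addresses and the IOC value are all assumptions.

```python
import statistics
from collections import Counter
# Constructed sample logs (no real system): each line is "<hour> <user> <src_ip> <event>".
# Hours 1-5 are the "normal" training window; hour 6 is the window being inspected.
TRAINING_COUNTS = {"alice": [3, 4, 5, 4, 3], "bob": [1, 2, 2, 1, 2]}  # events per hour
TRAINING_LOG = [
    f"{hour} {user} 10.0.0.5 file_read"
    for user, per_hour in TRAINING_COUNTS.items()
    for hour, n in enumerate(per_hour, start=1)
    for _ in range(n)
]
OBSERVED_LOG = ["6 alice 10.0.0.5 file_read"] * 40 + [
    "6 bob 10.0.0.9 login_ok",
    "6 bob 203.0.113.7 file_read",  # documentation-range IP standing in for a known-bad IOC
]
KNOWN_BAD_IPS = {"203.0.113.7"}  # hypothetical signature/IOC feed

def per_user_hourly_counts(lines):
    """{user: {hour: count}}, zero-filled so silent hours also shape the baseline."""
    pairs = Counter((user, int(hour)) for hour, user, _ip, _ev in map(str.split, lines))
    hours = sorted({h for _, h in pairs})
    return {u: {h: pairs[(u, h)] for h in hours} for u in {u for u, _ in pairs}}

def build_baseline(lines, min_stdev=0.5):
    """Per-user (mean, stdev) of hourly activity; stdev is floored so a very regular user's small deviations are not inflated into huge z-scores."""
    baseline = {}
    for user, by_hour in per_user_hourly_counts(lines).items():
        counts = list(by_hour.values())
        baseline[user] = (statistics.mean(counts), max(statistics.stdev(counts), min_stdev))
    return baseline

def anomaly_alerts(baseline, lines, z_threshold=3.0):
    """Return (user, hour, count, z) tuples where activity exceeds the user's baseline by
    more than z_threshold standard deviations; z is None for users with no baseline."""
    alerts = []
    for user, by_hour in per_user_hourly_counts(lines).items():
        for hour, count in by_hour.items():
            if user not in baseline:
                alerts.append((user, hour, count, None))  # never seen before: worth a look
                continue
            mean, stdev = baseline[user]
            z = (count - mean) / stdev
            if z > z_threshold:
                alerts.append((user, hour, count, round(z, 1)))
    return alerts

def signature_alerts(lines, iocs):
    """Flag lines whose source IP matches a known indicator of compromise."""
    return [line for line in lines if line.split()[2] in iocs]
```

Each detector catches what the other misses: alice's volume spike matches no signature, while bob's use of the known-bad address produces perfectly normal-looking volume.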