Statistical Anomaly Categories

• Threshold detection

  • Counting the number of occurrences of a specific event type over an interval of time
  • Generate either a lot of false positives or a lot of false negatives

• Profile-based systems

  • Characterizing the past behavior of individual users or related groups of users and then detecting significant deviations
  • A profile is a set of parameters
  • Foundation of this approach is an analysis of audit records
  • Records over time define typical behavior. Current audit records are used to detect intrusion