Statistical Anomaly Detection

• Various tests determine whether current activity fits within acceptable limits

  • Mean & standard deviation – crude for intrusion detection
  • Multivariate – correlation determines intruder behavior
  • Markov process – establish transition probabilities among various states
  • Time series – focus on time intervals
  • Operational model – exceeding fixed limits

• Prior knowledge of security flaws is not required