Rule-Based Detection

• Observe events in the system and apply a set of rules that decide if activity is suspicious or not

• Approaches focus on either:

  • Anomaly detection
  • Penetration identification