The State of Anomaly Detection

"One of These Things is not Like the Others: The State of Anomaly Detection
by Matthew Tanase
last updated July 1, 2002



Introduction

"To some, our observations can be summarized succinctly as "bugs happen". That certainly is not news. But dismissing our
results so cavalierly misses the point. Yes, bugs happen. But bugs can be fixed -if they are detected. The Internet is, as a whole, working remarkably well. Huge software packages (i.e., X11R5) can be distributed electronically. Connections span the globe. But the very success of the Internet makes some bugs invisible." - Steven Bellovin [1]

This excerpt, from the well-known 1993 report Packets Found on an Internet, was written nearly nine years ago. As we all know, times have changed. Today, such "bugs", are likely part of an attempt to breach network security. The investigation of strange packets, the cited paper's topic, is now quite common. We know it as intrusion detection. In the past few years, intrusion detection systems have joined firewalls as the fundamental technologies driving network security. In the near future, a third component will emerge - anomaly detection.

What is Anomaly Detection?

Anomaly detection can be described as an alarm for strange system behavior. The concept stems from a paper fundamental to the field of security - An Intrusion Detection Model, by Dorothy Denning[2]. In it, she describes building an "activity profile" of normal usage over an interval of time. Once in place, the profile is compared against real time events. Anything that deviates from the baseline, or the norm, is logged as anomalous."

Rest of article here: http://online.securityfocus.com/infocus/1600 . Pete

 

Hey Pete - are you having trouble with insomnia lately? That article cured me!