
Table 3 Detection methodology characteristics for intrusion-detection systems

From: Survey of intrusion detection systems: techniques, datasets and challenges

Columns: Detection methodology | Examples | Characteristics

Statistics-based: analyzes network traffic with statistical algorithms to process the information.
  Examples: Bhuyan et al. (2014)
  Characteristics:
  • Requires substantial knowledge of statistics
  • Simple but less accurate
  • Real-time

Pattern-based: identifies the characters, forms, and patterns in the data.
  Examples: Liao et al. (2013a); Riesen and Bunke (2008)
  Characteristics:
  • Easy to implement
  • A hash function can be used for identification

Rule-based: uses an attack "signature" to detect a potential attack in suspicious network traffic.
  Examples: Hall et al. (2009)
  Characteristics:
  • Computational cost can be very high, because every rule needs pattern matching
  • Very hard to estimate which actions are going to occur, and when
  • Requires a large number of rules to cover all possible attacks
  • Low false positive rate
  • High detection rate

State-based: examines a stream of events to identify any possible attack.
  Examples: Kenkre et al. (2015a)
  Characteristics:
  • Probabilistic, self-training
  • Low false positive rate

Heuristic-based: identifies any abnormal activity that is out of the ordinary.
  Examples: Abbasi et al. (2014); Butun et al. (2014)
  Characteristics:
  • Needs knowledge and experience
  • Experimental and evolutionary learning
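To make the trade-offs in the table concrete, here is an added example (illustration code written for this page, not code from the survey or from any of the cited papers) that runs three of the methodologies over a constructed set of connection records: rule-based matching with explicit signature regexes, pattern-based identification by hashing the observed payload against a hypothetical known-bad set, and statistics-based flagging of byte counts that fall more than a chosen number of standard deviations from a baseline learned on a window assumed to be benign. The events, signatures and known-bad hash are all made up for the demonstration.

```python
"""Added example: rule-based, pattern-based and statistics-based detection
over constructed traffic records. Not from the survey or the cited papers."""
import hashlib
import re
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    src: str
    dst_port: int
    nbytes: int
    payload: bytes


# Constructed sample traffic (not a real capture): seven ordinary HTTP
# requests, then three events that each trip exactly one method below.
EVENTS = [
    Event("10.0.0.5", 80, 512, b"GET /index.html HTTP/1.1"),
    Event("10.0.0.5", 80, 600, b"GET /about HTTP/1.1"),
    Event("10.0.0.6", 80, 550, b"GET /images/logo.png HTTP/1.1"),
    Event("10.0.0.6", 80, 580, b"GET /contact HTTP/1.1"),
    Event("10.0.0.7", 80, 530, b"GET /news HTTP/1.1"),
    Event("10.0.0.7", 80, 610, b"POST /login HTTP/1.1"),
    Event("10.0.0.8", 80, 590, b"GET /faq HTTP/1.1"),
    # signature hit: directory traversal in the request path
    Event("10.0.0.9", 80, 620, b"GET /../../etc/passwd HTTP/1.1"),
    # hash hit: payload identical to a (hypothetical) known-bad sample
    Event("10.0.0.9", 4444, 640, b"STAGE1-DROPPER-BLOB"),
    # statistical outlier: far more bytes than the baseline traffic
    Event("10.0.0.10", 80, 48000, b"GET /export.csv HTTP/1.1"),
]

# --- Rule-based: explicit attack signatures. Every event is matched against
# every rule, which is why cost grows with the size of the rule set.
SIGNATURES = {
    "path_traversal": re.compile(rb"\.\./"),
    "sqli_union_select": re.compile(rb"union\s+select", re.IGNORECASE),
}


def rule_based(events):
    """Return (event index, rule name) for every event matching a signature."""
    hits = []
    for i, ev in enumerate(events):
        for name, rx in SIGNATURES.items():
            if rx.search(ev.payload):
                hits.append((i, name))
    return hits


# --- Pattern-based: identification by hash of the observed content.
# Hypothetical known-bad set; in practice it would come from a threat feed.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"STAGE1-DROPPER-BLOB").hexdigest()}


def pattern_based(events):
    """Return indexes of events whose payload hash is in the known-bad set."""
    return [i for i, ev in enumerate(events)
            if hashlib.sha256(ev.payload).hexdigest() in KNOWN_BAD_SHA256]


# --- Statistics-based: learn mean and standard deviation of bytes per event
# from a window assumed benign, then flag later events whose z-score exceeds
# `threshold`. Cheap and real-time, but blind to attacks that look
# statistically normal (the traversal request above passes unnoticed).
def statistics_based(events, baseline_len=7, threshold=3.0):
    baseline = [ev.nbytes for ev in events[:baseline_len]]
    if len(baseline) < 2:
        raise ValueError("need at least two baseline events")
    mean = statistics.mean(baseline)
    sd = statistics.stdev(baseline)
    if sd == 0:  # degenerate baseline: any deviation at all is anomalous
        return [i for i in range(baseline_len, len(events))
                if events[i].nbytes != mean]
    flagged = []
    for i in range(baseline_len, len(events)):
        z = (events[i].nbytes - mean) / sd
        if abs(z) > threshold:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    print("rule-based:      ", rule_based(EVENTS))
    print("pattern-based:   ", pattern_based(EVENTS))
    print("statistics-based:", statistics_based(EVENTS))
```

Each method catches a different one of the three suspicious events, which is the point the table is making: signatures and hashes give precise hits only for what they already know, while the statistical baseline notices the unusual transfer volume but has no opinion about the traversal string. Lowering `threshold` raises the detection rate at the cost of false positives on the two moderately larger benign-looking requests.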