From: Survey of intrusion detection systems: techniques, datasets and challenges
Detection Methodology | Examples | Characteristics |
---|---|---|
Statistics-based: analyzes the network traffic using complex statistical algorithms to process the information. | Bhuyan et al. (2014) | • Needs a large amount of statistical knowledge • Simple but less accurate • Real-time |
Pattern-based: identifies the characters, forms, and patterns in the data. | Liao et al. (2013a); Riesen and Bunke (2008) | • Easy to implement • A hash function could be used for identification |
Rule-based: uses an attack "signature" to detect a potential attack in suspicious network traffic. | Hall et al. (2009) | • The computational cost of rule-based systems can be very high because rules require pattern matching • It is very hard to estimate which actions are going to occur and when • Requires a large number of rules to cover all possible attacks • Low false positive rate • High detection rate |
State-based: examines a stream of events to identify any possible attack. | Kenkre et al. (2015a) | • Probabilistic, self-training • Low false positive rate |
Heuristic-based: identifies abnormal activity that departs from ordinary behaviour. | Abbasi et al. (2014); Butun et al. (2014) | • Needs knowledge and experience • Experimental and evolutionary learning |
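As an added illustration of the statistics-based and rule-based rows (example code, not from the survey or any cited work), the constructed connection records below are run through both methodologies so the difference in what each one catches is visible. The signature list, the z-score threshold and the sample records are assumptions made for this example.

```python
# Added example, not part of the survey: the same constructed records
# checked with a rule-based signature and a statistics-based outlier test.
import statistics

# Constructed sample: (src_ip, dst_port, payload) for each connection.
# One host issues a classic injection tautology; another touches 40 ports.
SAMPLE = [
    ("10.0.0.5", 80, "GET /index.html HTTP/1.1"),
    ("10.0.0.5", 80, "GET /login HTTP/1.1"),
    ("10.0.0.7", 80, "GET /index.php?id=1' OR '1'='1 HTTP/1.1"),
    ("10.0.0.9", 22, "SSH-2.0-OpenSSH_8.9"),
    *[("10.0.0.11", p, "") for p in range(1000, 1040)],
]

# Hypothetical signature table: each rule is a literal string to match.
SIGNATURES = {"sqli_tautology": "' OR '1'='1"}


def rule_based(records):
    """Rule-based: flag sources whose payload matches any known signature.

    Cheap to reason about and low on false positives, but blind to anything
    that has no rule (the port sweep from 10.0.0.11 is never reported).
    """
    return {src for src, _, payload in records
            if any(sig in payload for sig in SIGNATURES.values())}


def statistics_based(records, z=1.5):
    """Statistics-based: flag sources whose distinct-port count is an outlier.

    Needs no attack knowledge, only a model of 'normal'; it catches the
    port sweep but has no notion of the injection string at all.
    """
    per_src = {}
    for src, port, _ in records:
        per_src.setdefault(src, set()).add(port)
    counts = {src: len(ports) for src, ports in per_src.items()}
    mean = statistics.mean(counts.values())
    stdev = statistics.pstdev(counts.values())
    if stdev == 0:           # every source looks alike: nothing to flag
        return set()
    return {src for src, c in counts.items() if (c - mean) / stdev > z}


if __name__ == "__main__":
    print("rule-based:      ", rule_based(SAMPLE))        # {'10.0.0.7'}
    print("statistics-based:", statistics_based(SAMPLE))  # {'10.0.0.11'}
```

The two methods flag disjoint sources on this input, which is the practical reason the survey lists them as complementary rather than competing.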