| Detection approach | References | Characteristics |
|---|---|---|
| Statistics based: analyzes the network traffic using complex statistical algorithms to process the information. | Bhuyan, et al. (2014) | • Needs a large amount of knowledge of statistics<br>• Simple but less accurate |
| Pattern-based: identifies the characters, forms, and patterns in the data. | Liao, et al. (2013a)<br>Riesen and Bunke (2008) | • Easy to implement<br>• Hash function could be used for identification. |
| Rule-based: uses an attack “signature” to detect a potential attack on the suspicious network traffic. | Hall, et al. (2009) | • The computational cost of rule-based systems could be very high because rules need pattern matching.<br>• It is very hard to estimate what actions are going to occur and when<br>• Requires a large number of rules for determining all possible attacks.<br>• Low false positive rate<br>• High detection rate |
| State-based: examines a stream of events to identify any possible attack. | Kenkre, et al. (2015a) | • Low false positive rate. |
| Heuristic-based: identifies any abnormal activity that is out of the ordinary activity. | Abbasi, et al. (2014)<br>Butun, et al. (2014) | • It needs knowledge and experience<br>• Experimental and evolutionary learning |