Statistics-based: analyzes network traffic using complex statistical algorithms to process the information.
Bhuyan, et al. (Bhuyan et al., 2014)
• Needs a large amount of knowledge of statistics
• Simple but less accurate
Pattern-based: identifies the characters, forms, and patterns in the data.
Liao, et al. (Liao et al., 2013a)
Riesen and Bunke (Riesen et al., 2008)
• Easy to implement
• A hash function could be used for identification.
Rule-based: uses an attack “signature” to detect a potential attack in suspicious network traffic.
Hall, et al. (Hall et al., 2009)
• The computational cost of rule-based systems could be very high because rules need pattern matching.
• It is very hard to estimate what actions are going to occur and when.
• It requires a large number of rules for determining all possible attacks.
• Low false-positive rate
• High detection rate
State-based: examines a stream of events to identify any possible attack.
Kenkre, et al. (Kenkre et al., 2015)
• Probabilistic, self-training
• Low false-positive rate
Heuristic-based: identifies any abnormal activity that falls outside ordinary activity.
Abbasi, et al. (Abbasi et al., 2014)
Butun, et al. (Butun et al., 2014)
• It needs knowledge and experience
• Experimental and evolutionary learning