| Detection approach | References | Characteristics |
|---|---|---|
| Statistics-based: analyzes the network traffic using complex statistical algorithms to process the information. | Bhuyan et al. (Bhuyan et al., 2014) | • Needs a large amount of knowledge of statistics<br>• Simple but less accurate |
| Pattern-based: identifies the characters, forms, and patterns in the data. | Liao et al. (Liao et al., 2013a)<br>Riesen and Bunke (Riesen et al., 2008) | • Easy to implement<br>• A hash function could be used for identification |
| Rule-based: uses an attack "signature" to detect a potential attack on the suspicious network traffic. | Hall et al. (Hall et al., 2009) | • The computational cost of rule-based systems could be very high because rules need pattern matching<br>• It is very hard to estimate what actions are going to occur and when<br>• It requires a large number of rules for determining all possible attacks<br>• Low false-positive rate<br>• High detection rate |
| State-based: examines a stream of events to identify any possible attack. | Kenkre et al. (Kenkre et al., 2015) | • Probabilistic, self-training<br>• Low false-positive rate |
| Heuristic-based: identifies any abnormal activity that is out of the ordinary activity. | Abbasi et al. (Abbasi et al., 2014)<br>Butun et al. (Butun et al., 2014) | • It needs knowledge and experience<br>• Experimental and evolutionary learning |