| Detection methodology | Examples | Characteristics |
|---|---|---|
| Statistics-based: analyzes network traffic using complex statistical algorithms to process the information. | Bhuyan et al. (Bhuyan et al., 2014) | • Needs substantial statistical knowledge • Simple but less accurate • Real-time |
| Pattern-based: identifies the characters, forms, and patterns in the data. | Liao et al. (Liao et al., 2013a); Riesen and Bunke (Riesen et al., 2008) | • Easy to implement • A hash function can be used for identification |
| Rule-based: uses attack "signatures" to detect a potential attack in suspicious network traffic. | Hall et al. (Hall et al., 2009) | • Computational cost can be very high because every rule requires pattern matching • Very hard to estimate which actions will occur and when • Requires a large number of rules to cover all possible attacks • Low false-positive rate • High detection rate |
| State-based: examines a stream of events to identify a possible attack. | Kenkre et al. (Kenkre et al., 2015) | • Probabilistic, self-training • Low false-positive rate |
| Heuristic-based: identifies abnormal activity that departs from ordinary behavior. | Abbasi et al. (Abbasi et al., 2014); Butun et al. (Butun et al., 2014) | • Needs knowledge and experience • Experimental and evolutionary learning |
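To make the contrast between three of the rows concrete, the following added example (not from the surveyed papers) runs a rule-based, a statistics-based and a state-based detector over one constructed stream of connection records. The record format, the two signatures, the `mean + k * stddev` outlier rule and the idle/probing/scanning state machine are all assumptions chosen for illustration.

```python
import re
import statistics
from collections import defaultdict
# Constructed sample connection records (src_ip, dst_port, payload); an empty
# payload stands for a connection attempt that carried no application data.
EVENTS = [
    ("10.0.0.5", 80, "GET /index.html"),
    ("10.0.0.9", 22, "SSH-2.0-OpenSSH_8.9"),
    ("10.0.0.5", 80, "GET /about"),
    ("10.0.0.9", 80, "GET /login?user=' OR 1=1--"),  # known injection string
    ("10.0.0.7", 21, ""), ("10.0.0.7", 22, ""), ("10.0.0.7", 23, ""),
    ("10.0.0.7", 25, ""), ("10.0.0.7", 80, ""),  # one host, many ports
    ("10.0.0.5", 443, "GET /api"),
]

def rule_based(events, signatures=(r"' OR 1=1", r"\.\./\.\./")):
    """Rule-based: flag events whose payload matches a known attack signature.
    Every event pays the pattern-matching cost; only attacks the rule set
    already describes can be found, which keeps false positives low."""
    pats = [re.compile(s) for s in signatures]
    return [e for e in events if any(p.search(e[2]) for p in pats)]

def statistics_based(events, k=1.0):
    """Statistics-based: flag hosts whose distinct-port count exceeds
    mean + k * stddev over all hosts. Event order is ignored, and on a
    small sample the verdict depends heavily on the choice of k."""
    ports = defaultdict(set)
    for src, port, _ in events:
        ports[src].add(port)
    counts = {src: len(p) for src, p in ports.items()}
    limit = statistics.mean(counts.values()) + k * statistics.pstdev(counts.values())
    return sorted(src for src, c in counts.items() if c > limit)

def state_based(events, scan_after=3):
    """State-based: a per-host state machine driven by the event stream.
    Data-less connections to distinct ports move a host idle -> probing ->
    scanning (at scan_after ports); a data-carrying connection resets it."""
    probed, state = defaultdict(set), {}
    for src, port, payload in events:
        if payload:
            probed[src].clear()
            state[src] = "idle"
            continue
        probed[src].add(port)
        state[src] = "scanning" if len(probed[src]) >= scan_after else "probing"
    return state
if __name__ == "__main__":
    print("rule-based hits:", rule_based(EVENTS))
    print("statistics-based outliers:", statistics_based(EVENTS))
    print("state-based host states:", state_based(EVENTS))
```

Raising `k` to 3.0 silences the statistics-based detector on this sample while the other two verdicts are unchanged, which is the "simple but less accurate" trade-off in the table.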