Abstract
The basic principle of intrusion detection is based on the assumption that intrusive activities are noticeably different from normal ones and thus are detectable [16]. Many intrusion detection approaches have been suggested in the literature since Anderson's seminal report [5]. Traditionally these approaches are classified into three categories: misuse detection, anomaly detection and specification-based detection. Anomaly-based intrusion detection approaches are dedicated to establishing a model of the data flow that is monitored under normal conditions without the presence of any intrusive procedures. In contrast, misuse detection approaches aim to encode knowledge about patterns in the data flow that are known to correspond to intrusive procedures in the form of specific signatures. In specification-based detection approaches, security experts predefine the allowed system behaviors and thus events that do not match the specifications are labeled as attacks. In this chapter we discuss these different approaches in detail and summarize some representative examples in each category.
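The three categories described above, run side by side over the same flows, as an added example that is not taken from the chapter. The flow fields, the single signature, the allowed-port specification and the 3-sigma threshold are assumptions chosen for illustration, and all data is constructed.

```python
import re
import statistics

# Constructed attack-free flows: (destination port, payload size, payload).
BASELINE = [(443, 510, "GET /index.html"), (443, 495, "GET /news"),
            (80, 520, "GET /about"), (443, 505, "GET /index.html"),
            (80, 480, "GET /contact"), (443, 490, "GET /news")]

# Misuse detection: encoded knowledge of a known-bad pattern (assumed signature).
SIGNATURES = {"path-traversal": re.compile(r"\.\./\.\./")}

# Specification-based detection: behaviour an expert declared allowed (assumed).
ALLOWED_PORTS = {80, 443}


def build_profile(flows):
    """Anomaly detection, step 1: model normal traffic as mean/stdev of size."""
    sizes = [size for _, size, _ in flows]
    return statistics.mean(sizes), statistics.stdev(sizes)


def misuse_hits(flow):
    """Names of the signatures the payload matches."""
    return [name for name, rx in SIGNATURES.items() if rx.search(flow[2])]


def is_anomalous(flow, profile, threshold=3.0):
    """Anomaly detection, step 2: flag flows far from the learned profile."""
    mean, stdev = profile
    return abs(flow[1] - mean) / stdev > threshold


def violates_spec(flow):
    """Anything not explicitly allowed is labelled an attack."""
    return flow[0] not in ALLOWED_PORTS


def classify(flow, profile):
    """Sorted list of the detector categories that alert on this flow."""
    alerts = set()
    if misuse_hits(flow):
        alerts.add("misuse")
    if is_anomalous(flow, profile):
        alerts.add("anomaly")
    if violates_spec(flow):
        alerts.add("specification")
    return sorted(alerts)


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for flow in [(443, 505, "GET /../../etc/passwd"), (443, 48000, "POST /upload"),
                 (23, 498, "login"), (443, 500, "GET /index.html")]:
        print(flow, "->", classify(flow, profile) or "no alert")
```

Each constructed flow trips exactly one detector, which shows why the categories complement each other: the signature misses the unusually large transfer, the size profile misses the traversal request, and only the specification catches the connection to an undeclared port.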
Shankar, A., & Shankar, A. (2021). Network Intrusion Detection and Prevention. International Journal of Applied Engineering Research, 16(4), 267. https://doi.org/10.37622/ijaar/16.4.2021.267-270