(also anomaly-based intrusion detection system, anomaly-based IDS)
Anomaly-based detection definition
Anomaly-based detection is a method used to identify and alert about threats. It is used for identifying both computer and network threats.
Anomaly-based detection works by training the system with a normalized baseline that represents how the system normally works and should work.
Then, when an anomaly (something out of the ordinary) happens, the system compares it to the baseline and identifies it as an anomaly.
Once something is identified as an anomaly, an alert is triggered, warning the network and computer users that something is wrong.
An anomaly can be triggered whenever something doesn’t align with the normalized baseline — for example, if an employee logs in to the system outside of work hours or someone adds a new device to a network without proper authentication or permission.
Credit card companies use anomaly-based detection to track how users use their cards on a day-to-day basis. And if a user does something out of the ordinary, like make a large purchase or use the credit card in a new location, the anomaly-based detection system will trigger an alert that will notify a bank employee or whoever is responsible for contacting the credit card user.
Anomaly-based detection techniques
Unsupervised. An unsupervised anomaly-based detection system detects anomalies in an unlabelled dataset. It does so based on the intrinsic characteristics of the data. It works under the assumption that most activities in the dataset are or will be normal.
Semi-supervised. A semi-supervised anomaly-based detection system uses normal, labeled datasets to create a normalized baseline. Then, it uses that baseline to compare instances and decide if they’re normal or not.
Supervised. A supervised anomaly-based detection system uses datasets that have been labeled as “normal” and “abnormal.”