The anomaly-based IDS looks for traffic that deviates from what is normally seen. A definition of normal network traffic, the baseline, must first be established, usually by observing the traffic over a training period that is assumed to be free of attacks; anything that falls outside that definition is treated as abnormal. Once the baseline is in place, the anomaly-based IDS can monitor the system or network and raise an alarm when it detects an event outside the known normal behavior. An example of suspicious behavior is the detection of specific data packets, such as routing updates, that originate from a user device rather than from a network router.
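The following is an added example, not code from the original article: a small baseline-then-monitor loop over flow records that implements the behavior described above. The flow records, addresses and the `Flow`, `Baseline` and `detect` names are constructed for illustration. It learns which services each source normally emits (and the largest packet count seen per source and service), then flags a source it has never seen, a service a known source has never used, including the routing-update-from-a-host case in the text, and a flow whose volume far exceeds the learned peak.

```python
"""Toy anomaly-based IDS: learn a baseline from traffic assumed to be normal,
then alert on flow records that fall outside it. Added example with
constructed data; not code from the original article."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record, in the spirit of a NetFlow/IPFIX export (constructed)."""
    src: str
    dst: str
    proto: str    # "tcp", "udp" or "ospf"
    dport: int    # 0 for protocols without ports (OSPF)
    packets: int


def service(flow):
    """A flow's service is its protocol/port pair; OSPF is ('ospf', 0)."""
    return (flow.proto, flow.dport)


# Services that carry routing updates: OSPF (IP protocol 89) and RIPv2 (UDP/520).
ROUTING_SERVICES = {("ospf", 0), ("udp", 520)}


class Baseline:
    """Normal behavior learned from a training period assumed to be attack-free."""

    def __init__(self):
        self.services = defaultdict(set)   # src -> services it is known to emit
        self.peak = {}                     # (src, service) -> largest packet count seen

    def learn(self, flows):
        for f in flows:
            svc = service(f)
            self.services[f.src].add(svc)
            self.peak[(f.src, svc)] = max(self.peak.get((f.src, svc), 0), f.packets)

    def anomalies(self, flow, volume_factor=3):
        """Return the reasons a flow deviates from the baseline (empty if none)."""
        reasons = []
        svc = service(flow)
        if flow.src not in self.services:
            reasons.append(f"unknown source {flow.src}")
        elif svc not in self.services[flow.src]:
            kind = "routing update" if svc in ROUTING_SERVICES else "service"
            reasons.append(f"{kind} {svc} never seen from {flow.src}")
        else:
            peak = self.peak[(flow.src, svc)]
            if flow.packets > volume_factor * peak:
                reasons.append(f"{flow.packets} packets from {flow.src} to {svc}, baseline peak {peak}")
        return reasons


def detect(baseline, flows, volume_factor=3):
    """Run every flow through the baseline; return (flow, reasons) for the anomalous ones."""
    alerts = []
    for f in flows:
        reasons = baseline.anomalies(f, volume_factor)
        if reasons:
            alerts.append((f, reasons))
    return alerts


# Constructed training traffic: routers exchange OSPF and RIP; hosts do DNS and HTTPS.
NORMAL = [
    Flow("10.0.0.1", "224.0.0.5", "ospf", 0, 12),
    Flow("10.0.0.2", "224.0.0.5", "ospf", 0, 11),
    Flow("10.0.0.1", "224.0.0.9", "udp", 520, 4),
    Flow("10.0.1.5", "10.0.0.53", "udp", 53, 3),
    Flow("10.0.1.5", "93.184.216.34", "tcp", 443, 40),
    Flow("10.0.1.6", "10.0.0.53", "udp", 53, 5),
    Flow("10.0.1.6", "93.184.216.34", "tcp", 443, 60),
]

# Constructed traffic to monitor, including the routing-update case from the text.
OBSERVED = [
    Flow("10.0.0.1", "224.0.0.5", "ospf", 0, 12),        # router sends OSPF: normal
    Flow("10.0.1.5", "93.184.216.34", "tcp", 443, 55),   # host HTTPS within peak*3: normal
    Flow("10.0.1.5", "224.0.0.5", "ospf", 0, 3),         # user device sends OSPF: alert
    Flow("10.0.9.9", "10.0.0.53", "udp", 53, 2),         # source never seen in training: alert
    Flow("10.0.1.6", "93.184.216.34", "tcp", 443, 900),  # 15x the learned peak: alert
]


def run_example():
    baseline = Baseline()
    baseline.learn(NORMAL)
    return detect(baseline, OBSERVED)


if __name__ == "__main__":
    for flow, reasons in run_example():
        print(f"ALERT {flow.src} -> {flow.dst}: {'; '.join(reasons)}")
```

Two caveats follow directly from the design. Whatever is present in the training window becomes "normal", so an attacker already active during baselining is learned as legitimate (baseline poisoning), and the training data should be checked against a signature-based IDS or by hand before it is trusted. Conversely, any legitimate change (a new server, a router swap, a traffic spike) trips the detector until the baseline is retrained, which is why anomaly-based systems are known for false positives and are normally paired with signature-based detection rather than used alone.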