Anomaly-based intrusion detection monitors a network segment, compares its current state with a previously established baseline of normal behavior, and reports unusual situations. Anomaly detection can also focus solely on protocols: protocol anomaly analysis exposes attacks that a signature-based IDS is likely to overlook, because malformed or out-of-profile protocol usage is reported whether or not a signature exists for it; however, its false-positive rate is often higher than that of other intrusion detection approaches. Statistical patterns or profiles are frequently the better means of detecting insider attacks. However, a careful insider can shift their behavior gradually so that the profile comes to accept the malicious activity as normal, masking it. Anomaly detection also usually requires a large amount of processing capacity.
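As an added example (not code from the cited book; all data is constructed), the following Python sketch builds a statistical profile from 30 days of a user's outbound traffic and flags a sudden deviation, applies a learned protocol profile to HTTP request lines that match no specific signature, and then shows the caveat above: an adaptive profile that keeps learning from accepted traffic can be trained by an insider who raises their daily volume by half a megabyte per day, while a frozen profile alerts on day 11. The class and function names, thresholds, window size and sample values are assumptions made for the illustration.

```python
"""Anomaly detection against a learned baseline (added example, constructed data).
Part 1: a statistical profile catching a sudden deviation.
Part 2: a protocol profile catching a request no signature names.
Part 3: the caveat: an adaptive profile can be trained to accept slow drift."""
from statistics import mean, pstdev

# Constructed baseline: 30 days of outbound megabytes for one user
# (mean 50, population stddev about 1.79).
NORMAL_DAYS = [48, 52, 50, 47, 53, 51, 49, 50, 52, 48,
               51, 49, 50, 53, 47, 50, 52, 48, 51, 49,
               50, 51, 49, 52, 48, 50, 53, 47, 51, 49]


class StatisticalProfile:
    """Mean/stddev profile. A frozen profile never changes; an adaptive one
    keeps learning from every value it did not flag (30-sample sliding window)."""

    def __init__(self, samples, threshold=3.0, adaptive=False, window=30):
        self.samples = list(samples)
        self.threshold = threshold
        self.adaptive = adaptive
        self.window = window

    def zscore(self, value):
        mu, sigma = mean(self.samples), pstdev(self.samples)
        if sigma == 0:
            return 0.0 if value == mu else float("inf")
        return (value - mu) / sigma

    def observe(self, value):
        """True if value is anomalous; adaptive profiles absorb accepted values."""
        anomalous = abs(self.zscore(value)) > self.threshold
        if self.adaptive and not anomalous:
            self.samples.append(value)
            del self.samples[:-self.window]   # keep only the newest `window` samples
        return anomalous


def first_alert_day(adaptive, days=100, step=0.5):
    """Insider raises daily volume by `step` MB every day (50.5 MB on day 1,
    100 MB on day 100). Returns the first day flagged, or None if never."""
    profile = StatisticalProfile(NORMAL_DAYS, adaptive=adaptive)
    for day in range(1, days + 1):
        if profile.observe(50 + step * day):
            return day
    return None


class ProtocolProfile:
    """Learned HTTP request-line profile: methods and versions seen in training
    plus a length ceiling. It needs no signature for any specific attack."""

    def __init__(self, training_lines):
        parts = [line.split() for line in training_lines]
        self.methods = {p[0] for p in parts}
        self.versions = {p[2] for p in parts}
        self.max_len = max(len(line) for line in training_lines)

    def anomalies(self, lines):
        """Return (line, reason) for every request line outside the profile."""
        found = []
        for line in lines:
            parts = line.split()
            if len(parts) != 3:
                found.append((line, "malformed request line"))
            elif parts[0] not in self.methods:
                found.append((line, f"unseen method {parts[0]}"))
            elif parts[2] not in self.versions:
                found.append((line, f"unseen version {parts[2]}"))
            elif len(line) > 2 * self.max_len:
                found.append((line, "request line far longer than any in baseline"))
        return found


# Constructed traffic for the protocol profile.
TRAINING_REQUESTS = ["GET /index.html HTTP/1.1", "POST /login HTTP/1.1",
                     "GET /img/logo.png HTTP/1.1", "GET /api/v1/items?page=2 HTTP/1.1"]
LIVE_REQUESTS = ["GET /about HTTP/1.1",               # normal
                 "TRACE / HTTP/1.1",                  # method never seen here
                 "GET /index.html HTTP/9.9",          # bogus version
                 "GET /" + "A" * 400 + " HTTP/1.1"]   # overlong, overflow-style


def demo_protocol():
    return ProtocolProfile(TRAINING_REQUESTS).anomalies(LIVE_REQUESTS)


if __name__ == "__main__":
    print("200 MB in one day flagged:", StatisticalProfile(NORMAL_DAYS).observe(200))
    print("frozen profile first alert on day", first_alert_day(adaptive=False))
    print("adaptive profile first alert on day", first_alert_day(adaptive=True))
    for line, reason in demo_protocol():
        print(reason, "<-", line[:40])
```

The frozen profile fires on day 11 (55.5 MB is just over three standard deviations from the 50 MB mean), whereas the adaptive profile's z-score never exceeds about 2.2 during the ramp and settles near 1.8 once the window holds only ramp values, so an exfiltration that ends at twice the original volume is never reported. The usual mitigations are a slower or bounded learning rate, periodic comparison against a frozen long-term profile, and a hard absolute ceiling in addition to the statistical one.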
Host-based intrusion detection generally provides a passive examination of activity on an individual host. A host-based IDS can use system log data, resource utilization, modification or deletion of files, abnormal privilege escalation and other indicators to flag potential attacks against that host.
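As an added example (not code from the cited book), the following Python sketch runs the indicator checks listed above over a few constructed host log lines: a non-administrative account obtaining uid 0, writes to sensitive files, deletion of a log file, and a CPU utilization sample far above that account's own baseline. The `timestamp event key=value` log format, the account names, the sensitive-file list and the thresholds are all assumptions made for the illustration and follow no vendor's log schema.

```python
"""Host-based indicator checks over constructed host log lines (added example).
The 'timestamp event key=value ...' format is invented for illustration and
follows no particular vendor's log schema."""
import re
from statistics import mean

SENSITIVE_FILES = {"/etc/passwd", "/etc/shadow", "/etc/sudoers",
                   "/root/.ssh/authorized_keys"}
ADMINS = {"root", "ops"}      # accounts expected to touch sensitive files (assumed)
CPU_SPIKE_RATIO = 4.0         # flag a sample this many times the user's own baseline
MIN_BASELINE = 3              # samples needed before judging utilization

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) (?P<kv>.*)$")

# Constructed log: a web-server account escalates, edits /etc/shadow, removes a
# log file and pegs the CPU; an administrator edits sudoers legitimately.
SAMPLE_LOG = """\
2024-05-01T10:00:01 file_write user=ops path=/etc/hosts
2024-05-01T10:00:05 cpu user=www-data pct=12
2024-05-01T10:01:05 cpu user=www-data pct=15
2024-05-01T10:02:05 cpu user=www-data pct=10
2024-05-01T10:02:30 setuid user=www-data new_uid=0
2024-05-01T10:02:31 file_write user=www-data path=/etc/shadow
2024-05-01T10:02:40 file_delete user=www-data path=/var/log/auth.log
2024-05-01T10:03:05 cpu user=www-data pct=97
2024-05-01T10:03:10 file_write user=ops path=/etc/sudoers
"""


def parse(line):
    """'ts event k=v k=v' -> dict, or None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "event": m["event"]}
    for pair in m["kv"].split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def host_alerts(log_text):
    """Return (timestamp, severity, message) for every indicator that fires."""
    alerts = []
    cpu_history = {}   # user -> accepted utilization samples (per-user baseline)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        user, ev = rec.get("user", "?"), rec["event"]
        if ev == "setuid" and rec.get("new_uid") == "0" and user not in ADMINS:
            alerts.append((rec["ts"], "high", f"{user} obtained uid 0"))
        elif ev in ("file_write", "file_delete"):
            path = rec.get("path", "")
            if path in SENSITIVE_FILES:
                # An administrator editing sudoers is notable but expected; anyone else is not.
                sev = "info" if user in ADMINS else "high"
                alerts.append((rec["ts"], sev, f"{user} {ev} {path}"))
            elif ev == "file_delete" and path.startswith("/var/log/"):
                alerts.append((rec["ts"], "high", f"{user} deleted log {path}"))
        elif ev == "cpu":
            pct = float(rec.get("pct", 0))
            hist = cpu_history.setdefault(user, [])
            if len(hist) >= MIN_BASELINE and pct > CPU_SPIKE_RATIO * mean(hist):
                alerts.append((rec["ts"], "high",
                               f"{user} cpu {pct:.0f}% vs baseline {mean(hist):.0f}%"))
            else:
                hist.append(pct)   # flagged samples are not absorbed into the baseline
    return alerts


if __name__ == "__main__":
    for ts, sev, msg in host_alerts(SAMPLE_LOG):
        print(ts, sev.upper(), msg)
```

On the constructed log this yields four high-severity alerts (the uid 0 escalation, the write to /etc/shadow, the deletion of /var/log/auth.log and the CPU spike of 97% against a baseline of about 12%) and one informational alert for the administrator's edit of /etc/sudoers. The log deletion is worth singling out: because a host-based IDS reads the host's own records, an attacker who can erase or stop those records blinds it, which is why such sensors are normally paired with forwarding logs off the host in near real time.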
Davis, Robert E. IT Auditing: Assuring Information Assets Protection. Raleigh: Lulu.com, 2010.