Anomaly Detection Over User Profiles for Intrusion Detection
Source: University of South Australia
Intrusion Detection Systems (IDS) have often been used to analyze network traffic to help network administrators quickly identify and respond to intrusions. These detection systems generally operate over the entire network, identifying "Anomalies" atypical of the network's normal collective user activities. The authors show that anomaly detection could also be host-based so that the normal usage patterns of an individual user could be profiled. This enables the detection of masquerading intruders by comparing a learned user profile against the current session's profile. A prototype behavioural IDS applies the concept of anomaly detection to user behaviour and compares the effects of using multiple characteristics to profile users.