10.5 Misuse Detection

The main issues in anomaly detection systems thus become the selection of threshold levels, so that neither of the two problems described above (false alarms when the threshold is too tight, missed attacks when it is too loose) occurs, and the selection of which system features to monitor. Anomaly detection systems are also computationally expensive because of the overhead of keeping track of, and possibly updating, several system profile metrics. Audit data needs to be collected in order to build profiles and update them dynamically, so that alerts can be issued on statistically deviant behavior. Anomaly detection has been performed via several mechanisms, including neural networks and other machine-learning algorithms.

Misuse detection systems encode and match the sequences of actions that form an intruder's signature, such as changing the ownership of a file, in known intrusion scenarios. The main shortcomings of misuse systems are that the known intrusion patterns have to be hand-coded, and that they are unable to detect unknown intrusions, for which no pattern has yet been written. The concept behind misuse detection is that an attack can be represented as a pattern or signature in such a way that even variations of the same attack are detected. This means that these systems are not unlike virus-detection systems: they can detect many or all known attack patterns, but they are of little use against as yet unknown attack methods. An interesting point to note is that the two approaches are complementary: anomaly detection models "good" (normal) behavior and flags anything that falls outside it, whereas misuse detection recognizes known "bad" behavior, so new rules are continually needed as new attacks are discovered.
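To make the contrast between the two approaches concrete, the following Python script is an added example (not code from the book or from any real intrusion detection product). It runs a toy misuse detector and a toy anomaly detector over the same constructed audit trail. The audit records, the single hand-coded signature ("create, chown, chmod, exec" on one file, the file-ownership scenario mentioned above), and the training counts used to build the profile are all made up for illustration. The signature detector catches exactly the encoded sequence and nothing else; the anomaly detector flags whoever deviates from the profile by more than a chosen number of standard deviations, and changing that threshold shows how false alarms and misses trade off.

```python
"""Toy misuse (signature) detector beside a toy anomaly detector.

Constructed example: the audit records, the signature, and the profile
training values below are invented for illustration only.
"""
from collections import defaultdict
from statistics import mean, pstdev

# --- Constructed audit trail: (user, action, object) in time order ---------
AUDIT = [
    ("alice",   "login",  "tty1"),
    ("alice",   "create", "/tmp/x"),
    ("mallory", "login",  "tty2"),
    ("mallory", "create", "/tmp/.sh"),
    ("mallory", "chown",  "/tmp/.sh"),   # file now owned by root
    ("mallory", "chmod",  "/tmp/.sh"),   # set-uid bit set
    ("mallory", "exec",   "/tmp/.sh"),
    ("bob",     "login",  "tty3"),
    ("bob",     "create", "/tmp/y"),
    ("bob",     "chmod",  "/tmp/y"),     # variant: no chown step
    ("bob",     "exec",   "/tmp/y"),
]

# --- Misuse detection: hand-coded signature, an ordered action sequence ----
# A signature is a tuple of actions that must occur for one user, in order,
# on the same object; unrelated events may be interleaved.
SIGNATURES = {
    "setuid-shell": ("create", "chown", "chmod", "exec"),
}


def match_signature(events, signature):
    """True if `signature` occurs as an ordered subsequence of the actions
    on some single object. Tracks the next expected action per object."""
    progress = defaultdict(int)
    for action, obj in events:
        if action == signature[progress[obj]]:
            progress[obj] += 1
            if progress[obj] == len(signature):
                return True
    return False


def misuse_alerts(audit, signatures=SIGNATURES):
    """Map each user to the names of the signatures their actions match."""
    per_user = defaultdict(list)
    for user, action, obj in audit:
        per_user[user].append((action, obj))
    alerts = {}
    for user, events in per_user.items():
        hits = [name for name, sig in signatures.items()
                if match_signature(events, sig)]
        if hits:
            alerts[user] = hits
    return alerts


# --- Anomaly detection: one profile metric plus a threshold ----------------
# Metric: number of file-modifying actions per session. The training counts
# stand in for a period of observed normal sessions (constructed values).
MODIFYING = {"create", "chown", "chmod"}
TRAINING_COUNTS = [1, 2, 1, 0, 2, 1, 1, 2, 1, 1]


def build_profile(counts):
    """Return (mean, std-dev) of the metric; a constant profile gets sigma=1
    so that any deviation at all is reported rather than dividing by zero."""
    return mean(counts), (pstdev(counts) or 1.0)


PROFILE = build_profile(TRAINING_COUNTS)   # (1.2, 0.6) for the values above


def anomaly_alerts(audit, profile, threshold):
    """Flag users whose modifying-action count deviates from the profile by
    more than `threshold` standard deviations; value is the z-score."""
    counts = defaultdict(int)
    for user, action, _ in audit:
        if action in MODIFYING:
            counts[user] += 1
    mu, sigma = profile
    return {user: round((c - mu) / sigma, 2)
            for user, c in counts.items() if abs(c - mu) / sigma > threshold}


if __name__ == "__main__":
    print("misuse:", misuse_alerts(AUDIT))
    for t in (1.0, 2.0, 3.5):
        print(f"anomaly (threshold {t}):", anomaly_alerts(AUDIT, PROFILE, t))
```

Running it, the misuse detector reports only mallory: bob's sequence omits the chown step, so it matches no encoded pattern and would need a new hand-written signature. The anomaly detector reports mallory alone at a threshold of 2.0 standard deviations, adds bob (a likely false alarm) at 1.0, and reports nobody at 3.5, which is the threshold-selection problem described above in miniature.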




Investigative Data Mining for Security and Criminal Detection
ISBN: 0750676132
Year: 2005
Pages: 232
Authors: Jesus Mena
