Gamified Intelligent Cyber Aptitude and Skills Training (GICAST)

3.1 IDS techniques

Figure 8

Intrusion detection typically uses one of two techniques: anomaly detection or misuse detection.

Anomaly detection

Anomaly detection depends on the system having a model of the expected ‘normal’ behaviour of users and applications on the network. The basic assumption is that attacks differ from normal behaviour. This approach has the advantage of being able to detect previously unknown attacks, because it simply looks for activity that deviates from the expected normal behaviour rather than for any specific attack.

For example, consider a user who normally logs on to his computer at 9am each weekday and spends most of the morning accessing an order processing application, before taking a break for lunch. Each afternoon the user accesses a number of supplier websites before logging off at 5pm. If the intrusion detection system then logs the user accessing the system at 3am and installing new software on his machine, the anomaly detection algorithm would flag this activity as suspicious.

A potential disadvantage of this approach is that legitimate but unusual activity (the same user working late to meet a deadline, say) may be incorrectly identified as suspicious, producing false positives. The model of ‘normal’ also has to be built from activity that is known to be attack-free; if an attack is already under way while the model is being learned, that attack becomes part of what the system treats as normal.

Misuse detection

Misuse detection depends on the system having a set of attack patterns, or ‘signatures’, against which all network activity can be compared. The attack signatures, and any patterns of permitted normal use, are configured by an administrator. Whenever there is a match between users’ activities and one of the attack signatures, or a mismatch between users’ activities and a configured normal use pattern, the system flags that an attack is under way.

This approach has the advantage of minimising the number of legitimate activities that are identified as suspicious, because it only raises an alert on a pattern that is known to be malicious. However, it has the disadvantage of only being able to identify attacks for which a signature already exists: an attack of a new, unknown pattern is easily missed, and an attacker who knows the signatures can often evade them by varying the attack just enough that it no longer matches. The signature set therefore needs to be kept up to date as new attacks are discovered.
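To make the two approaches concrete, the Python below is an added illustration (it is not part of the course material and does not represent any real IDS product). It runs a toy anomaly detector and a toy signature matcher over the same constructed audit log: two clean weekdays of the user described above are used to learn a baseline, and a handful of later events are then checked by both techniques. The log format, the user name, the signature names and the regular expressions are all invented for the example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str   # logon, logoff, app_access, web_access, install, ...
    target: str   # host, application, URL or package the action touched


def parse_log(text: str) -> list[Event]:
    """Parse constructed 'ISO-timestamp user action target' lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, target = line.split(maxsplit=3)
        events.append(Event(datetime.fromisoformat(ts), user, action, target))
    return events


# --- Anomaly detection: learn what is 'normal' per user, then flag deviations ---

@dataclass
class Baseline:
    actions: set = field(default_factory=set)   # actions this user has been seen to perform
    hours: set = field(default_factory=set)     # hours of the day at which the user is active


def build_baseline(training: list[Event]) -> dict[str, Baseline]:
    """Build per-user profiles from a log that is assumed to be attack-free."""
    profiles: dict[str, Baseline] = {}
    for e in training:
        p = profiles.setdefault(e.user, Baseline())
        p.actions.add(e.action)
        p.hours.add(e.ts.hour)
    return profiles


def anomaly_detect(events, profiles, slack=1):
    """Return (event, reason) for each event that deviates from its user's profile.
    'slack' widens the learned active-hour window by that many hours on each side."""
    findings = []
    for e in events:
        p = profiles.get(e.user)
        if p is None:
            findings.append((e, "user has no baseline"))
            continue
        reasons = []
        if e.action not in p.actions:
            reasons.append(f"never seen action {e.action!r}")
        lo, hi = min(p.hours) - slack, max(p.hours) + slack
        if not lo <= e.ts.hour <= hi:
            reasons.append(f"hour {e.ts.hour:02d} outside usual window {lo:02d}-{hi:02d}")
        if reasons:
            findings.append((e, "; ".join(reasons)))
    return findings


# --- Misuse detection: compare activity against known attack signatures ---

# Constructed signatures (not a real rule set): name, the action they apply to,
# and a regular expression matched against the event's target.
SIGNATURES = [
    ("path-traversal-in-url", "web_access", re.compile(r"(^|/)\.\.(/|$)")),
    ("denylisted-package",    "install",    re.compile(r"^(cracktool|backdoor-kit)$", re.I)),
]


def misuse_detect(events, signatures=SIGNATURES):
    """Return (event, signature-name) for every event matching a known attack pattern."""
    return [(e, name) for e in events
            for name, action, pattern in signatures
            if e.action == action and pattern.search(e.target)]


# Constructed training log: two ordinary weekdays for user 'alice', assumed attack-free.
TRAINING_LOG = """\
2024-03-04T09:02:11 alice logon workstation-17
2024-03-04T09:15:40 alice app_access order-processing
2024-03-04T14:05:03 alice web_access supplier-a.example/catalogue
2024-03-04T17:01:22 alice logoff workstation-17
2024-03-05T08:58:30 alice logon workstation-17
2024-03-05T10:20:00 alice app_access order-processing
2024-03-05T15:30:12 alice web_access supplier-b.example/orders
2024-03-05T16:59:48 alice logoff workstation-17
"""

# Constructed live log: one legitimate late-evening session, then a 3am session
# that installs unknown software and requests a path-traversal URL.
LIVE_LOG = """\
2024-03-06T19:45:00 alice app_access order-processing
2024-03-09T03:12:05 alice logon workstation-17
2024-03-09T03:14:51 alice install remote-support-agent
2024-03-09T03:20:30 alice app_access order-processing
2024-03-09T03:25:10 alice web_access supplier-a.example/cgi-bin/../../etc/passwd
"""


def run_demo():
    """Run both detectors over the live log; returns (anomaly findings, signature matches)."""
    profiles = build_baseline(parse_log(TRAINING_LOG))
    live = parse_log(LIVE_LOG)
    return anomaly_detect(live, profiles), misuse_detect(live)


if __name__ == "__main__":
    anomalies, matches = run_demo()
    print("Anomaly detection flagged:")
    for e, why in anomalies:
        print(f"  {e.ts:%Y-%m-%d %H:%M} {e.user} {e.action} {e.target}: {why}")
    print("Misuse detection flagged:")
    for e, sig in matches:
        print(f"  {e.ts:%Y-%m-%d %H:%M} {e.user} {e.action} {e.target}: {sig}")
```

Running it shows the trade-off described in the text. The anomaly detector flags all four 3am events, including the install of software it has never seen, without knowing anything about the software; but it also flags the legitimate 19:45 session as a false positive because it falls outside the learned hours. The signature matcher is silent on the unknown installer and the 3am logon, and only fires on the one request that matches a known pattern.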

One way of discovering new attack patterns, so that signatures can be written for them, is to use honeypots.
