abnormal changes of activity. A profile system is created by the IPS to flag events that wander off from the baseline of normal patterns. Anomaly-based methodology identifies not only prohibited activity, but also allowed activity. Rate-based attacks such as DoS can be detected by using an anomaly-based scheme. The typical method is to apply a mathematical weighting to normal behavior and a weighting to the probability of abnormal occurrences. The anomaly detection analysis process is divided into three main categories: behavior analysis, traffic pattern analysis, and protocol analysis. Behavior analysis tries to uncover anomalies relative to baselines of statistical and characteristic behavior. Traffic pattern analysis looks for anomalies that have specific patterns in the network. Protocol analysis monitors network protocols to identify misuse or violations, identifying activities that are not yet known or covered by a signature update [1].

We note that there are several steps in the intrusion analysis model, especially in the context of anomaly detection. In the first step, the IPS performs preprocessing to initialize the data analysis and examination process: collecting the data, and baselining the data that is considered normal pattern or behavior. The data is then formed into a numerical format, which is processed and categorized into a statistical profile with different algorithms. Afterward, event data is formatted and analyzed by comparing the contents of the profile vector derived from the event data with the knowledge base. From here, a response action based on the result is taken automatically or manually. Then, it goes through the refinement step, where data records need to be kept and updated. For several reasons, data from the profile vector can be safely deleted after a specific number of days. Current recorded behavior can be monitored with a higher weighting than past recorded behavior.
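The steps above (baselining, numeric profile, comparison of event data against the profile, response, and refinement with current behavior weighted above past behavior), as an added illustration that is not code from the paper: a minimal rate-based anomaly detector over constructed per-second packet counts. The feature name, the `alpha` decay weight, the 3-sigma threshold and the sample windows are all assumptions made for the example.

```python
from __future__ import annotations
import math
from dataclasses import dataclass


@dataclass
class Profile:
    """Statistical profile of one numeric feature (assumed here: SYN packets per second)."""
    mean: float
    var: float
    alpha: float  # weight of the newest observation; older data decays geometrically

    def update(self, x: float) -> None:
        """Refinement step: fold a new normal observation into the profile with an
        exponentially weighted update, so current behavior outweighs past behavior."""
        diff = x - self.mean
        self.mean += self.alpha * diff
        self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)

    def score(self, x: float) -> float:
        """Deviation of x from the baseline, measured in standard deviations."""
        return abs(x - self.mean) / math.sqrt(max(self.var, 1e-9))


def build_profile(training: list[float], alpha: float = 0.1) -> Profile:
    """Preprocessing/baselining: seed the profile from data taken to be normal."""
    mean = sum(training) / len(training)
    var = sum((v - mean) ** 2 for v in training) / len(training)
    return Profile(mean, var, alpha)


def detect(profile: Profile, events: list[float], threshold: float = 3.0) -> list[int]:
    """Analysis step: compare each event window against the profile and return the
    indexes of windows whose deviation exceeds the threshold. Only windows judged
    normal are fed back into the profile, so a burst does not poison the baseline."""
    flagged = []
    for i, x in enumerate(events):
        if profile.score(x) > threshold:
            flagged.append(i)  # response would be triggered here (automatic or manual)
        else:
            profile.update(x)
    return flagged


# Constructed sample data: per-second counts around 100 during baselining, then
# event windows containing a flood typical of a rate-based (DoS-style) anomaly.
NORMAL_WINDOWS = [98, 103, 100, 97, 101, 99, 102, 100, 96, 104]
EVENT_WINDOWS = [101, 99, 100, 102, 98, 900, 1200, 950, 100, 99]

if __name__ == "__main__":
    prof = build_profile(NORMAL_WINDOWS)
    print("flagged windows:", detect(prof, EVENT_WINDOWS))  # → [5, 6, 7]
```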