**2. Network intrusion detection systems framework**

**Figure 1** shows the Common Intrusion Detection Framework (CIDF), developed in conjunction with the Intrusion Detection Working Group (IDWG) of the Internet Engineering Task Force (IETF), which has been widely adopted as the reference way of representing an IDS. The framework defines a basic IDS architecture based on four functional modules.

*Event modules (E-Modules)* are a combination of sensing elements that continuously monitor the target system. They also pass the collected events on to the other three modules for further analysis.

*Analysis modules (A-Modules)* analyze the events and detect probable malicious behavior, raising an alarm when the conditions warrant it.

*Data storage modules (D-modules)* store the data from the E-Modules for further processing by the other modules.

*Response modules (R-Modules)* provide the response to the transactions, based on the information obtained from the analysis module.

#### **Figure 1.**

*Common intrusion detection framework architecture.*

**Figure 2** represents a common anomaly-based network IDS. The functional stages normally adopted in anomaly-based network intrusion detection systems (ANIDS) are as follows:

*Formation of attributes:* In this stage, the attributes (features) are preprocessed according to the target system.

*Observation stage:* A model is built from the behavioral features of the specified system; observations of intrusions can be carried out either automatically or by a manual detection procedure.

*Functional stage:* Also called the detection stage. Once the characterizing system model is available, the observed traffic is matched against it.

#### **Figure 2.**

*Common anomaly-based network IDS.*

#### **3. Anomaly-based intrusion detection techniques**

**Figure 3** represents the taxonomy of anomaly-based intrusion detection techniques. They are statistical based, cognitive based or knowledge based, machine learning or soft computing based, data mining based, user intention identification, and computer immunology.

#### **Figure 3.**

*Classification of anomaly-based intrusion detection techniques.*

*Anomaly-Based Intrusion Detection System DOI: http://dx.doi.org/10.5772/intechopen.82287*

**3.1 Statistical-based techniques**

Statistical-based techniques use statistical properties such as the mean and variance of normal transactions to build the normal profile [4]. Statistical tests are then employed to determine whether an observed transaction deviates from the normal profile. The IDS assigns a score to each transaction whose profile deviates from normal; if the score reaches the threshold, an alarm is raised. The threshold value is set based on the count of events that occur over a period of time.

Statistical-based techniques are further classified into the operational model or threshold metric, time series model, Markov process model or Markov model, parametric approaches, statistical moments or mean and standard deviation model, multivariate model, and nonparametric approaches.

The main advantages of statistical-based techniques are as follows:

i. They do not require any prior knowledge of attack signatures, so they can detect zero-day attacks.

ii. As the system does not depend on signatures, no signature updating is required; hence it is easy to maintain.

iii. Intrusion activities that occur over an extended period of time can be identified accurately, and they are good at detecting DoS attacks.

The disadvantages of statistical-based techniques are as follows:

i. They need accurate statistical distributions.

ii. The learning process of statistical-based techniques takes days or weeks to become accurate and effective.
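As an added example (not code from the chapter), the following Python script implements the "mean and standard deviation model" of Section 3.1: a normal profile is built from the count of events per fixed time window observed during a clean period, each new window is scored by how many standard deviations its count deviates from that profile, and an alarm is raised when the score reaches the threshold. The feature (failed SSH logins per one-minute window), the window length, the threshold of 3.0 and every log line are assumptions constructed for the example; the chapter specifies none of them. In terms of the CIDF modules of Section 2, `count_per_window` plays the E-module, the per-window counts are what the D-module would store, and `detect` is the A-module.

```python
"""Mean / standard-deviation anomaly detector over per-window event counts.

Added example, not code from the chapter. The normal profile is the mean and
population standard deviation of the number of events per fixed time window
during a clean training period; each observed window gets a z-score, and an
alarm is raised when that score reaches the threshold.
"""
import statistics
from collections import Counter
from dataclasses import dataclass

WINDOW_SECONDS = 60      # assumption: one-minute windows
ALARM_THRESHOLD = 3.0    # assumption: alarm at >= 3 standard deviations

# Constructed training data (not real measurements): failed SSH logins per
# one-minute window during a period known to be clean. Mean 3.3, std. dev. 0.9.
TRAINING_COUNTS = [3, 4, 2, 3, 5, 3, 4, 2, 3, 4]

# Constructed observation log (not real data). Each line: "<epoch> <sshd message>".
# The first four lines fall in one window; the burst from 203.0.113.77 in the next.
OBSERVED_LOG = """\
1700000003 sshd[811]: Failed password for root from 203.0.113.5 port 50122 ssh2
1700000011 sshd[812]: Accepted publickey for deploy from 192.0.2.10 port 50130 ssh2
1700000019 sshd[815]: Failed password for admin from 203.0.113.5 port 50140 ssh2
1700000031 sshd[818]: Failed password for root from 198.51.100.4 port 50151 ssh2
1700000046 sshd[820]: Failed password for root from 203.0.113.77 port 40001 ssh2
1700000049 sshd[821]: Failed password for root from 203.0.113.77 port 40002 ssh2
1700000052 sshd[822]: Failed password for root from 203.0.113.77 port 40003 ssh2
1700000055 sshd[823]: Failed password for root from 203.0.113.77 port 40004 ssh2
1700000058 sshd[824]: Failed password for root from 203.0.113.77 port 40005 ssh2
1700000061 sshd[825]: Failed password for root from 203.0.113.77 port 40006 ssh2
1700000064 sshd[826]: Failed password for root from 203.0.113.77 port 40007 ssh2
1700000067 sshd[827]: Failed password for root from 203.0.113.77 port 40008 ssh2
1700000070 sshd[828]: Failed password for root from 203.0.113.77 port 40009 ssh2
"""


@dataclass(frozen=True)
class Profile:
    """The normal profile: mean and standard deviation of events per window."""
    mean: float
    stdev: float


def build_profile(counts):
    """Learn the normal profile from per-window counts of a clean period."""
    if len(counts) < 2:
        raise ValueError("need at least two training windows")
    return Profile(statistics.mean(counts), statistics.pstdev(counts))


def window_of(line):
    """Window id for a failed-login line, or None for any other line."""
    ts_text, _, message = line.partition(" ")
    if "Failed password" not in message:
        return None
    return int(ts_text) // WINDOW_SECONDS


def count_per_window(log_text):
    """E-module: bucket failed-login events into per-window counts."""
    counts = Counter()
    for line in log_text.splitlines():
        window = window_of(line)
        if window is not None:
            counts[window] += 1
    return dict(counts)


def score(profile, count):
    """Deviation from the profile in standard deviations (z-score)."""
    if profile.stdev == 0.0:
        # Degenerate profile (constant training counts): deviations cannot be
        # scaled, so any change is reported as infinite instead of dividing by 0.
        return 0.0 if count == profile.mean else float("inf")
    return (count - profile.mean) / profile.stdev


def detect(profile, counts, threshold=ALARM_THRESHOLD):
    """A-module: (window, count, score, alarm) for each observed window, in time order."""
    results = []
    for window in sorted(counts):
        s = score(profile, counts[window])
        results.append((window, counts[window], s, s >= threshold))
    return results


if __name__ == "__main__":
    profile = build_profile(TRAINING_COUNTS)
    for window, count, s, alarm in detect(profile, count_per_window(OBSERVED_LOG)):
        state = "ALARM" if alarm else "ok"
        print(f"window {window}: {count} failed logins, score {s:+.2f} -> {state}")
```

The `stdev == 0` branch is the practical face of disadvantage (i): a profile learned from too little or too uniform data cannot scale deviations, so the detector reports any change as infinite rather than silently dividing by zero. Raising the threshold trades the burst-style behavior this model catches well (brute force, DoS) against false alarms on legitimate spikes, and the profile has to be relearned as normal traffic drifts, which is the slow learning of disadvantage (ii).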
