*Computer and Network Security*

**3.2 Cognitive-based or knowledge-based techniques**

Knowledge-based techniques are used to extract knowledge from specific attacks and system vulnerabilities. This knowledge can then be used to identify the intrusions or attacks happening in the network or system. They generate an alarm as soon as an attack is detected. They can be used for both misuse and anomaly-based detection [5].

The knowledge-based techniques possess good accuracy and very low false alarm rates. The knowledge gathered makes it easier for the security analyst to take preventive or corrective action.

The knowledge-based techniques are broadly classified as state transition analysis, expert systems, and signature analysis.

The knowledge-based techniques maintain the knowledge of each attack based on careful and detailed analysis, which is a time-consuming task. Keeping the prior knowledge of each attack up to date is a difficult task.

A knowledge-based IDS can detect the attacks whose patterns are known, but it is difficult for it to detect inside attacks. One of the solutions is data mining techniques. The core idea is to extract the useful patterns, and also the previously ignored patterns, from the dataset [6].

**3.3 Data mining-based techniques**

The data mining-based techniques are further classified into clustering, association rule discovery, classification, K-nearest neighbor, and decision tree methods. The key advantages of data mining-based techniques are as follows:

i. They can handle high dimensional data.

ii. As the precomputed models are designed in the training phase, comparing each instance at the testing phase can be done in a faster way.

iii. They can generate the patterns in unsupervised mode.

The key disadvantages of data mining-based techniques are as follows:

i. These methods identify abnormalities as a by-product of clustering and so are not optimized for anomaly detection.

ii. They require high storage and are slow in classifying due to high dimensionality.

**3.4 Machine learning or soft computing-based techniques**

Machine learning can be characterized as the capacity of a program or a framework to learn and improve its performance on a specific task or group of tasks over time [7]. Machine learning strategies emphasize building a framework that enhances its execution based on previous results, that is, it can change its execution strategy based on recently acquired data.

Machine learning-based techniques are broadly classified as Bayesian approaches, support vector machines, neural networks, fuzzy logic, and genetic algorithms. Their key advantages are flexibility, adaptability, and the capture of interdependencies. The disadvantages are high algorithmic complexity and long training times.

**3.5 User intention identification**

An intrusion detection system can be built based on the features that characterize user or system usage, to distinguish abnormal activities from normal activities. During the early investigation of anomaly detection, the main emphasis was on profiling system or user behavior from monitored system log or accounting log data. The log data or system log may contain UNIX shell commands, system calls, key strokes, audit events, and network packets used.
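As an added illustration (not code from the chapter), the following Python contrasts the two detector families described above: a knowledge-based signature matcher, which only fires on command sequences it already knows, and a user behaviour profile built from shell command histories (Section 3.5), which can flag an unfamiliar insider session that no signature covers. The sessions, the signature table, the Laplace smoothing and the threshold are all constructed assumptions.

```python
from collections import Counter
import math

# Constructed sample data: per-session UNIX shell command histories for one
# developer account, used to build that user's behaviour profile.
TRAINING_SESSIONS = [
    ["ls", "cd", "vim", "make", "git", "ls", "git"],
    ["cd", "ls", "vim", "make", "git", "ls"],
    ["ls", "git", "vim", "make", "ls", "cd", "vim"],
]

# Constructed signature table (hypothetical label): an ordered command
# sequence that prior analysis of a known attack produced.
SIGNATURES = {
    "known-attack-A": ("wget", "chmod", "nohup"),
}


def signature_alarms(session, signatures=SIGNATURES):
    """Knowledge-based detection: alarm on every known sequence in the session."""
    hits = []
    for name, pattern in signatures.items():
        n = len(pattern)
        windows = (tuple(session[i:i + n]) for i in range(len(session) - n + 1))
        if any(w == pattern for w in windows):
            hits.append(name)
    return hits


def build_profile(sessions):
    """Profile the user as raw command counts plus the total observed."""
    counts = Counter(cmd for s in sessions for cmd in s)
    return counts, sum(counts.values())


def anomaly_score(session, profile, alpha=1.0):
    """Mean negative log-likelihood of the session under the user's profile.
    Laplace smoothing (alpha) keeps never-seen commands finite but costly."""
    if not session:
        return 0.0
    counts, total = profile
    vocab = len(counts) + 1  # the +1 reserves probability mass for unseen commands
    nll = -sum(math.log((counts[c] + alpha) / (total + alpha * vocab)) for c in session)
    return nll / len(session)


def classify(session, profile, threshold=2.5):
    """Run both detectors; returns (signature hits, anomaly flag, score)."""
    hits = signature_alarms(session)
    score = anomaly_score(session, profile)
    return hits, score > threshold, score
```

A session built only from the user's usual commands scores low, while a session of unseen commands is flagged by the profile even though the signature matcher, having no pattern for it, stays silent.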
