*Computer and Network Security*

**Figure 1.** *Common intrusion detection framework architecture.*

**3. Anomaly-based intrusion detection techniques**

**Figure 2** represents the common anomaly-based network IDS. The functional stages normally adopted in anomaly-based network intrusion detection systems (ANIDS) are as follows:

*Formation of attributes:* In this stage, preprocessing of the attributes is done based on the target system.

*Observation stage:* A model is built on the basis of the behavioral features of the specified system; observations of intrusions can be carried out either automatically or by a manual detection procedure.

*Functional stage:* It is also called the detection stage. If the characterizing system model is available, it is matched against the observed traffic.

**Figure 2.** *Common anomaly-based network IDS.*

**Figure 3** represents the taxonomy of anomaly-based intrusion detection techniques. They are statistical based, cognitive based or knowledge based, machine learning or soft

#### **3.1 Statistical-based techniques**

Statistical-based techniques use statistical properties such as the mean and variance of normal transactions to build the normal profile [4]. Statistical tests are employed to determine whether an observed transaction deviates from the normal profile. The IDS assigns a score to each transaction whose profile deviates from normal; if the score reaches the threshold, an alarm is raised. The threshold value is set based on the count of events that occur over a period of time.

Statistical-based techniques are further classified into the operational model or threshold metric, time series model, Markov process model or Markov model, parametric approaches, statistical moments or mean and standard deviation model, multivariate model, and nonparametric approaches.

The main advantages of statistical-based techniques are as follows:

The disadvantages of statistical-based techniques are as follows:
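The profile-and-threshold scheme of Section 3.1, as an added Python example (not code from the chapter): a normal profile of per-feature mean and standard deviation, a deviation score taken as the largest absolute z-score, and an operational (threshold-metric) alarm that fires only when the count of deviating events in a time window reaches a limit. The traffic samples, the feature set (bytes per connection, duration, connections per minute), the z-score cut-off and the window are all constructed assumptions.

```python
"""Statistical anomaly detection: mean/variance profile, z-score deviation,
and an operational (threshold-metric) alarm. Added example, not from the
chapter; the samples and thresholds below are constructed/assumed."""
from collections import deque
from statistics import mean, pstdev

# Constructed "normal" observations: (bytes per connection, duration in s,
# connections per minute). A real profile would be built from a training window.
NORMAL = [
    (1200, 2.0, 5), (1350, 2.5, 6), (1100, 1.8, 4), (1400, 2.2, 6),
    (1250, 2.1, 5), (1300, 2.4, 5), (1150, 1.9, 4), (1450, 2.6, 6),
]


def build_profile(samples):
    """Normal profile: (mean, standard deviation) for every feature column."""
    return [(mean(col), pstdev(col)) for col in zip(*samples)]


def deviation_score(profile, observation):
    """Largest absolute z-score over all features (0.0 means exactly the mean).
    A zero standard deviation is replaced by 1.0 to avoid division by zero."""
    return max(abs(x - mu) / (sigma or 1.0)
               for x, (mu, sigma) in zip(observation, profile))


def detect(profile, events, z_threshold=3.0, window_s=60.0, min_count=3):
    """Operational (threshold-metric) model: count deviating events inside a
    sliding time window and raise an alarm when the count reaches min_count.
    events is a list of (timestamp_in_seconds, observation); returns the
    timestamps at which alarms were raised."""
    recent, alarms = deque(), []
    for t, obs in events:
        if deviation_score(profile, obs) < z_threshold:
            continue                      # within the normal profile
        recent.append(t)
        while t - recent[0] > window_s:   # drop deviations older than the window
            recent.popleft()
        if len(recent) >= min_count:
            alarms.append(t)
            recent.clear()                # start a fresh window after alarming
    return alarms


# Constructed event stream: one isolated deviation at t=10 (no alarm) and a
# burst of three deviations between t=300 and t=340 (one alarm).
STREAM = [
    (0.0, (1250, 2.1, 5)),
    (10.0, (1300, 2.2, 60)),    # 60 connections/min: deviating, but isolated
    (200.0, (1200, 2.0, 5)),
    (300.0, (9000, 2.1, 5)),    # deviating (bytes)
    (320.0, (1300, 2.0, 55)),   # deviating (connections/min)
    (340.0, (8500, 2.2, 5)),    # deviating (bytes): third in the window -> alarm
    (500.0, (1250, 2.1, 5)),
]

PROFILE = build_profile(NORMAL)

if __name__ == "__main__":
    print("alarms at:", detect(PROFILE, STREAM))
```

The window/count step is what separates the operational model from a plain z-score test: a single outlier in the stream above never reaches the analyst, while the burst does, which keeps the false-alarm rate down at the cost of missing slow, isolated deviations.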

#### **3.2 Cognitive-based or knowledge-based techniques**

Knowledge-based techniques are used to extract the knowledge from the specific attacks and system vulnerabilities. This knowledge can be further used to identify the intrusions or attacks happening in the network or system. They generate alarm as soon as an attack is detected. They can be used for both misuse and anomaly-based detection [5].
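Two of the knowledge-based approaches named in this section, signature analysis and state transition analysis, as an added Python example (not code from the chapter): a small signature table of regexes applied line by line, and a per-source login state machine whose alerting transition is an accepted login that follows a run of failures. The sshd/httpd log lines are constructed, and the signature patterns, failure threshold and time window are assumptions.

```python
"""Knowledge-based detection: signature analysis and state transition analysis.
Added example, not code from the chapter; all log lines are constructed."""
import re
from datetime import datetime

# --- Signature analysis: known attack patterns written as regexes (assumed) --
SIGNATURES = {
    "ssh-invalid-user": re.compile(r"sshd.*Invalid user \S+ from \S+"),
    "http-path-traversal": re.compile(r'"GET \S*\.\./\S* HTTP/'),
}


def match_signatures(line):
    """Names of every signature that fires on one log line."""
    return [name for name, rx in SIGNATURES.items() if rx.search(line)]


# --- State transition analysis: a per-source login state machine ------------
TS = re.compile(r"^(\S+) ")
FAILED = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+)")


class LoginStateMachine:
    """States per source address: IDLE -> FAILING -> BRUTEFORCING.
    FAILING becomes BRUTEFORCING once fail_threshold failures fall inside
    window_s; an accepted login while BRUTEFORCING is the alerting transition,
    and any accepted login returns the source to IDLE."""

    def __init__(self, fail_threshold=3, window_s=300):
        self.n, self.window = fail_threshold, window_s
        self.state = {}    # src -> (state name, timestamps of recent failures)
        self.alerts = []   # (src, user, failures before the success)

    def _fresh(self, stamps, now):
        return [s for s in stamps if (now - s).total_seconds() <= self.window]

    def feed(self, line):
        m = TS.match(line)
        if not m:
            return
        t = datetime.fromisoformat(m.group(1))
        if f := FAILED.search(line):
            _user, src = f.groups()
            stamps = self._fresh(self.state.get(src, ("IDLE", []))[1], t) + [t]
            name = "BRUTEFORCING" if len(stamps) >= self.n else "FAILING"
            self.state[src] = (name, stamps)
        elif a := ACCEPTED.search(line):
            user, src = a.groups()
            stamps = self._fresh(self.state.get(src, ("IDLE", []))[1], t)
            if len(stamps) >= self.n:            # still BRUTEFORCING at success
                self.alerts.append((src, user, len(stamps)))
            self.state[src] = ("IDLE", [])


def analyze(lines, **kw):
    """Run both analyses over a list of log lines."""
    sm = LoginStateMachine(**kw)
    hits = []
    for i, line in enumerate(lines):
        hits.extend((i, name) for name in match_signatures(line))
        sm.feed(line)
    return {"signature_hits": hits, "state_alerts": sm.alerts}


# Constructed log excerpt (not real data).
LOG = """\
2024-01-01T10:00:01 sshd[101]: Invalid user test from 10.0.0.9 port 51000
2024-01-01T10:00:05 sshd[102]: Failed password for admin from 10.0.0.7 port 51001
2024-01-01T10:00:09 sshd[103]: Failed password for admin from 10.0.0.7 port 51002
2024-01-01T10:00:14 sshd[104]: Failed password for admin from 10.0.0.7 port 51003
2024-01-01T10:00:20 sshd[105]: Accepted password for admin from 10.0.0.7 port 51004
2024-01-01T10:01:00 sshd[106]: Failed password for bob from 10.0.0.8 port 51005
2024-01-01T10:01:03 sshd[107]: Accepted password for bob from 10.0.0.8 port 51006
2024-01-01T10:02:00 httpd: 10.0.0.9 "GET /app/../../secret HTTP/1.1" 404
""".splitlines()

RESULT = analyze(LOG)

if __name__ == "__main__":
    print(RESULT)
```

The signature table gives the low false-alarm rate the section credits to knowledge-based techniques, since each hit is a literal match on a pattern an analyst wrote, while the state machine shows why maintaining that knowledge is costly: the threshold, the window and the event regexes all have to be revisited whenever the monitored system or its log format changes.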

The knowledge-based techniques are broadly classified as state transition analysis, expert systems, and signature analysis.

The knowledge-based techniques possess good accuracy and very low false alarm rates. The knowledge gathered makes it easier for the security analyst to take preventive or corrective action.

The knowledge-based techniques maintain the knowledge of each attack based on careful and detailed analysis, which is a time-consuming task. Keeping the prior knowledge of each attack up to date is also difficult.

#### **3.3 Data mining-based techniques**

A knowledge-based IDS can detect attacks whose patterns are known, but it has difficulty detecting insider attacks. One solution is data mining techniques. The core idea is to extract useful patterns, including previously ignored patterns, from the dataset [6].

The data mining-based techniques are further classified into clustering, association rule discovery, classification, K-nearest neighbor, and decision tree methods.

The key advantages of data mining-based techniques are as follows:

The key disadvantages of data mining-based techniques are as follows:

#### **3.4 Machine learning or soft computing-based techniques**

Machine learning can be characterized as the capacity of a program, or more generally a framework, to learn and improve its performance on a specific task or group of tasks over time [7]. Machine learning strategies emphasize building a framework that improves its performance based on previous results, that is, one that can change its execution strategy based on newly acquired data.

Machine learning-based techniques are broadly classified as Bayesian approaches, support vector machines, neural networks, fuzzy logic, and genetic algorithms. Their key advantages are flexibility, adaptability, and the capture of interdependencies. The disadvantages are high algorithmic complexity and long training times.

#### **3.5 User intention identification**

An intrusion detection system can be built on the features that characterize user or system usage, to distinguish abnormal activities from normal ones. During the early investigation of anomaly detection, the main emphasis was on profiling system or user behavior from monitored system log or accounting log data. The log data or system log may contain UNIX shell commands, system calls, key strokes, audit events, and network packages used.

#### **3.6 Computer immunology**

Computer immunology is a field of science that includes high-throughput genomic and bioinformatics approaches to immunology. The main objective is to convert immunological data into computational problems, solve these problems using statistical and computational approaches, and then convert the results into immunologically meaningful interpretations.

**4. NSL-KDD dataset**

The NSL-KDD [8] dataset is a refined version of its predecessor, the KDD99 dataset. NSL-KDD comprises close to 4,900,000 unique connection vectors, where every connection vector consists of 41 features, of which 34 are continuous and 7 are discrete. Each vector is labeled as either normal or attack. There are four major categories of attacks labeled in NSL-KDD: denial of service attack, probing attack, users-to-root attack, and remote-to-local attack.

i. *Denial of service attack (DoS):* Denial of service is an attack category which exhausts the victim's assets, thereby making it unable to handle legitimate requests. Examples of DoS attacks are "teardrop," "neptune," "ping of death (pod)," "mail bomb," "back," "smurf," and "land."

ii. *Probing attack (PROBE):* The objective of surveillance and other probing attacks is to gain information about the remote victim. Examples of probing attacks are "nmap," "satan," "ipsweep," and "portsweep."

iii. *Users-to-root attack (U2R):* The attacker enters the local system using the authorized credentials of the victim user and tries to exploit vulnerabilities to gain administrator privileges. Examples of U2R attacks are "load module," "buffer overflow," "rootkit," and "perl."

iv. *Remote-to-local attack (R2L):* The attacker accesses the targeted system or network from a remote machine and tries to gain local access to the victim machine. Examples of R2L attacks are "phf," "warezmaster," "warezclient," "spy," "imap," "ftp write," "multihop," and "guess passwd."

**5. Issues and challenges in anomaly-based intrusion detection systems**

Although many methods and systems have been developed by the research community, there are still a number of open research issues and challenges. Some of the research issues and challenges of AIDS are as follows:

*Anomaly-Based Intrusion Detection System DOI: http://dx.doi.org/10.5772/intechopen.82287*
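The NSL-KDD record layout of Section 4 and the K-nearest-neighbor classification listed under the data mining techniques of Section 3.3, as one added Python example (not code from the chapter): a parser for the 41-feature CSV layout, a label-to-category map built from the example labels the chapter lists for DoS, PROBE, U2R and R2L, and a k-NN classifier over the 34 continuous features after min-max scaling. The records are constructed in NSL-KDD layout (41 features, label, difficulty column) and are not real dataset rows; the feature names are the standard KDD99/NSL-KDD names, and the chosen k, the scaling and the sample values are assumptions.

```python
"""NSL-KDD records: parsing the 41-feature layout, mapping labels to the four
attack categories, and k-nearest-neighbour classification over the continuous
features. Added example, not from the chapter; the rows are constructed."""
import csv
import io
import math
from collections import Counter

FEATURES = [  # the 41 KDD99/NSL-KDD feature names, in file order
    "duration", "protocol_type", "service", "flag", "src_bytes", "dst_bytes",
    "land", "wrong_fragment", "urgent", "hot", "num_failed_logins", "logged_in",
    "num_compromised", "root_shell", "su_attempted", "num_root",
    "num_file_creations", "num_shells", "num_access_files", "num_outbound_cmds",
    "is_host_login", "is_guest_login", "count", "srv_count", "serror_rate",
    "srv_serror_rate", "rerror_rate", "srv_rerror_rate", "same_srv_rate",
    "diff_srv_rate", "srv_diff_host_rate", "dst_host_count", "dst_host_srv_count",
    "dst_host_same_srv_rate", "dst_host_diff_srv_rate",
    "dst_host_same_src_port_rate", "dst_host_srv_diff_host_rate",
    "dst_host_serror_rate", "dst_host_srv_serror_rate", "dst_host_rerror_rate",
    "dst_host_srv_rerror_rate",
]
DISCRETE = {"protocol_type", "service", "flag", "land", "logged_in",
            "is_host_login", "is_guest_login"}            # the 7 discrete features
CONTINUOUS = [f for f in FEATURES if f not in DISCRETE]  # the 34 continuous ones

CATEGORY = {  # label -> category, from the example labels listed in Section 4
    "dos": {"teardrop", "neptune", "pod", "mailbomb", "back", "smurf", "land"},
    "probe": {"nmap", "satan", "ipsweep", "portsweep"},
    "u2r": {"loadmodule", "buffer_overflow", "rootkit", "perl"},
    "r2l": {"phf", "warezmaster", "warezclient", "spy", "imap", "ftp_write",
            "multihop", "guess_passwd"},
}


def category_of(label):
    """Map a record label ('neptune', 'normal.', ...) to one of the categories."""
    lbl = label.strip().lower().rstrip(".")
    if lbl == "normal":
        return "normal"
    return next((cat for cat, names in CATEGORY.items() if lbl in names), "unknown")


def parse(text):
    """CSV text -> list of (feature dict, category); short rows are skipped."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 42:                     # 41 features + label (+ difficulty)
            rows.append((dict(zip(FEATURES, row[:41])), category_of(row[41])))
    return rows


def vector(feats):
    return [float(feats[f]) for f in CONTINUOUS]


def knn_predict(train, query, k=3):
    """Majority vote of the k nearest training rows (Euclidean distance after
    min-max scaling fitted on the training rows)."""
    vecs = [vector(f) for f, _ in train]
    lo = [min(c) for c in zip(*vecs)]
    hi = [max(c) for c in zip(*vecs)]

    def scale(v):
        return [(x - l) / (h - l) if h > l else 0.0 for x, l, h in zip(v, lo, hi)]

    q = scale(vector(query))
    ranked = sorted((math.dist(scale(v), q), cat) for v, (_, cat) in zip(vecs, train))
    return Counter(cat for _, cat in ranked[:k]).most_common(1)[0][0]


def make_record(label, **over):
    """One constructed NSL-KDD-style line: zeros except for the overrides."""
    base = {f: "0" for f in FEATURES}
    base.update(protocol_type="tcp", service="http", flag="SF")
    base.update({k: str(v) for k, v in over.items()})
    return ",".join(base[f] for f in FEATURES) + f",{label},21"


# Constructed training rows: three normal, three DoS, two PROBE.
TRAIN = parse("\n".join([
    make_record("normal", duration=2, src_bytes=300, dst_bytes=1500, count=3, same_srv_rate=1.0),
    make_record("normal", duration=1, src_bytes=250, dst_bytes=1200, count=2, same_srv_rate=1.0),
    make_record("normal", duration=3, src_bytes=320, dst_bytes=1800, count=4, same_srv_rate=1.0),
    make_record("neptune", count=250, serror_rate=1.0, same_srv_rate=0.05, flag="S0"),
    make_record("neptune", count=230, serror_rate=1.0, same_srv_rate=0.06, flag="S0"),
    make_record("smurf", src_bytes=1032, count=511, same_srv_rate=1.0, protocol_type="icmp", service="ecr_i"),
    make_record("portsweep", count=1, rerror_rate=1.0, diff_srv_rate=1.0, flag="REJ"),
    make_record("portsweep", count=2, rerror_rate=1.0, diff_srv_rate=1.0, flag="REJ"),
]))
# Two unlabeled query rows (label "?" maps to "unknown" and is ignored).
QUERY_SYN = parse(make_record("?", count=240, serror_rate=1.0, same_srv_rate=0.05, flag="S0"))[0][0]
QUERY_SCAN = parse(make_record("?", count=1, rerror_rate=1.0, diff_srv_rate=1.0, flag="REJ"))[0][0]

if __name__ == "__main__":
    print(knn_predict(TRAIN, QUERY_SYN), knn_predict(TRAIN, QUERY_SCAN))
```

Scaling before the distance computation matters: without it, `src_bytes` and `count` would dominate every rate feature, and the classifier would effectively ignore the `serror_rate` and `rerror_rate` columns that separate the two attack categories here. The discrete features (protocol, service, flag) are left out of the distance; a fuller treatment would one-hot encode them.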
