Detection based on System activity that
matches what has been defined as abnormal. [CCN-STIC-432:2006]
Detection of deviations from what would be the
expected behaviour of something. For it to work, the behaviour that counts as
"normal" must be characterised beforehand, so that deviations from it
can be identified. That prior definition may be a
specification, or the result of a supervised learning process.
(I) An intrusion detection
method that searches for activity that is different from the normal behavior of
system entities and system resources. (See: IDS. Compare:
misuse detection.) [RFC4949:2007]
The process of comparing
definitions of what activity is considered normal against observed events to
identify significant deviations. [NIST-SP800-94:2007]
Detects any unacceptable
deviation from expected behavior. A profile of expected behavior is defined in
advance, either manually or automatically. Software that collects and processes
characteristics of system behavior over time and forms a statistically valid
sample of such behavior is used to create automatically-developed
profiles. Some of these deviations do
not require further examination and some do.
An anomaly might include:
· Users logging on at strange hours or from unfamiliar sites on the network.
· Unexplained reboots or changes to system clocks.
· Unusual error messages from mailers, daemons, or other servers.
· Multiple failed logon attempts with bad passwords.
· Unauthorized use of the su command to gain UNIX root access.
http://www.qtsnet.com/SecuritySolutions/security_glossary.html
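The definitions above all share one mechanism: learn a profile of "normal" first, then compare observed events against it. The following Python is an added illustration of that mechanism and is not part of any glossary cited on this page. It builds a per-user profile (login hours, source hosts, prior use of su to root) from a constructed learning-period log, then flags several of the anomaly types listed above in a constructed set of observed events. The log format, user names, hosts and thresholds are all assumptions made for the example.

```python
"""Profile-based anomaly detection over constructed authentication log lines.
Added example, not glossary text; format, names, hosts and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format: "<ISO timestamp> <EVENT> user=<u> src=<host> [target=<account>]"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<event>\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: target=(?P<target>\S+))?$"
)

# Constructed learning-period records: a week of normal activity for two users.
BASELINE_LOG = """\
2024-03-04T08:55:10 LOGIN_OK user=alice src=10.0.1.20
2024-03-04T09:02:41 LOGIN_OK user=bob src=10.0.1.31
2024-03-05T08:58:03 LOGIN_OK user=alice src=10.0.1.20
2024-03-05T17:10:22 LOGIN_OK user=bob src=10.0.1.31
2024-03-06T09:01:37 LOGIN_OK user=alice src=10.0.1.21
2024-03-06T14:22:09 SU_OK user=bob src=10.0.1.31 target=root
2024-03-07T08:49:55 LOGIN_OK user=alice src=10.0.1.20
2024-03-07T10:15:00 LOGIN_OK user=bob src=10.0.1.31
"""

# Constructed events to evaluate against the learned profile.
OBSERVED_LOG = """\
2024-03-11T08:57:30 LOGIN_OK user=alice src=10.0.1.20
2024-03-11T03:12:44 LOGIN_OK user=alice src=203.0.113.7
2024-03-11T09:00:05 LOGIN_FAIL user=bob src=10.0.1.31
2024-03-11T09:00:07 LOGIN_FAIL user=bob src=10.0.1.31
2024-03-11T09:00:09 LOGIN_FAIL user=bob src=10.0.1.31
2024-03-11T09:00:11 LOGIN_FAIL user=bob src=10.0.1.31
2024-03-11T09:00:13 LOGIN_OK user=bob src=10.0.1.31
2024-03-11T09:30:00 SU_OK user=alice src=10.0.1.20 target=root
"""

FAILED_LOGIN_THRESHOLD = 3  # assumption: more failures than this in the window is anomalous
FAIL_WINDOW_SECONDS = 60    # assumption: sliding window for counting failures


def parse(log_text):
    """Yield parsed records as dicts; the timestamp field becomes a datetime."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: ignored here, worth its own alert in practice
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        yield rec


def build_profile(records):
    """Learn per-user 'normal': login hours seen, source hosts seen, whether su to root was used."""
    profile = defaultdict(lambda: {"hours": set(), "hosts": set(), "uses_su": False})
    for r in records:
        p = profile[r["user"]]
        if r["event"] == "LOGIN_OK":
            p["hours"].add(r["ts"].hour)
            p["hosts"].add(r["src"])
        elif r["event"] == "SU_OK" and r["target"] == "root":
            p["uses_su"] = True
    return profile


def detect(records, profile):
    """Return (timestamp, user, reason) tuples for events that deviate from the profile."""
    anomalies = []
    recent_fails = defaultdict(list)  # user -> timestamps of failures inside the window
    for r in records:
        user, ts, p = r["user"], r["ts"], profile.get(r["user"])
        if p is None:
            anomalies.append((ts, user, "user never seen during learning period"))
            continue
        if r["event"] == "LOGIN_OK":
            # Tolerate one hour either side of the learned hours so 08:59 is not 'strange'.
            if not any(abs(ts.hour - h) <= 1 for h in p["hours"]):
                anomalies.append((ts, user, f"login at unusual hour {ts.hour:02d}"))
            if r["src"] not in p["hosts"]:
                anomalies.append((ts, user, f"login from unfamiliar host {r['src']}"))
        elif r["event"] == "LOGIN_FAIL":
            window = [t for t in recent_fails[user] if (ts - t).total_seconds() <= FAIL_WINDOW_SECONDS]
            window.append(ts)
            recent_fails[user] = window
            if len(window) > FAILED_LOGIN_THRESHOLD:
                anomalies.append((ts, user, f"{len(window)} failed logins within {FAIL_WINDOW_SECONDS}s"))
        elif r["event"] == "SU_OK" and r["target"] == "root" and not p["uses_su"]:
            anomalies.append((ts, user, "su to root by a user who never used su before"))
    return anomalies


def run():
    """Learn from the baseline log, then evaluate the observed log against it."""
    return detect(parse(OBSERVED_LOG), build_profile(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for ts, user, reason in run():
        print(f"{ts.isoformat()} {user}: {reason}")
```

On the constructed input, the 03:12 login by alice produces two findings (unusual hour and unfamiliar host), bob's fourth failure within a minute trips the threshold, and alice's first-ever su to root is flagged, while the routine logins are silent. As the NIST and CCN-STIC definitions stress, the quality of the result depends entirely on the learning period: any misuse that occurred while the profile was being built becomes part of "normal" and is never reported.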