Data Mining - Intrusion detection systems (IDS) / Intrusion Prevention / Misuse

Thomas Bayes


Classical security mechanisms, i.e. authentication and encryption, and infrastructure components like firewalls cannot provide perfect security.

Therefore, intrusion detection systems (IDS) have been introduced as a third line of defense.

They are event-mining application.

The techniques classically applied within IDS can be subdivided into two main categories:




Misuse detection is a supervised algorithm that tries to detect patterns of known attacks within the audit stream of a system, i.e. it identifies attacks directly.

The main disadvantage of this approach is that the underlying database of attack patterns must be kept up-to-date and consistent.

Because misuse detection techniques depend on the knowledge of recognized attack patterns, they cannot detect new attacks.


The opposite approach would be the specification of the desired or positive behavior of users and processes. Based on this normative specification of positive behavior attacks are identified by observing derivations from the norm. Therefore, this technique is called Anomaly Detection.

The main problem with anomaly detection techniques is to determine the positive behavior. Two general approaches exist:

  • Learning user and process behavior, and
  • Specification of user and process behavior

The former approach is often based on statistical methods like the calculation of means, variations and multivariate statistics. Other methods use learning algorithms like e.g. neural networks or Bayesian classifiers. This approach is particular popular for the profiling of users.

Although intelligent techniques can improve the security of a system, they rarely give a clear picture of the level of security they can guarantee. In contrast non-intelligent techniques like e.g. specification-based approaches extend the general security policy, and clearly define their guaranteed level of security.


  • The implementation are made based on a session with an id based over an IP or a cookie.
  • Honey Pot: not visible URL with a no-index
  • DNS Lookup to see if this is a good bot
  • URL Pattern

Discover More

Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. is a log parser. It cannot do anything before something is written in the log files. ...
Software Security
Software Security

Security regroups many subject area. The most known are: Identity management with: authentication (user/password) and its method (ldap, table, ...) authorization (group, privileges and role, object...

Share this page:
Follow us:
Task Runner