See:
· Intrusion detection system
Detection based on system activity that matches activity defined as abnormal. [CCN-STIC-432:2006]
Detection of deviations from what would be the expected behaviour of something. For it to work, the behaviour that is to be characterised as "normal" must be defined beforehand, so that deviations from it can be identified. That prior definition may be a specification, or the result of a supervised learning process.
(I) An intrusion detection method that searches for activity that is different from the normal behavior of system entities and system resources. (See: IDS. Compare: misuse detection.) [RFC4949:2007]
The process of comparing definitions of what activity is considered normal against observed events to identify significant deviations. [NIST-SP800-94:2007]
Detects any unacceptable deviation from expected behavior. A profile of expected behavior is defined in advance, either manually or automatically. Software that collects and processes characteristics of system behavior over time and forms a statistically valid sample of such behavior is used to create automatically-developed profiles. Some of these deviations do not require further examination and some do. An anomaly might include
· Users logging on at strange hours or from unfamiliar sites on the network.
· Unexplained reboots or changes to system clocks.
· Unusual error messages from mailers, daemons, or other servers.
· Multiple failed logon attempts with bad passwords.
· Unauthorized use of the su command to gain UNIX root access.
http://www.qtsnet.com/SecuritySolutions/security_glossary.html
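As an added illustration of the profile-based detection described above (example code, not part of the glossary or of any cited standard): a behaviour profile is learned from a constructed baseline of logon records, and new events are scored against it for the two anomalies the list names, logons at unusual hours or from unfamiliar hosts, and bursts of failed logons. All user names, hosts and thresholds are constructed for the example.

```python
"""Toy behaviour-profile anomaly detector (added example, not from the glossary)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "normal period" logon records: (user, logon_hour, source_host).
BASELINE = [
    ("alice", 9, "ws-01"), ("alice", 10, "ws-01"), ("alice", 9, "ws-01"),
    ("alice", 11, "ws-01"), ("alice", 8, "ws-01"), ("alice", 10, "ws-01"),
    ("bob", 14, "ws-07"), ("bob", 15, "ws-07"), ("bob", 13, "ws-07"),
    ("bob", 16, "ws-07"), ("bob", 14, "ws-07"), ("bob", 15, "ws-07"),
]

# Constructed observation window of (user, logon_succeeded) pairs.
EVENTS = [("carol", False)] * 5 + [("alice", True), ("bob", False), ("bob", True)]


def build_profiles(records):
    """Learn, per user, mean/stdev of logon hour and the set of usual source hosts."""
    hours, hosts = defaultdict(list), defaultdict(set)
    for user, hour, host in records:
        hours[user].append(hour)
        hosts[user].add(host)
    return {u: {"mean": mean(h), "sd": pstdev(h), "hosts": hosts[u]}
            for u, h in hours.items()}


def score_event(profiles, user, hour, host, z_threshold=2.0):
    """Return the reasons an event deviates from the user's profile ([] if normal)."""
    p = profiles.get(user)
    if p is None:
        return ["no profile for user"]   # unseen principal: worth a look on its own
    sd = p["sd"] or 1.0                  # perfectly regular user: avoid division by zero
    reasons = []
    if abs(hour - p["mean"]) / sd > z_threshold:
        reasons.append(f"logon at unusual hour {hour:02d}:00")
    if host not in p["hosts"]:
        reasons.append(f"logon from unfamiliar host {host}")
    return reasons


def failed_logon_burst(events, threshold=5):
    """Users with at least `threshold` failed logons in the observed window."""
    failures = defaultdict(int)
    for user, ok in events:
        if not ok:
            failures[user] += 1
    return {u: n for u, n in failures.items() if n >= threshold}


PROFILES = build_profiles(BASELINE)

if __name__ == "__main__":
    print(score_event(PROFILES, "alice", 3, "ws-01"))   # unusual hour
    print(failed_logon_burst(EVENTS))                    # {'carol': 5}
```

The hour deviation is scored linearly, so a profile straddling midnight would need a circular distance; the threshold and burst count are tuning knobs that decide which deviations merit further examination.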
Related topics