Anomaly-Based Intrusion Detection

Abstract

Anomaly-based intrusion detection has become an indispensable player on the existing cybersecurity landscape, where it enables the identification of suspicious behaviors that significantly differ from normal activities. In this way, it is possible to discover never-seen-before threats and provide zero-day recognition capabilities. But the recent advances on communication technologies are leading to changes in the monitoring scenarios that result in novel challenges to be taken into consideration, as is the case of greater data heterogeneity, adversarial attacks, energy consumption, or lack of up-to-date datasets. With the aim on bringing the reader closer to them, this chapter deepens the following topics: evolution of the anomaly definition, anomaly recognition for network-based intrusion detection, outlier characterizations, knowledge acquisition for usage modelling, distances and similarity measures for decision-making, anomaly recognition and non-stationarity, metrics and evaluation methodologies, and challenges related with the emergent monitorization environments.