Anomaly-based IDS
Definition
An intrusion detection system that models normal traffic behaviour and alerts when observed traffic deviates significantly from that baseline. Detects novel attacks but generates more false positives than signature engines on the same traffic.
Related terms
- Five-tuple: The five fields that uniquely identify a network flow: source IP address, source port, destination IP address, destination port, and transport protocol...
- Lateral movement: Attacker activity after initial compromise in which the threat actor traverses from one internal system to another, typically to escalate privileges, access...
- Proxy log: A record generated by a forward proxy server for each HTTP or HTTPS request made by an internal client. Contains the URL,...
- Signature-based IDS: An intrusion detection system that compares network traffic against a database of known attack patterns (signatures). Snort and Suricata are the dominant...
- True positive / false positive: A true positive is an alert that correctly identifies malicious activity. A false positive is an alert that fires on legitimate traffic....
Explained in
- Firewall and Intrusion Detection Log Analysis