Anomaly
JSR:
Definition of "Anomaly" - something that deviates from what is standard, normal, or expected.
So, for example, if a student who always comes to class on time is late one time, that is an anomaly.
You should look at this in comparison to signature-based detection and packet-filtering firewalls. The idea is that, assuming certain malware writers have figured out how to trick signature-based detection and firewalls, one strategy for malware detection is to look for something suspicious, i.e. something out of the ordinary, i.e. an anomaly.
Avinash:
Prompts:
- How does anomaly-based detection of malware work?
- Define Whitelisting.
Anomaly-based detection is a fancy way of describing a system that picks out data and program code that is not “normal”. The system it uses is governed by a heuristic principle: it looks for code and patterns in files that are commonly seen ‘symptoms’ of a certain family of viruses, bots, etc., and singles out the file, sending it to be scanned comprehensively. Anomaly-based detection can work against highly camouflaged and innocuous-looking viruses, whereas basic string scanning using a string search program cannot detect the camouflaged bits. Another advantage of anomaly-based detection and its associated heuristic systems is in zero-day attacks; it can protect against malware previously unknown to the user. However, this method does have disadvantages: it has a relatively high false-positive rate, and the heuristics system is often complicated. One option to reduce the number of false positives is whitelisting. Whitelisting is the process of compiling verified email addresses into a list that is checked against for spam detection. If the sender is not in that list, then depending on the mail server settings the email may go to the user’s junk folder, spam folder, in-box or trash.
Neel:
16. How does anomaly-based detection of malware work?
Anomaly-based intrusion detection systems (which are more advanced than signature-based systems) are detection systems that constantly check systems for any 'unusual' or anomalous activity which is not native to normal system operations. The nature of the function is based on rules that 'teach' the system to recognize normal system activity through (most commonly) the use of artificial intelligence to learn normal system behavior. Another method that is used in ABIDS is for the system to follow a strict mathematical model and detect any type of activity which is different from the model.
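Worked example, added here as an illustration of both Avinash's and Neel's answers; it is not code from the wiki page or from any of its contributors. It builds the "mathematical model of normal" Neel describes (per-user mean and standard deviation of failed logins per hourly window, learned from a training log), flags later windows whose z-score exceeds a threshold, and applies a whitelist of known-noisy hosts to suppress false positives, the trade-off Avinash mentions. The log format, the host and user names, the attacker address 203.0.113.9 (a documentation range) and the threshold of 3.0 are all constructed assumptions for the example; the training and test log lines are generated inline so it runs offline.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log format (assumption): "<ISO timestamp> host=<h> user=<u> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} "
    r"host=(?P<host>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

THRESHOLD = 3.0  # z-score at which a window is flagged; raising it trades false positives for misses


def make_training_log():
    """Constructed 'normal' week: alice logs in 5x per window and mistypes once
    in most windows; bob logs in 3x per window and never fails."""
    lines = []
    for day in range(1, 8):
        for hour in (9, 13, 17):
            stamp = f"2024-03-{day:02d}T{hour:02d}"
            for i in range(5):
                lines.append(f"{stamp}:{i:02d}:00 host=laptop-1 user=alice result=ok")
            if hour != 17:
                lines.append(f"{stamp}:30:00 host=laptop-1 user=alice result=fail")
            for i in range(3):
                lines.append(f"{stamp}:{10 + i:02d}:00 host=desk-7 user=bob result=ok")
    return lines


def window_stats(lines):
    """Per (user, hour) window: number of failed logins and the hosts that failed."""
    fails, hosts, seen = defaultdict(int), defaultdict(set), set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not fit the constructed format are ignored
        key = (m["user"], m["hour"])
        seen.add(key)
        if m["result"] == "fail":
            fails[key] += 1
            hosts[key].add(m["host"])
    return {k: (fails[k], frozenset(hosts[k])) for k in seen}


def build_baseline(training_lines):
    """Learn 'normal': mean and population stddev of failures per window, per user."""
    per_user = defaultdict(list)
    for (user, _hour), (n_fail, _hosts) in window_stats(training_lines).items():
        per_user[user].append(n_fail)
    return {u: (mean(v), pstdev(v)) for u, v in per_user.items()}


def zscore(x, mu, sigma):
    if sigma == 0:
        # degenerate baseline (the user never varied): any increase is a deviation
        return float("inf") if x > mu else 0.0
    return (x - mu) / sigma


def detect(baseline, lines, whitelist=frozenset()):
    """Return alerts (user, hour, n_fail, z) for windows that deviate from the baseline.
    Windows whose failures all come from whitelisted hosts are suppressed."""
    alerts = []
    for (user, hour), (n_fail, hosts) in sorted(window_stats(lines).items()):
        if user not in baseline:
            # no model for this account: activity from an unknown user is itself anomalous
            alerts.append((user, hour, n_fail, float("inf")))
            continue
        z = zscore(n_fail, *baseline[user])
        if z < THRESHOLD:
            continue
        if hosts and hosts <= whitelist:
            continue  # known-noisy source: this is where whitelisting cuts false positives
        alerts.append((user, hour, n_fail, z))
    return alerts


# Constructed test traffic: alice's usual pattern, a password spray against bob from an
# address no signature list has seen yet, and a whitelisted scanner hammering alice.
TEST_LOG = [
    "2024-03-08T09:00:00 host=laptop-1 user=alice result=ok",
    "2024-03-08T09:30:00 host=laptop-1 user=alice result=fail",
    *[f"2024-03-08T10:{i:02d}:00 host=203.0.113.9 user=bob result=fail" for i in range(6)],
    *[f"2024-03-08T11:{i:02d}:00 host=scanner-1 user=alice result=fail" for i in range(8)],
]
WHITELIST = frozenset({"scanner-1"})  # hypothetical known-benign host

if __name__ == "__main__":
    base = build_baseline(make_training_log())
    for user, (mu, sigma) in sorted(base.items()):
        print(f"baseline {user}: mean={mu:.2f} stddev={sigma:.2f} failures/window")
    for alert in detect(base, TEST_LOG, WHITELIST):
        print("ALERT", alert)
```

With the whitelist applied, only bob's window is reported: the spray is caught without any signature for the source address, which is the zero-day advantage both answers mention. Run without the whitelist, the scanner's burst against alice is also flagged, which is the false-positive cost; the whitelist is what removes it.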