An observation-centric analysis on the modeling of anomaly-based intrusion detection

Zonghua Zhang, Hong Shen, Yingpeng Sang

Research output: Contribution to journalArticlepeer-review

10 Citations (Scopus)


It is generally agreed that two key points always attract special concerns during the modelling of anomaly-based intrusion detection. One is the techniques about discerning two classes with different features, another is the construction/selection of the observed sample of normally occurring patterns for system normality characterization. In this paper, instead of focusing on the design of specific anomaly detection models, we restrict our attention to the analysis of the anomaly detector's operating environments, which facilitates us to insight into anomaly detectors' operational capabilities, including their detection coverage and blind spots, and thus to evaluate them in convincing manners. Taking the similarity with the induction problem as the starting point, we cast anomaly detection in a statistical framework, which gives a formal analysis of anomaly detector's anticipated behavior from a high level. Some existing problems and possible solutions about the normality characterization for the observable subjects that from hosts and networks are addressed respectively. As case studies, several typical anomaly detectors are analyzed and compared from the prospective of their operating environments, especially those factors causing their special detection coverage or blind spots. Moreover, the evaluation of anomaly detectors are also roughly discussed based on some existing benchmarks. Careful analysis shows that the fundamental understanding of the operating environments (i.e., properties of observable subjects) is the elementary but essential stage in the process of establishing an effective anomaly detection model, which therefore worth insightful exploration, especially when we face the dilemma between anomaly detection performance and the computational cost.

Original languageEnglish
Pages (from-to)292-305
Number of pages14
JournalInternational Journal of Network Security
Issue number3
Publication statusPublished - 2007
Externally publishedYes


  • Anomaly detection
  • Computer security
  • Information security
  • Intrusion detection
  • Misuse detection


Dive into the research topics of 'An observation-centric analysis on the modeling of anomaly-based intrusion detection'. Together they form a unique fingerprint.

Cite this