Network Intrusion Detection Systems (NIDS) face the challenge of preventing network attacks and unauthorised remote use of computers. To achieve this goal, NIDS usually follow two different strategies. The first aims at detecting forbidden usage of the network and the second concentrates on finding illegitimate behaviour. The first methodology accomplishes its goal by defining all possible attacks, and the second by modelling normal usage in order to detect anything that does not fit that pattern; this difference has so far rendered the two alternatives incompatible. In previous work we presented ESIDE-Depian, the first inherently unified misuse and anomaly detector. This paper focuses on the problems and difficulties that arose in the integration process and the solutions designed to overcome them.
Yoseba K. Penya, Pablo Garcia Bringas