Detection: monitor the system & detect anomalies or activities that
indicate a break-in and report it.
signature analysis: compare log data with predefined attack signatures. Only known attack methods are detectable.
static-state analysis: vulnerability & configuration analyses
dynamic analysis: determine if an attack (suspicious activities) is underway
vulnerability profiles: list of known vulnerabilities; compared to system with scanner
system profiles: model of the processes, users, activities expected on a system compared to actual statistics.
network profiles: amount & type of traffic to establish normal work patterns; detect abnormalities.
user profiles: detect deviation from standard behavior of a user.
attack profiles: artifacts (fingerprints) left by (attempted) attack; in logs.
self-monitoring profiles: IDS monitors itself
Offline methods: analyze system while not operational
configuration & system scanning for vulnerabilities (e.g. virus scan)
Online methods: evaluate state info from operation of the system
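An added worked example, not part of these notes, contrasting the two online approaches above: signature analysis (predefined patterns; anything not on the list stays invisible) and profile-based dynamic analysis (a user/system profile built from a baseline period, then compared with observed activity). The log format, the two sample logs, the signatures, the brute-force threshold and the 3-sigma deviation rule are all constructed assumptions for illustration.

```python
"""Signature analysis vs. profile-based anomaly detection over a constructed log.
Added example; log format, signatures and thresholds are assumptions."""
import re
import statistics
from collections import Counter, defaultdict

# Constructed records: "<timestamp> <user> <src_ip> <bytes> <action ...>"
BASELINE_LOG = """\
2024-01-01T08:00:01 alice 10.0.0.5 1200 login
2024-01-01T08:05:10 alice 10.0.0.5 900 read /home/alice/report.txt
2024-01-01T08:07:42 bob 10.0.0.7 1500 login
2024-01-01T08:09:03 bob 10.0.0.7 700 read /home/bob/notes.txt
2024-01-01T09:00:00 alice 10.0.0.5 1000 read /home/alice/a.txt
2024-01-01T09:01:00 bob 10.0.0.7 1300 read /home/bob/b.txt
2024-01-01T09:30:00 alice 10.0.0.5 1100 read /home/alice/c.txt
2024-01-01T09:31:00 bob 10.0.0.7 900 read /home/bob/d.txt
"""

OBSERVED_LOG = """\
2024-01-02T08:00:01 alice 10.0.0.5 1300 login
2024-01-02T08:02:00 bob 10.0.0.7 5000000 read /home/bob/archive.tar
2024-01-02T10:00:00 mallory 203.0.113.4 50 failed_login
2024-01-02T10:00:01 mallory 203.0.113.4 50 failed_login
2024-01-02T10:00:02 mallory 203.0.113.4 50 failed_login
2024-01-02T10:00:03 mallory 203.0.113.4 50 failed_login
2024-01-02T10:00:04 mallory 203.0.113.4 50 failed_login
2024-01-02T10:03:00 mallory 203.0.113.4 1000 read /etc/shadow
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (.+)$")

def parse_log(text):
    """Parse the constructed format into dict records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, src, nbytes, action = m.groups()
            records.append({"ts": ts, "user": user, "src": src,
                            "bytes": int(nbytes), "action": action})
    return records

# --- Signature analysis: predefined patterns of known attack methods (assumed list) ---
SIGNATURES = [
    ("sensitive-file-read", re.compile(r"^read /etc/(?:shadow|sudoers)$")),
]
FAILED_LOGIN_THRESHOLD = 5  # assumed: this many failures from one source = brute-force signature

def signature_scan(records):
    alerts = []
    for r in records:
        for name, pattern in SIGNATURES:
            if pattern.search(r["action"]):
                alerts.append((name, r["src"], r["ts"]))
    failures = Counter(r["src"] for r in records if r["action"] == "failed_login")
    for src, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("brute-force-login", src, f"{n} failures"))
    return alerts

# --- Profile-based analysis: model of normal built from the baseline, then compared ---
def build_user_profile(baseline):
    """Per user: mean and sample stdev of bytes per event, plus the source IPs seen."""
    per_user, sources = defaultdict(list), defaultdict(set)
    for r in baseline:
        per_user[r["user"]].append(r["bytes"])
        sources[r["user"]].add(r["src"])
    profile = {}
    for user, values in per_user.items():
        sd = statistics.stdev(values) if len(values) > 1 else 0.0
        profile[user] = {"mean": statistics.mean(values),
                         "stdev": max(sd, 1.0),  # floor: a flat baseline must not flag everything
                         "sources": sources[user]}
    return profile

def anomaly_scan(profile, records, k=3.0):
    """Flag users absent from the system profile, new source IPs, and k-sigma volume deviations."""
    alerts, unknown_seen = [], set()
    for r in records:
        p = profile.get(r["user"])
        if p is None:
            if r["user"] not in unknown_seen:
                unknown_seen.add(r["user"])
                alerts.append(("unknown-user", r["user"], r["ts"]))
            continue
        if r["src"] not in p["sources"]:
            alerts.append(("new-source-for-user", r["user"], r["src"]))
        if abs(r["bytes"] - p["mean"]) > k * p["stdev"]:
            alerts.append(("volume-deviation", r["user"], r["bytes"]))
    return alerts

def run():
    profile = build_user_profile(parse_log(BASELINE_LOG))
    observed = parse_log(OBSERVED_LOG)
    return {"signature": signature_scan(observed), "anomaly": anomaly_scan(profile, observed)}

if __name__ == "__main__":
    for stage, alerts in run().items():
        print(stage, *alerts, sep="\n  ")
```

Note what each stage misses: the signature stage says nothing about bob's 5 MB read because no predefined signature covers it, while the profile stage catches it as a deviation from bob's baseline but cannot name the attack; the unknown user mallory is reported once by the profile stage, and only the signature stage identifies the brute-force pattern and the sensitive-file read by name.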