Computer networks and systems have become indispensable tools for modern business. Today terabits of information on virtually every subject imaginable are stored in and accessed across such networks by users throughout the world. Much of this information is, to some degree, confidential and its protection is desired. Intrusion detection systems (IDS), including fraud detection systems (FDS), have been developed to detect unauthorized use of information and resources and to help uncover attempts by unauthorized persons and/or devices to gain access to computer networks and the information stored therein.
There are two complementary approaches to detecting intrusions: knowledge-based approaches and behavior-based approaches. Many IDS tools in use today are knowledge-based. Knowledge-based intrusion detection techniques compare captured data (for example, network traffic or audit records) against stored descriptions of known techniques for exploiting vulnerabilities, such as attack signatures; when a match is detected, an alarm is triggered. Because they rely on prior knowledge of the attack, such techniques cannot detect attacks whose characteristics have not yet been described. Behavior-based intrusion detection techniques, on the other hand, attempt to spot intrusions by observing deviations from the normal or expected behavior of the system or its users, models of which are extracted from reference information collected by various means; when a suspected deviation is observed, an alarm is generated.
Traditional security systems use rules to correlate events. Rules may be used to analyze and correlate user events in order to identify intrusions, more specifically, behavioral patterns that deviate from the norm. While these mechanisms are powerful enough to support many standard correlation use cases, some intrusions, such as sophisticated fraudulent attacks, may go undetected, or may be detected only after a highly complex set of rules has been specified.
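The two detection approaches of the preceding paragraphs, and the rule-based correlation just described, are illustrated by the following added example. It is not part of the original text and does not describe any particular product: it is a small engine, written for this discussion, that runs a knowledge-based signature check, a knowledge-based correlation rule, and a behavior-based baseline-deviation check over a constructed set of log events. The events, the baseline figures, the signature patterns, the 60-second window, the five-failure threshold and the z-score threshold of 3 are all assumptions chosen for illustration.

```python
"""Added example (not from the original page): knowledge-based versus
behavior-based detection over constructed log events."""
import re
import statistics
from collections import defaultdict, deque

# Constructed sample events, not real logs:
# (timestamp_seconds, user, source_ip, action, detail)
EVENTS = [
    (0,   "alice",   "10.0.0.5",     "http_get",   "/reports?id=7"),
    (3,   "mallory", "198.51.100.9", "http_get",   "/reports?id=7' OR 1=1--"),
    (10,  "bob",     "10.0.0.8",     "http_get",   "/static/../../etc/passwd"),
    (20,  "bob",     "203.0.113.4",  "login_fail", ""),
    (25,  "bob",     "203.0.113.4",  "login_fail", ""),
    (30,  "bob",     "203.0.113.4",  "login_fail", ""),
    (35,  "bob",     "203.0.113.4",  "login_fail", ""),
    (40,  "bob",     "203.0.113.4",  "login_fail", ""),
    (45,  "bob",     "203.0.113.4",  "login_ok",   ""),
    (50,  "carol",   "10.0.0.9",     "login_fail", ""),
    (400, "carol",   "10.0.0.9",     "login_ok",   ""),
]

# Knowledge-based: patterns describing known exploit techniques (illustrative).
SIGNATURES = {
    "sqli_tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
    "path_traversal": re.compile(r"(^|/)\.\./"),
}


def signature_alerts(events):
    """Match each request against the known-attack signatures; an alarm fires on a hit.
    Anything not described by a signature is invisible to this detector."""
    alerts = []
    for ts, _user, ip, action, detail in events:
        if action != "http_get":
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(detail):
                alerts.append((ts, ip, name))
    return alerts


def correlation_alerts(events, window=60, min_failures=5):
    """Knowledge-based correlation rule: at least `min_failures` login failures from
    one source IP within `window` seconds, followed by a successful login from that IP."""
    recent_failures = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = []
    for ts, _user, ip, action, _detail in sorted(events):
        if action == "login_fail":
            recent_failures[ip].append(ts)
        elif action == "login_ok":
            q = recent_failures[ip]
            while q and ts - q[0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= min_failures:
                alerts.append((ts, ip, "brute_force_success"))
            q.clear()
    return alerts


# Constructed baseline (assumed): kilobytes downloaded per user per day, 14 prior days.
BASELINE = {
    "alice": [120, 135, 110, 128, 140, 125, 130, 118, 122, 137, 129, 133, 121, 126],
    "bob":   [40, 45, 38, 42, 50, 47, 41, 39, 44, 46, 43, 48, 40, 42],
    "dave":  [10] * 14,
}
TODAY = {"alice": 131, "bob": 900, "dave": 10, "erin": 5000}


def behavior_alerts(baseline, observed, z_threshold=3.0):
    """Behavior-based: flag a user whose observation deviates from their own
    historical profile by more than `z_threshold` standard deviations.
    No attack signature is needed, but a user with no baseline cannot be scored."""
    alerts = []
    for user, value in observed.items():
        history = baseline.get(user)
        if not history or len(history) < 2:
            alerts.append((user, "no_baseline"))
            continue
        mean = statistics.mean(history)
        sd = statistics.pstdev(history)
        if sd == 0:  # constant history: any change at all is a deviation
            if value != mean:
                alerts.append((user, "rate_deviation"))
            continue
        if abs((value - mean) / sd) > z_threshold:
            alerts.append((user, "rate_deviation"))
    return alerts


if __name__ == "__main__":
    for alert in signature_alerts(EVENTS) + correlation_alerts(EVENTS):
        print("knowledge-based:", alert)
    for alert in behavior_alerts(BASELINE, TODAY):
        print("behavior-based: ", alert)
```

Note the two limits the text points at. The correlation rule catches the attempt from 203.0.113.4 but not carol's slow one, because her failure falls outside the 60-second window; a rule set that also covered slow attacks would need further conditions and thresholds, which is the rule complexity the paragraph above describes. The behavior-based check catches bob's download spike without any signature, yet has nothing to say about erin, for whom no reference profile exists.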