With the rapid development of computer hardware and computer networks, it becomes increasingly pressing to intercept computer attacks (intrusions) and to detect malware infections of workstations, mobile devices and servers in a timely manner.
Network-based ADS (Attack Detection Systems) play an important role here: they analyze network traffic to detect sessions in which infected devices communicate with control centers, malware is distributed, or infected devices are placed under unauthorized remote control.
Network-based ADS operate on decision rule databases: sets of criteria used to analyze communication sessions and information security events. Written in a conventional rule syntax, these criteria specify the contents and attributes of network connections that the system treats as malicious.
The main practical tasks for network-based ADS are to update the decision rule database in a timely manner, so that new threats are detected more effectively, and to reduce the number of type I errors (false positives).
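To make the two preceding paragraphs concrete, the following added example (not code from the original text, and not the rule language of any real product) implements a minimal decision-rule engine: each rule is a line of `key:value` criteria on connection attributes (`proto`, `dst_port`) and on payload contents (`content`, `pcre`), exactly the kind of requirements a rule database encodes. The sessions are constructed samples with a hand-assigned ground-truth label, and the rule names, paths and identifiers are hypothetical. Running a deliberately broad rule and a refined one over the same sessions shows how a rule that only checks the port and the HTTP method produces a type I error (false positive) on an ordinary update request, and how adding a payload criterion removes it without losing the true detection.

```python
"""Minimal decision-rule engine for a network-based ADS (illustrative only).

The rule syntax, session records and labels below are constructed for this
example; real systems use their own, richer rule languages.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Session:
    """One observed network connection (constructed sample, not real traffic)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    payload: bytes
    label: str  # hand-assigned ground truth: "malicious" or "benign"

@dataclass
class Rule:
    """Parsed decision rule: attribute requirements plus payload criteria."""
    name: str
    attrs: dict = field(default_factory=dict)     # e.g. {"dst_port": "8080"}
    contents: list = field(default_factory=list)  # byte strings that must all occur
    pcre: Optional[re.Pattern] = None             # optional regex over the payload

# key:value tokens; the value is either a double-quoted string (with \" and \\
# escapes allowed inside) or a bare word.
TOKEN_RE = re.compile(r'(\w+):("(?:[^"\\]|\\.)*"|\S+)')

def parse_rule(text: str) -> Rule:
    """Parse one rule line, e.g.
    name:c2_checkin proto:tcp dst_port:8080 content:"POST /update" pcre:"id=[0-9a-f]{16}"
    """
    rule = Rule(name="")
    for key, raw in TOKEN_RE.findall(text):
        value = raw[1:-1] if raw.startswith('"') else raw
        if key == "name":
            rule.name = value
        elif key == "content":
            rule.contents.append(value.encode())
        elif key == "pcre":
            rule.pcre = re.compile(value.encode())
        else:
            rule.attrs[key] = value  # any other key is a connection attribute
    if not rule.name:
        raise ValueError(f"rule without a name: {text!r}")
    return rule

def matches(rule: Rule, s: Session) -> bool:
    """True when every criterion of the rule holds for the session."""
    for key, want in rule.attrs.items():
        have = getattr(s, key, None)
        if have is None or str(have) != want:
            return False
    if not all(c in s.payload for c in rule.contents):
        return False
    if rule.pcre is not None and not rule.pcre.search(s.payload):
        return False
    return True

def run(rules, sessions):
    """Return the alerts as (rule name, session index) pairs."""
    return [(r.name, i) for i, s in enumerate(sessions) for r in rules if matches(r, s)]

def evaluate(rule: Rule, sessions):
    """Count (true positives, false positives) of one rule against labelled sessions."""
    hits = [s for s in sessions if matches(rule, s)]
    tp = sum(1 for s in hits if s.label == "malicious")
    fp = sum(1 for s in hits if s.label == "benign")
    return tp, fp

# Constructed sessions (RFC 5737 documentation addresses, hypothetical payloads).
SESSIONS = [
    # periodic check-in of an infected host to a control server
    Session("10.0.0.5", "203.0.113.7", 8080, "tcp",
            b"POST /update?id=3f9a1c2e7b4d6a80 HTTP/1.1\r\nHost: 203.0.113.7\r\n\r\n",
            "malicious"),
    # ordinary software update: same port and method, different payload
    Session("10.0.0.6", "198.51.100.20", 8080, "tcp",
            b"POST /update HTTP/1.1\r\nHost: updates.example.org\r\nContent-Length: 0\r\n\r\n",
            "benign"),
    # plain web browsing on port 80
    Session("10.0.0.7", "198.51.100.30", 80, "tcp",
            b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
            "benign"),
]

# Broad rule: port and method only. Refined rule: adds the check-in identifier pattern.
BROAD = parse_rule('name:c2_checkin_broad proto:tcp dst_port:8080 content:"POST /update"')
REFINED = parse_rule('name:c2_checkin proto:tcp dst_port:8080 content:"POST /update" '
                     'pcre:"^POST /update\\?id=[0-9a-f]{16} HTTP"')

if __name__ == "__main__":
    for rule in (BROAD, REFINED):
        tp, fp = evaluate(rule, SESSIONS)
        print(f"{rule.name}: true positives={tp}, false positives={fp}")
    print("alerts:", run([BROAD, REFINED], SESSIONS))
```

The refined rule keeps the same attribute criteria and the same true positive but drops the false positive, which is the trade-off the text describes: narrowing a rule reduces type I errors, while new rules must be added as new threats appear.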