An IDS that combines several classifiers using majority voting and divides samples into Normal and Abnormal (without reporting any information about attack types): is it a hybrid intrusion detection system, an anomaly detection system, or a misuse detection system?
What must have thrown you off is the use of rule-based intrusion detection as the example of misuse detection. What I did was update the answer to put it in the traditional way, to avoid more confusion, and explain it fully in this post.
To elaborate on my answer, let's go to the definitions given by Verwoerd and Hunt (Intrusion Detection Techniques and Approaches). Their definitions are:
* "Anomaly detection attempts to model normal behaviour. Any events which violate this model are considered to be suspicious."
* "Misuse detection attempts to model abnormal behaviour, any occurrence of which clearly indicates system abuse."
The authors (both Verwoerd and Patcha) give examples of both anomaly and misuse, but take for example a traditional signature-based intrusion detection system (e.g. Snort). Most people rely on this type of system to write rules that fall under misuse detection, where the rule is focused on detecting an anomaly. Nonetheless, if you want to compare the number of login failures against the number of good logins to derive a ratio, the signature-based IDS is then used as a statistics-gathering apparatus instead of the usual detection mechanism (I am still using expression matching). I have used the signature-based system to derive narrow profiles of good behavior on the web (using Snort and ModSecurity). Does the traditional signature-based system need to be limited to just modeling bad behavior? The answer is no (as a matter of fact, I believe they can be used in a better role, allowing only good-behavior matches and then filtering everything else; this requires limiting the number of good-behavior profiles, but it is more secure).
To address your next question on using just abnormal attacks in misuse detection, the answer is that it just depends. The definitions given are based on modeling either normal or abnormal behavior. The question to ask is: does your intrusion detection method model both anomalous and normal behavior?
To give you two examples:
1) You make a neural network to discriminate attack types using a dataset of attacks (purely misuse?)
2) You make a neural network that discriminates normal web browsing from a denial of service request (is it misuse, anomaly or hybrid?)
It all depends on what you are trying to model, whether it is good behavior or bad behavior, and this depends on the dataset and the interpretation given to it.
My understanding is that when you put together misuse and anomaly detection, it becomes a hybrid system. If, for example, you have a majority voting scheme of learning algorithms and you do not have an anomaly component (e.g. threshold measures), it would be considered misuse detection (e.g. a signature-based system such as Snort).
See for example:
Patcha, Animesh, and Jung-Min Park. "An overview of anomaly detection techniques: Existing solutions and latest technological trends." Computer Networks 51.12 (2007): 3448-3470.
I would concur with their definitions of hybrid, misuse, and anomaly detection systems.
Thank you so much, dear Arturo, for your advantageous comment. About your first example, I think it's a purely misuse detection system. And in my opinion the second example indicates a hybrid IDS.
How about a system which models normal (anomaly) and abnormal (purely misuse) behavior separately and compares a new sample against these two models? Is it misuse detection?
As you put the example, I think that if we are talking about the system as a whole then we could refer to it as a mixed system. In terms of each individual subsystem, they are separately doing anomaly and misuse detection. I think that is a distinction that must be made in any work to clear up misunderstandings on misuse and anomaly.
Though Arturo has explained in detail, I would throw in a few points here. The distinction between anomaly and misuse IDS lies completely in the decision-making process, i.e. what is being modeled to take the decision (as indicated by Arturo). One should not get confused by the data that is being used to learn the behavior. A misuse-based IDS can use attack and normal data to learn about attacks (i.e. misuse data), and in the future it only detects "known" attacks that were used during training. Similarly, an anomaly-based IDS can use mixed data to learn ONLY normal behavior, and in the future can detect normal behavior, i.e. anything that is not normal is an attack for such an IDS. Clearly, the former has true negatives and the latter has false positives. In order to have a balance, we can learn both attacks as well as normal behavior to increase the accuracy of the IDS, i.e. if it has a rule for an attack, flag it as that attack; OR if it does not have a rule, but according to its normal-learning engine this seems to be normal, no alarm; otherwise alarm (possibly a new attack). This is what we call a hybrid IDS.
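To make the distinction drawn in this thread concrete, here is an added toy example (not code from any participant): a misuse engine whose rules each model one known attack, an anomaly engine whose profile is learned from normal records only, and the hybrid decision order given in the last answer (known rule, then normal profile, then "possible new attack"). Every event, rule name and threshold is a constructed sample value, and the rules are hypothetical.

```python
# Added example, not from the thread: a toy hybrid IDS. Every event, rule and
# threshold below is a constructed sample value; the rules are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    dst_port: int
    req_per_sec: float   # request rate from the source in the window
    failed_logins: int   # failed logins from the source in the window
    payload: str         # first bytes of the request (constructed)

# Misuse engine: each rule models one KNOWN attack (abnormal behaviour).
MISUSE_RULES = {
    "ssh_brute_force": lambda e: e.dst_port == 22 and e.failed_logins >= 10,
    "sqli_probe": lambda e: "' or 1=1" in e.payload.lower(),
}

def misuse_match(event):
    """Name of the first known-attack rule that fires, or None."""
    return next((n for n, r in MISUSE_RULES.items() if r(event)), None)

# Anomaly engine: learn bounds of NORMAL behaviour only; slack widens them
# to trade a few misses for fewer false positives.
def learn_normal_profile(normal_events, slack=1.5):
    return {
        "req_per_sec": max(e.req_per_sec for e in normal_events) * slack,
        "failed_logins": int(max(e.failed_logins for e in normal_events) * slack) + 1,
    }

def is_normal(event, profile):
    return (event.req_per_sec <= profile["req_per_sec"]
            and event.failed_logins <= profile["failed_logins"])

def hybrid_decide(event, profile):
    """Known rule -> named attack; else fits normal profile -> no alarm; else new attack."""
    hit = misuse_match(event)
    if hit is not None:
        return ("alarm", hit)
    if is_normal(event, profile):
        return ("no_alarm", "normal")
    return ("alarm", "possible_new_attack")

def run_demo():
    """Train on constructed normal traffic, then classify constructed test events."""
    normal = [Event(80, 2.0, 0, "GET /index.html"), Event(443, 4.0, 1, "GET /login"),
              Event(22, 0.5, 2, "SSH-2.0-OpenSSH")]
    profile = learn_normal_profile(normal)  # -> req_per_sec 6.0, failed_logins 4
    tests = {"web_browse": Event(443, 3.0, 0, "GET /about"),
             "brute_force": Event(22, 1.0, 25, "SSH-2.0-OpenSSH"),
             "sqli": Event(80, 1.0, 0, "GET /item?id=1' OR 1=1--"),
             "flood": Event(80, 900.0, 0, "GET /")}  # no rule, outside profile
    return {name: hybrid_decide(ev, profile) for name, ev in tests.items()}
```

The "flood" event shows the value of the anomaly engine: no misuse rule names it, yet it is flagged because it falls outside the learned normal profile, while the misuse engine alone would have stayed silent.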