Wikipedia
An anomaly-based intrusion detection system is an intrusion detection system for detecting both network and computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and attempts to detect any type of misuse that falls outside normal system operation. This is as opposed to signature-based systems, which can only detect attacks for which a signature has previously been created. In order to positively identify attack traffic, the system must be taught to recognize normal system activity. The two phases of a majority of anomaly detection systems consist of the training phase (where a profile of normal behaviors is built) and the testing phase (where current traffic is compared with the profile created in the training phase).
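The training and testing phases described above, as an added example that is not part of the original article. The feature names, the z-score heuristic, the threshold of 3 and the deviation floor are assumptions chosen for illustration, and all sample values are constructed.

```python
from statistics import mean, pstdev

# Constructed per-minute observations for one host during normal operation
# (connection count, distinct destination ports, bytes sent). Not real traffic.
TRAINING = [
    {"conns": 40, "ports": 3, "bytes_out": 50000},
    {"conns": 42, "ports": 3, "bytes_out": 52000},
    {"conns": 38, "ports": 4, "bytes_out": 48000},
    {"conns": 45, "ports": 3, "bytes_out": 51000},
    {"conns": 41, "ports": 2, "bytes_out": 49500},
    {"conns": 39, "ports": 3, "bytes_out": 50500},
    {"conns": 44, "ports": 4, "bytes_out": 53000},
    {"conns": 43, "ports": 3, "bytes_out": 47000},
]

def train(samples):
    """Training phase: build a profile of normal behavior (mean, std per feature)."""
    profile = {}
    for feature in samples[0]:
        values = [s[feature] for s in samples]
        profile[feature] = (mean(values), pstdev(values))
    return profile

def score(profile, obs, floor=1.0):
    """Distance of one observation from the profile, as per-feature z-scores.

    The floor (an assumed value) keeps near-constant training features from
    producing a zero or tiny deviation that would flag every small change.
    """
    return {f: abs(obs[f] - mu) / max(sd, floor) for f, (mu, sd) in profile.items()}

def classify(profile, obs, threshold=3.0):
    """Testing phase: compare current activity with the trained profile."""
    z = score(profile, obs)
    worst = max(z, key=z.get)  # feature that deviates most from normal
    label = "anomalous" if z[worst] > threshold else "normal"
    return label, worst

if __name__ == "__main__":
    profile = train(TRAINING)
    current = [  # constructed test-phase observations
        {"conns": 43, "ports": 3, "bytes_out": 50800},
        {"conns": 44, "ports": 60, "bytes_out": 52000},
        {"conns": 41, "ports": 3, "bytes_out": 400000},
    ]
    for obs in current:
        print(obs, "->", classify(profile, obs))
```

No signature is consulted at any point: the second and third observations are flagged only because they fall outside the learned profile, which is also why activity present in the training data would be treated as normal.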
Anomaly-based_intrusion_detection_system - Wikipedia, the free encyclopedia