Misuse Detection vs. Intrusion Detection

Oct 11, 1996

Abstract

Misuse detection has a number of differences from intrusion detection, which include the facts that the violator is authorized to access the target material, and can take her time doing the misuse by, e.g., spreading it over a period of time or over a number of sessions each of which looks "normal". After reviewing some of the common approaches to misuse detection, I'll explain how the pattern matching approach works, the special problems associated with using it for misuse detection, and possible ways of coping with these difficulties.