What is the process of identifying significant deviations by comparing normal activity to observed events?


Anomaly-based detection is the process of identifying significant deviations from what is considered 'normal' activity. A model of normal behavior is first built by monitoring baseline activity: typical patterns of network traffic, user behavior and system performance, recorded over a period long enough to capture ordinary variation (daily and weekly cycles, for example). The baseline has to be learned from a period believed to be free of compromise; a detector trained while an attacker is already active will treat the attacker's activity as normal.

Once the baseline is established, the system compares ongoing activity against it and flags events that diverge significantly as potential anomalies or threats. Because no prior knowledge of the attack is required, this method can surface unknown threats and zero-day attacks that signature-based detection, which matches activity against predefined patterns of known threats, cannot see.

The approach can also adapt to legitimate changes in normal operation (new users, software updates, changes in the environment) by updating the baseline over time, so it can identify patterns that indicate a security incident even when those patterns have never been catalogued as malicious. The trade-off is a higher false-positive rate than signature-based detection, since unusual but benign activity is flagged as well, and an adaptive baseline can be shifted gradually by an attacker who keeps each step below the alerting threshold. Alert thresholds and baseline-update rules therefore need tuning with both failure modes in mind.
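The following is an added worked example, not material from the exam page: a minimal anomaly-based detector that learns a statistical baseline (mean and standard deviation of hourly outbound traffic for one host), then flags later observations whose z-score crosses a threshold. The traffic figures, the three-sigma threshold and the helper names are all assumptions made for illustration. It also shows the two caveats above in code: a baseline that is too short is rejected, and flagged observations are kept out of the adaptive baseline so one burst cannot drag the mean upward.

```python
"""Toy anomaly-based detector (added example; constructed data).

Learn a baseline from a training window, then flag observations whose
deviation from that baseline exceeds a threshold.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import List


@dataclass
class Baseline:
    """Model of 'normal' for one metric (here: hourly outbound MB for a host)."""
    samples: List[float] = field(default_factory=list)

    @property
    def mu(self) -> float:
        return mean(self.samples)

    @property
    def sigma(self) -> float:
        return pstdev(self.samples)


@dataclass
class Alert:
    index: int      # position of the observation in the monitored window
    value: float
    z: float        # distance from the baseline mean, in standard deviations


def learn_baseline(samples: List[float], min_samples: int = 10) -> Baseline:
    """Build the baseline from a training window.

    The window must be long enough to capture normal variation and, in
    practice, must be known-clean: a baseline learned while an attacker is
    already present teaches the detector that the attack is normal.
    """
    if len(samples) < min_samples:
        raise ValueError(f"need at least {min_samples} samples, got {len(samples)}")
    return Baseline(list(samples))


def z_score(baseline: Baseline, value: float) -> float:
    """Standard deviations between value and the baseline mean."""
    if baseline.sigma == 0.0:
        # Perfectly flat baseline: any change at all is a deviation.
        return 0.0 if value == baseline.mu else float("inf")
    return (value - baseline.mu) / baseline.sigma


def detect(baseline: Baseline, observations: List[float],
           threshold: float = 3.0, adapt: bool = True) -> List[Alert]:
    """Compare each observation with the baseline; flag large deviations.

    With adapt=True, observations that are NOT flagged are folded into the
    baseline so legitimate drift is absorbed. Flagged observations are kept
    out so a single burst cannot drag the mean up. This does not defeat an
    attacker who raises activity slowly and stays under the threshold.
    """
    alerts: List[Alert] = []
    for i, value in enumerate(observations):
        z = z_score(baseline, value)
        if abs(z) >= threshold:
            alerts.append(Alert(index=i, value=value, z=z))
        elif adapt:
            baseline.samples.append(value)
    return alerts


# Constructed data: 24 hours of normal outbound traffic (MB) for one host...
BASELINE_MB = [48, 52, 50, 47, 53, 49, 51, 50, 46, 54, 50, 49,
               52, 48, 51, 50, 47, 53, 49, 51, 50, 48, 52, 50]
# ...and the next five hours, including a 420 MB burst that matches no
# known signature but is far outside the learned baseline.
OBSERVED_MB = [51, 49, 420, 50, 53]


def run_example() -> List[Alert]:
    baseline = learn_baseline(BASELINE_MB)
    return detect(baseline, OBSERVED_MB)


if __name__ == "__main__":
    for a in run_example():
        print(f"hour {a.index}: {a.value} MB is {a.z:.1f} sigma from baseline")
```

Only the 420 MB hour is flagged; the 53 MB hour, about 1.5 sigma above the mean, is absorbed into the baseline as ordinary variation. A real deployment would keep one baseline per metric and per entity (host, user, service), and would seasonalise it (hour-of-day, day-of-week) rather than use a single global mean.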
