Typical approaches for Anomaly Detection
- Statistical anomaly detection: 90th and 99th percentile thresholds estimated with the T-Digest algorithm, time series analysis, heavy hitters, top-k
- Distance-based methods such as SimHash and LSH over feature vectors
- Rule-based detection built from data mining (geolocation, per-day login behavior, workstation, time of day)
- Signature-based detection using Snort and Bro (now Zeek)
- Model-based anomaly detection built on large feature sets for DNS traffic, users and servers
- Change Detection
- Machine Learning
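Three of the approaches above, run over constructed sample events, as an added example that is not part of the original notes. The percentile check uses an exact quantile over a small baseline (T-Digest is the streaming approximation of the same threshold at scale), the heavy-hitters step is a Misra-Gries summary, and the rule-based step applies off-hours and new-country checks per user. All event data, hostnames, IPs and user profiles are made up for the example.

```python
"""Added example (not from the original notes): three anomaly-detection
approaches run over constructed sample events.

  1. Statistical: flag values above the 99th percentile of a baseline window.
     statistics.quantiles() gives the exact percentile here; T-Digest is the
     streaming approximation used at scale and is not reimplemented.
  2. Heavy hitters: a Misra-Gries summary that surfaces every source seen
     more than len(stream)/k times while keeping only k-1 counters.
  3. Rule-based: per-user login rules on time-of-day and known geolocation.
"""
from statistics import quantiles


# --- 1. percentile threshold (90th/99th) ------------------------------------
def percentile_threshold(baseline, pct=99):
    """Value at the given percentile (1..99) of a baseline sample."""
    # quantiles(n=100) returns the 99 cut points for percentiles 1..99.
    return quantiles(baseline, n=100, method="inclusive")[pct - 1]


def flag_outliers(observed, baseline, pct=99):
    """(key, value) pairs whose value exceeds the baseline percentile."""
    threshold = percentile_threshold(baseline, pct)
    return [(k, v) for k, v in observed.items() if v > threshold]


# --- 2. heavy hitters (Misra-Gries) -----------------------------------------
def heavy_hitters(stream, k):
    """Candidates occurring more than len(stream)/k times.

    Every true heavy hitter is guaranteed to be returned; false positives are
    possible, so confirm with a second pass when exact counts matter.
    """
    counters = {}
    for item in stream:
        if item in counters:
            counters[item] += 1
        elif len(counters) < k - 1:
            counters[item] = 1
        else:
            # Decrement everything; drop counters that reach zero.
            for key in list(counters):
                counters[key] -= 1
                if counters[key] == 0:
                    del counters[key]
    return counters


# --- 3. rule-based login checks ---------------------------------------------
def login_rules(events, known_geo, work_hours=(7, 19)):
    """Alerts for logins outside work hours or from a country the user has
    never logged in from (known_geo: user -> set of countries)."""
    alerts = []
    for e in events:
        if not work_hours[0] <= e["hour"] < work_hours[1]:
            alerts.append((e["user"], "off-hours login at %02d:00" % e["hour"]))
        if e["country"] not in known_geo.get(e["user"], set()):
            alerts.append((e["user"], "login from new country " + e["country"]))
    return alerts


# --- constructed sample data (hypothetical hosts, IPs and users) ------------
# Per-minute DNS query counts for 100 minutes, ranging 10..30.
BASELINE = [10 + (i % 21) for i in range(100)]
OBSERVED = {"host-a": 25, "host-b": 400, "host-c": 30}
# 100 flow records: one source dominates, the rest are distinct.
IP_STREAM = ["10.0.0.5"] * 60 + ["10.0.1.%d" % i for i in range(40)]
KNOWN_GEO = {"alice": {"US"}, "bob": {"DE"}}
LOGINS = [
    {"user": "alice", "hour": 9, "country": "US"},
    {"user": "alice", "hour": 3, "country": "RO"},
    {"user": "bob", "hour": 14, "country": "DE"},
]

if __name__ == "__main__":
    print("p99 outliers:", flag_outliers(OBSERVED, BASELINE))
    print("heavy hitters:", heavy_hitters(IP_STREAM, k=5))
    print("login alerts:", login_rules(LOGINS, KNOWN_GEO))
```

The percentile check needs a baseline that excludes the window being scored, otherwise a single large burst raises the threshold it is measured against; in a streaming deployment the T-Digest for the previous period is frozen before the current period is compared to it.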
Typical approaches for Analyst ad-hoc query detection
- Visual Analysis
- Alert investigation
- Correlation Analysis
- Search
- SQL
- Time Series Analysis
- Graph Processing Queries