Indicators of misuse are analyzed in order to detect specific
sequences indicative of misuse. Examples include audit-based misuse
detection, analysis of system state to detect mis-set values or unauthorized
changes, and network-based observation of terminal sessions analyzed to
detect known attack sequences.
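
The audit-based case above, as an added example that is not part of the original text: a Python detector that scans audit records per session for a known ordered event sequence. The event names, session ids and the signature are constructed for illustration.

```python
from collections import defaultdict

# Hypothetical signature: ordered audit events that together indicate misuse.
SIGNATURE = ("login_failed", "login_failed", "login_ok", "passwd_file_write")

# Constructed audit records: (session id, event name), in time order.
AUDIT_LOG = [
    ("s1", "login_failed"),
    ("s2", "login_ok"),
    ("s1", "login_failed"),
    ("s2", "file_read"),
    ("s1", "login_ok"),
    ("s1", "file_read"),          # unrelated event inside the sequence
    ("s2", "passwd_file_write"),  # s2 never had the failed logins
    ("s1", "passwd_file_write"),  # completes the signature for s1
    ("s3", "passwd_file_write"),
    ("s3", "login_failed"),
    ("s3", "login_failed"),
    ("s3", "login_ok"),           # right events, wrong order
]


def detect_misuse(records, signature=SIGNATURE):
    """Return session ids whose events contain `signature` as an ordered
    subsequence; unrelated events in between are allowed."""
    progress = defaultdict(int)   # session -> number of signature steps matched
    flagged = []
    for session, event in records:
        step = progress[session]
        if step < len(signature) and event == signature[step]:
            progress[session] = step + 1
            if progress[session] == len(signature):
                flagged.append(session)
    return flagged


if __name__ == "__main__":
    print(detect_misuse(AUDIT_LOG))
```

A detector of this kind recognizes only the sequences it has been given.
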
Complexity: In general, misuse detection
appears to be undecidable because it potentially involves detecting all
viruses, which is known to be undecidable.
fc@red.a.net