Patterns of behavior are tracked and changes in these patterns
are used to indicate attack. Examples include detection of excessive use,
detection of use at unusual hours, and detection of changes in system calls
made by user processes.
Complexity: In general, anomaly detection involves
a tradeoff between false positives and false negatives.
[Liepins92]
fc@red.a.net