Bringing it all together
Bro is powerful in that it can monitor an entire site, but weak in that it can't predict what future attack profiles will look like.
Forrest's work, and the other systems mentioned, all suggest you can do well by adaptively learning "normal" and reporting deviations.
Forrest's work shows that surprisingly high-level characteristics of a system can become evident by looking at events at an extremely low level, fine grain, and small time scale.
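The "learn normal, report deviations" idea above, as an added example that is not from these notes or from Forrest's own code: a profile of normal behaviour is the set of short fixed-length windows of system calls seen during training, and a new trace is scored by the fraction of its windows that never appeared in the profile. The window length, the threshold and all traces are constructed for illustration.

```python
# Added example, not part of the original notes. A minimal sliding-window
# anomaly detector over system-call traces, in the spirit of Forrest's work:
# low-level events (syscalls) over a small window reveal whether a process
# is behaving as it did during training. All sample data is constructed.

WINDOW = 3  # constructed choice of window length

NORMAL_TRACES = [  # constructed: a process that opens, reads, writes, closes
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
]

# constructed: same process, but with syscalls never seen in training
SUSPECT_TRACE = ["open", "read", "execve", "socket", "connect", "write", "close"]


def windows(trace, k=WINDOW):
    """Return every contiguous k-length window of a syscall trace as a tuple."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_profile(traces, k=WINDOW):
    """Learn 'normal' as the set of windows observed across the training traces."""
    profile = set()
    for t in traces:
        profile.update(windows(t, k))
    return profile


def anomaly_score(trace, profile, k=WINDOW):
    """Fraction (0.0..1.0) of the trace's windows that never occurred in the profile."""
    ws = windows(trace, k)
    if not ws:
        return 0.0
    unseen = sum(1 for w in ws if w not in profile)
    return unseen / len(ws)


def report_deviations(trace, profile, threshold=0.2, k=WINDOW):
    """Return (is_anomalous, unseen_windows) so an analyst can see what deviated."""
    unseen = [w for w in windows(trace, k) if w not in profile]
    return anomaly_score(trace, profile, k) > threshold, unseen


if __name__ == "__main__":
    prof = build_profile(NORMAL_TRACES)
    print(report_deviations(SUSPECT_TRACE, prof))   # (True, [5 unseen windows])
```

A trace that differs only slightly from training (for example, one extra `read`) scores low but non-zero, which is why the threshold, not a single unseen window, decides what gets reported.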