Anomaly Detection

Anomaly detection is a dynamic detection method used by antivirus software and by host-based and network-based intrusion detection systems.

A program using this method observes certain activity (the operation of programs and processes, network traffic, user actions) and watches for unusual or suspicious events or trends.

Antivirus products that use the suspicious-behavior method do not try to identify known viruses. Instead, they track the behavior of all programs. This removes the threat posed by virus polymorphism. If a program tries to write data to an executable file (an exe file), the antivirus program can flag that file, warn the user and ask what should be done.

Unlike the method of matching a virus definition against a dictionary, the suspicious-behavior method provides protection against completely new viruses and network attacks that are not yet present in any virus or attack database. However, programs built on this method can also generate a large number of false warnings, which makes the user desensitized to warnings. If the user clicks "Accept" on every such warning, the antivirus program provides no benefit. This problem has recently been exacerbated, since more and more non-malicious programs that modify other exe files have appeared, on top of the existing problem of false warnings.
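The behavior rule described above, as an added example that is not part of the original article: a small monitor over a constructed stream of file events flags any process that writes to an executable file, and a user-maintained trusted list (the "remember my decision" answer to the warning) shows how a legitimate updater becomes a false warning unless the user excludes it. The event fields, process names and paths are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Iterable

# File types whose modification the behavior monitor treats as suspicious.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys")


@dataclass(frozen=True)
class FileEvent:
    process: str   # name of the process performing the action
    action: str    # "write", "read" or "delete"
    path: str      # target file


@dataclass(frozen=True)
class Alert:
    process: str
    path: str
    reason: str


def is_executable(path: str) -> bool:
    return path.lower().endswith(EXECUTABLE_SUFFIXES)


def detect(events: Iterable[FileEvent],
           trusted: frozenset[str] = frozenset()) -> list[Alert]:
    """Flag every write to an executable file, unless the writing process
    is on the user's trusted list (the 'accept and remember' decision)."""
    alerts: list[Alert] = []
    for ev in events:
        if ev.action == "write" and is_executable(ev.path) \
                and ev.process not in trusted:
            alerts.append(Alert(ev.process, ev.path,
                                "write to executable file"))
    return alerts


# Constructed sample events: one benign text write, one unknown program
# overwriting a system executable, one legitimate updater replacing its
# own binary, and one read that should never trigger.
SAMPLE_EVENTS = [
    FileEvent("notepad.exe", "write", r"C:\Users\alice\notes.txt"),
    FileEvent("dropper.exe", "write", r"C:\Windows\System32\calc.exe"),
    FileEvent("updater.exe", "write", r"C:\Program Files\App\app.exe"),
    FileEvent("explorer.exe", "read", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"WARNING: {a.process} -> {a.path} ({a.reason})")
    # Two warnings: the unknown writer and the legitimate updater (a false
    # warning); trusting updater.exe leaves only the unknown writer.
    print(len(detect(SAMPLE_EVENTS, trusted=frozenset({"updater.exe"}))))
```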

Notes

Source: https://ru.wikipedia.org/w/index.php?title=Anomaly Detection&oldid=85582053
