There is indeed a difference between anomaly detection and behavioral detection. Before going into these two, I would like to point out that the intrusion detection community uses two additional styles, misuse-based (i.e. signature-based) and specification-based detection, but they are not related to your question.
Anomaly detection

Definition: A two-step approach that first trains the system on data to establish some notion of normality, and then uses the established profile to flag deviations in real data.

Example: Look at some features of benign URLs, such as their length, character distribution, etc., to determine what a "regular" URL looks like. Using this notion of normality, you would then flag URLs that are far longer than a normal URL or contain too many unusual characters.
Pros:
- Can detect a potentially wide range of new attacks.

Cons:
- May miss known attacks.
- May miss new attacks if they do not stick out along the observed dimensions.
- High false positive rate (see the base rate fallacy).
- Needs clean training data (i.e. containing no attacks).
Behavioral detection

Definition: Search for evidence of compromise, not for the attack itself.

Example: monitoring shell history for `unset HISTFILE`, a command that usually only attackers use after compromising a machine.
Pros:
- Can detect a wide range of new attacks.
- Low false positives.
- Can be cheap to deploy and monitor.

Cons:
- Post facto: the attack has already taken place.
- Easy to evade once known.
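The two examples in the answer, as a small added Python illustration that is not part of the original post: an anomaly detector that learns a length and character-distribution profile from a constructed set of benign URLs and flags anything more than `k` standard deviations away, and a behavioral check that scans a constructed shell history for `unset HISTFILE`. The training URLs, the history lines, the z-score threshold and the feature names are all assumptions made for the demo.

```python
"""Toy anomaly-based vs behavioral detector (added example, constructed data)."""
import math
import re

# --- Anomaly detection: learn "normal" from benign URLs, then flag outliers ---

# Constructed benign training set (assumption: representative of normal traffic).
BENIGN_URLS = [
    "/index.html",
    "/about/team",
    "/products/list?page=2",
    "/blog/2023/05/release-notes",
    "/search?q=firewall+rules",
    "/static/css/main.css",
    "/api/v1/users/42",
    "/login",
    "/images/logo.png",
    "/docs/getting-started",
]

FEATURES = ("length", "nonalnum_frac")


def url_features(url):
    """Two simple features: URL length and the fraction of non-alphanumeric
    characters (a crude stand-in for 'character distribution')."""
    n = max(len(url), 1)
    nonalnum = sum(1 for c in url if not c.isalnum())
    return {"length": len(url), "nonalnum_frac": nonalnum / n}


def train_profile(urls):
    """Normality profile: population mean and standard deviation per feature."""
    feats = [url_features(u) for u in urls]
    profile = {}
    for name in FEATURES:
        vals = [f[name] for f in feats]
        mean = sum(vals) / len(vals)
        std = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))
        profile[name] = (mean, std)
    return profile


def anomaly_reasons(url, profile, k=3.0):
    """Names of the features lying more than k standard deviations from the
    trained mean; an empty list means the URL looks 'normal'."""
    feats = url_features(url)
    reasons = []
    for name in FEATURES:
        mean, std = profile[name]
        z = abs(feats[name] - mean) / max(std, 1e-9)  # guard zero-variance features
        if z > k:
            reasons.append(name)
    return reasons


# --- Behavioral detection: look for evidence of compromise, not the attack ---

# Constructed ~/.bash_history contents (assumption, for the demo only).
SHELL_HISTORY = """\
ls -la
cd /var/www
git pull
unset HISTFILE
cd /tmp && unset  HISTFILE
whoami
"""

# `unset HISTFILE` at line start or after a command separator, any whitespace.
UNSET_HISTFILE = re.compile(r"(^|[;&|]\s*)unset\s+HISTFILE\b")


def find_history_evasion(history_text):
    """Return (line_number, line) for every history entry that unsets HISTFILE."""
    hits = []
    for n, line in enumerate(history_text.splitlines(), 1):
        stripped = line.strip()
        if UNSET_HISTFILE.search(stripped):
            hits.append((n, stripped))
    return hits


if __name__ == "__main__":
    profile = train_profile(BENIGN_URLS)
    for url in ("/contact",
                "/?q=%27%3C%3E%22",
                "/blog/2024/01/a-very-long-article-title-about-firewalls"):
        print(url, "->", anomaly_reasons(url, profile) or "normal")
    for n, line in find_history_evasion(SHELL_HISTORY):
        print(f"history line {n}: {line!r}")
```

Running it shows both sides of the trade-off from the answer: the percent-heavy URL is flagged on character distribution alone even though its length is ordinary, while a perfectly benign long article URL is flagged on length (the false-positive cost of anomaly detection), and the history check fires only on the exact pattern it was written for, which is the "easy to evade once known" weakness of behavioral detection.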