oasis-tcs / openc2-ap-ids

OASIS OpenC2 TC: developing a concise and extensible language to enable the command and control of cyber defense components. https://github.com/oasis-tcs/openc2-ap-ids

IDS - signature or behavior or both? #2

Open sparrell opened 4 years ago

Vasileios-Mavroeidis commented 4 years ago

Maybe the exact scope can be defined after we have something close to a first draft. We can start enriching the doc with signature-based IDS in mind, and then we can identify what it would entail to include behavioral capability, or whether it would be better to have a separate IDS AP for behavior-based IDS / anomaly detection.

alevere commented 4 years ago

Not surprisingly, I also agree with the above comment. I think it is too early to decide on this item. We need more concrete examples and use cases before I think I will be able to form a good opinion on this item. Right now, I would not preclude either type of detection. I will note that over the years, a lot of detection has moved more towards heuristics or machine learning.