Anomaly-based intrusion detection system

The classification is based on heuristics or rules, rather than patterns or signatures, and attempts to detect any type of misuse that falls outside normal system operation.

Another method is to define what normal usage of the system comprises using a strict mathematical model, and flag any deviation from this as an attack.

[2] Network-based anomalous intrusion detection systems often provide a second line of defense to detect anomalous traffic at the physical and network layers after it has passed through a firewall or other security appliance on the border of a network.

Host-based anomalous intrusion detection systems are one of the last layers of defense and reside on computer endpoints.

[4] Anomaly-based intrusion detection at both the network and host levels has a few shortcomings, namely a high false-positive rate and the ability to be fooled by a correctly delivered attack.
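The following added example (not part of the original article) illustrates both the "mathematical model of normal usage" approach and the false-positive shortcoming described above. It assumes a single metric, connections per minute from one host, models normal as median plus scaled median absolute deviation, and uses constructed sample data; all names and values are hypothetical.

```python
import statistics

# Constructed training data: connections per minute during known-good operation.
BASELINE = [42, 38, 45, 40, 44, 39, 41, 43, 37, 46, 40, 42, 44, 41, 39, 43]
# Constructed observation window: (value, is_actually_malicious).
OBSERVED = [
    (41, False), (44, False),
    (58, False),   # legitimate burst, e.g. a scheduled backup job
    (39, False),
    (52, True),    # malicious activity whose volume stays close to normal
    (240, True),   # malicious activity far outside normal volume
    (43, False), (36, False), (47, False),
]

def fit(baseline):
    """Model 'normal' as (median, scaled MAD); robust to stray outliers in training."""
    med = statistics.median(baseline)
    mad = statistics.median([abs(x - med) for x in baseline])
    if mad == 0:
        raise ValueError("baseline has no spread; cannot define a deviation scale")
    return med, 1.4826 * mad  # 1.4826 makes MAD comparable to a standard deviation

def score(value, model):
    """Distance from normal, in robust standard-deviation units."""
    med, scale = model
    return abs(value - med) / scale

def evaluate(observed, model, threshold):
    """Return (alerted_values, false_positives, missed_attacks) at a threshold."""
    alerts = [v for v, _ in observed if score(v, model) > threshold]
    fp = sum(1 for v, bad in observed if not bad and score(v, model) > threshold)
    missed = sum(1 for v, bad in observed if bad and score(v, model) <= threshold)
    return alerts, fp, missed

MODEL = fit(BASELINE)

if __name__ == "__main__":
    # Sweep the threshold to show the trade-off an operator has to tune.
    for threshold in (1.5, 3.0, 6.0):
        alerts, fp, missed = evaluate(OBSERVED, MODEL, threshold)
        print(f"threshold={threshold}: alerts={alerts} "
              f"false_positives={fp} missed={missed}")
```

Raising the threshold far enough to silence the legitimate burst also hides the low-volume malicious sample, which is why anomaly scores are usually correlated with other signals rather than tuned in isolation.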