A deviation from the specification of a communications protocol; for example, an HTTP request with an unrecognized method, an overlong URI, or two conflicting Content-Length headers. A protocol-anomaly intrusion detection system (IDS) models what the protocol standard allows and flags traffic that departs from it. This lets it identify attacks without knowing the actual pattern (signature) of the malware or exploit; matching known signatures is the traditional antivirus/anti-malware approach. The two techniques complement each other: a well-formed request carrying a known payload is caught only by a signature, while a malformed probe for an unknown bug is caught only as an anomaly. With well-understood, tightly specified protocols, legitimate traffic rarely deviates from the standard, so protocol-anomaly detection produces few false positives. With poorly understood or very complex protocols, or with extensions the detector does not model, legitimate traffic deviates often, and an anomaly alert may easily be a false positive. See
IDS,
signature,
antivirus program and
protocol.
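As an added example, not part of the original entry and not the rule set of any real IDS: a simplified protocol-anomaly detector for HTTP/1.1 request heads, written for this page in Python, beside a signature check for contrast. The grammar is a hand-written subset of RFC 7230, the sample requests are constructed, and the names (protocol_anomalies, signature_hits, KNOWN_METHODS, MAX_URI_LEN) are this example's own assumptions. It shows both halves of the entry: a well-formed path-traversal request passes the protocol check and is caught only by the signature, an overlong URI and duplicate Content-Length headers are caught as anomalies with no signature, and a legitimate WebDAV PROPFIND becomes a false positive as soon as the detector is stricter than the protocol actually in use.

```python
import re

# Simplified subset of the RFC 7230 grammar for an HTTP/1.1 request head.
# Hypothetical illustration for this page, not any product's rule set.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
REQUEST_LINE = re.compile(rf"^({TCHAR}+) (\S+) HTTP/(\d)\.(\d)$")
HEADER_LINE = re.compile(rf"^({TCHAR}+):[ \t]*(.*?)[ \t]*$")
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT", "PATCH"}
MAX_URI_LEN = 2048  # assumed local policy limit, not an RFC value

# Signature-based detection, for contrast: a pattern for one specific known probe.
SIGNATURES = {"path-traversal": re.compile(r"(\.\./){2,}")}


def protocol_anomalies(raw: str, strict: bool = False) -> list[str]:
    """Return the protocol deviations found in one raw HTTP request head.

    strict=True additionally treats any method outside KNOWN_METHODS as an
    anomaly; that is where false positives on legitimate extensions come from.
    """
    findings = []
    lines = raw.replace("\r\n", "\n").split("\n")
    # The head ends at the first empty line; the body is not modelled here.
    if "" in lines:
        lines = lines[:lines.index("")]
    if not lines:
        return ["empty request"]
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return ["malformed request line: %r" % lines[0][:40]]
    method, target, major, minor = m.groups()
    if (major, minor) not in {("1", "0"), ("1", "1")}:
        findings.append(f"unsupported version HTTP/{major}.{minor}")
    if strict and method not in KNOWN_METHODS:
        findings.append(f"unknown method {method}")
    if len(target) > MAX_URI_LEN:
        findings.append(f"request-target length {len(target)} exceeds {MAX_URI_LEN}")
    if method != "CONNECT" and not (target.startswith("/") or target == "*" or "://" in target):
        findings.append(f"request-target not in origin/absolute form: {target[:40]!r}")
    seen: dict[str, list[str]] = {}
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if not h:
            findings.append(f"malformed header line: {line[:40]!r}")
            continue
        name, value = h.group(1).lower(), h.group(2)
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            findings.append(f"control characters in {name} value")
        seen.setdefault(name, []).append(value)
    if len(seen.get("content-length", [])) > 1:
        findings.append("multiple Content-Length headers (request smuggling indicator)")
    if "content-length" in seen and "transfer-encoding" in seen:
        findings.append("both Content-Length and Transfer-Encoding present")
    return findings


def signature_hits(raw: str) -> list[str]:
    """Signature-based check, for contrast: matches only known payload patterns."""
    return [name for name, pat in SIGNATURES.items() if pat.search(raw)]


# Constructed sample traffic for this example (not captured from any real system).
SAMPLES = {
    "normal": "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # Well-formed at the protocol level, so only the signature sees it.
    "traversal": "GET /../../../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # Overlong target, a classic overflow probe; no signature needed.
    "overlong": "GET /" + "A" * 5000 + " HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # Duplicate Content-Length: a request-smuggling indicator.
    "smuggle": ("POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                "Content-Length: 4\r\nContent-Length: 10\r\n\r\nAAAA"),
    # Legitimate WebDAV request: flagged only by the strict method check.
    "webdav": "PROPFIND /dav/ HTTP/1.1\r\nHost: example.test\r\nDepth: 1\r\n\r\n",
}


def analyse(strict: bool = False) -> dict[str, tuple[list[str], list[str]]]:
    """Run both detectors over SAMPLES; returns {name: (anomalies, signature hits)}."""
    return {n: (protocol_anomalies(r, strict), signature_hits(r)) for n, r in SAMPLES.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"strict={mode}")
        for name, (anoms, sigs) in analyse(mode).items():
            print(f"  {name:10s} anomalies={anoms} signatures={sigs}")
```

Running it with strict=False flags only "overlong" and "smuggle"; with strict=True the WebDAV request is also reported, which is the false positive the entry warns about: the detector's model of the protocol was narrower than the protocol the server legitimately speaks.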