A question for user behavior profile based IDS

From: fengli (lfeng@sei.xjtu.edu.cn)
Date: 03/27/02

From: "fengli" <lfeng@sei.xjtu.edu.cn>
To: "Focus-Ids" <focus-ids@securityfocus.com>
Date: Wed, 27 Mar 2002 21:43:15 +0800

  Hi all !
   I am doing the research about HIDS .and I want to analyze the user's behavior to get the their normal profiles .If the intruders or masqueraders' behavior deviate from the normal profiles then we can capture it !
   my question is How can we get the deviation ? Many years ago Sri co. put forward the "chi-square" (statistics methods) to mesure it in the NIDES. Does it really work?
   and by the way whether the research of user behavior profile based IDS is promising or not? and can you give me the advice for the promising methods for it?
  Any discussion or advice is appreciated!