Which type of detection focuses on anomalies in the protocol layer to identify flaws in a TCP/IP deployment?

Prepare for the Certified Ethical Hacker Version 11 Exam. Study with comprehensive questions and explanations. Equip yourself with the skills needed for success!

Multiple Choice

Which type of detection focuses on anomalies in the protocol layer to identify flaws in a TCP/IP deployment?

Explanation:
Protocol Anomaly Detection focuses on how TCP/IP messages adhere to the rules of the protocol and how protocol-level sequences, header fields, and state transitions should behave. By examining the correctness of packet structures and the flow of communications, it can spot deviations such as a malformed TCP handshake, invalid flag combinations, out-of-order or duplicate packets, or unusual IP options. These anomalies point to deployment flaws or protocol misuse that aren’t easily caught by generic anomaly checks or by signature-based systems. In contrast, general anomaly detection is broader and not limited to protocol behavior, signature recognition looks for known attack patterns, and “network intrusions” is a broad term for unauthorized access rather than a protocol-specific detection method.
