Friday, January 8, 2010

Issues involved in anomaly-based detection techniques

1. Inadvertently including malicious activity as part of a profile is a common problem with anomaly-based IDPS (Intrusion Detection and Prevention System) products.
2. Building accurate profiles can be very challenging in some cases, because computing activity can be so complex.
3. It is often difficult for analysts to determine why a particular alert was generated, and to validate that the alert is accurate rather than a false positive, because of the complexity and number of events that may have caused it.
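
As an added illustration of issues 1 and 3 (example code written for this post, not from SP 800-94 or any IDPS product), a toy request-rate profile built from mean and standard deviation and scored with a z-score: a burst that was present while the profile was being learned gets absorbed into the baseline and stops looking anomalous, the scorer returns the baseline values an analyst needs to validate the alert, and a median/MAD screen shows how to catch such samples before trusting the training window. The sample data and all function names are constructed.

```python
from statistics import mean, median, pstdev

# Constructed sample data (not from the NIST document): requests per minute
# from one client, one value per minute, captured during profile building.
CLEAN_MINUTES = [12, 15, 11, 14, 13, 16, 12, 14, 15, 13]
# The same quiet minutes, plus a burst that happened while the profile was
# being learned and was silently absorbed into it (issue 1 above).
POISONED_MINUTES = CLEAN_MINUTES + [480, 510, 495]


def build_profile(samples):
    """Baseline profile: (mean, population stdev) of requests per minute."""
    return mean(samples), pstdev(samples)


def score(profile, observed, threshold=3.0):
    """Score one observation against the profile.

    Returns everything an analyst needs to validate the alert (issue 3):
    the observed value, the baseline it was compared to, and the z-score.
    """
    mu, sigma = profile
    z = (observed - mu) / max(sigma, 1e-9)  # guard a perfectly flat baseline
    return {
        "observed": observed,
        "baseline_mean": mu,
        "baseline_stdev": sigma,
        "z": z,
        "anomalous": z > threshold,
    }


def suspicious_training_samples(samples, cutoff=3.5):
    """Screen a training window before trusting it as a profile.

    Uses median / MAD, which a burst cannot inflate the way it inflates
    mean / stdev, so samples that should not count as 'normal' stand out.
    """
    med = median(samples)
    mad = median(abs(x - med) for x in samples) or 1e-9
    return [x for x in samples if 0.6745 * abs(x - med) / mad > cutoff]


if __name__ == "__main__":
    burst = 500
    for name, window in (("clean", CLEAN_MINUTES), ("poisoned", POISONED_MINUTES)):
        result = score(build_profile(window), burst)
        print(name, "profile:", "ALERT" if result["anomalous"] else "no alert",
              f"(z={result['z']:.1f}, mean={result['baseline_mean']:.1f})")
    print("training samples to review:", suspicious_training_samples(POISONED_MINUTES))
```

With the clean profile the 500-request minute scores far above the threshold; with the poisoned profile the same minute scores under z = 2 and raises no alert, while the MAD screen lists the three burst minutes for review.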

Source - http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
