Cyber Security Academy · Lesson

Anomaly and Behavioral Detection

Spotting unusual traffic.

Beyond Signatures

Signatures catch known threats. They are blind to novel malware, zero-days, and custom tooling that no one has fingerprinted yet. Anomaly and behavioral detection fills that gap by flagging traffic that deviates from normal.

The premise: even unknown attacks leave behavioral traces. An adversary may evade every signature yet still beacon on an odd interval, move data at an unusual hour, or scan internal hosts.
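Of the traces listed above, beaconing is the most mechanical to test for: a callback that fires on a fixed timer produces inter-arrival gaps with very low spread, while human-driven connections do not. The script below is an added example, not part of the lesson; the connection timestamps are constructed, and the eight-connection minimum and 0.2 coefficient-of-variation threshold are illustrative assumptions.

```python
"""Flag source/destination pairs whose connection timing looks timer-driven.

Added example (not the lesson's code). Input is a list of
(src, dst, start_time_seconds) tuples; the sample below is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# Constructed sample:
#  - 10.0.0.5 -> 203.0.113.7 connects every ~60 s with a second or two of jitter
#  - 10.0.0.9 -> 198.51.100.2 connects at irregular, human-paced intervals
SAMPLE_CONNECTIONS: List[Tuple[str, str, float]] = (
    [("10.0.0.5", "203.0.113.7", 60.0 * i + jitter)
     for i, jitter in enumerate([0.0, 1.2, -0.8, 0.4, 1.9, -1.1, 0.6, 0.0, -0.3, 1.5])]
    + [("10.0.0.9", "198.51.100.2", float(t))
       for t in [0, 3, 45, 47, 52, 190, 410, 415, 600, 2400]]
)


def inter_arrivals(timestamps: List[float]) -> List[float]:
    """Gaps between consecutive connection start times, in seconds."""
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def periodicity(timestamps: List[float],
                min_connections: int = 8) -> Optional[Tuple[float, float]]:
    """Return (mean gap, coefficient of variation) or None if too few samples.

    A low coefficient of variation (std dev / mean) means the gaps are nearly
    constant, which is what a fixed-interval beacon looks like.
    """
    if len(timestamps) < min_connections:
        return None
    gaps = inter_arrivals(timestamps)
    mu = mean(gaps)
    if mu <= 0:
        return None
    return mu, pstdev(gaps) / mu


def find_beacon_candidates(connections: List[Tuple[str, str, float]],
                           cv_threshold: float = 0.2,
                           min_connections: int = 8) -> Dict[Tuple[str, str], dict]:
    """Group connections per (src, dst) and report pairs with timer-like gaps."""
    by_pair: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for src, dst, ts in connections:
        by_pair[(src, dst)].append(ts)

    candidates = {}
    for pair, ts in by_pair.items():
        result = periodicity(ts, min_connections)
        if result is None:
            continue
        period, cv = result
        if cv < cv_threshold:
            candidates[pair] = {"period_s": round(period, 1), "cv": round(cv, 3)}
    return candidates


if __name__ == "__main__":
    for pair, stats in find_beacon_candidates(SAMPLE_CONNECTIONS).items():
        print(f"{pair[0]} -> {pair[1]}: period ~{stats['period_s']} s, cv={stats['cv']}")
```

Only the 60-second pair is reported; the irregular pair has a coefficient of variation well above 1. The threshold is the tuning knob: implants that randomise their sleep interval spread the gaps out and raise the coefficient, so in practice this check is paired with the volume and destination baselines described in the next section rather than used alone.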

Establishing a Baseline

Anomaly detection requires a model of normal. You build a baseline over time, profiling things like:

  • Which hosts talk to which, and on what ports
  • Typical bytes-per-flow and connection durations
  • Normal volumes by hour and day of week
  • Expected protocols per segment

The baseline must be learned from clean traffic over a representative period; a baseline built during an active compromise bakes the attack into normal.
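A minimal version of such a baseline, and the deviation checks it enables, as an added example that is not the lesson's code: flows are constructed records with src, dst, dport, bytes and hour fields, and the z-score threshold of 3 and the three-sample minimum are assumptions. The last step illustrates the point about clean training data: the same transfer that a clean baseline flags scores as normal once it has been learned as part of normal.

```python
"""Learn a traffic baseline from clean flow records and score new flows against it.

Added example (not the lesson's code). Flow records are constructed dicts with
keys src, dst, dport, bytes, hour (0-23). Thresholds are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# Constructed "clean" flows: a workstation using the web proxy and a file share
# during business hours, and an app server talking to its database.
CLEAN_FLOWS: List[dict] = (
    [{"src": "10.0.1.20", "dst": "10.0.0.8", "dport": 3128, "bytes": b, "hour": h}
     for b, h in [(4200, 9), (5100, 9), (3900, 10), (4700, 11),
                  (6100, 13), (4400, 14), (5300, 16), (4000, 17)]]
    + [{"src": "10.0.1.20", "dst": "10.0.0.12", "dport": 445, "bytes": b, "hour": h}
       for b, h in [(120000, 9), (98000, 12), (150000, 15), (110000, 17)]]
    + [{"src": "10.0.2.5", "dst": "10.0.0.30", "dport": 5432, "bytes": b, "hour": h}
       for b, h in [(8000, 8), (8200, 10), (7900, 12), (8100, 14), (8300, 16), (7800, 18)]]
)

# Constructed flows to score against the baseline.
NEW_FLOWS: Dict[str, dict] = {
    "normal_browsing": {"src": "10.0.1.20", "dst": "10.0.0.8", "dport": 3128,
                        "bytes": 4600, "hour": 10},
    "large_night_transfer": {"src": "10.0.1.20", "dst": "10.0.0.12", "dport": 445,
                             "bytes": 900000, "hour": 3},
    "new_ssh_to_server": {"src": "10.0.1.20", "dst": "10.0.2.5", "dport": 22,
                          "bytes": 3000, "hour": 11},
}


@dataclass
class Baseline:
    """What 'normal' looks like: who talks to whom, typical sizes, active hours."""
    pairs: Set[Tuple[str, str, int]] = field(default_factory=set)
    bytes_by_port: Dict[int, List[int]] = field(default_factory=lambda: defaultdict(list))
    flows_by_hour: Dict[int, int] = field(default_factory=lambda: defaultdict(int))

    @classmethod
    def learn(cls, flows: List[dict]) -> "Baseline":
        baseline = cls()
        for f in flows:
            baseline.pairs.add((f["src"], f["dst"], f["dport"]))
            baseline.bytes_by_port[f["dport"]].append(f["bytes"])
            baseline.flows_by_hour[f["hour"]] += 1
        return baseline

    def score(self, flow: dict, z_threshold: float = 3.0,
              min_samples: int = 3) -> List[str]:
        """Return the list of ways this flow deviates from the baseline."""
        reasons: List[str] = []

        # 1. Never-seen (source, destination, port) combination.
        if (flow["src"], flow["dst"], flow["dport"]) not in self.pairs:
            reasons.append("new-host-pair-port")

        # 2. Bytes-per-flow far outside what this port normally carries.
        sample = self.bytes_by_port.get(flow["dport"], [])
        if len(sample) >= min_samples:
            mu, sd = mean(sample), pstdev(sample)
            if sd > 0 and abs(flow["bytes"] - mu) / sd > z_threshold:
                reasons.append("bytes-outlier")

        # 3. Activity in an hour that carried no traffic during learning.
        if self.flows_by_hour.get(flow["hour"], 0) == 0:
            reasons.append("off-hours")

        return reasons


if __name__ == "__main__":
    clean = Baseline.learn(CLEAN_FLOWS)
    for name, flow in NEW_FLOWS.items():
        print(f"{name:22s} {clean.score(flow)}")

    # A baseline learned while the large transfer was already happening
    # treats that transfer as normal: it is no longer flagged.
    poisoned = Baseline.learn(CLEAN_FLOWS + [NEW_FLOWS["large_night_transfer"]])
    print("poisoned baseline:", poisoned.score(NEW_FLOWS["large_night_transfer"]))
```

With the clean baseline, the proxy request scores empty, the 900 KB transfer at 03:00 is flagged as both a size outlier and off-hours, and the first SSH connection from the workstation to the app server is flagged as a new pairing. Adding that one transfer to the training set moves the port-445 mean and spread enough that its z-score drops below 3, and hour 3 becomes an active hour, so the poisoned baseline reports nothing. Real deployments keep far more features per flow, but the failure mode is the same.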

All lessons in this course

  1. IDS vs IPS Concepts
  2. Signature Rules with Snort and Suricata
  3. Anomaly and Behavioral Detection
  4. Tuning and Deployment