Network baselining, identifying anomalies

NETWORK BASELINE

A network baseline is a documented record of the normal operating conditions of a network. It serves as a reference point for identifying abnormal behavior, troubleshooting issues, and enhancing security.

A network anomaly is any deviation from the baseline or expected behavior.


 

PURPOSE OF NETWORK BASELINE

Objective               Description
----------------------  ---------------------------------------------------------------------
Monitor network health  Understand typical traffic patterns and performance levels
Detect anomalies        Compare current activity to normal behavior to spot issues or attacks
Troubleshoot faster     Identify deviations during outages or performance degradation
Plan capacity           Use baseline data to plan upgrades and avoid congestion
Enhance security        Spot unusual logins, port scans, or data exfiltration

 

COMPONENTS OF A NETWORK BASELINE

Component             Description
--------------------  -------------------------------------------------------------------------
Bandwidth usage       Average, peak, and off-peak bandwidth levels
Traffic volume        Normal number of packets and bytes per second
Protocols in use      Common protocols (e.g., HTTP, HTTPS, DNS, SSH, SMB)
Port activity         Regularly used TCP/UDP ports
Top talkers           IPs that generate or receive the most traffic
Latency & jitter      Acceptable delay and variation in delay (important for VoIP and video)
Error rates           Normal level of packet loss, retransmissions, or CRC errors
Device behavior       Expected traffic patterns for servers, clients, printers, etc.
Login times & access  Typical user login times, frequency, and accessed resources



 

BUILDING A NETWORK BASELINE

1. Data Collection

  • Use tools like Wireshark, NetFlow, sFlow, or packet analyzers.
  • Capture data over time (days/weeks) to establish normal behavior.

2. Analyze Trends

  • Measure average and peak bandwidth usage.
  • Identify regular communication patterns (e.g., scheduled backups).
  • Track the most common protocols and services.

3. Document Findings

  • Record baseline metrics.
  • Store securely for comparisons over time.
  • Update regularly (quarterly or after major network changes).

Fig: Network Baseline Tool
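The three steps above, carried out on flow records, as an added example that is not part of the original notes. The flow records are constructed, and their field layout (timestamp in seconds, source IP, destination IP, protocol, destination port, bytes) is an assumption standing in for a NetFlow or sFlow export. The figures it records are the components listed earlier: mean, deviation and peak bytes per window, the service mix, the top talkers, and the set of hosts seen during the collection period.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed flow records standing in for a NetFlow/sFlow export (not a real capture):
# (t_seconds, src_ip, dst_ip, proto, dst_port, bytes)
SAMPLE_FLOWS = [
    (0,   "10.0.0.5", "10.0.0.53",     "UDP", 53,  200),
    (5,   "10.0.0.5", "198.51.100.20", "TCP", 443, 8000),
    (30,  "10.0.0.7", "10.0.0.10",     "TCP", 445, 18800),
    (70,  "10.0.0.5", "10.0.0.53",     "UDP", 53,  200),
    (75,  "10.0.0.7", "198.51.100.20", "TCP", 443, 9000),
    (100, "10.0.0.7", "10.0.0.10",     "TCP", 445, 20800),
    (125, "10.0.0.5", "10.0.0.10",     "TCP", 22,  3000),
    (140, "10.0.0.5", "198.51.100.20", "TCP", 443, 7000),
    (160, "10.0.0.7", "10.0.0.10",     "TCP", 445, 20000),
    (190, "10.0.0.7", "10.0.0.53",     "UDP", 53,  200),
    (200, "10.0.0.7", "10.0.0.10",     "TCP", 445, 19000),
    (230, "10.0.0.5", "198.51.100.20", "TCP", 443, 7800),
]


def bytes_per_window(flows, window=60):
    """Total bytes in each fixed-length window; the basis for bandwidth and volume figures."""
    totals = defaultdict(int)
    for t, _src, _dst, _proto, _port, nbytes in flows:
        totals[(t // window) * window] += nbytes
    return dict(sorted(totals.items()))


def build_baseline(flows, window=60, top_n=3):
    """Step 2: reduce the collected flows to the metrics the baseline document records."""
    per_window = list(bytes_per_window(flows, window).values())
    sent = Counter()
    for _t, src, _dst, _proto, _port, nbytes in flows:
        sent[src] += nbytes
    return {
        "window_seconds": window,
        "bytes_mean": mean(per_window),
        "bytes_std": pstdev(per_window),
        "peak_bytes": max(per_window),
        # (protocol, port) pairs and how often each was seen: the normal service mix
        "services": Counter((p, port) for _t, _s, _d, p, port, _b in flows),
        "top_talkers": sent.most_common(top_n),
        "known_hosts": sorted({ip for _t, s, d, _p, _port, _b in flows for ip in (s, d)}),
    }


def format_baseline(b):
    """Step 3: render the baseline as text so it can be stored and compared later."""
    lines = [
        f"window: {b['window_seconds']} s",
        f"bytes/window: mean {b['bytes_mean']:.0f}, std {b['bytes_std']:.0f}, peak {b['peak_bytes']}",
        "services: " + ", ".join(f"{p}/{port} x{n}" for (p, port), n in b["services"].most_common()),
        "top talkers: " + ", ".join(f"{ip} ({n} B)" for ip, n in b["top_talkers"]),
        "known hosts: " + ", ".join(b["known_hosts"]),
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_baseline(build_baseline(SAMPLE_FLOWS)))
```

On a real export the capture would span days or weeks rather than four minutes, and the per-window statistics would usually be kept per hour of day or per weekday so that scheduled activity such as backups is part of the baseline rather than a deviation from it.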



 

IDENTIFYING ANOMALIES IN NETWORK SECURITY

A network anomaly is any deviation from the baseline or expected behavior.

COMMON TYPES OF ANOMALIES

Anomaly Type         Description                                   Example
-------------------  --------------------------------------------  ------------------------------------
Traffic Spike        Sudden increase in traffic                    DDoS attack
Protocol Misuse      Unexpected protocols or ports                 FTP traffic on port 443
Unauthorized Access  New devices or users accessing the network    Rogue device or insider threat
Beaconing Behavior   Repetitive connections to an external server  Malware C2 (command and control)
Data Exfiltration    Large outbound transfers of sensitive data    Uploading to Dropbox or Google Drive
Lateral Movement     Internal system scanning                      Attacker moving laterally in network
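To show how each anomaly type in the table becomes a concrete check against a recorded baseline, here is an added example that is not part of the original notes. The baseline values, the observed flows and the thresholds are all constructed; the flow layout (timestamp in seconds, source IP, destination IP, protocol, destination port, bytes) is an assumed stand-in for NetFlow or sFlow records. Flow records carry only protocol and port, so the protocol-misuse rule flags (protocol, port) pairs that never appeared during baselining; recognising FTP carried on port 443, the table's example, needs application-layer identification of the kind Wireshark or an IDS provides.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical baseline, as it would be recorded in the baseline document
BASELINE = {
    "window_seconds": 60,
    "bytes_mean": 28500,     # mean bytes per 60 s window during baselining
    "bytes_std": 1500,       # standard deviation of that figure
    "services": {("UDP", 53), ("TCP", 443), ("TCP", 445), ("TCP", 22)},
    "known_hosts": {"10.0.0.5", "10.0.0.7", "10.0.0.10", "10.0.0.53",
                    "10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14", "10.0.0.15"},
    "internal_prefix": "10.0.0.",
}

# Alert thresholds (illustrative); raise one if its rule proves noisy against the baseline
Z_SPIKE = 3.0            # window total more than 3 std devs above the mean
BEACON_MIN_CONNS = 4     # connections to one external host before periodicity is checked
BEACON_MAX_JITTER = 0.2  # pstdev/mean of inter-arrival gaps at or below this => periodic
EXFIL_BYTES = 200_000    # outbound bytes to one external host within the capture
LATERAL_MIN_PEERS = 5    # distinct internal peers contacted by one internal host

# Constructed observation window (not real traffic):
# (t_seconds, src_ip, dst_ip, proto, dst_port, bytes)
OBSERVED = [
    (0,   "10.0.0.5", "203.0.113.10", "TCP", 443, 500),     # same host every 60 s
    (30,  "10.0.0.7", "203.0.113.20", "TCP", 443, 150000),  # large upload
    (60,  "10.0.0.5", "203.0.113.10", "TCP", 443, 500),
    (90,  "10.0.0.7", "203.0.113.20", "TCP", 443, 100000),
    (120, "10.0.0.5", "203.0.113.10", "TCP", 443, 500),
    (140, "10.0.0.5", "10.0.0.10",    "TCP", 21,  2000),    # service absent from baseline
    (180, "10.0.0.5", "203.0.113.10", "TCP", 443, 500),
    (240, "10.0.0.5", "203.0.113.10", "TCP", 443, 500),
] + [  # an address not in the baseline touching five internal peers in quick succession
    (130 + i, "10.0.0.99", f"10.0.0.1{i + 1}", "TCP", 445, 100) for i in range(5)
]


def is_internal(ip, baseline=BASELINE):
    return ip.startswith(baseline["internal_prefix"])


def detect_spikes(flows, baseline=BASELINE):
    """Window start times whose byte total sits far above the baseline mean (traffic spike)."""
    w = baseline["window_seconds"]
    totals = defaultdict(int)
    for t, _s, _d, _p, _port, nbytes in flows:
        totals[(t // w) * w] += nbytes
    z = lambda total: (total - baseline["bytes_mean"]) / baseline["bytes_std"]
    return sorted(start for start, total in totals.items() if z(total) > Z_SPIKE)


def detect_unknown_services(flows, baseline=BASELINE):
    """(protocol, port) pairs never seen while baselining (protocol misuse)."""
    return {(p, port) for _t, _s, _d, p, port, _b in flows} - baseline["services"]


def detect_new_hosts(flows, baseline=BASELINE):
    """Internal addresses absent from the baseline (unauthorized access)."""
    seen = {ip for _t, s, d, _p, _port, _b in flows for ip in (s, d)}
    return {ip for ip in seen if is_internal(ip, baseline)} - baseline["known_hosts"]


def detect_beacons(flows, baseline=BASELINE):
    """(src, dst) pairs where an internal host reaches one external host at near-constant intervals."""
    times = defaultdict(list)
    for t, s, d, _p, _port, _b in flows:
        if is_internal(s, baseline) and not is_internal(d, baseline):
            times[(s, d)].append(t)
    beacons = []
    for pair, ts in times.items():
        if len(ts) < BEACON_MIN_CONNS:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= BEACON_MAX_JITTER:
            beacons.append(pair)
    return beacons


def detect_exfiltration(flows, baseline=BASELINE):
    """(src, dst, bytes) where outbound volume to one external host reaches the threshold."""
    out = defaultdict(int)
    for _t, s, d, _p, _port, nbytes in flows:
        if is_internal(s, baseline) and not is_internal(d, baseline):
            out[(s, d)] += nbytes
    return [(s, d, n) for (s, d), n in out.items() if n >= EXFIL_BYTES]


def detect_lateral_movement(flows, baseline=BASELINE):
    """Internal hosts that contact many distinct internal peers (internal scanning)."""
    peers = defaultdict(set)
    for _t, s, d, _p, _port, _b in flows:
        if is_internal(s, baseline) and is_internal(d, baseline):
            peers[s].add(d)
    return sorted(s for s, ds in peers.items() if len(ds) >= LATERAL_MIN_PEERS)


def run_checks(flows, baseline=BASELINE):
    """Run every rule and return {anomaly type: findings}."""
    return {"traffic_spike": detect_spikes(flows, baseline),
            "protocol_misuse": detect_unknown_services(flows, baseline),
            "unauthorized_access": detect_new_hosts(flows, baseline),
            "beaconing": detect_beacons(flows, baseline),
            "data_exfiltration": detect_exfiltration(flows, baseline),
            "lateral_movement": detect_lateral_movement(flows, baseline)}


if __name__ == "__main__":
    for kind, hits in run_checks(OBSERVED).items():
        print(f"{kind:20s} {hits or '-'}")
```

Each rule answers one row of the table, and each finding is only a deviation from the baseline, not proof of an attack: a large upload may be a legitimate backup and a periodic connection may be a software update check, so the findings are the starting point for correlation with logs rather than alerts in their own right. The thresholds at the top are where noise is controlled; a baseline that already contains periodic traffic or large transfers is the evidence for raising them.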

 

TOOLS FOR ANOMALY DETECTION

Tool/Technique             Function
-------------------------  ----------------------------------------------
IDS/IPS (Snort, Suricata)  Detects known attack signatures and anomalies
SIEM (Splunk, QRadar)      Correlates logs and alerts
NetFlow/Flow Logs          Tracks traffic patterns across the network
Machine Learning           Learns baseline, flags deviations
Wireshark                  Manual protocol analysis

 

BEST PRACTICES FOR ANOMALY DETECTION

  • Regularly update your baseline.
  • Combine signature-based and anomaly-based detection.
  • Use alert thresholds to reduce noise.
  • Correlate anomalies with logs for context.
  • Educate staff on recognizing suspicious behavior.