Network baselining, identifying anomalies
NETWORK BASELINE
A network baseline is a documented record of the normal operating conditions of a network. It serves as a reference point for identifying abnormal behavior, troubleshooting issues, and enhancing security.
PURPOSES OF A NETWORK BASELINE
| Objective              | Description                                                                    |
| Monitor network health | Understand typical traffic patterns and performance levels                     |
| Detect anomalies       | Compare current activity to normal behavior to spot faults or attacks          |
| Troubleshoot faster    | Identify what deviated from normal during outages or performance degradation   |
| Plan capacity          | Use baseline trends to schedule upgrades and avoid congestion                  |
| Enhance security       | Spot unusual logins, port scans, or data exfiltration                          |
COMPONENTS OF A NETWORK BASELINE
| Component           | Description                                                                      |
| Bandwidth usage     | Average, peak, and off-peak bandwidth levels                                     |
| Traffic volume      | Normal number of packets and bytes per second                                    |
| Protocols in use    | Common protocols (e.g., HTTP, HTTPS, DNS, SSH, SMB) and their share of traffic   |
| Port activity       | Regularly used TCP/UDP ports, i.e. the set of services normally offered or used  |
| Top talkers         | IPs that generate or receive the most traffic                                    |
| Latency & jitter    | Acceptable delay and variation in delay (important for VoIP and video)           |
| Error rates         | Normal level of packet loss, retransmissions, or CRC errors                      |
| Device behavior     | Expected traffic patterns for servers, clients, printers, etc.                   |
| Login times & access| Typical user login times, frequency, and accessed resources                      |
BUILDING A NETWORK BASELINE
1. Data Collection
- Capture packets with Wireshark or tcpdump where detail is needed, and collect flow records (NetFlow, sFlow, IPFIX, cloud VPC flow logs) for coverage across the whole network.
- Capture over enough time (days to weeks, covering weekends, month-end and other business cycles) to establish what is normal.
- Start from a period you have reason to believe was clean; a baseline recorded while an intrusion is under way treats the attacker's traffic as normal.
2. Analyze Trends
- Average, peak and off-peak bandwidth usage, and its spread (standard deviation), which later sets alert thresholds.
- Regular communication patterns (e.g., scheduled backups, patch downloads, replication).
- Most common protocols, services (protocol/port pairs) and top talkers.
3. Document Findings
- Record the baseline metrics together with the collection period and method.
- Store them securely and version them so past baselines can be compared.
- Update regularly (quarterly or after major network changes).
Fig: Network Baseline Tool
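The three steps above carried through on flow records, as an added example that is not part of the original notes. It assumes flows with the fields a NetFlow/IPFIX exporter provides (timestamp, source, destination, protocol, destination port, bytes); the sample records, the 60-second bucket size and the hypothetical host addresses are constructed for illustration.

```python
"""Build a network baseline from flow records (added example, not from the notes)."""
import json
import statistics
from collections import Counter, defaultdict

# Constructed flow records: (ts seconds, src, dst, proto, dport, bytes).
# A real collector would hand you NetFlow/IPFIX/sFlow records spanning days or weeks.
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "10.0.0.2", "udp", 53, 100),
    (10, "10.0.0.5", "93.184.216.34", "tcp", 443, 30_000),
    (20, "10.0.0.6", "10.0.0.2", "udp", 53, 100),
    (30, "10.0.0.6", "93.184.216.34", "tcp", 443, 20_000),
    (70, "10.0.0.5", "10.0.0.3", "tcp", 445, 5_000),
    (90, "10.0.0.7", "10.0.0.3", "tcp", 22, 800),
    (130, "10.0.0.6", "93.184.216.34", "tcp", 443, 10_000),
    (150, "10.0.0.5", "10.0.0.2", "udp", 53, 100),
]


def build_baseline(flows, bucket_seconds=60, top_n=3):
    """Step 2: turn raw flows into the baseline components from the table above."""
    per_bucket = defaultdict(int)          # bytes observed per time bucket
    protocols, services, talkers = Counter(), Counter(), Counter()
    hosts = set()
    for ts, src, dst, proto, dport, nbytes in flows:
        per_bucket[ts // bucket_seconds] += nbytes
        protocols[proto] += 1
        services[f"{proto}/{dport}"] += 1  # protocol/port pair = a "service"
        talkers[src] += nbytes             # bytes sent or received by each host
        talkers[dst] += nbytes
        hosts.update((src, dst))
    volumes = [per_bucket[b] for b in sorted(per_bucket)]  # one entry per observed bucket
    mean_bytes = statistics.mean(volumes)
    return {
        "bucket_seconds": bucket_seconds,
        "avg_bps": mean_bytes * 8 / bucket_seconds,
        "peak_bps": max(volumes) * 8 / bucket_seconds,
        # spread of per-bucket volume; later used to set alert thresholds
        "bucket_stdev_bytes": statistics.pstdev(volumes),
        "protocols": dict(protocols),
        "services": dict(services),
        "top_talkers": talkers.most_common(top_n),
        "hosts": sorted(hosts),
    }


def document_baseline(baseline, period="constructed sample", method="flow records"):
    """Step 3: serialize the metrics with their provenance so they can be versioned."""
    record = {"collection_period": period, "method": method, "metrics": baseline}
    return json.dumps(record, indent=2)


if __name__ == "__main__":
    print(document_baseline(build_baseline(SAMPLE_FLOWS)))
```

The JSON produced by `document_baseline` is what you keep in version control and diff against the next quarter's run; the `bucket_stdev_bytes` value is the spread that a later threshold check (mean plus a few standard deviations) is built on.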
IDENTIFYING ANOMALIES IN NETWORK SECURITY
A network anomaly is any deviation from the baseline or expected behavior. Not every anomaly is an attack (a newly scheduled backup job is one too), so each should be investigated and explained rather than assumed malicious.
COMMON TYPES OF ANOMALIES
| Anomaly Type        | Description                                                          | Example                                        |
| Traffic spike       | Sudden increase in traffic volume well above the baseline            | DDoS attack                                    |
| Protocol misuse     | Unexpected protocols or ports, or a protocol on the wrong port       | FTP traffic on port 443                        |
| Unauthorized access | New devices or users appearing on the network                        | Rogue device or insider threat                 |
| Beaconing behavior  | Repeated connections to one external server at regular intervals     | Malware C2 (command and control)               |
| Data exfiltration   | Unusually large outbound transfers of sensitive data                 | Bulk uploads to Dropbox or Google Drive        |
| Lateral movement    | One internal host scanning or connecting to many internal systems    | Attacker moving laterally through the network  |
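A check for each anomaly type in the table, run over one observation window of flow records against a stored baseline, as an added example that is not part of the original notes. The baseline dictionary, the flow records, the 10.0.0.0/8 internal range and the thresholds (three standard deviations for volume, five connections with under 20% interval jitter for a beacon, five distinct internal targets for fan-out) are constructed assumptions, not values from the page.

```python
"""Flag baseline deviations in a window of flow records (added example, not from the notes)."""
import ipaddress
import statistics
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed baseline, standing in for the stored output of an earlier baselining run.
BASELINE = {
    "window_bytes": (80_000.0, 10_000.0),       # (mean, stdev) of total bytes per window
    "known_hosts": {"10.0.0.2", "10.0.0.3", "10.0.0.5", "10.0.0.6", "10.0.0.7"},
    "known_services": {("udp", 53), ("tcp", 443), ("tcp", 445), ("tcp", 22)},
    "outbound_stats": {                         # (mean, stdev) bytes to external hosts per window
        "10.0.0.5": (30_000.0, 4_000.0),
        "10.0.0.6": (20_000.0, 3_000.0),
        "10.0.0.7": (1_000.0, 200.0),
    },
}

# Constructed flows for one window: (ts seconds, src, dst, proto, dport, bytes).
NEW_FLOWS = [
    (0, "10.0.0.5", "10.0.0.2", "udp", 53, 100),
    (5, "10.0.0.5", "93.184.216.34", "tcp", 443, 28_000),
    (15, "10.0.0.99", "10.0.0.2", "udp", 53, 100),              # host never seen before
    (20, "10.0.0.6", "203.0.113.50", "tcp", 21, 1_500),         # FTP, not in the baseline
    *[(30 + 60 * i, "10.0.0.6", "203.0.113.10", "tcp", 443, 600) for i in range(6)],  # every 60 s
    (400, "10.0.0.5", "198.51.100.7", "tcp", 443, 900_000),     # bulk upload
    *[(500 + i, "10.0.0.7", f"10.0.0.{10 + i}", "tcp", 445, 300) for i in range(6)],  # SMB sweep
]


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def exceeds(value, stats, k=3.0):
    """True if value lies more than k standard deviations above the baseline mean."""
    mean, stdev = stats
    return value > mean + k * stdev


def detect_anomalies(flows, baseline, min_beacons=5, max_cv=0.2, fanout=5):
    findings = []

    # Traffic spike: total volume in the window versus the baseline distribution.
    total = sum(f[5] for f in flows)
    if exceeds(total, baseline["window_bytes"]):
        findings.append({"type": "traffic_spike", "bytes": total})

    # Unauthorized access: internal sources that were never part of the baseline.
    for host in sorted({f[1] for f in flows if is_internal(f[1]) and f[1] not in baseline["known_hosts"]}):
        findings.append({"type": "new_host", "host": host})

    # Protocol misuse: a protocol/port pair the baseline never recorded.
    for ts, src, dst, proto, dport, nbytes in flows:
        if (proto, dport) not in baseline["known_services"]:
            findings.append({"type": "protocol_misuse", "src": src, "dst": dst, "service": f"{proto}/{dport}"})

    # Beaconing: many connections to the same peer with near-constant spacing.
    conns = defaultdict(list)
    for ts, src, dst, proto, dport, nbytes in flows:
        conns[(src, dst, dport)].append(ts)
    for (src, dst, dport), times in conns.items():
        if len(times) < min_beacons:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap > 0 and statistics.pstdev(gaps) / mean_gap < max_cv:  # coefficient of variation
            findings.append({"type": "beaconing", "src": src, "dst": dst, "interval_s": mean_gap})

    # Data exfiltration: per-host outbound bytes to external addresses versus that host's baseline.
    outbound = defaultdict(int)
    for ts, src, dst, proto, dport, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            outbound[src] += nbytes
    for src, nbytes in sorted(outbound.items()):
        stats = baseline["outbound_stats"].get(src)
        if stats and exceeds(nbytes, stats):
            findings.append({"type": "exfiltration", "src": src, "bytes": nbytes})

    # Lateral movement: one internal host reaching many distinct internal targets.
    targets = defaultdict(set)
    for ts, src, dst, proto, dport, nbytes in flows:
        if is_internal(src) and is_internal(dst):
            targets[src].add((dst, dport))
    for src, t in sorted(targets.items()):
        if len(t) >= fanout:
            findings.append({"type": "lateral_movement", "src": src, "targets": len(t)})
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(NEW_FLOWS, BASELINE):
        print(finding)
```

Two caveats a practitioner would want: the protocol-misuse check keys on protocol and port alone, so "FTP on port 443" is only visible when the record carries an application identifier from DPI (for example Suricata's application-layer protocol detection or a flow exporter's application field), and real C2 implants add jitter to their call-home interval, so the beacon test either needs a looser `max_cv` or a frequency-domain method rather than a plain coefficient of variation.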
TOOLS FOR ANOMALY DETECTION
| Tool/Technique            | Function                                                                                  |
| IDS/IPS (Snort, Suricata) | Signature-based detection of known attacks, plus protocol-anomaly and threshold rules     |
| SIEM (Splunk, QRadar)     | Correlates logs and alerts from many sources                                              |
| NetFlow/Flow Logs         | Tracks traffic patterns across the network without full packet capture                    |
| Machine Learning          | Learns the baseline statistically and flags deviations; needs a clean training period     |
| Wireshark                 | Manual packet and protocol analysis, typically to investigate a flagged flow              |
BEST PRACTICES FOR ANOMALY DETECTION
- Build the baseline from a period believed to be clean and re-baseline regularly (quarterly and after major changes); a baseline that already contains an intruder's traffic hides that intruder.
- Combine signature-based detection (known bad) with anomaly-based detection (unknown deviations); each catches what the other misses.
- Derive alert thresholds from the baseline's spread (for example, several standard deviations above the mean) rather than fixed numbers, and tune them to reduce noise.
- Correlate network anomalies with authentication, DNS, proxy and endpoint logs for context before acting on them.
- Educate staff on recognizing and reporting suspicious behavior.