Network baselining, identifying anomalies
NETWORK BASELINE
A network baseline is a documented record of the normal operating conditions of a network. It serves as a reference point for identifying abnormal behavior, troubleshooting issues, and enhancing security.
PURPOSE OF NETWORK BASELINE
| Objective | Description |
|---|---|
| Monitor network health | Understand typical traffic patterns and performance levels |
| Detect anomalies | Compare current activity to normal behavior to spot issues or attacks |
| Troubleshoot faster | Identify deviations during outages or performance degradation |
| Plan capacity | Use baseline data to plan upgrades and avoid congestion |
| Enhance security | Spot unusual logins, port scans, or data exfiltration |
COMPONENTS OF A NETWORK BASELINE
| Component | Description |
|---|---|
| Bandwidth usage | Average, peak, and off-peak bandwidth levels |
| Traffic volume | Normal number of packets and bytes per second |
| Protocols in use | Common protocols (e.g., HTTP, HTTPS, DNS, SSH, SMB) |
| Port activity | Regularly used TCP/UDP ports |
| Top talkers | IPs that generate or receive the most traffic |
| Latency & jitter | Acceptable delay and variation in delay (important for VoIP and video) |
| Error rates | Normal level of packet loss, retransmissions, or CRC errors |
| Device behavior | Expected traffic patterns for servers, clients, printers, etc. |
| Login times & access | Typical user login times, frequency, and accessed resources |
BUILDING A NETWORK BASELINE
1. Data Collection
- Use packet analyzers such as Wireshark together with flow data exported via NetFlow or sFlow.
- Capture data over time (days/weeks) to establish normal behavior.
2. Analyze Trends
- Average and peak bandwidth usage.
- Identify regular communication patterns (e.g., scheduled backups).
- Track most common protocols and services.
3. Document Findings
- Record baseline metrics.
- Store securely for comparisons over time.
- Update regularly (quarterly or after major network changes).
Fig: Network Baseline Tool
IDENTIFYING ANOMALIES IN NETWORK SECURITY
A network anomaly is any deviation from the baseline or expected behavior.
COMMON TYPES OF ANOMALIES
| Anomaly Type | Description | Example |
|---|---|---|
| Traffic Spike | Sudden increase in traffic | DDoS attack |
| Protocol Misuse | Unexpected protocols or ports | FTP traffic on port 443 |
| Unauthorized Access | New devices or users accessing the network | Rogue device or insider threat |
| Beaconing Behavior | Repetitive connections to an external server | Malware C2 (command and control) |
| Data Exfiltration | Large outbound transfers of sensitive data | Uploading to Dropbox or Google Drive |
| Lateral Movement | Internal system scanning | Attacker moving laterally in the network |
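The following is an added example (not part of the original notes) that carries the three baselining steps above through in code and then checks a later traffic window against that baseline for three of the anomaly types in the table: a traffic spike, a port never seen before, and beaconing to a new peer. Flow records are simplified to (timestamp, src, dst, dst_port, bytes) tuples; all IPs, ports and volumes are constructed sample data, where real input would come from NetFlow/sFlow exports or packet captures.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Flow record: (timestamp_sec, src_ip, dst_ip, dst_port, bytes). All data below is constructed.
BUCKET = 60  # seconds per traffic-volume bucket

def _bucket_bytes(flows):
    per_bucket = defaultdict(int)
    for ts, _src, _dst, _port, nbytes in flows:
        per_bucket[ts // BUCKET] += nbytes
    return per_bucket

def build_baseline(flows):
    """Steps 1-3 of the notes: summarise normal volume, ports, peers and top talkers."""
    volumes = list(_bucket_bytes(flows).values())
    talkers = defaultdict(int)
    for _ts, src, _dst, _port, nbytes in flows:
        talkers[src] += nbytes
    return {"mean_bytes": mean(volumes), "std_bytes": pstdev(volumes),
            "ports": {f[3] for f in flows}, "pairs": {(f[1], f[2]) for f in flows},
            "top_talkers": sorted(talkers, key=talkers.get, reverse=True)[:3]}

def detect_spikes(baseline, flows, z=3.0):
    """Traffic spike / exfiltration: bucket volume more than z std devs above the baseline mean."""
    limit = baseline["mean_bytes"] + z * baseline["std_bytes"]
    return sorted(b for b, v in _bucket_bytes(flows).items() if v > limit)

def detect_new_ports(baseline, flows):
    """Protocol misuse: destination ports never seen during the baseline period."""
    return sorted({f[3] for f in flows} - baseline["ports"])

def detect_beaconing(baseline, flows, min_conns=5, max_jitter=2.0):
    """Beaconing: a src/dst pair absent from the baseline that connects at near-constant intervals.
    Regular pairs already in the baseline (scheduled backups, DNS polling) are skipped."""
    times = defaultdict(list)
    for ts, src, dst, _port, _b in sorted(flows):  # sorted by timestamp
        if (src, dst) not in baseline["pairs"]:
            times[(src, dst)].append(ts)
    return [pair for pair, ts in times.items() if len(ts) >= min_conns
            and pstdev([b - a for a, b in zip(ts, ts[1:])]) <= max_jitter]

# Constructed baseline window: ten 60 s buckets of DNS lookups plus one HTTPS session per minute.
BASELINE_FLOWS = [(t + i * 7, f"10.0.0.{i}", "10.0.0.53", 53, 300) for t in range(0, 600, 60) for i in range(1, 6)]
BASELINE_FLOWS += [(t + 20, "10.0.0.1", "93.184.216.34", 443, 20_000 + (t // 60 % 3) * 1000) for t in range(0, 600, 60)]
# Constructed later window: the same background traffic plus three planted anomalies.
OBSERVED_FLOWS = [(t + i * 7, f"10.0.0.{i}", "10.0.0.53", 53, 300) for t in range(1200, 1800, 60) for i in range(1, 6)]
OBSERVED_FLOWS += [(t + 20, "10.0.0.1", "93.184.216.34", 443, 20_000) for t in range(1200, 1800, 60)]
OBSERVED_FLOWS.append((1500, "10.0.0.2", "198.51.100.9", 443, 480_000))  # large outbound transfer
OBSERVED_FLOWS.append((1260, "10.0.0.3", "198.51.100.7", 6667, 900))  # port absent from baseline
OBSERVED_FLOWS += [(1200 + k * 60 + k % 2, "10.0.0.4", "203.0.113.5", 443, 400) for k in range(10)]  # new peer, ~60 s cadence
```

Running `build_baseline(BASELINE_FLOWS)` and the three detectors over `OBSERVED_FLOWS` flags bucket 25 as a spike, port 6667 as new, and 10.0.0.4 to 203.0.113.5 as beaconing, while the equally regular DNS polling is not flagged because it is part of the baseline.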
TOOLS FOR ANOMALY DETECTION
| Tool/Technique | Function |
|---|---|
| IDS/IPS (Snort, Suricata) | Detects known attack signatures and anomalies |
| SIEM (Splunk, QRadar) | Correlates logs and alerts |
| NetFlow/Flow Logs | Tracks traffic patterns across the network |
| Machine Learning | Learns the baseline and flags deviations |
| Wireshark | Manual protocol analysis |
BEST PRACTICES FOR ANOMALY DETECTION
- Regularly update your baseline.
- Combine signature-based and anomaly-based detection.
- Use alert thresholds to reduce noise.
- Correlate anomalies with logs for context.
- Educate staff on recognizing suspicious behavior.