Detecting Behavioral Anomalies in Industrial Networks: Definition, Tools & Examples

Instructor: Giorgos-Nektarios Panayotidis

George-Nektarios has worked as a tutor and student consultant for five years and has a 4-year university degree in Applied Informatics.

In this lesson, we will define what a behavioral anomaly is and subsequently what network behavior anomaly detection (NBAD) is. We will then discuss how detection is performed within an industrial network and what tools can be used.

Deviating from the Norm

What does it mean to stray or deviate from the norm? It depends on how the norm was established in the first place. Consider a traffic light on a city street: the anomaly is a driver who ignores the stop light and drives through the intersection while it is red. That deviation can lead to accidents and even death.

Consider another example: the digits from 0 to 9. A human learns to recognize each one and to classify it correctly in a rather intuitive manner, through repeated observation that gradually fixes the features of each digit in memory. If a digit is written wrongly or appears out of sequence, we notice it and are able to correct it.

Network traffic, however, is a harder case: there is no intuitive picture of "normal" to fall back on, so the norm has to be measured before any deviation from it can be recognized. In this lesson we will learn about behavioral anomaly detection and discuss available tools that help discover anomalies and remediate them.

Behavioral Anomalies

A behavioral anomaly can be defined as having one or more of the following characteristics:

  • A deviation from established network behavioral metrics
  • The formulation of specific suspicious behavioral patterns
  • A network policy violation or breaking a set of pre-established rules.

For example, consider a scenario where a single destination address within a network suddenly receives far more traffic than usual, arriving from a large number of different source IP addresses. This could very well be the sign of a DDoS attack. If not handled properly, it can saturate the resources available for incoming traffic and therefore deny or impair service for legitimate users of the network. In an industrial network, a practitioner should first check whether the destination is a legitimate fan-in point (a historian or SCADA server that every PLC reports to, for instance); it is the combination of unfamiliar sources, unusual volume and unusual timing relative to the baseline, not high fan-in alone, that makes the behavior anomalous.

Network Behavior Anomaly Detection (NBAD)

Network behavior anomaly detection (NBAD) is in essence an additional protection layer for the network, applied on top of the signature-based security controls (firewalls, antivirus, signature IDS) already in place. An NBAD system first spends a learning period gathering information from various sources within the network (flow records, switch and router counters, authentication logs) and uses it to establish benchmarks, or network behavioral standards. Once variables related to network behavior (connection counts, flow and byte volumes, logons and logoffs, and so on) stray from these standards, the warning bells begin to ring. Because it compares current behavior against a baseline rather than against a list of known attack signatures, NBAD is good at catching new and irregular anomalies as they manifest themselves within a network, including the side effects of previously unseen threats for which no signature yet exists (so-called zero-day exploits, where "zero-day" means the vendor has had zero days to fix the underlying vulnerability). Note the limits of this claim: NBAD detects the anomalous behavior, it does not prevent the exploit itself, and it can only detect what differs from the baseline. An attacker who is already active during the learning period gets baked into the "normal" profile, so the baseline must be built from traffic that is known to be clean.

Anomaly Detection

An industrial network provides a variety of automation tools used for monitoring and other security purposes, and anomaly detection is one of them. Methodologically, behavioral anomaly detection is carried out in two consecutive steps.

Benchmarking

The first step in the anomaly detection process establishes a benchmark for given variables of interest. Some of these could include:

  • Number of incoming connections
  • Number of people using the network
  • Total traffic volume in flows or bytes

These benchmarks are most often computed with simple statistics, such as the mean (and, to judge how far a value may stray, the standard deviation) of each variable over the learning period. They are usually segmented by time as well: a separate baseline for weekends, nights or planned downtime, for example, so that normally quiet periods are not compared against busy-period averages and busy periods are not compared against quiet ones.

Monitoring

Constant monitoring, with an alert raised whenever a deviation from the benchmark is noted, is the second step in anomaly detection. When something is detected, security personnel are notified. Overall, there are four types of behavior metrics:

  • Network traffic metrics
  • User-related metrics
  • Process behavior metrics
  • Security incident-related metrics
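The two steps above, and the many-sources-to-one-destination scenario from the Behavioral Anomalies section, can be put together in a few dozen lines. The following is an added example written for this lesson, not code from the lesson or from any NBAD product. It works on constructed NetFlow-style records (timestamp, source IP, destination IP, bytes); the historian address HISTORIAN, the PLC addresses in PLCS, the z-score threshold of 3 and the fan-in threshold of 20 sources are all assumptions chosen for illustration. Benchmarking computes, per destination and per time bucket, the mean and standard deviation of bytes per hour, with separate weekday and weekend buckets (the weekend adjustment described under Benchmarking). Monitoring then aggregates one new hour of flows and raises three kinds of alert: a statistical volume deviation, the fan-in rule, and traffic to a destination that has no baseline at all.

```python
"""Added example, not code from the lesson: a minimal NBAD benchmark-then-monitor
loop over constructed flow records. Every address, byte count and threshold
below is an assumption made for illustration."""

from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

HISTORIAN = "10.0.0.5"                                   # constructed address
PLCS = ("10.0.1.11", "10.0.1.12", "10.0.1.13")           # constructed addresses


def bucket(ts):
    """Time bucket a flow belongs to: weekend/weekday plus hour of day."""
    return ("weekend" if ts.weekday() >= 5 else "weekday", ts.hour)


def build_baseline(flows):
    """Benchmarking step: per (dst, bucket) -> (mean, std-dev) of bytes per hour."""
    hourly = defaultdict(int)                  # (dst, bucket, date) -> bytes in that hour
    for ts, _src, dst, nbytes in flows:
        hourly[(dst, bucket(ts), ts.date())] += nbytes
    samples = defaultdict(list)                # (dst, bucket) -> one sample per day
    for (dst, b, _date), total in hourly.items():
        samples[(dst, b)].append(total)
    return {key: (mean(v), pstdev(v)) for key, v in samples.items()}


def monitor(baseline, flows, z_threshold=3.0, fanin_threshold=20, min_sigma=1.0):
    """Monitoring step for one hour of new flows; returns a list of alert tuples."""
    totals = defaultdict(int)
    sources = defaultdict(set)
    for ts, src, dst, nbytes in flows:
        totals[(dst, bucket(ts))] += nbytes
        sources[(dst, bucket(ts))].add(src)
    alerts = []
    for key, total in totals.items():
        dst, b = key
        if key not in baseline:                # never seen before: rule violation, not a deviation
            alerts.append(("no-baseline", dst, b, total))
            continue
        mu, sigma = baseline[key]
        z = (total - mu) / max(sigma, min_sigma)   # min_sigma keeps a flat baseline from dividing by ~0
        if z > z_threshold:
            alerts.append(("volume-deviation", dst, b, round(z, 1)))
        if len(sources[key]) >= fanin_threshold:
            alerts.append(("fan-in", dst, b, len(sources[key])))
    return alerts


def constructed_history():
    """Four weeks of hourly PLC-to-historian flows (constructed, deterministic jitter)."""
    flows = []
    start = datetime(2024, 3, 4)               # a Monday
    for day in range(28):
        for hour in range(24):
            ts = start + timedelta(days=day, hours=hour)
            base, spread = (5_000, 1_000) if ts.weekday() >= 5 else (50_000, 4_000)
            jitter = (day * 24 + hour) * 37 % (spread + 1) - spread // 2
            for i, src in enumerate(PLCS):
                flows.append((ts, src, HISTORIAN, (base + jitter) // len(PLCS) + i))
    return flows


def constructed_new_hour(kind):
    """One hour of new flows to monitor (constructed scenarios)."""
    ts = datetime(2024, 4, 1, 9)               # Monday 09:00
    if kind == "normal":                       # business as usual, three known PLCs
        return [(ts, src, HISTORIAN, 16_800 + i) for i, src in enumerate(PLCS)]
    if kind == "flood":                        # 40 unknown sources, 5 MB in one hour
        return [(ts, f"198.51.100.{i}", HISTORIAN, 125_000) for i in range(40)]
    if kind == "weekend":                      # weekday-level volume on a Saturday
        return [(datetime(2024, 4, 6, 9), src, HISTORIAN, 16_800) for src in PLCS]
    if kind == "unknown":                      # a destination with no baseline at all
        return [(ts, PLCS[0], "10.0.0.99", 1_000)]
    raise ValueError(kind)


if __name__ == "__main__":
    baseline = build_baseline(constructed_history())
    for kind in ("normal", "flood", "weekend", "unknown"):
        print(kind, monitor(baseline, constructed_new_hour(kind)))
```

The "weekend" scenario is the point of the time buckets: the same 50 kB that is unremarkable on a Monday morning is flagged on a Saturday, because it is compared against the weekend baseline rather than an all-week average. The "no-baseline" alert is the cheap policy check a practitioner wants in an industrial network, where the set of legitimate destinations is small and stable; a flow to an address that never appeared during the learning period deserves a look regardless of its volume.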

Detection tools

When looking to implement tools for anomaly detection in an environment, there are three categories of tools for doing this:
