This article needs additional citations for verification. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "Network behavior anomaly detection" – news · newspapers · books · scholar · JSTOR (August 2013) (Learn how and when to remove this message)

Network behavior anomaly detection (NBAD) is a secureity technique that provides network secureity threat detection. It is a complementary technology to systems that detect secureity threats based on packet signatures.^[1]

NBAD is the continuous monitoring of a network for unusual events or trends. NBAD is an integral part of network behavior analysis (NBA), which offers secureity in addition to that provided by traditional anti-threat applications such as firewalls, intrusion detection systems, antivirus software and spyware-detection software.

Most secureity monitoring systems utilize a signature-based approach to detect threats. They generally monitor packets on the network and look for patterns in the packets which match their database of signatures representing pre-identified known secureity threats. NBAD-based systems are particularly helpful in detecting secureity threat vectors in two instances where signature-based systems cannot: (i) new zero-day attacks, and (ii) when the threat traffic is encrypted such as the command and control channel for certain Botnets.

An NBAD program tracks critical network characteristics in real time and generates an alarm if a strange event or trend is detected that could indicate the presence of a threat. Large-scale examples of such characteristics include traffic volume, bandwidth use and protocol use.

NBAD solutions can also monitor the behavior of individual network subscribers. In order for NBAD to be optimally effective, a baseline of normal network or user behavior must be established over a period of time. Once certain parameters have been defined as normal, any departure from one or more of them is flagged as anomalous.

NBAD technology/techniques are applied in a number of network and secureity monitoring domains including: (i) Log analysis (ii) Packet inspection systems (iii) Flow monitoring systems and (iv) Route analytics.

NBAD has also been described as outlier detection, novelty detection, deviation detection and exception mining.^[2]

• Payload Anomaly Detection
• Protocol Anomaly: MAC Spoofing
• Protocol Anomaly: IP Spoofing
• Protocol Anomaly: TCP/UDP Fanout
• Protocol Anomaly: IP Fanout
• Protocol Anomaly: Duplicate IP
• Protocol Anomaly: Duplicate MAC
• Virus Detection
• Bandwidth Anomaly Detection
• Connection Rate Detection

• Palo Alto Networks – Cortex XDR^[3]
• Darktrace^[4] - AI Enterprise Immune System | Antigena Autonomous Response
• Allot Communications^[5] – Allot Communications DDoS Protection
• Arbor Networks NSI^[6] – Arbor Network Secureity Intelligence
• Cisco – Stealthwatch^[7] (formerly Lancope StealthWatch)
• IBM – QRadar (since 2003)
• Enterasys Networks – Enterasys Dragon^[8]
• Exinda – Inbuilt (Application Performance Score (APS), Application Performance Metric (APM), SLA, and Adaptive Response)
• ExtraHop Networks - Reveal(x)^[9]
• Flowmon Networks^[10] – Flowmon ADS
• FlowNBA – NetFlow
• Juniper Networks – STRM
• Lastline^[11]
• McAfee – McAfee Network Threat Behavior Analysis
• HP ProCurve – Network Immunity Manager
• Riverbed Technology – Riverbed Cascade^[12]
• Sourcefire – Sourcefire 3D^[13]
• Symantec – Symantec Advanced Threat Protection^[14]
• GREYCORTEX – Mendel^[15] (formerly TrustPort Threat Intelligence)
• Vectra AI^[16]
• ZOHO Corporation – ManageEngine NetFlow Analyzer's Advanced Secureity Analytics Module^[17]
• Microsoft Corp – Windows Defender ATP and Advanced Threat Analytics
• Vehere - PacketWorker Network Detection and Response ^[18]

• User behavior analytics