Network Behavior Anomaly Detection

Why Trust Techopedia

What Does Network Behavior Anomaly Detection Mean?

Network behavior anomaly detection (NBAD) is the real-time monitoring of a network for any unusual activity, trends or events. The network behavior anomaly detection tools are used as additional threat detection tools to monitor network activities and generate general alerts that often require further evaluation by the IT team.


The systems have the ability to detect threats and stop suspicious activities in situations where traditional security software is ineffective. Additionally, the tools suggest which suspicious activities or events require further analysis.

Techopedia Explains Network Behavior Anomaly Detection

The network behavior anomaly detection tools are used in conjunction with traditional perimeter security systems, such as antivirus software, to provide an additional security mechanism. However, unlike the antivirus that protects the network against known threats, the NBAD checks on suspicious activities that are likely to compromise the operations of the network either by infecting the system or through data theft.

It monitors the network traffic for any deviations from the expected volume of a measured network parameter such as the packets, bytes, flow and protocol usage. Once an activity is suspected to be a threat, an event’s details including the offender and target IPs, the port, protocol, time of attack and more, are generated.

The tools use a combination of signature and anomaly detection methods to check on any unusual network activity and alert the security and network managers so that they can analyze the activity and stop it or respond before a threat affects the system and data.

The three major components of network behavior monitoring are the traffic flow patterns, the network performance data and the passive traffic analysis. This allows an organization to detect threats such as:

  • Inappropriate network behavior — The tools detect unauthorized applications, anomalous network activity, or applications using unusual ports. Once detected, the protection system may be used to identify and automatically disable the user account associated with the network activity.
  • Data exfiltration — Monitors outbound communications data and triggers an alarm when suspiciously large amounts of data transfer are detected. The system could further identify destination application if cloud-based to determine if it is legitimate or a case of data theft.
  • Hidden malware — Detects advanced malware which may have evaded the perimeter security protection and infiltrated the organization/corporate network.

Related Terms

Margaret Rouse
Technology Expert
Margaret Rouse
Technology Expert

Margaret is an award-winning technical writer and teacher known for her ability to explain complex technical subjects to a non-technical business audience. Over the past twenty years, her IT definitions have been published by Que in an encyclopedia of technology terms and cited in articles by the New York Times, Time Magazine, USA Today, ZDNet, PC Magazine, and Discovery Magazine. She joined Techopedia in 2011. Margaret's idea of a fun day is helping IT and business professionals learn to speak each other’s highly specialized languages.