Anomaly-Based Detection
What is Anomaly-Based Detection?
Anomaly-Based DetectionA detection approach that builds a baseline of normal activity and flags deviations from it as potentially malicious.
Anomaly-based detection learns what "normal" looks like for a network, host, user, or application — using statistical models, heuristics, or machine learning — and then alerts when observed activity deviates significantly from that baseline. It is the complement to signature-based detection because it can surface unknown threats, insider misuse, novel malware, and stealthy attacks that no signature describes. Implementations include UEBA, NDR/XDR analytics, NetFlow-based behavioural baselining, and DNS-traffic profiling. The trade-off is more false positives — legitimate change can look anomalous — so deployments require careful baselining windows, feedback loops, threshold tuning, and analyst review to convert anomalies into investigable findings.
● Examples
- 01
A UEBA flagging a service account that suddenly authenticates from a new country at 02:00.
- 02
An NDR alerting on outbound traffic volume from a database server that triples without a deployment change.
● Frequently asked questions
What is Anomaly-Based Detection?
A detection approach that builds a baseline of normal activity and flags deviations from it as potentially malicious. It belongs to the Network Security category of cybersecurity.
What does Anomaly-Based Detection mean?
A detection approach that builds a baseline of normal activity and flags deviations from it as potentially malicious.
How do you defend against Anomaly-Based Detection?
Defences for Anomaly-Based Detection typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Anomaly-Based Detection?
Common alternative names include: Behavioural detection, Heuristic detection.