What is Traffic Anomaly Detection?
Traffic Anomaly Detection is the ability to analyze traffic in totality to look for attack patterns. Used in advanced intrusion detection systems, like the NetScreen-IDP, traffic signatures allow NetScreen-IDP to detect intrusion attempts that span multiple connections and that would otherwise be undetectable by protocol analysis or regular signature-based systems. The system does this by distinguishing normal from abnormal traffic based on a profile of network activity that is developed over time. The profile defines the normal usage patterns that can be expected on the network, enabling security administrators to set thresholds and triggers so that alerts are sent for traffic that deviates from those patterns. Typically, network probes and port scans can be detected by traffic signatures. Scans are often precursors to attacks, so security administrators can use pattern analysis to help identify them before an attack is launched.
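The profile-and-threshold idea described above, as an added Python example (not NetScreen-IDP's implementation): it learns a per-source fan-out baseline from normal traffic, then flags a source whose connections are individually unremarkable but together touch far more targets than the profile allows. The 60-second window, the mean plus three standard deviations threshold, the fan-out metric and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

WINDOW = 60  # seconds per observation window (assumed value)

def fanout_per_window(conns):
    """Map (window, src) -> set of distinct (dst, dport) targets contacted."""
    targets = defaultdict(set)
    for ts, src, dst, dport in conns:
        targets[(ts // WINDOW, src)].add((dst, dport))
    return targets

def build_profile(baseline_conns, k=3.0):
    """Threshold = mean + k * stddev of per-window fan-out seen in normal traffic."""
    counts = [len(t) for t in fanout_per_window(baseline_conns).values()]
    return mean(counts) + k * pstdev(counts)

def detect(conns, threshold):
    """Return (window_start, src, fanout) for sources exceeding the threshold."""
    alerts = []
    for (win, src), t in sorted(fanout_per_window(conns).items()):
        if len(t) > threshold:
            alerts.append((win * WINDOW, src, len(t)))
    return alerts

# Constructed baseline: (epoch_seconds, src_ip, dst_ip, dst_port).
# Three clients each reach 1 to 3 services per window over five windows.
BASELINE = [(w * 60 + i, f"10.0.0.{h}", "10.0.1.10", port)
            for w in range(5) for h in (1, 2, 3)
            for i, port in enumerate((80, 443, 53)[: 1 + (w + h) % 3])]

# Constructed live traffic: two ordinary clients plus one host that opens
# 40 separate connections to 40 ports on one server within a single window.
LIVE = [(600 + i, "10.0.0.1", "10.0.1.10", p) for i, p in enumerate((80, 443))]
LIVE += [(605, "10.0.0.2", "10.0.1.10", 443)]
LIVE += [(610 + i, "10.0.0.99", "10.0.1.20", 1000 + i) for i in range(40)]

if __name__ == "__main__":
    thr = build_profile(BASELINE)
    print(f"threshold: {thr:.2f} distinct targets per {WINDOW}s window")
    for start, src, n in detect(LIVE, thr):
        print(f"ALERT window={start} src={src} fanout={n}")
```

Because the check aggregates across connections, no single record in `LIVE` would trip a per-connection signature; only the per-source total against the learned profile does.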