The dramatic increase in the number of network attacks, and the degree of innovation in the attack methodologies, are evidence that existing network security mechanisms alone may not be enough to protect a network. The lack of mechanisms to correlate attack activity before, during, and after an attack makes it easy for the attack to go unexplained and for the attackers to remain anonymous. In addition to this challenge, CIOs and CSOs are demanding actionable intelligence that helps their security teams carry out an effective forensic analysis of any abnormal behavior in their networks while it is underway, regardless of whether the exact type of abnormality has been seen before. This demand, coupled with the dynamic behavior of the network and the dramatic increase in network connectivity, complexity, and activity, has introduced several challenges for effective network security and forensic systems. A Network Behavior Anomaly Detection (NBAD) system that understands the network's behavior and dynamically adapts to changes in its behavioral patterns has become one of the main contributing solutions to this problem. The problem can be viewed from two perspectives. The first is the real-time detection of potentially abnormal network behavior. The second is the reduction of the data set that the network forensic analysis will use to identify the source of the abnormality and to reconstruct the abnormal patterns.
Because the number of metrics that can be collected from a network varies, selecting the right set of metrics to reflect the network's behavior is a major challenge in architecting an NBAD system. In addition, relying on a solid classification model to distinguish between normal and abnormal network behavior is another dimension of the problem.
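The two perspectives above (real-time scoring of network behavior against an adaptively learned baseline, and shrinking the record that forensic analysis has to work through) can be shown concretely in a small Python pipeline. This is an added illustration, not code from the paper or from any NBAD product it may describe; the metric names (`flows`, `bytes`, `dst_ports`), the exponentially weighted baseline, the threshold values and every sample value are constructed assumptions chosen only to make the mechanics visible.

```python
"""Toy NBAD pipeline (added example, not the paper's own system):
adaptive per-metric baselines for real-time scoring, then reduction of
the traffic record to the windows worth forensic analysis. Metric names,
thresholds and all sample values are constructed assumptions."""
from math import sqrt


class AdaptiveBaseline:
    """Exponentially weighted mean/variance per metric, O(1) per sample.

    alpha     : how fast the baseline follows new behaviour (0 < alpha < 1)
    warmup    : samples consumed before any score is produced
    threshold : max |z| across metrics above which a window is flagged
    rel_floor : minimum std-dev as a fraction of the mean, so a metric that
                sat flat during warm-up cannot turn later jitter into alerts
    """

    def __init__(self, alpha=0.2, warmup=5, threshold=4.0, rel_floor=0.05):
        self.alpha, self.warmup = alpha, warmup
        self.threshold, self.rel_floor = threshold, rel_floor
        self.mean, self.var, self.n = {}, {}, 0

    def _update(self, metrics):
        for k, v in metrics.items():
            if k not in self.mean:                 # first sighting of a metric
                self.mean[k], self.var[k] = float(v), 0.0
                continue
            diff = v - self.mean[k]
            incr = self.alpha * diff
            self.mean[k] += incr
            self.var[k] = (1 - self.alpha) * (self.var[k] + diff * incr)  # EWMA variance
        self.n += 1

    def observe(self, metrics):
        """Score one window, then adapt. Returns None during warm-up, else
        {"score": max|z|, "metric": name, "anomalous": bool}.
        Flagged windows are NOT folded into the baseline, so a burst of
        abnormal traffic cannot immediately teach the detector that the
        burst is normal (a slow enough drift still can; that is the
        classic weakness of adaptive baselines)."""
        if self.n < self.warmup:
            self._update(metrics)
            return None
        best_z, best_k = 0.0, None
        for k, v in metrics.items():
            if k not in self.mean:                 # unseen metric: cannot score it yet
                continue
            sd = max(sqrt(self.var[k]), self.rel_floor * abs(self.mean[k]), 1e-9)
            z = abs(v - self.mean[k]) / sd
            if z > best_z:
                best_z, best_k = z, k
        anomalous = best_z > self.threshold
        if anomalous:
            self.n += 1                            # counted, but not learned from
        else:
            self._update(metrics)
        return {"score": best_z, "metric": best_k, "anomalous": anomalous}


# Constructed 10-second windows of aggregate metrics. The windows at t=90 and
# t=100 carry a spike in distinct destination ports; the rest is ordinary jitter.
SAMPLES = [
    {"t": 0,   "flows": 118, "bytes": 3.9e6, "dst_ports": 34},
    {"t": 10,  "flows": 124, "bytes": 4.1e6, "dst_ports": 36},
    {"t": 20,  "flows": 121, "bytes": 4.0e6, "dst_ports": 35},
    {"t": 30,  "flows": 117, "bytes": 3.8e6, "dst_ports": 33},
    {"t": 40,  "flows": 126, "bytes": 4.2e6, "dst_ports": 37},
    {"t": 50,  "flows": 120, "bytes": 4.0e6, "dst_ports": 35},
    {"t": 60,  "flows": 123, "bytes": 4.1e6, "dst_ports": 36},
    {"t": 70,  "flows": 119, "bytes": 3.9e6, "dst_ports": 34},
    {"t": 80,  "flows": 125, "bytes": 4.2e6, "dst_ports": 37},
    {"t": 90,  "flows": 131, "bytes": 4.3e6, "dst_ports": 410},
    {"t": 100, "flows": 128, "bytes": 4.4e6, "dst_ports": 395},
    {"t": 110, "flows": 122, "bytes": 4.0e6, "dst_ports": 36},
    {"t": 120, "flows": 118, "bytes": 3.9e6, "dst_ports": 34},
]


def detect(samples, baseline=None):
    """Real-time perspective: score each window as it arrives."""
    if baseline is None:
        baseline = AdaptiveBaseline()
    out = []
    for s in samples:
        metrics = {k: v for k, v in s.items() if k != "t"}
        r = baseline.observe(metrics) or {"score": None, "metric": None, "anomalous": False}
        out.append({"t": s["t"], **r})
    return out


def forensic_subset(samples, results, context=1):
    """Forensic perspective: keep flagged windows plus `context` neighbours on
    each side, so the analyst reconstructs the abnormal pattern from a small
    slice of the record instead of the whole capture."""
    keep = set()
    for i, r in enumerate(results):
        if r["anomalous"]:
            keep.update(range(max(0, i - context), min(len(samples), i + context + 1)))
    return [samples[i] for i in sorted(keep)]


if __name__ == "__main__":
    res = detect(SAMPLES)
    for r in res:
        print(r)
    print("forensic slice:", [s["t"] for s in forensic_subset(SAMPLES, res)])
```

Running it flags only the two windows with the port spike, names `dst_ports` as the metric that triggered, and hands forensics four windows (t=80 to t=110) instead of thirteen. The relative standard-deviation floor and the decision not to learn from flagged windows are the two design choices worth arguing about in a real NBAD deployment: the first trades sensitivity for stability on quiet metrics, the second blocks fast baseline poisoning but not a patient, gradual shift of the "normal" level.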