Generally, Internet Behavioral Analytics (IBA) refers to the use of advanced analytics, coupled with various networking technologies, to detect anomalies in a network. Such anomalies may include, for example, network attacks, malware, misbehaving and misconfigured devices, and the like. For example, the ability to model the behavior of a device (e.g., a host, networking switch, router, etc.) allows for the detection of malware, which is complementary to the use of firewalls that use static signatures. Observing behavioral changes (e.g., deviation from modeled behavior) using flow records, deep packet inspection, and the like, allows for the detection of an anomaly such as a horizontal movement (e.g., propagation of malware between devices) or an attempt to perform information exfiltration, prompting the system to take remediation actions automatically.
In the context of IBA, seasonality is an important metric, as hosts and/or specific applications for a host on a network may exhibit seasonal behavior. In other words, the behavior may change periodically over a fixed amount of time, such as a few hours, days, weeks, etc. A common example is the case of client workstations on an enterprise network. These devices are typically in use during the day and show active behavior that can be quantified by metrics such as network traffic (e.g., number of packets, bandwidth used, etc.). During the night, enterprise workstations are typically idle and exhibit far less activity. In this example, the period of the seasonal pattern is a day, and two regimes are observed: one of high activity during the day and one of low activity during the night.
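The workstation example above can be made concrete with the following added sketch, which is not part of the original text: it recovers the one-day period from constructed hourly packet counts, separates the two regimes, and scores an observation against the baseline of its own hour. The autocorrelation estimator, the midpoint split, the z-score threshold and all function names are assumptions chosen for illustration.

```python
import random
import statistics

def make_series(days=14, seed=7):
    """Constructed hourly packet counts for one workstation (not real data):
    high regime 08:00-17:59, low regime otherwise."""
    rng = random.Random(seed)
    out = []
    for t in range(days * 24):
        busy = 8 <= t % 24 < 18
        out.append(max(0.0, rng.gauss(5000 if busy else 200, 300 if busy else 30)))
    return out

def estimate_period(x, min_lag=2, max_lag=72):
    """Return the lag (in samples) with the highest autocorrelation."""
    mu = statistics.fmean(x)
    d = [v - mu for v in x]
    denom = sum(v * v for v in d)
    def acf(lag):
        return sum(d[i] * d[i + lag] for i in range(len(d) - lag)) / denom
    return max(range(min_lag, max_lag + 1), key=acf)

def seasonal_baseline(x, period):
    """Per-slot (mean, stdev) after folding the series on the period."""
    slots = [x[s::period] for s in range(period)]
    return [(statistics.fmean(s), statistics.stdev(s)) for s in slots]

def high_regime_slots(baseline):
    """Slots whose mean lies above the midpoint between the quietest and busiest slot."""
    means = [m for m, _ in baseline]
    cut = (min(means) + max(means)) / 2
    return [s for s, m in enumerate(means) if m > cut]

def is_anomalous(baseline, t, value, z_max=4.0):
    """Compare an observation with the baseline of its own slot, not a global one."""
    mean, sd = baseline[t % len(baseline)]
    return abs(value - mean) > z_max * max(sd, 1.0)

if __name__ == "__main__":
    series = make_series()
    period = estimate_period(series)
    base = seasonal_baseline(series, period)
    print("period (hours):", period)
    print("high-activity hours:", high_regime_slots(base))
    print("5000 pkts at 11:00 anomalous?", is_anomalous(base, 11, 5000))
    print("5000 pkts at 03:00 anomalous?", is_anomalous(base, 3, 5000))
```

The same traffic volume is scored as normal in the daytime regime and as anomalous in the night-time regime, which a single global threshold would miss.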