To stop worms and malware, first you must know about them. In today's rapidly evolving networks, where attackers are often one step ahead of the products designed to thwart them, anomaly detection is an important innovation. Many vendors rely on signature detection to find network-borne threats. Customers often have to wait days to get a working signature for a new worm, leaving their networks vulnerable in the most critical period during a worm's release.

Network behavior analysis is one of the most robust and scalable security technologies classified recently by Gartner. At the core of network behavior analysis are anomaly-based algorithms used to identify emerging threats. Three types of anomaly detection are used in network behavior analysis:

• Protocol - detects packets that are too short, have ambiguous options or violate specific application layer protocols. Most useful for detecting host-level attacks.
• Rate-based - detects floods in traffic using a time-based model of normal traffic volumes. Most useful for detecting denial-of-service attacks.
• Relational or behavioral - detects changes in how individual or groups of hosts interact with one another on a network. For example, a normally quiet host that starts connecting to hundreds of hosts per second on the SQL port indicates a worm. Useful for a variety of threats, from worms and malware to insider misuse.

By applying anomaly algorithms best suited to the attacks they are designed to detect, anomaly detection can proactively identify zero-day worms, malware, acceptable-use policy violations and insider misuse. Because anomaly detection looks for substantial changes in network behavior, it is less prone to false positives, and requires less configuration and ongoing maintenance than many other security methods.

However, network behavior analysis doesn't end with detection. Once a threat has been identified, this technology allows operators to visualize good and bad or suspicious traffic, and contextualize it in relation to other traffic and historical roles.

A network behavior-analysis system can take preemptive action, blocking a port on a switch, quarantining traffic to a separate virtual LAN, or applying a filter or access control list to lock down propagation. Behavior modeling is equally applicable to mitigation and detection.