
What is Network Behavior Analysis (NBA)?

Organizations are looking to implement more sophisticated security solutions to protect themselves from the ever-increasing number of security threats. This is a natural path to take because traditional methods of enterprise protection, such as firewalls, cannot provide the desired level of protection. Behavioral analysis, which focuses on spotting abnormal network or user behavior, is one approach that is gaining favor, since the ability to detect odd behavior can considerably benefit data security. Integrating several sources of data and information can help a company deal with the challenges of today's cybersecurity environment.

Network Behavior Analysis (NBA), also known as "Behavior Monitoring," is the process of collecting and analyzing internal network data to detect malicious or unusual activity, such as policy violations, Denial-of-Service, worms, or malware.

It can be implemented on a hardware appliance or as a software package. The traffic flows, which are the primary data for NBA analysis, are typically collected directly by sensors (also known as analyzers) or provided in a traffic flow data format by routers or other networking devices. There are several flow data format standards, the most common of which are NetFlow and sFlow.

Behavioral monitoring tools analyze the collected data from a variety of sources and use machine learning to identify patterns that may indicate an attack is underway. When NBA systems are run over a long period, behavior monitoring allows organizations to benchmark typical network behavior, assisting in the identification of deviations; anomalies discovered can be escalated for further investigation.

Network analysis tools provide valuable insight to businesses to help them defend against the most recent cyber threats. Network behavior analysis is especially effective at detecting new malware and zero-day exploits. Furthermore, it is useful in other areas such as network optimization.

Strong Network Behavior Analysis (NBA) tools can assist Network Administrators in reducing the time and effort required to locate and resolve critical issues. NBA systems should not be used as the sole security measure in a corporate network; rather, they should be used in conjunction with other security tools such as firewalls, IPS/IDS, and antivirus software.

The major disadvantage of NBA tools is that they are expensive, require a great deal of care and feeding, and aren't usually appropriate for small businesses.

In this article we will cover the following aspects of the Network Behavior Analysis technology briefly:

  • What does Network Behavior Analysis Mean?
  • What are Network Behavior Analysis Features?
  • How Does Network Behavior Analysis Work?
  • What Does Network Behavior Analysis Do?
  • How to Perform Network Behavior Analysis?
  • How to Detect Malware with Network Behavior Analysis?
  • What are Network Behavior Analysis Tools?

What does Network Behavior Analysis Mean?

Network Behavior Analysis (NBA) is a technique for improving the security of a private network by monitoring traffic and recording unexpected behaviors or deviations from typical functioning. While traditional intrusion prevention systems use packet inspection, signature detection, and real-time blocking to protect a network's perimeter, NBA systems keep an eye on what's going on inside the network, gathering data from multiple sources to enable offline analysis. Following the establishment of a baseline for regular traffic, the NBA software watches network activity in the background and flags any unknown, unexpected, or unusual patterns that could signal the presence of a threat.

"The [network] visibility that NBA systems provide is a key benefit," says Lawrence Orans, research director at Gartner who leads the firm's NBA coverage. This visibility aids in two areas:

  • Network operations (such as troubleshooting and performance) and
  • Security (i.e. detecting suspicious applications and malware monitoring).

According to Gartner, NBA can be used to detect behavior that other security technologies, such as intrusion prevention systems (IPS), firewalls, and security information and event management (SIEM) systems, may miss. These technologies may fail to detect threats that they are not specifically programmed to detect.

Fortunately, NBA systems can detect suspicious activity on enterprise networks by utilizing advanced analytics, machine learning, and rule-based techniques. They may also track and record bandwidth and protocol usage patterns. Network behavior analysis is especially useful for detecting zero-day vulnerabilities and new malware.

What are the Features of Network Behavior Analysis?

The utilization of network flow data to identify suspicious behavior on the network and where it's coming from, mitigation to stop the malicious activity and solve network faults, and reports on all network configurations and user behavior are all standard functionality and features of behavior analysis systems.

The network behavioral analysis system provides network and security administrators the following capabilities:

  • Network visibility: It helps network administrators to have a thorough understanding of what is going on in the network.

NBA gives NetOps teams significant visibility into unknown and unsuspected risks based on aberrant network activity, allowing them to prioritize investigations and reaction activities based on the severity of the threat.

  • Network behavior detection: It detects malicious behavior using network traffic statistics exported by routers/switches or network probes (NetFlow, jFlow, IPFIX, NetStream, and other flow data standards).

While NetOps personnel have typically studied network data to detect and resolve operational issues, such as routing traffic through a different part of the network to avoid congestion, NBA monitors the same data for signs of a security threat using powerful analytical methods.

This technique to network traffic analysis focuses on behavior patterns attributed to all network entities (i.e., machine ids, IP addresses, and so on). It may also track and create behavior baselines based on factors like source IP address, destination IP address, source port, destination port, TCP flags, bytes-in, bytes-out, and so on. After baselines have been established, any new activity of each entity is compared to its baseline to see if it conforms to or deviates from the historical norm.

When an entity's behavior deviates from its baseline, the risk is assessed, and if the risk looks to be high, NBA can send an alarm to a dashboard watched by network operators.

  • Threat identification and mitigation: It complements conventional security solutions by detecting advanced threats that they do not catch, such as botnets, unknown malware, insider threats, data leaks, and DDoS attacks.

NBA is especially valuable for detecting new, unknown malware, zero-day exploits, and slow-developing attacks, as well as rogue behavior by network insiders. When threat traffic is encrypted, such as the command and control (C&C) channel, this strategy is also useful.

Let's assume that an endpoint is infected with new malware for which there is no signature and which is undetectable by anti-virus and anti-malware software. Once on the endpoint, the malware begins to alter the device's usual behavior. NBA can notice the abnormality, flag it as suspicious behavior, and, if instructed, take mitigation measures such as limiting communication for that IP address until further investigation is completed, in real time or near real time.

  • Network troubleshooting: It streamlines network operations by detecting abnormalities and operational concerns automatically.

Disadvantages of NBA

Although Network Behavior Analysis provides many benefits in terms of network security, it has some limitations described below.

1. Undetected Anomalies

The limitations of NBA systems are typically due to anomaly-based detection. While detection of events involving a large amount of network activity is fairly accurate, some small-scale attacks, particularly those carried out slowly that do not violate administrator-defined policies, may go undetected. The detection accuracy of anomaly-based technology also varies over time, because the NBA system cannot detect many attacks until their activity differs significantly from what is considered 'normal.' For example, a denial-of-service attack that begins slowly and grows in volume over time is usually detected by the NBA system, but the point of detection varies significantly between NBA products.

2. False Positives

Another disadvantage of the NBA system is 'false positives.' A 'false positive' occurs when the Network Behavior Analysis system classifies a legitimate activity as abnormal. Setting the NBA system to be more sensitive to unusual activity may result in a significant increase in the number of false positives. A false positive can also be caused by changes in the environment, such as the introduction of a new service that requires additional ports to be opened on some hosts. Another limitation stems from the system's performance, as NBA sensors must deal with massive amounts of traffic data.

3. Delay

The delay in detecting anomalies can also be a drawback of an NBA tool. Delay can be introduced not only by the algorithm but also by the data sources, as data from other devices are frequently transferred to the NBA system in batches. The transfer of batches can occur relatively frequently (every 5 minutes) or relatively infrequently depending on the NBA capabilities, network capacity, and settings (e.g. every hour). This can be a big problem in the case of fast attacks, which have already caused disruptions or other damages by the time they are detected.

This delay can be avoided by using sensors that perform their own packet capture and analysis; however, the organization may need to purchase more powerful sensors, more sensors, or both to accomplish this.

How Does Network Behavior Analysis Work?

A Network Behavior Analysis system can be implemented as a separate management network or as part of the standard corporate network. Sensors and consoles are common components of an NBA system, with sensors typically being hardware appliances. The NBA sensors collect data from network devices such as switches or routers via a SPAN port or network tap and export it as network flow data. Similar to an intrusion prevention system (IPS), an NBA sensor can be deployed in passive or inline mode, depending on where it is located on the network. An inline sensor is installed in such a way that the network traffic it monitors must pass through it, much like a firewall. In fact, in some NBA/IPS products, the NBA sensor can also serve as an IPS or firewall.

NBA systems can generate and maintain a list of hosts communicating on the organization's monitored networks based on traffic flows. Typically, an NBA system records network flow which includes the following data for security analysis:

  • The source and destination addresses,
  • Source and destination TCP or UDP ports,
  • ICMP type codes,
  • Number of packets and bytes per session,
  • Timestamps, and so on.

The three most common network flow data formats, NetFlow, sFlow, and IPFIX (which is based on Cisco's NetFlow version 9), are all supported by most NBA systems. Based on this primary data, the system can perform passive fingerprinting, monitor port usage, or employ other techniques to collect detailed information on the hosts. Each host can be characterized by a record of its IP address, operating system, the services it provides (SSH, HTTP(S), etc.), the other hosts with which it communicates, the services it uses, and the IP protocols and TCP or UDP ports it contacts on each host. Then, any deviation from normal behavior can be detected and reported.


Figure 1. A Network Behavior Analysis system architecture

To determine 'normal' behavior, most products rely on a technique known as 'anomaly-based detection', which means that the system learns normal behavior patterns and then detects any deviations from these patterns. A workstation, for example, typically connects to the LAN, file, and email servers. This is referred to as the workstation's 'normal' behavior. When the NBA system detects traffic flows initiated from this workstation directly to other hosts on the network (for example, a connection to a server's or switch's SSH port, or a port scan of other hosts), an event can be triggered.

Normal behavior is typically established through a learning process in which the system constructs traffic patterns that identify normal use by analyzing existing traffic for a specific period. Some NBA systems also allow administrators to define custom rules manually to detect specific threats. All systems typically include a monitoring console that allows administrators to monitor the network and maintain the system, as well as various notification mechanisms (e-mail, SMS, etc.).
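The learn-then-compare cycle described in the Features section (per-entity baselines built from source and destination addresses, ports and byte counts, each new flow compared with its entity's baseline, and a risk-rated alarm when it deviates) and again here (a workstation's normal peers learned from traffic, then a flow to an SSH port flagged) can be shown end to end in a small script. The Python below is an added example, not code from the article or from any NBA vendor; the Flow record, the 10.0.x.x and 203.0.113.x addresses, the byte counts and the z-score rule are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One flow record in the NetFlow-like shape the article lists: addresses,
    protocol, ports, packet and byte counts, timestamp (constructed, not captured)."""
    ts: int          # flow start, seconds
    src: str         # source IP address
    dst: str         # destination IP address
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    packets: int
    bytes_out: int   # bytes sent from src to dst


def learn_baseline(flows):
    """Learning phase: for every source host, remember the (dst, proto, dport)
    triples it normally contacts and the distribution of bytes it sends."""
    peers = defaultdict(set)
    sizes = defaultdict(list)
    for f in flows:
        peers[f.src].add((f.dst, f.proto, f.dport))
        sizes[f.src].append(f.bytes_out)
    return {src: {"peers": peers[src],
                  "mean": mean(sizes[src]),
                  "stdev": pstdev(sizes[src])} for src in peers}


def score_flow(flow, baseline, z_threshold=3.0):
    """Detection phase: compare one new flow with its source host's baseline and
    return the deviations found plus a coarse risk level for the console."""
    b = baseline.get(flow.src)
    if b is None:
        # A host never seen during learning has no history to compare against.
        return {"risk": "medium", "reasons": ["unknown-host"]}
    reasons = []
    if (flow.dst, flow.proto, flow.dport) not in b["peers"]:
        reasons.append(f"new-peer {flow.dst}:{flow.dport}/{flow.proto}")
    # Floor the spread at 10% of the mean: a host whose learning traffic was
    # perfectly constant would otherwise turn every byte of change into an alert.
    spread = max(b["stdev"], 0.1 * b["mean"])
    z = (flow.bytes_out - b["mean"]) / spread
    if z > z_threshold:
        reasons.append(f"volume-outlier z={z:.1f}")
    risk = {0: "none", 1: "medium"}.get(len(reasons), "high")
    return {"risk": risk, "reasons": reasons}


def detect(flows, baseline):
    """Run every flow through score_flow and keep only the ones worth escalating."""
    return [(f, r) for f in flows for r in [score_flow(f, baseline)] if r["risk"] != "none"]


# Constructed learning-period traffic for workstation 10.0.1.20: only the file
# server (SMB), the mail server (IMAPS) and the DNS resolver, its "normal" behaviour.
LEARNING_FLOWS = [
    Flow(t, "10.0.1.20", dst, proto, 50000 + t, dport, pkts, size)
    for t, (dst, proto, dport, pkts, size) in enumerate([
        ("10.0.0.5", "tcp", 445, 60, 48000),
        ("10.0.0.5", "tcp", 445, 65, 52000),
        ("10.0.0.5", "tcp", 445, 62, 50000),
        ("10.0.0.6", "tcp", 993, 12, 5200),
        ("10.0.0.6", "tcp", 993, 11, 4800),
        ("10.0.0.2", "udp", 53, 1, 120),
        ("10.0.0.2", "udp", 53, 1, 140),
    ])
]

# Constructed live traffic: a routine SMB flow, an SSH connection to a switch
# management address, a very large upload to an outside host, and an unknown host.
LIVE_FLOWS = [
    Flow(100, "10.0.1.20", "10.0.0.5", "tcp", 51000, 445, 60, 50000),
    Flow(101, "10.0.1.20", "10.0.0.9", "tcp", 51001, 22, 5, 3000),
    Flow(102, "10.0.1.20", "203.0.113.7", "tcp", 51002, 443, 6000, 900000),
    Flow(103, "10.0.1.99", "10.0.0.5", "tcp", 40000, 445, 10, 8000),
]

if __name__ == "__main__":
    base = learn_baseline(LEARNING_FLOWS)
    for flow, result in detect(LIVE_FLOWS, base):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {result['risk']:6}  {', '.join(result['reasons'])}")
```

Running it reports the SSH flow as a new peer, the 900 KB upload as both a new peer and a volume outlier (and therefore high risk), and the never-seen host as unknown, while the routine SMB flow produces nothing. The "new service opened on a host" false positive the Disadvantages section warns about shows up here too: a legitimately added server port is a new peer until the baseline is re-learned.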

What Does Network Behavior Analysis Do?

Behavioral analysis is concerned with determining who is using a network, how they are using it, and whether the actions and activity are appropriate. To detect and stop attempts to compromise an organization, the technology uses packet detection, signature detection, log analysis, and sophisticated analytics, as well as artificial intelligence (AI) capabilities. It's simple to identify when something deviates from the norm and, if necessary, take action when you have a benchmark for "normal" device/application behaviors or network traffic.

In general, an NBA tool is very useful to discover the network security events such as scanning, worms, Denial of Service attacks, and unexpected services. Additionally, the system can be used to monitor policy compliance and detect policy violations.

Behavioral analysis is excellent for finding the following anomalies:

Networks: Making sure your security staff understands how data flows in regular circumstances can also help you spot unusual behavior. The essential premise of network-based behavioral analysis is "What does a good network look like?"

  • This method can detect unexpected application behavior, such as when an employee is sharing data in an unethical or illegal manner, or when previously unnoticed packets which could be malware appear out of nowhere.
  • Denial of Service (DoS) attacks involve significantly increased network traffic originating from or directed at a specific host, which typically has a different traffic profile. This attack can be detected using the anomaly-based detection technique, but some NBA systems are aware of the characteristics of common denial of service tools and methods and can recognize and prioritize threats more quickly.
  • Typical flow patterns originating from a host can be used to detect network scanning. This can happen at the network layer (for example, ICMP scanning), the transport layer (TCP and UDP port scanning), or the application layer (such as banner grabbing). There are several mechanisms for detecting worms that rely on bandwidth usage, two-way communication between hosts, the use of normally inactive ports, or network scanning (activities that are usually performed by many worms). Backdoors and tunneling protocols are examples of unexpected application services that are detected by stateful protocol analysis.
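The scanning and worm cases above are recognizable in flow data alone: a port scan is one source touching many ports on one target, and a worm looking for its next victim is one source touching the same port on many targets, both made of tiny probe-sized flows. The Python below is an added example, not the article's or any product's code; the 60-second window, the thresholds and the 10.0.x.x traffic are constructed for illustration, and it generalizes the text's example by handling both the vertical and the horizontal pattern in one pass.

```python
from collections import defaultdict, namedtuple

# Minimal flow record for this example (constructed fields, not captured data).
Flow = namedtuple("Flow", "ts src dst proto dport packets")


def detect_scans(flows, window=60, port_threshold=20, host_threshold=20, max_packets=3):
    """Bucket probe-sized flows by (source, time window) and flag two patterns:
    a vertical scan (one source, one target, many distinct ports) and a
    horizontal sweep (one source, one port, many distinct targets)."""
    # (src, bucket) -> set of (dst, proto, dport) triples seen in that window
    seen = defaultdict(set)
    for f in flows:
        if f.packets > max_packets:
            continue   # established sessions carry data; probes are tiny
        seen[(f.src, f.ts // window)].add((f.dst, f.proto, f.dport))

    alerts = []
    for (src, bucket), triples in seen.items():
        ports_per_dst = defaultdict(set)
        dsts_per_port = defaultdict(set)
        for dst, proto, dport in triples:
            ports_per_dst[dst].add((proto, dport))
            dsts_per_port[(proto, dport)].add(dst)
        for dst, ports in ports_per_dst.items():
            if len(ports) >= port_threshold:
                alerts.append({"type": "vertical-scan", "src": src, "target": dst,
                               "ports": len(ports), "window_start": bucket * window})
        for (proto, dport), dsts in dsts_per_port.items():
            if len(dsts) >= host_threshold:
                alerts.append({"type": "horizontal-sweep", "src": src,
                               "target": f"{dport}/{proto}", "hosts": len(dsts),
                               "window_start": bucket * window})
    return alerts


# Constructed sample traffic.
SAMPLE_FLOWS = (
    # 10.0.1.33 probes 50 TCP ports on the file server within ten seconds
    [Flow(1000 + i // 5, "10.0.1.33", "10.0.0.5", "tcp", 1 + i, 1) for i in range(50)]
    # 10.0.1.44 tries port 445 on 40 neighbours: the classic worm sweep
    + [Flow(1100 + i // 4, "10.0.1.44", f"10.0.0.{i + 1}", "tcp", 445, 2) for i in range(40)]
    # 10.0.1.20 is an ordinary workstation: a few real sessions to its usual servers
    + [Flow(1005, "10.0.1.20", "10.0.0.5", "tcp", 445, 120),
       Flow(1030, "10.0.1.20", "10.0.0.6", "tcp", 993, 40),
       Flow(1031, "10.0.1.20", "10.0.0.2", "udp", 53, 1),
       Flow(1032, "10.0.1.20", "10.0.0.2", "udp", 53, 1)]
)

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_FLOWS):
        print(alert)
```

The packet-count filter is what keeps the ordinary workstation quiet: its SMB and IMAPS sessions are long flows, and its two DNS lookups collapse to a single (dst, proto, port) triple. Raising the thresholds above the sample sizes makes both alerts disappear, which is the tuning knob the article's "Tune NBA systems" step refers to.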

Schedules: Many employees have a set work schedule. If network activity occurs, such as an employee signing in outside of "normal/regular" hours, a threat may exist. This could lead to more investigation or an extra layer of validation.

Applications: Unauthorized application usage can be recognized by the NBA system. The use of unconventional or illegal applications by an employee can be a red flag. This might be a separate browser or a cloud service that distributes data to other devices, like Dropbox. Even relatively secure application platforms, such as Office 365, might expose users to regulatory issues or data storage vulnerabilities.

Devices: A login from an unknown device, or one with a different machine ID, can raise suspicions. Using a public computer comes with its own set of threats. A thief could gain access to data by using stolen credentials.

Device Behavior: One of the more fascinating areas of behavioral research is how people type, as well as their typing patterns, how they move their mouse, and how they perform other tasks at a PC or on a mobile device. By evaluating host behavior, the NBA system supports anomaly detection of zero-day attacks, spam, botnets, and reconnaissance attacks. Any irregularity in this area could trigger an alarm.

Some NBA solutions also have the ability to match a user's identity to an IP address. This feature has the advantage of immediately identifying the user who is causing unusual or malicious traffic. As a result, rather than being told that a specific IP address is exhibiting unusual behavior, an administrator can pinpoint which person within the business is engaging in it. It is particularly useful for forensic analysis, since if you're investigating a breach from two months ago, mapping a dynamically assigned IP address back to a user can be tough.

Geography: If an employee logs on to the network from an unusual geographic location or IP address, it may be worth investigating further. Someone who is connected to a strange WiFi network may be a red flag. An IP address belonging to the headquarters office in California should not show up at a branch office in a different city. Similarly, the use of multiple or changing IP addresses could indicate that the individual is hiding their true location behind a virtual private network (VPN).

Policy: A network behavior analysis system can detect policy violations. Administrators must specify detailed policies for the IT systems being monitored to use this feature. Policies typically include information such as what types of activity are permitted, hosts that can be contacted, and when, which ports are normally open, and so on.

Although one of these methods can provide useful information, behavioral analytics becomes more potent when some or all of these elements are tracked at the same time.

Recent network behavior analysis methodologies offer not only security but also network performance and optimization. To optimize an organization's IT infrastructure and network, visibility into current and historical user behavior, as well as applications and infrastructure configurations, is required. Network Behavior Analysis can assist organizations in not only looking to the past or present but also anticipating the impact of new applications and how they will affect infrastructure and service levels. This trend was adopted by some major NBA players, and their current products reflect it, and they are marketed not only as security tools but also as network profiling and optimization tools.

How to Perform Network Behavior Analysis?

The main steps of performing a network behavior analysis are described below:

1. Deploy intrusion prevention technology before installing NBA

NBA systems are ideal for enterprises that currently have IPS systems in place but want more visibility into their network and network traffic. After successfully establishing firewalls and IPS with appropriate tuning, analysis, and correction processes, network behavior analysis should be performed to identify network events and behavior that are undetectable using other techniques.

Also, the scale of an organization is important for the successful deployment of an NBA system. Since most SMB network and security professionals lack the expertise and experience required to optimize an NBA solution and analyze its results, it is not for small businesses.

2. Conduct a comprehensive analysis before choosing an NBA product

NBA systems can do more harm than help if they aren't carefully chosen based on the existing network components, level of in-house expertise, organization's needs, and so on.

When assessing NBA systems, make sure they can be integrated with existing networks and fit the organization's requirements for analysis and reporting. You should also consider how simple or difficult it is to tune and use the system. You should think about all the devices you'll need to collect flows from: "Will they all be able to send flows? Is it true that activating flows on the device will have a detrimental influence on its performance?"

3. Run tests before launching a large-scale rollout

It's critical to adequately test an NBA system before implementing it on a large scale, so that security managers can observe what kind of actual network activity reporting they'll get.

Installing the NBA tools in a live production network is the only way to thoroughly evaluate them. Any other form of evaluation, such as a lab network, cannot produce accurate results.

4. Tune NBA systems to reduce false positives

It's vital to devote time to fine-tuning NBA systems for collecting meaningful network data and preventing false positives.

If an organization fails to fine-tune NBA systems properly, it may face a high number of false-positive readings, which will put a strain on the network and security administrators who must review all warnings. The alarm count should be kept at a reasonable and useful level.

5. Use NBA statistics to figure out how clients use the Internet

It's also critical when employing NBA systems to establish targeted views and logical groups within the tool that make sense. You should reduce the number of flows that must be queried or seen to obtain more timely network information.

As a result, the NBA system will be able to give not only more network awareness but also a more effective means to deal with problems as they develop.

How to Detect Malware with Network Behavior Analysis?

According to Gartner in 2013,

"Traditional defense-in-depth components are still important, but they are no longer sufficient in protecting against advanced targeted cyberattacks and advanced malware." Network behavior analysis is recommended as a vital component of new security measures against malware.

Advanced malware can change their signatures to avoid detection using a variety of transformation techniques such as register renaming, code permutation, expanding and shrinking code, etc.

On the other hand, NBA solutions aren't based on signatures of previously identified threats. They have behavior-based detection capabilities to analyze suspicious actions and activities related to malware of some kind. They can determine that one of the hosts has begun to act strangely for itself by sending data to other hosts over specific ports, disabling antivirus or firewall measures, installing rootkits, searching for a sandbox, and so on. Such behavior will manifest as a varied collection of security events depending on the vulnerability or type of malicious software deployed. NBA solutions can detect even unknown and tailored threats using this method.

Analyzing network traffic flowing from switches and routers enables you to detect unexpected behavior. By assessing both host and application behavior, NBA tools specialize in monitoring, reporting, and recognizing dangers. They can cope with threats that have not manifested yet, such as zero-day attacks.

A Network Behavior Anomaly Detection (NBAD) tool, which belongs to the IDS family, monitors the entire subnet at the network level. It should establish a baseline of what is considered normal before beginning to inspect traffic in real time. Once you've established this baseline, anything that deviates from it is an anomaly, whether it's an unexpected activity, pattern, or occurrence, and should be viewed with caution.

Some security experts propose a technique called beacon analysis as an essential tool for malware hunting on networks. Beaconing is a term used in information security to describe the practice of phoning home regularly. The need to communicate with its creator is something that all varieties of malware have in common. Intermediary servers, also known as "Command and Control" (C&C) servers, assist attackers in establishing a communication path with the infected machine. This connection will attempt to simulate normal network activity through the use of DNS or HTTP(S).

A compromised machine regularly checks in with the C&C server for orders to execute. Most of the time, the malware is told to do nothing, which results in the transmission of the same quantity of data each time. Because most network activity generates unpredictable amounts of data in each session, this regularity is revealing, regardless of whether obfuscation is used as a smokescreen.
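The two properties described above, check-ins that are evenly spaced in time and nearly constant in size, can be scored directly from flow records by looking at how little the inter-arrival times and byte counts vary for each source/destination pair. The Python below is an added example of that beacon analysis, not code from the article or from any product; the TEST-NET addresses (198.51.100.x), the 300-second period, the thresholds and the browsing traffic are all constructed for illustration.

```python
from collections import defaultdict, namedtuple
from itertools import accumulate
from statistics import mean, pstdev

# Constructed flow record: start time (s), source, destination, bytes sent.
Flow = namedtuple("Flow", "ts src dst bytes_out")


def coefficient_of_variation(values):
    """Standard deviation relative to the mean; near 0 means 'always the same'."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def find_beacons(flows, min_connections=8, max_interval_cv=0.1, max_size_cv=0.1):
    """Group flows per (src, dst) pair and flag pairs whose check-ins are both
    evenly spaced and nearly constant in size. Returns one record per candidate
    so an analyst can see the period and the sample count that produced it."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)

    candidates = []
    for (src, dst), fs in by_pair.items():
        if len(fs) < min_connections:
            continue   # too few samples to call anything periodic
        fs.sort(key=lambda f: f.ts)
        intervals = [b.ts - a.ts for a, b in zip(fs, fs[1:])]
        sizes = [f.bytes_out for f in fs]
        interval_cv = coefficient_of_variation(intervals)
        size_cv = coefficient_of_variation(sizes)
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            candidates.append({"src": src, "dst": dst, "connections": len(fs),
                               "period_s": round(mean(intervals)),
                               "interval_cv": round(interval_cv, 3),
                               "size_cv": round(size_cv, 3)})
    return candidates


# Constructed traffic. An idle implant on 10.0.1.20 checks in every ~300 s with
# a few seconds of jitter and always sends 512 bytes.
JITTER = [0, 2, -1, 1, 0, 3, -2, 1, 0, 2, -1, 1]
BEACON_FLOWS = [Flow(300 * i + j, "10.0.1.20", "198.51.100.10", 512)
                for i, j in enumerate(JITTER)]

# A user on 10.0.1.21 browsing a site: irregular gaps, wildly different sizes.
GAPS = [0, 5, 120, 33, 900, 7, 250, 60, 1800, 14]
SIZES = [1200, 45000, 800, 3300, 150000, 2100, 600, 9800, 27000, 4100]
BROWSING_FLOWS = [Flow(ts, "10.0.1.21", "198.51.100.20", size)
                  for ts, size in zip(accumulate(GAPS), SIZES)]

# A pair with too few samples to judge, even though it looks regular.
SHORT_FLOWS = [Flow(60 * i, "10.0.1.22", "198.51.100.30", 64) for i in range(3)]

SAMPLE_FLOWS = BEACON_FLOWS + BROWSING_FLOWS + SHORT_FLOWS

if __name__ == "__main__":
    for c in find_beacons(SAMPLE_FLOWS):
        print(c)
```

Only the implant's pair survives the two variance checks; the browsing pair fails both, and the three-flow pair is skipped for lack of samples. The minimum-sample rule matters in practice: with a 300-second period, eight connections means the detector needs about forty minutes of flow data before it can say anything, which is one concrete form of the detection delay discussed in the Disadvantages section.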

The advantage of behavior-based detection is that it can not only detect zero-day threats in real-time but also assist you in obtaining a detailed study of the malware, including its mode of operation.

Every malware family exhibits a distinct pattern of behavior that can be used for anomaly detection by an NBAD system:

  • Attempts to traverse local ports laterally
  • Staying hidden to make use of computational resources
  • During its initial execution, the malware sends join requests to a "mining pool"
  • The network signature of miners is HTTP traffic, mostly sent to blacklisted domains
  • A significant increase in the use of computational resources
  • Encryption activity visible in the memory fingerprint of affected devices
  • A network signature that is subtle in terms of propagation
  • Obfuscation of the C&C architecture to protect it from law enforcement takedowns
  • Maintaining an efficient C&C infrastructure for consistent communication and execution
  • A distinct network trace associated with ongoing communication
  • A lot of scanning
  • Noisy traffic
  • Cryptominers
  • Ransomware
  • Remote Access Trojans
  • Bulletproof hosting

What are Network Behavior Analysis Tools?

Many of the larger, established network and security organizations, as well as smaller competitors who specialize in the technology, are targeting the network behavior analysis industry. While every network behavior analysis tool provides network visibility, not all of them include features for dealing with the threats that they can uncover. If you already have a network threat mitigation solution in place, you can select a network behavior analysis solution that simply improves network visibility. Additionally, make certain that each offer you consider integrates well with your existing IT infrastructure and meets your analysis and reporting requirements.

Top 7 Network Behavior Analysis tools are outlined below:

1. Varonis Data Security Platform

Varonis provides a Data Security Platform, which is a modular suite of data access and data security products that includes data access governance, sensitive data discovery, unusual behavior detection, incident playbooks, GDPR compliance support, and cybersecurity forensic reporting.

2. Cisco Secure Network Analytics (Stealthwatch)

Cisco Stealthwatch is a network behavior analysis product based on Lancope technology acquired by Cisco in 2015. It generates high-fidelity alerts enriched with context such as user, device, application, location, and timestamp, which is useful for detecting threats across a network. It can analyze encrypted traffic for threats and compliance without decrypting it. Using advanced analytics, you can quickly detect unknown malware, insider threats such as policy violations, data breaches, and other sophisticated attacks. It allows you to define smarter segmentation policies without interfering with business operations and to create custom alerts for detecting unauthorized access and ensuring compliance. To enforce policies and contain threats, you can use Secure Network Analytics in conjunction with Identity Services Engine (ISE). Stealthwatch Cloud provides SaaS-based visibility and threat detection across all major cloud platforms, such as AWS, Azure, and Google Cloud, without the use of a software agent.

3. AlienVault OSSIM

OSSIM (Open Source Security Information Management) is a free and open-source security information and event management system that integrates a number of tools to help network administrators with intrusion detection and prevention.

Dominique Karg, Julio Casal, and later Alberto Roman collaborated on the project in 2003. It served as the foundation for their company AlienVault, which was founded in 2008.

AlienVault began offering a commercial variant of OSSIM ('AlienVault Unified Security Management') after acquiring the Eureka project label and completing R&D. In 2019, AT&T Communications purchased AlienVault and rebranded it AT&T Cybersecurity.

By allowing users to receive and contribute real-time information about suspicious nodes, OSSIM takes advantage of the power of the AlienVault Open Threat Exchange. AlienVault OSSIM is an open-source SIEM (Security Information and Event Management) product. It is equipped with an intelligent analytic engine that detects potential threats in a network. The dashboard presents alerts and allows you to drill down into an alert to obtain detailed information for research. It can also be used to create rules and send email notifications.

4. Imperva Data Risk Analytics

Imperva Data Risk Analytics (formerly CounterBreach) is a risk analytics tool that uses data access behavior across the enterprise network to determine the security of enterprise data. By detecting critical data access vulnerabilities, Imperva Data Risk Analytics significantly reduces the volume of security alerts, accelerates incident resolution, and enhances employee effectiveness. Imperva Analytics gives you visibility into a wide spectrum of threats, from unintentional exposures to persistent attacks using an evasive exploit, so you can figure out what's going on before it's too late.

The primary benefits of the Imperva Data Risk Analytics are listed below:

  • Shorten the amount of time it takes to solve a problem.
  • Prioritize based on actual danger, not merely anomalies.
  • Bad actors are identified before they inflict harm.
  • Before audit failures, correct non-compliance.
  • Get easy-to-understand descriptions that clarify complicated subjects in layman's words.
  • Reduce false positives and allow SOC teams to focus on the most important issues.

5. Arbor Sightline

Arbor Sightline (formerly Arbor SP) is an Arbor Networks network behavior analytics platform that is now owned and supported by NETSCOUT. Arbor Sightline provides robust capabilities ranging from network-wide capacity planning to identifying and managing network threats. NETSCOUT provides a complete range of fully integrated, in-cloud, and on-premise DDoS security products and services, all of which are backed by worldwide threat information. Peering analysis determines what traffic may be diverted away from costly transit networks and into either free peering or revenue-generating new customers. Sightline can be used to monitor network infrastructure capacity, allowing you to avoid saturation and re-engineer network traffic for better use. It can also promptly diagnose and handle DDoS attacks thanks to proactive monitoring of network or service availability issues.

6. Flowmon ADS

Kemp Flowmon Anomaly Detection System (ADS) is a security solution that detects anomalies hidden in network traffic using machine learning. It supplements traditional security tools and creates a multi-layered defense system capable of detecting threats at all stages of compromise. Kemp Flowmon ADS can help you with closing the gap between perimeter and endpoint security. Machine learning can be used to detect unknown and insider threats. It also utilizes external threat intelligence feeds to gain detailed insight into encrypted traffic. At any point in the threat lifecycle, it can reveal attacks on mission-critical applications, data breaches, and malicious behavior.

7. ManageEngine NetFlow Analyzer

NetFlow Analyzer is a comprehensive traffic analytics tool that makes use of flow technologies to provide real-time visibility into network bandwidth usage. NetFlow Analyzer, primarily a bandwidth monitoring tool, has helped thousands of networks around the world optimize their bandwidth and traffic patterns by providing a comprehensive view of their networks' capacity and traffic patterns. In addition to doing network traffic analysis, network forensics, and network flow monitoring, NetFlow Analyzer is a trusted partner who optimizes the bandwidth utilization of over a million interfaces throughout the world.

NetFlow Analyzer provides total visibility into your network traffic, application performance, devices, interfaces, IPs, WAN links, WiFi, SSIDs, and access points, and tracks bandwidth usage. It also supports NBAR, AVC, CBQoS, and IP SLA, among other Cisco technologies.