Protocol Anomaly Detection

It’s late at night and you’re walking to your car after attending a community event. Your car is still a block away. As you walk, you scan the scene before you. Something is just not right, you say to yourself. On the dark sidewalk ahead of you, you see two silhouettes. They are moving about, and you hear raised voices. Who are these people? You decide to cross the street to play it safe. You are practicing threat detection and avoidance. That’s the purpose of protocol anomaly detection.

Embracing the Normal

President Warren G. Harding famously called for “a return to normalcy”. Though it may seem less exciting, the normal state of things is generally considered the best. That goes for networks as well. The opposite condition is when things go wrong, when they are out of spec, when something is not right with the network. Such a deviation from the normal is called an anomaly.

But how do you know what’s normal when it comes to network protocols? Thankfully, there are clear standards that tell you everything that you need to know. These are called RFCs (Requests for Comments). Steven Crocker wrote the first Request for Comment (RFC 1) in 1969. The document outlined the basic requirements for setting up connections in the ARPA network. The collaborative effort of developing RFC standards by the Internet Engineering Task Force (IETF®) continues to this day.

No matter the network protocol, there are accepted standards for its implementation. There are more than 8,000 RFCs now, and the number is growing. If you want to know the right way — the accepted way — to set up a network, it’s all there. Any network that doesn’t fit the normal parameters deserves a closer look.

Looking for Anomalies

Protocol anomaly detection, also known as network behavior anomaly detection (NBAD), is an approach to detecting network threats by identifying violations of RFC protocol specifications. The search for protocol anomalies is part of modern intrusion detection systems (IDS) as well as intrusion prevention systems (IPS).

According to Techopedia, the three major components of network behavior monitoring are:

  • traffic flow patterns
  • network performance data
  • passive traffic analysis


The point of protocol anomaly detection is to discover anything that might not be considered normal network traffic.

The point of protocol anomaly detection is to discover anything that might not be considered normal network traffic. To do that, an IDS may include a model, or profile, for each protocol based on the RFCs. This is often referred to as the “baseline”. Establishing a baseline is the first step in detecting anomalies.

Network Burglar Alarms

If you’re worried about the bad guys, you should always be on the lookout. Whether it’s walking down the street or protecting your home, you must be vigilant. Intrusion detection systems are like computer system burglar alarms, and protocol anomaly detection is a defense against network intruders. To make it work, your IDS needs to notify you when a threat appears.

Any activity that does not conform to the expected patterns of network protocol traffic should be flagged. These anomalies could be tied to a network monitoring team’s ticket system or to the email boxes of IT personnel. The alarms might be graded by severity or grouped into particular events. With such automation, there is also the possibility of the generation of false alarms that can overwhelm a system. The thresholds may need to be adjusted.

Putting the Machines to Work

Monitoring a large network can mean dealing with a vast amount of data points. To handle all this data, some companies have turned to machine learning. This is part of a trend toward using the power of computing to analysis the growing volume of information in every field.

In a presentation for the 4th Annual International Cyber Security Conference 2014 at Tel Aviv University, Professor Irad Ben-Gal spoke on “Anomaly Detection by Machine Learning Tools”. He told how some researchers are even using design formatting and colors to identify suspicious websites. The same machine learning techniques can be applied to protocol anomaly detection. Expect to see more of this in the coming days.


Protocol anomaly detection is an integral part of today’s intrusion detection systems and also part of Total Uptime’s Web Application and API Protection service (WAAP). It goes beyond the simple rule-setting of earlier IDS implementations. The new approach looks for abnormal trends and unusual activity. Spectral analysis that is already being used in scientific fields such as physics or astronomy can also be applied to network traffic. Finding protocol anomalies will unmask intruders that might have gone undetected otherwise. The practice of network analysis will continue to develop along with machine learning methods. In the world of cyberspace, it pays to see the dark figures in front of you before it’s too late.

Secure your App, API, website, IoT and more today!