
Behavioral Anomaly Detection, p. 195

Table 8.2 Measurement and Analysis of Baseline Metrics

Behavior: Network Traffic
  Measured Metric(s):
    - Total unique source IPs
    - Total unique destination IPs
    - Total unique TCP/UDP ports
    - Traffic volume (total flows)
    - Traffic volume (total bytes)
    - Flow duration
  Measured by:
    - Network switch/router flow logs (i.e., NetFlow, jFlow, sFlow, or similar)
    - Network probe (i.e., IDS/IPS, network monitor, etc.)
  Analyzed by:
    - Network Behavior Anomaly Detection (NBAD) system
    - Log Management system
    - SIEM system

Behavior: User Activity
  Measured Metric(s):
    - Total unique active users
    - Total logons
    - Total logoffs
    - Logons by user
    - Logoffs by user
    - Activity (e.g., …)
  Measured by:
    - Application logs
    - Database logs and/or transaction analysis
    - Application logs and/or session analysis
  Analyzed by:
    - Log Management system
    - SIEM system
  NOTE: user activity may need additional layers of correlation.
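The table lists what to measure but not how a baseline is turned into a detection. The following added example (not code from the book) computes the Network Traffic and User Activity metrics of Table 8.2 over constructed flow records (NetFlow-style fields) and constructed logon/logoff events, then flags metrics in a current window that fall outside a simple multiplicative band around the baseline. The record layouts, the 2x band, and all sample values are assumptions made for the example.

```python
"""Baseline metric measurement and comparison for the two behaviours in Table 8.2.

Added example, not from the book. Flow records imitate NetFlow/sFlow export
fields; logon events imitate application or directory audit logs. All data
below is constructed for the example.
"""
from collections import Counter
from statistics import mean

# Constructed flow records: (src_ip, dst_ip, proto, dst_port, bytes, duration_s)
BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.1.20", "tcp", 443, 5200, 1.2),
    ("10.0.0.6", "10.0.1.20", "tcp", 443, 4100, 0.9),
    ("10.0.0.7", "10.0.1.21", "tcp", 80, 3000, 0.5),
    ("10.0.0.5", "10.0.1.22", "udp", 53, 120, 0.1),
    ("10.0.0.8", "10.0.1.22", "udp", 53, 110, 0.1),
    ("10.0.0.6", "10.0.1.23", "tcp", 22, 8000, 30.0),
]
# Constructed current window: one host touching many ports with tiny, short flows
CURRENT_FLOWS = [
    ("10.0.0.5", "10.0.1.20", "tcp", 443, 5100, 1.1),
    ("10.0.0.6", "10.0.1.22", "udp", 53, 115, 0.1),
] + [("10.0.0.9", "10.0.1.30", "tcp", port, 60, 0.01) for port in range(20, 40)]

# Constructed logon/logoff events: (user, action)
BASELINE_EVENTS = [("alice", "logon"), ("alice", "logoff"), ("bob", "logon"),
                   ("bob", "logoff"), ("carol", "logon"), ("carol", "logoff")]
CURRENT_EVENTS = [("alice", "logon"), ("alice", "logoff")] + [("bob", "logon")] * 7


def network_metrics(flows):
    """Network Traffic row of Table 8.2: counts and volumes from flow records."""
    return {
        "unique_src_ips": len({f[0] for f in flows}),
        "unique_dst_ips": len({f[1] for f in flows}),
        "unique_ports": len({(f[2], f[3]) for f in flows}),  # proto+port pairs
        "total_flows": len(flows),
        "total_bytes": sum(f[4] for f in flows),
        "mean_flow_duration": mean(f[5] for f in flows) if flows else 0.0,
    }


def user_metrics(events):
    """User Activity row of Table 8.2: totals plus the per-user breakdown."""
    logons = Counter(u for u, a in events if a == "logon")
    logoffs = Counter(u for u, a in events if a == "logoff")
    return {
        "unique_active_users": len({u for u, _ in events}),
        "total_logons": sum(logons.values()),
        "total_logoffs": sum(logoffs.values()),
        "logons_by_user": dict(logons),
        "logoffs_by_user": dict(logoffs),
    }


def deviations(baseline, current, ratio=2.0):
    """Flag scalar metrics that moved more than `ratio` times away from baseline.

    Returns {metric: "high" | "low"}. A fixed multiplicative band is an
    assumption for brevity; an NBAD or SIEM baseline keeps per-window
    distributions and would use z-scores or percentiles instead.
    """
    flagged = {}
    for name, base in baseline.items():
        if isinstance(base, dict):
            continue  # per-user dicts are handled by user_deviations()
        cur = current[name]
        if cur > base * ratio:
            flagged[name] = "high"
        elif base and cur < base / ratio:
            flagged[name] = "low"
    return flagged


def user_deviations(baseline, current, ratio=2.0):
    """Per-user logon counts above the band, plus users absent from the baseline.

    This is the 'additional layer of correlation' the table's note refers to:
    totals alone would hide one account doing all the extra logons.
    """
    flagged = {}
    base_by_user = baseline["logons_by_user"]
    for user, count in current["logons_by_user"].items():
        base = base_by_user.get(user)
        if base is None:
            flagged[user] = "new_user"
        elif count > base * ratio:
            flagged[user] = "high"
    return flagged


if __name__ == "__main__":
    base_net, cur_net = network_metrics(BASELINE_FLOWS), network_metrics(CURRENT_FLOWS)
    base_usr, cur_usr = user_metrics(BASELINE_EVENTS), user_metrics(CURRENT_EVENTS)
    print("network:", deviations(base_net, cur_net))
    print("users:", deviations(base_usr, cur_usr))
    print("per-user:", user_deviations(base_usr, cur_usr))
```

On the constructed data the unique-port count and flow count rise well above the baseline band while bytes and mean duration fall below it, which is the kind of joint deviation an NBAD system or SIEM correlation rule would surface from the first row of the table; the per-user view shows why the second row needs the extra correlation layer the note mentions.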