CHAPTER 8 Exception, Anomaly, and Threat Detection

Other, less obvious uses for exception reporting are exemplified in the last example in Table 8.1, where two completely different detection methods (an application monitoring system and a log analysis system) together indicate a policy exception that would otherwise seem benign: the function codes in question are only a concern if they are being executed by an authorized user.

Exception reporting can be automated using many log analysis or security information management systems, which are designed to examine information (typically log files) from many sources and correlate it (for more information on how to generate this information, see Chapter 9, "Monitoring Enclaves"). Without an understanding of the policies that are in place, however, exceptions cannot be determined: the same event is benign or an exception depending only on what policy says about who may do it, and when.

BEHAVIORAL ANOMALY DETECTION

Sometimes, an exception might be seen in a network's expected behavior, rather than in adherence to a policy. These anomalies can be detected by comparing monitored behavior against known "normal" values. This can be done in a variety of
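The exception reporting described above (the Table 8.1 case where an application monitor and a log analysis system are correlated against policy) as an added example, not code from the book: it joins function-code events from an application monitor with logon events from a log analysis system, and flags only what the policy says is an exception. The log formats, hosts, users, function codes, roles and maintenance window are all constructed for the example; `POLICY`, `ROLE_OF` and `report_exceptions` are hypothetical names.

```python
"""Policy-driven exception reporting across two event sources (added example)."""
import re
from datetime import datetime, time

# Constructed sample output of an application monitoring system: one line per
# observed protocol function code on a host. The line format is invented.
APP_MONITOR_LOG = """\
2013-05-14T02:15:03 host=hmi-01 dst=10.1.2.50 fc=6 desc=write_single_register
2013-05-14T10:05:11 host=hmi-01 dst=10.1.2.50 fc=3 desc=read_holding_registers
2013-05-14T10:07:40 host=hmi-01 dst=10.1.2.50 fc=8 desc=diagnostics
2013-05-14T10:09:02 host=hmi-02 dst=10.1.2.50 fc=6 desc=write_single_register
"""

# Constructed sample output of a log analysis system: interactive logons per host.
AUTH_LOG = """\
2013-05-14T01:58:20 host=hmi-01 event=logon user=jsmith
2013-05-14T09:50:00 host=hmi-01 event=logon user=operator2
"""

# Hypothetical policy. Without it, none of the events below is an exception:
# which roles may issue which function code, and (optionally) during which window.
ROLE_OF = {"jsmith": "engineer", "operator2": "operator"}
POLICY = {
    3: {"roles": {"engineer", "operator"}, "window": None},          # reads: anyone
    6: {"roles": {"engineer"}, "window": (time(8, 0), time(17, 0))},  # writes: engineers, in window
    8: {"roles": {"engineer"}, "window": None},                       # diagnostics: engineers
}

KV = re.compile(r"(\w+)=(\S+)")


def parse(log):
    """Turn 'timestamp k=v k=v ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        fields = dict(KV.findall(rest))
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events


def session_user(auth_events, host, ts):
    """User of the most recent logon on `host` at or before `ts`, or None."""
    cands = [e for e in auth_events if e["host"] == host and e["ts"] <= ts]
    if not cands:
        return None
    return max(cands, key=lambda e: e["ts"])["user"]


def report_exceptions(app_log, auth_log):
    """Correlate app-monitor function codes with logon sessions, then apply POLICY."""
    auth_events = parse(auth_log)
    exceptions = []

    def flag(ev, fc, user, reason):
        exceptions.append({"ts": ev["ts"], "host": ev["host"], "fc": fc,
                           "user": user, "reason": reason})

    for ev in parse(app_log):
        fc = int(ev["fc"])
        rule = POLICY.get(fc)
        user = session_user(auth_events, ev["host"], ev["ts"])
        if rule is None:
            flag(ev, fc, user, "function code not covered by policy")
        elif user is None:
            flag(ev, fc, user, "no authenticated session on host")
        elif ROLE_OF.get(user) not in rule["roles"]:
            flag(ev, fc, user, f"role {ROLE_OF.get(user)!r} not permitted")
        elif rule["window"] and not (rule["window"][0] <= ev["ts"].time() <= rule["window"][1]):
            # Neither source alone flags this: a legitimate user, a legitimate
            # function code, but outside the policy's maintenance window.
            flag(ev, fc, user, "authorized user, but outside maintenance window")
    return exceptions


if __name__ == "__main__":
    for x in report_exceptions(APP_MONITOR_LOG, AUTH_LOG):
        print(f"{x['ts']} {x['host']} fc={x['fc']} user={x['user']}: {x['reason']}")
```

On the constructed input, the 02:15 write by jsmith is flagged only because policy ties function code 6 to a maintenance window; the application monitor sees a normal write and the log analysis system sees a normal logon. The 10:07 diagnostics call is flagged on role, and the write from hmi-02 is flagged because no session can be correlated to it. Changing `POLICY` changes which of these are exceptions, which is the point of the paragraph above: the exceptions are defined by the policy, not by either data source.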