Baseline metrics / Anomaly detection

3.2 Given a scenario, use network monitoring technologies

Methods

📘CompTIA Network+ (N10-009)


In IT network monitoring, baseline metrics and anomaly detection are methods used to understand what “normal” looks like on a network, and to identify when something unusual happens that might indicate a problem.


1. Baseline Metrics

Definition:
A baseline metric is like a snapshot of normal network performance. It’s a reference point that shows typical behavior over time. By knowing what “normal” looks like, IT professionals can detect unusual activity more quickly.

Why it matters:

  • Helps detect problems like slow network performance or unusual traffic spikes.
  • Allows comparison over time to see trends, like growth in data usage.
  • Useful in capacity planning, to know when the network might need more resources.

Common Baseline Metrics in Networking:

  1. Bandwidth Usage:
    • Measures how much data flows through the network.
    • Example: Normally, your network uses 50 Mbps of bandwidth, but suddenly it jumps to 200 Mbps—this is unusual and may need investigation.
  2. Latency:
    • Measures how long it takes for data to travel from one point to another.
    • Example: Ping times are usually 20ms, but suddenly jump to 150ms. That’s abnormal.
  3. Error Rates:
    • Tracks how often packets are lost or corrupted.
    • Example: Normally, the error rate is 0.01%, but now it’s 5%. Something is wrong with a device or connection.
  4. CPU/Memory Utilization on Devices:
    • Devices like routers and switches have typical CPU and memory usage.
    • Example: CPU usually stays at 30%, but suddenly spikes to 95%; this could indicate a misconfiguration, an attack, or an overload.

How to establish a baseline:

  • Collect network data over a period of time (weeks or months).
  • Record normal ranges for each metric (min, max, and average).
  • Use this data as your reference point for detecting anomalies.

2. Anomaly Detection

Definition:
Anomaly detection is the process of identifying behavior that is outside of the normal baseline. In other words, it finds things that “don’t fit” the usual pattern.

Why it matters:

  • Detects security threats like attacks (DoS, malware, or unauthorized access).
  • Detects performance issues, such as overloaded network devices or broken links.
  • Helps troubleshoot problems faster by highlighting abnormal patterns.

How it works:

  • Compare real-time metrics against the baseline.
  • Flag any values that are above or below normal thresholds.
  • Investigate flagged anomalies to determine the cause.
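As an added worked example (not part of this study note), the two procedures above in Python: establishing a baseline from collected samples (min, max, average), then comparing a live reading against it and flagging values above or below normal. The history values are constructed, and the three-standard-deviation threshold is an assumption; real monitoring tools let you set thresholds per metric.

```python
from statistics import mean, pstdev

# Constructed history of one router's metrics (not real measurements),
# as a monitoring tool would store them over the baseline period.
HISTORY = {
    "bandwidth_mbps": [48, 52, 50, 47, 53, 51, 49, 50],
    "latency_ms": [19, 21, 20, 22, 18, 20, 21, 19],
    "error_rate_pct": [0.01, 0.02, 0.01, 0.01, 0.02, 0.01, 0.01, 0.02],
    "cpu_pct": [30, 35, 32, 38, 31, 34, 33, 36],
}


def build_baseline(history):
    """Step 1: record min, max, average (and spread) for each metric."""
    return {
        metric: {
            "min": min(samples),
            "max": max(samples),
            "avg": mean(samples),
            "std": pstdev(samples),
        }
        for metric, samples in history.items()
    }


def detect_anomalies(baseline, reading, sigma=3.0):
    """Step 2: compare a live reading against the baseline and flag values
    more than `sigma` standard deviations above or below the average.
    The 3-sigma threshold is an assumption; tune it per metric."""
    flagged = []
    for metric, value in reading.items():
        b = baseline[metric]
        deviation = abs(value - b["avg"])
        # A perfectly flat history has std 0, so any change is then flagged.
        if deviation > sigma * b["std"]:
            direction = "above" if value > b["avg"] else "below"
            flagged.append((metric, value, direction))
    return flagged


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    live = {"bandwidth_mbps": 200, "latency_ms": 150,
            "error_rate_pct": 5.0, "cpu_pct": 95}
    for metric, value, direction in detect_anomalies(baseline, live):
        b = baseline[metric]
        print(f"{metric}: {value} is {direction} baseline "
              f"(avg {b['avg']:.2f}, range {b['min']}-{b['max']})")
```

A reading inside the normal range produces no flags, so the investigation step only runs on values that genuinely deviate.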

Examples in an IT Environment:

  1. Network Traffic Spike:
    • Baseline: Average traffic is 100 Mbps.
    • Anomaly: Suddenly traffic jumps to 500 Mbps.
    • Possible cause: Denial of Service attack or misconfigured backup job.
  2. Device CPU Spike:
    • Baseline: Router CPU usually 30-40%.
    • Anomaly: CPU jumps to 90%.
    • Possible cause: Rogue device sending too much traffic, or a misbehaving application.
  3. Unusual Login Patterns:
    • Baseline: User logins mostly occur during work hours.
    • Anomaly: Multiple logins from unusual IP addresses at 3 AM.
    • Possible cause: Security breach attempt.

3. Tools that Use Baseline Metrics & Anomaly Detection

  1. Network Monitoring Tools:
    • Examples: SolarWinds, PRTG, Nagios
    • These tools can automatically collect baseline data and alert when anomalies occur.
  2. SIEM (Security Information and Event Management):
    • Collects logs and detects unusual activity across the network.
  3. Flow Analysis Tools:
    • Examples: NetFlow, sFlow
    • Can detect unusual traffic patterns based on baseline flow data.

4. Key Exam Tips

  • Baseline metrics = “normal network behavior.”
  • Anomaly detection = “detecting when behavior deviates from normal.”
  • Know that anomaly detection depends on having a solid baseline. Without baseline metrics, anomalies are hard to detect.
  • Metrics can include bandwidth, latency, errors, CPU/memory usage, login patterns, and more.
  • Tools like network monitors or SIEM solutions are used in IT environments to automate this process.

Summary Table for Students

  1. Baseline Metrics:
    • Definition: A snapshot of normal network performance
    • Example in IT Environment: Normal bandwidth is 50 Mbps, CPU 30%
  2. Anomaly Detection:
    • Definition: Identifying behavior outside of the baseline
    • Example in IT Environment: Bandwidth spikes to 500 Mbps, CPU 90%, login from unusual IP
