Suspicious Behavior
Certain types of network activity are strongly associated with security
problems. Monitoring for this kind of "suspicious" activity can detect many
threats without requiring detailed, threat-specific signatures. This approach
(referred to as NBAD, Network Behavior Anomaly Detection) is useful for
detecting new (zero-day) attacks before rule-based systems can be updated
with a signature for the attack. The trade-off is that a behavioural alert
identifies a pattern rather than a specific threat, so each one still needs
to be investigated to establish what is behind it.
If a host connects to (or attempts to connect to) a large number of other
hosts, this often indicates an attempt to map the network, an attempt to find
vulnerable hosts, or an attempt by an Internet worm to propagate. Failed
attempts matter as much as completed connections: a scanner mostly hits
closed ports and unused addresses, so the usual check counts the distinct
destinations a source contacts (successfully or not) within a short window.
Scanning activity should generally be regarded as suspicious, and the source
of network scans should be identified and investigated.
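As an added example (not code from the original page), the fan-out check described above, run over a few constructed flow records. The record format, the 20-destinations-per-60-seconds threshold and the host addresses are assumptions chosen for illustration; real deployments tune the threshold per network segment.

```python
"""Fan-out (horizontal scan) detector over flow records.

Added example, not code from the original page. A source that contacts
FANOUT_THRESHOLD or more distinct destination hosts within WINDOW is reported
once. Connection *attempts* count too: a scanner mostly hits closed ports, so
failed handshakes are exactly the evidence we want to keep.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FANOUT_THRESHOLD = 20          # distinct destination hosts per window (assumed tuning value)
WINDOW = timedelta(seconds=60)  # sliding window length (assumed tuning value)

# Constructed sample flow records: "<ISO timestamp> <src> <dst> <dport> <outcome>"
# outcome is "ok" (handshake completed) or "fail" (no answer / RST).
_normal = [
    "2024-03-01T10:00:01 10.0.0.7 10.0.1.10 443 ok",
    "2024-03-01T10:00:05 10.0.0.7 10.0.1.11 53 ok",
    "2024-03-01T10:00:09 10.0.0.7 10.0.1.10 443 ok",
    "2024-03-01T10:00:40 10.0.0.7 10.0.1.12 25 fail",
    "2024-03-01T10:01:15 10.0.0.7 10.0.1.10 443 ok",
]
# A worm-like sweep (constructed): one source probing port 445 on 30 hosts in 30 seconds.
_scan = [
    f"2024-03-01T10:00:{10 + i:02d} 10.0.0.5 10.0.1.{100 + i} 445 fail"
    for i in range(30)
]
# Lines start with an ISO timestamp on the same day, so lexical order is chronological.
SAMPLE_FLOWS = sorted(_normal + _scan)


def parse_flow(line):
    """Split one record into (timestamp, src, dst, dport, outcome)."""
    ts, src, dst, dport, outcome = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), outcome


def detect_fanout(lines, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return one alert per offending source: (src, time_of_alert, distinct_dsts).

    `lines` must be in chronological order. Each source keeps a deque of
    (timestamp, dst) pairs no older than `window`; when the number of distinct
    dsts in that deque reaches `threshold` the source is reported once.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ts, src, dst, _dport, _outcome = parse_flow(line)
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # expire records outside the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (ts, len(distinct))
    return [(src, ts, n) for src, (ts, n) in alerts.items()]


def targets_of(lines, src):
    """Investigation aid: (sorted dsts, sorted dports, failure ratio) for one source."""
    dsts, ports, total, failed = set(), set(), 0, 0
    for line in lines:
        _ts, s, dst, dport, outcome = parse_flow(line)
        if s != src:
            continue
        dsts.add(dst)
        ports.add(dport)
        total += 1
        failed += outcome == "fail"
    return sorted(dsts), sorted(ports), (failed / total if total else 0.0)


if __name__ == "__main__":
    for src, ts, n in detect_fanout(SAMPLE_FLOWS):
        dsts, ports, ratio = targets_of(SAMPLE_FLOWS, src)
        print(f"{ts.isoformat()} {src}: {n} distinct hosts in {WINDOW.seconds}s; "
              f"{len(dsts)} hosts total, ports {ports}, {ratio:.0%} failed")
```

The failure ratio and port list returned by `targets_of` are what an analyst looks at first: a single port across many hosts with nearly every attempt failing is the signature of a worm or vulnerability sweep, whereas a backup server or a monitoring poller reaches many hosts but with completed connections.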