Behavioral baselines and anomalies
Baselines provide a reference for normal (as opposed to legitimate) behavior. Baselines are time-dependent and can be associated with sources, destinations, channels, and content at various levels of granularity. For example, the system can maintain baselines for specific users, user groups, or the entire organization covering standard working hours, combinations of channels, rules, number of matches, destinations, and transaction sizes, and can flag anomalies, that is, deviations from the baseline that are statistically significant. In order to obtain statistically significant results, the number of elements in the group should be large enough, which may require lowering the resolution, for example from individual users to user groups. As a rule of thumb, the minimal group that constitutes a baseline should comprise at least 30 elements.
While anomalies provide an important set of indicators, most behavioral anomalies are benign, as people often change their behavior. For example, when you start working on a new topic, with new suppliers or customers, or when you travel to places you have never been to before, you create anomalies that may or may not become the new normal. Incorporating baselines and anomalies within a powerful probabilistic framework, such as Bayesian Belief Networks, makes it possible to digest the relevant information from these indicators without creating the deluge of false positives typical of products that alert on each anomaly.
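The baseline-resolution rule above, as an added illustration that is not part of the original text or any product it describes: a transaction-size baseline is kept at three hypothetical resolutions (user, user group, whole organization), and scoring uses the finest level that has at least 30 elements, dropping to a coarser one otherwise. The history, the 3-sigma threshold and the level names are constructed assumptions.

```python
import statistics
from collections import defaultdict

MIN_GROUP = 30  # rule of thumb from the text: smaller groups give no significant baseline

def build_baseline(events, keyfn):
    """Return {key: (mean, stdev, count)} of transaction sizes, bucketed by keyfn."""
    buckets = defaultdict(list)
    for e in events:
        buckets[keyfn(e)].append(e["size"])
    return {k: (statistics.mean(v), statistics.pstdev(v), len(v)) for k, v in buckets.items()}

# Hypothetical resolution ladder, finest first: per user, per user group, whole organization.
LEVELS = [
    ("user", lambda e: e["user"]),
    ("group", lambda e: e["group"]),
    ("org", lambda e: "org"),
]

def build_all(events):
    return [(name, keyfn, build_baseline(events, keyfn)) for name, keyfn in LEVELS]

def score(event, tables, z_threshold=3.0):
    """Pick the finest baseline with >= MIN_GROUP elements; return (level, z, anomalous)."""
    for name, keyfn, table in tables:
        stats = table.get(keyfn(event))
        if stats is None or stats[2] < MIN_GROUP:
            continue  # too few elements: lower the resolution and try the next level
        mean, sd, _ = stats
        if sd == 0:
            z = 0.0 if event["size"] == mean else float("inf")
        else:
            z = (event["size"] - mean) / sd
        return name, z, abs(z) >= z_threshold
    return None, None, False  # no baseline of sufficient size at any level

# Constructed sample history (not real data): finance has 36 transfers, legal only 6.
HISTORY = (
    [{"user": "alice", "group": "finance", "size": 90 if i % 2 else 110} for i in range(12)]
    + [{"user": "bob%d" % (i % 4), "group": "finance", "size": 90 if i % 2 else 110} for i in range(24)]
    + [{"user": "carol", "group": "legal", "size": 100} for _ in range(6)]
)
TABLES = build_all(HISTORY)

if __name__ == "__main__":
    for ev in ({"user": "alice", "group": "finance", "size": 150},
               {"user": "carol", "group": "legal", "size": 150},
               {"user": "carol", "group": "legal", "size": 105}):
        print(ev, score(ev, TABLES))
```

Alice has only 12 events, so her 150-byte transfer is judged against the finance baseline (mean 100, stdev 10) and scores z = 5; carol's group is too small as well, so she falls through to the organization-wide baseline.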