The Convergence of Network Behavior Analysis and Network Performance Management

It’s essential that IT understand the impact on network resources and application delivery of any and all anomalies in network behavior. Anomaly detection tools can help.

By Patrick Ancipink and Ben Erwin

The biggest threat to application performance is change, but today the rate of change in the network infrastructure is beyond human scale, making it difficult to track. People who manage the delivery of applications need visibility into changes in network behavior to mitigate risks. Anomaly detection capabilities hold promise for tracking network behavior changes in real time but have traditionally been built for security teams, not the performance needs of network operations groups.

In network management terms, anomaly detection is simply determining when network behaviors change from normal patterns. Anomaly detection and mitigation products have traditionally been used by security operations and threat management teams to detect worms, malware, distributed denial of service (DDOS) attacks, and other unwanted intrusions. The capability has even spurred a new industry term over the past few years: network behavior analysis, or NBA.

To date, the NBA vendors have sold their products to IT security teams, promising to keep them ahead of the bad guys. This positioning frequently pigeon holes anomaly detection into a pure-play security solution that is irrelevant to other areas of IT. Although there is great merit in using network behavior analysis for security purposes, it can also serve as an early warning system for performance degradation and should be considered a key requirement for network performance management and application delivery.

Properly designed anomaly detection products can bridge the gap between network operations and security operations teams. The products should focus on early warnings of security threats as well as on non-malicious application or user behavior that poses a threat to application delivery. In addition, integrated work flow between anomaly detection and network performance monitoring is essential for network teams.

Understanding an anomaly is important, but network operations must also be able to assess the impact on application response times -- a critical metric for understanding the end-user experience -- and network infrastructure. An anomaly detection product that provides detection, impact analysis, and troubleshooting capabilities in a seamless workflow via a single management platform should be valuable to any network operations group.

To expand their market opportunity, some NBA vendors have added new features to their products and repositioned them for network performance management. However, they generally lack the end-to-end visibility, enterprise scalability and context to be considered complete network performance management systems. No single metric is adequate for managing application delivery, so it is essential to provide context to integrate and correlate multiple data sources. For example, if only the host information pertaining to a detected anomaly is presented without the associated interfaces and routers, critical dependencies can be missed, masking the impact of the anomaly and making it harder to troubleshoot. With visibility into changes in network traffic only, traditional NBA solutions provide a small piece of a complete application delivery management solution.

Anomaly Detection from a Performance Perspective

There are several methods and data sources for detecting anomalies on the network. Most NBA products analyze network flows and packets. Using advanced algorithms, they study and profile traffic patterns for any host (client or server) on the network. Visibility into this traffic can flag a number of different anomalies ranging from the variance in the types of packets a specific host is sending over the network to the variance in the volume of packets it sends. Either variance could be an early warning sign of an infected host, or simply of non-malicious user behavior impacting the performance of applications.

A sudden increase in packet volume could indicate a user is hosting a non-sanctioned application such as Bit Torrent or Kazaa for file sharing. This type of change in network behavior is usually not malicious like a worm or virus, but it can threaten application delivery by choking bandwidth and consuming resources.

Anomalous changes in the types of packets being used by a host may also be an early warning of potentially threatening behavior. Anomalies like these can indicate an improperly configured application that threatens performance if client requests are not being properly processed. Packet fragmentation is another change in the packet make-up that could be caused by a malfunctioning network device.

Changes to the network configuration can also degrade application performance. For example, if sources of null routes are detected, inconsistent access control lists (ACLs) may be responsible. Monitoring the TTL bit in network traffic can also identify routing loops that are occurring in the network. Detecting both behaviors is crucial to properly securing the network and delivering application services promptly.

More nefarious network activities can cause fragmented packet sources, SYN-only packet sources, and high packet fan-out. These behaviors may point to hackers who are attempting to bypass firewalls, or indicate the presence of viruses and worms on the network. Malicious or not, such behaviors can negatively impact the delivery of application services. More packets on the network may ultimately lead to bandwidth congestion, especially if the non-sanctioned application is heavily used, and should be cause for concern to those responsible for managing application delivery.

Looking Forward

While analyzing network traffic for anomalies is a logical place to start, even more can be done to help network professionals be more proactive in mitigating risks to application performance. Understanding anomalies in response times and VoIP call quality correlated with network flow patterns can identify the source of anomalies, what resources are impacted, and why. Detecting anomalies in device performance provides even more granularity into how network services have been impacted.


Network engineers are becoming increasingly responsible for networked application performance, making the convergence between network behavior analysis and network performance management a necessity. Whether anomalies in network behavior are self-inflicted or malicious, it is essential to understand their potential impact on network resources and application delivery. Using anomaly detection to identify changes in real time is an effective way to mitigate the risk from unexpected activity and assure end user productivity.

Although NBA products highlight anomalies in network traffic to aid security efforts, they fall short of providing the comprehensive data network teams need to understand how anomalies affect network and application performance across an enterprise. Network operations groups should look for anomaly detection capabilities that move beyond a host-based only focus and are integrated with a robust network performance management system for understanding network health.

- - -

Patrick Ancipink is the director of product marketing and Ben Erwin is technical marketing manager for NetQoS, Inc., a provider of network performance management software and services that recently added network behavior analysis capabilities to its NetQoS Performance Center product suite.