Cyber-Arms Race


By Michael Stanford  |  February 04, 2013

The article originally appeared in the Jan./Feb. edition of INTERNET TELEPHONY.

Denial-of-service attacks are a terrible nuisance, and they appeal to the news media, but they are a blunt instrument: impossible to miss and rarely sustained for long.

But security breaches that involve data theft can be a lot more subtle. Even worse than getting hacked is getting hacked and not realizing it, as an attacker establishes a presence on your system and then quietly leaks valuable data out over months or years.

This type of attack is termed an advanced persistent threat. The hacker strives to be as unobtrusive as possible, taking the data a little bit at a time so as not to set off any alarms.

There are two stages to such an attack. The first is getting a foothold in the target system. The second is staying there undetected while plundering the victim.

The advent of enterprise mobility has blurred the boundaries of the LAN, making it more vulnerable. Firewalls, virus checkers and other traditional defenses against the initial attack inevitably let some threats through, for example spear-phishing e-mails or compromised USB flash drives, so a second line of defense is essential.

The conventional tool for this is the intrusion detection system, which inspects network traffic and identifies malicious packets. IDSs compare each network packet to a list of signatures of known threats. They identify most malicious traffic, but unfortunately not 100 percent. IDSs suffer from a serious limitation: They only detect known threats. This means they can't recognize previously unobserved threats, or even known threats of the type that dynamically rearrange their own code to change their signatures.

Even worse: the library of known threat signatures exceeds 30,000, and no IDS has the capacity to scan for more than 2,000 of these at once. So there’s a good chance the IDS will fail to detect even a known threat.

This deficiency in conventional IDSs has driven the development of a new technique for combating advanced persistent threats. It is called network behavioral analysis. The basic idea of network behavioral analysis is the opposite of detecting malicious traffic. Instead, it builds a predictive model of normal behavior on a network, and issues an alert when anything unexpected happens.

The challenge here is to avoid a profusion of false alarms. The more sophisticated NBA systems therefore maintain metadata about a large number of networks, so that once an anomaly is determined to be harmless, it no longer causes an alert anywhere.
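The approach described in the two paragraphs above, sketched as an added example (not code from the article or from any NBA product): a per-host baseline of destinations and daily outbound volume, plus a list of anomalies already vetted as harmless that no longer alert. The flow-record layout, host names, the threshold `k` and all sample data are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

def build_baseline(flows):
    """Model 'normal' from (day, host, dest, bytes_out) records of a clean window."""
    dests, daily = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for day, host, dest, nbytes in flows:
        dests[host].add(dest)
        daily[host][day] += nbytes
    model = {}
    for host, per_day in daily.items():
        vols = list(per_day.values())
        med = median(vols)
        mad = median(abs(v - med) for v in vols) or 1  # never a zero-width band
        model[host] = {"dests": dests[host], "median": med, "mad": mad}
    return model

def detect(model, flows, vetted=frozenset(), k=6):
    """Alert on anything the baseline did not predict.
    vetted holds (host, dest) pairs already judged harmless (hypothetical shared list)."""
    alerts, totals = set(), defaultdict(int)
    for day, host, dest, nbytes in flows:
        totals[(day, host)] += nbytes
        prof = model.get(host)
        if prof is None:
            alerts.add((day, host, "unknown-host", dest))
        elif dest not in prof["dests"] and (host, dest) not in vetted:
            alerts.add((day, host, "new-destination", dest))
    for (day, host), total in totals.items():
        prof = model.get(host)
        if prof and total > prof["median"] + k * prof["mad"]:
            alerts.add((day, host, "volume", total))
    return sorted(alerts, key=str)

# Constructed sample data: one workstation, five clean days, then one observed day.
DAILY = [(30000, 12000), (31000, 15000), (29000, 11000), (33000, 14000), (30000, 13000)]
TRAINING = [(d, "ws-17", dest, n) for d, pair in enumerate(DAILY, 1)
            for dest, n in zip(("mail.corp.example", "files.corp.example"), pair)]
OBSERVED = [(6, "ws-17", "mail.corp.example", 30000),
            (6, "ws-17", "files.corp.example", 12000),
            (6, "ws-17", "updates.vendor.example", 5000),  # new, but vetted harmless
            (6, "ws-17", "203.0.113.9", 2000)]             # small trickle, new peer
VETTED = frozenset({("ws-17", "updates.vendor.example")})

if __name__ == "__main__":
    for alert in detect(build_baseline(TRAINING), OBSERVED, VETTED):
        print(alert)
```

The 2,000-byte transfer stays far below the volume threshold, so only the destination profile flags it; a volume check alone would miss data taken a little at a time.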

The cyber arms race continues, with the black-hats continuously upping the ante. There is currently no silver bullet for defense, but network behavioral analysis has become an essential element in the defensive repertoire.

Michael Stanford has been an entrepreneur and strategist in VoIP for more than a decade. (Visit his blog at

Edited by Braden Becker