In anomaly-based detection, what does the system analyze against an established baseline?


Anomaly-based detection is a method used in cybersecurity to identify unusual behavior by comparing real-time activity against a predefined baseline of normal operations. The established baseline is created from historical data that reflects typical patterns of user behavior, network traffic, and system performance over time.

By analyzing traffic statistics, the system detects deviations from that baseline that may indicate a security threat, such as unauthorized access, abnormal data transfers, or other activity that differs from what is expected. Assessing traffic statistics in this way lets the system flag anomalies that signature-based methods, which rely on known patterns of malicious behavior, might not pick up.

Legitimate activity, malicious patterns, and security protocols are all important aspects of cybersecurity, but none of them is what an anomaly-based detection system analyzes. These elements may shape or inform the baseline itself, but they are not the subject of the comparison when the system identifies anomalies.
