Why seasonality factors are important to anomaly detection in cybersecurity

Why seasonality factors are important to anomaly detection in cybersecurity Why seasonality factors are important to anomaly detection in cybersecurity

Let's first try and understand what seasonality is by looking at a few examples from daily life:

Seasonality in product sales: Numerous products such as chocolates, summer clothes, workout gear, and Halloween costumes belong to seasonal markets. The demand for these products typically peaks for a few days or months and then tapers off. Depending upon the market, the sales that can be attributed to seasonality can vary. For instance, the sales of winter clothes during the winter months may actually eclipse the sales during the rest of the year.

Seasonality in water consumption: This is an easy example to understand: People usually consume a lot more water during the summer months.

Seasonality in the stock market: Historically, stocks have underperformed between the months of May and October but have done well from November to April. There is a popular saying that goes, "Sell in May and go away."

Is there an example of seasonality when it comes to an organization's computer network? Yes, there is...

In an organization's network, users and hosts may exhibit seasonal behavior such as:

  1. A database server that's heavily queried on Monday every week.
  2. A user who works on alternate Saturdays.
  3. A user who accesses a particular file server only once a month, particularly on the last working day of the month.

The three examples above involve relatively rare occurrences that are seasonal in nature, but, they're not anomalies.

An anomaly, by definition, is something that deviates from what's expected. These three activities (and others like it), though rare, aren't anomalies because they start to become accepted as normal after they occur a few times. They're normal activities that follow a seasonal trend.

Anomaly detection in cybersecurity

It's important for organizations to detect anomalies that happen in the network to ward off potential cyberattacks. To do this, organizations typically use a security analytics solution or a SIEM solution that has anomaly detection capabilities fueled by machine learning algorithms. This solution creates a baseline of expected behavior for every user and host in the network. If a user's or host's observed behavior deviates beyond a learned threshold, it's flagged as an anomaly and the risk score is raised accordingly.

Anomaly detection with the ability to identify seasonality

The machine learning algorithms used to detect anomalies must be able to account for seasonality. They should understand seasonal effects on the behavior of users and hosts and be able to identify a particular activity as non-anomalous even if it's rare. After accounting for seasonality, no red flags should be identified and risk scores should not be raised. So, what if the activity occurs outside of this seasonal window? That would be an anomaly, as the use case below illustrates.

A seasonality use case

Your bank operates on the first and third Saturday of every month. On the second Saturday of month, your security analytics platform notices an employee logging into the network. A lesser trained system would accept this; after all, the employee was online the previous Saturday, so why not today? But yours is well-trained to spot seasonal anomalies just like this. It knows the difference between the various Saturdays of a month. An alarm goes off, and the risk score of the employee increases.

Related blogs


Change the way you manage security.

Defend against sophisticated threats.

Get started with Log360 UEBA.


© 2019 Zoho Corporation Pvt. Ltd. All rights reserved.