NetBeat

Network Traffic Characterization for Adaptive Anomaly Detection

Signature-based solutions and supervised classification for anomaly detection struggle to keep pace with evolving cyberattacks because attack behavior is non-deterministic and quickly diverges from past labels. NetBeat adopts an unsupervised anomaly detection approach grounded in network traffic characterization that remains effective even when payloads are encrypted.

The concept draws on the human heartbeat, where rhythm and pattern reveal anomalies. NetBeat models baseline communication rhythms and detects deviations in real time using metadata that remains observable on encrypted networks: packet length sequences, inter-arrival timing, burst structure, flow directionality, session duration, and encryption layer signals such as TLS versions, cipher suites, ALPN, and fingerprint features like JA3 or JA4. For QUIC, it considers handshake attributes, spin-bit behavior, and connection-level statistics.

Methodology

NetBeat learns seasonal and context-aware baselines per host, subnet, and application cohort, then scores departures from those baselines using a combination of statistical change detection and deep sequence models such as autoencoders or transformers on packet and flow time series. Online adaptation handles concept drift without manual retuning.

The detector targets behaviors that persist under encryption, including beaconing command-and-control, lateral movement, covert exfiltration, tunnel misuse, and staging traffic. Evaluation will use encrypted and mixed traffic traces with red-team scenarios and public corpora, reporting time-to-detection, false positive rate under drift, ROC AUC, and operational cost.
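The statistical half of the methodology above, and the beaconing case it targets, can be made concrete with a small per-host baseline scorer. The code below is an added example written for this page, not NetBeat's own implementation: it assumes each host's traffic arrives as windows of packet timestamps and lengths (metadata that stays visible under encryption), characterises a window by its timing and size rhythm, fits a robust median/MAD baseline per host, and flags windows whose robust z-score departs from that baseline. The threshold, the feature set and all traffic records are constructed assumptions for illustration; the deep sequence models mentioned in the text are not represented here.

```python
"""Added example: metadata-only baseline scoring in the spirit of NetBeat.

Illustrative code written for this page, not the NetBeat project's code.
Assumes per-host packet windows described only by timestamps and packet
lengths; uses a robust z-score against the host baseline as the detector.
"""
import random
import statistics
from itertools import accumulate
from typing import Dict, List, Sequence, Tuple

FeatureVector = Dict[str, float]
Baseline = Dict[str, Tuple[float, float]]  # feature -> (median, robust scale)

ROBUST_Z_THRESHOLD = 4.0  # assumed operating point, not a NetBeat parameter


def window_features(timestamps: Sequence[float], lengths: Sequence[int]) -> FeatureVector:
    """Summarise one window by timing rhythm and size rhythm.

    The coefficients of variation (CV) capture regularity: a beacon firing on
    a fixed interval with a fixed record size has CV near zero in both
    dimensions even though every payload byte is encrypted.
    """
    iats = [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]
    mean_iat = statistics.fmean(iats)
    mean_len = statistics.fmean(lengths)
    return {
        "mean_iat": mean_iat,
        "iat_cv": statistics.pstdev(iats) / mean_iat if mean_iat > 0 else 0.0,
        "mean_len": mean_len,
        "len_cv": statistics.pstdev(lengths) / mean_len if mean_len > 0 else 0.0,
    }


def fit_baseline(windows: List[FeatureVector]) -> Baseline:
    """Per-feature median and scaled MAD (1.4826 * MAD approximates sigma).

    Median/MAD rather than mean/std, so a few already-anomalous windows in
    the learning period do not stretch the baseline around themselves.
    """
    baseline: Baseline = {}
    for key in windows[0]:
        values = [w[key] for w in windows]
        med = statistics.median(values)
        mad = statistics.median(abs(v - med) for v in values) * 1.4826
        baseline[key] = (med, max(mad, 1e-9))  # floor avoids division by zero
    return baseline


def score_window(baseline: Baseline, feats: FeatureVector,
                 threshold: float = ROBUST_Z_THRESHOLD) -> Tuple[float, List[str]]:
    """Return (largest absolute robust z, features that crossed the threshold)."""
    z = {k: (feats[k] - med) / scale for k, (med, scale) in baseline.items()}
    score = max(abs(v) for v in z.values())
    offending = sorted(k for k, v in z.items() if abs(v) > threshold)
    return score, offending


def jittered_window(rng: random.Random, n_packets: int = 30) -> Tuple[List[float], List[int]]:
    """Constructed 'normal' traffic: irregular gaps and mixed packet sizes."""
    t, timestamps, lengths = 0.0, [], []
    for _ in range(n_packets):
        t += rng.uniform(0.5, 5.0)
        timestamps.append(t)
        lengths.append(int(rng.uniform(60, 1400)))
    return timestamps, lengths


def beacon_window(interval: float = 3.0, size: int = 512, n_packets: int = 30):
    """Constructed beacon: fixed interval, fixed encrypted record size."""
    return [interval * i for i in range(n_packets)], [size] * n_packets


# Constructed learning period for one host: 50 jittered windows (seeded RNG).
CONSTRUCTED_RNG = random.Random(7)
HOST_BASELINE = fit_baseline(
    [window_features(*jittered_window(CONSTRUCTED_RNG)) for _ in range(50)]
)

# Constructed check window: same mean gap as the beacon (3 s) but non-periodic.
NORMAL_WINDOW = window_features(
    list(accumulate([0.0] + [1.0, 2.0, 3.0, 4.0, 5.0] * 6)),
    [100, 400, 700, 1000, 1300] * 6 + [700],
)


def detect(feats: FeatureVector) -> Tuple[bool, float, List[str]]:
    """Score one window against the host baseline; True means 'alert'."""
    score, offending = score_window(HOST_BASELINE, feats)
    return score > ROBUST_Z_THRESHOLD, score, offending


if __name__ == "__main__":
    cases = (("jittered window", NORMAL_WINDOW),
             ("beacon window", window_features(*beacon_window())))
    for name, feats in cases:
        flagged, score, offending = detect(feats)
        print(f"{name}: score={score:.1f} flagged={flagged} features={offending}")
```

Note that the beacon window is caught by its regularity (`iat_cv` and `len_cv` collapse to zero) rather than by its mean interval, which sits inside the normal range; that is the heartbeat analogy in practice. In a deployment the baseline would be refitted on a sliding window per host or cohort so that drift in ordinary traffic moves the median without manual retuning.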

Anomaly Detection Traffic Characterization Encrypted Traffic Unsupervised Learning