Probability Thresholds

CA Anomaly Detector uses a sophisticated mechanism to help avoid false positives, minimizing the number of alerts that do not correspond to true anomalies. The program uses probability threshold settings that you can customize to control the sensitivity of alert triggering. The thresholds are called probability thresholds because they are keyed to the probability that an actual anomaly has been detected.

In addition to a probability component, the threshold mechanism also relies on the following factors:

To determine whether current data is anomalous, the detection process takes all previous data into account to create a statistics-based network profile. Using the profile as a reference, the anomaly detection process estimates and prioritizes any potentially anomalous network activity based on percentiles, and calculates the probability that the observed behavior is anomalous. The entire system is dynamic: it is updated each time it runs to ensure reliability and accuracy.
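The following is an added illustration of the mechanism just described, written for this page; it is not CA Anomaly Detector code and does not reproduce the product's algorithm. It assumes a hypothetical design in which the profile is the sorted history of one metric, the anomaly probability of a new value is its empirical percentile rank in that history (computed as count-below divided by n + 1 so the estimate never reaches 1.0), an alert fires when that probability meets the configured probability threshold, and the value is then folded into the profile so the next run uses an updated baseline. The sample stream of packets-per-minute readings is constructed. The `min_history_for` helper shows a practical consequence of this design: a threshold of 0.99 cannot be crossed until the profile holds at least 99 samples, and 0.999 needs 999, so the warm-up period and the threshold have to be chosen together.

```python
from bisect import bisect_left, insort
from math import ceil
from typing import List, NamedTuple


class Decision(NamedTuple):
    value: float
    probability: float  # estimated probability that the value is anomalous
    alerted: bool


class PercentileProfile:
    """Statistics-based profile of one metric, built from every value seen so far.

    The history is kept sorted so the percentile rank of a new value is a
    binary search rather than a scan of all previous data.
    """

    def __init__(self, min_samples: int = 50):
        self.history: List[float] = []
        self.min_samples = min_samples  # warm-up: no alerts before this many samples

    def anomaly_probability(self, value: float) -> float:
        """One-sided probability that `value` is anomalously high.

        Hypothetical estimator: the empirical percentile rank of `value` in
        the profile, (#history values below it) / (n + 1). The +1 keeps the
        estimate strictly below 1.0, so a value above the historical maximum
        scores n/(n+1) instead of a certainty of 1.0.
        """
        n = len(self.history)
        if n == 0:
            return 0.0
        return bisect_left(self.history, value) / (n + 1)

    def evaluate(self, value: float, threshold: float) -> Decision:
        """Score `value` against the current profile, then fold it into the profile."""
        probability = self.anomaly_probability(value)
        alerted = len(self.history) >= self.min_samples and probability >= threshold
        insort(self.history, value)  # dynamic update: the profile learns from every run
        return Decision(value, probability, alerted)


def min_history_for(threshold: float) -> int:
    """Smallest profile size at which any single value can reach `threshold`.

    With the n/(n+1) estimate, probability >= t requires n >= t/(1-t):
    a 0.99 threshold needs 99 samples, 0.999 needs 999.
    """
    if not 0.0 < threshold < 1.0:
        raise ValueError("threshold must be strictly between 0 and 1")
    n = max(1, ceil(threshold / (1.0 - threshold)))
    while n / (n + 1) < threshold:  # guard against float rounding in the estimate
        n += 1
    while n > 1 and (n - 1) / n >= threshold:
        n -= 1
    return n


def run_detector(values, threshold: float, min_samples: int = 50) -> List[Decision]:
    """Replay a stream through one profile, returning the decision for each value."""
    profile = PercentileProfile(min_samples)
    return [profile.evaluate(v, threshold) for v in values]


# Constructed sample: packets-per-minute for one host. 200 "normal" intervals
# cycling deterministically through 89..111, followed by a normal reading, a
# large spike, and a reading just above the historical maximum.
NORMAL = [89 + (i * 7) % 23 for i in range(200)]
STREAM = NORMAL + [105, 500, 112]


def alert_count(threshold: float) -> int:
    """Number of alerts the constructed stream produces at a given threshold."""
    return sum(d.alerted for d in run_detector(STREAM, threshold))


if __name__ == "__main__":
    for t in (0.95, 0.99):
        decisions = run_detector(STREAM, t)
        print(f"threshold {t}: {alert_count(t)} alerts; spike scored "
              f"{decisions[201].probability:.4f} (threshold reachable from "
              f"{min_history_for(t)} samples)")
```

Raising the threshold from 0.95 to 0.99 removes the alerts that ordinary high-end readings in the normal range trigger while still catching the spike, which is the sensitivity trade-off the threshold setting controls. The reading of 112 also alerts at 0.99 because it exceeds every value in the profile; whether that is a true anomaly or a false positive depends on how much history the profile has accumulated, which is why the warm-up size and the threshold should be set together.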