The behavior analysis process

The NetProfiler uses the following steps to analyze network behavior and alert you to significant network events:

  1. Network monitoring – receives traffic information from any combination of a variety of sources. Aggregates, de-duplicates and processes traffic data to prepare it for network behavior analysis. Builds profiles of typical network behavior for specified times.

     Information about the devices from which NetProfiler is receiving data is provided on the Administration > Devices/Interfaces page.

  2. Event detection – compares network behavior to usage policies specified on the Definitions > Policies pages. Analyzes compliance with service policies, performance and availability policies, security policies, and user-defined policies using separate sets of analytics. Assigns each security policy violation event a severity rating number based on the likelihood of it being a threat to network performance, availability or security.

  3. Alert generation – checks the severity of each network event against a set of user-defined tolerance levels or alerting thresholds. When the severity of an event exceeds a tolerance or alerting threshold, the NetProfiler alerts users to the existence of the event by indicating an alert condition and displaying information about the event.

  4. Notification – automatically sends email alert messages to designated recipients. Sends SNMP messages to designated security or operations management systems.

  5. Event reporting – saves details of all events that triggered alerts. Event detail reports can be viewed on the NetProfiler user interface or retrieved by remote management systems for analysis.

The NetProfiler follows this sequence of actions for service policies, performance and availability policies, security policies, and user-defined policies. However, steps for policy definition and tuning vary, depending on the type and complexity of the policy.   
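The sequence above can be traced end to end on a small data set. The following Python sketch is an added illustration, not NetProfiler code: the record layout, the 0-100 severity scale, the 25-points-per-standard-deviation scoring and the threshold names and values are all assumptions chosen for the example. It shows why de-duplication has to precede profiling: a flow reported by two devices would otherwise double the observed volume and inflate the severity.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (reporting_device, src, dst, dst_port, hour, kilobytes).
FLOWS = [
    ("sensor-a", "10.0.0.5", "10.0.1.1", 443, 9, 60),
    ("sensor-b", "10.0.0.5", "10.0.1.1", 443, 9, 60),   # same flow, second vantage point
    ("sensor-a", "10.0.0.5", "10.0.1.2", 22, 9, 60),
    ("sensor-a", "10.0.0.7", "10.0.1.1", 443, 9, 210),
    ("sensor-b", "10.0.0.7", "10.0.1.1", 443, 9, 205),  # same flow, slightly different count
]
# Constructed profile: typical KB sent per (host, hour of day) on earlier days.
PROFILE = {("10.0.0.5", 9): [100, 110, 90, 100], ("10.0.0.7", 9): [200, 220, 180, 200]}
# Assumed alerting thresholds on an assumed 0-100 severity scale.
THRESHOLDS = {"low": 30, "medium": 60, "high": 90}

def dedupe(flows):
    """Step 1: count a flow once even if several devices report it."""
    best = {}
    for _dev, src, dst, port, hour, kb in flows:
        key = (src, dst, port, hour)
        best[key] = max(best.get(key, 0), kb)
    return best

def severity(observed, history):
    """Step 2: score deviation above the profile, 25 points per standard deviation."""
    sigma = pstdev(history) or 1.0
    return max(0, min(100, round(25 * (observed - mean(history)) / sigma)))

def alert_level(sev):
    """Step 3: highest threshold the severity reaches, or None for no alert."""
    met = [name for name, floor in THRESHOLDS.items() if sev >= floor]
    return max(met, key=THRESHOLDS.get) if met else None

def analyze(flows):
    """Steps 1-3 and 5: return the events that triggered an alert."""
    totals = defaultdict(int)
    for (src, _dst, _port, hour), kb in dedupe(flows).items():
        totals[(src, hour)] += kb
    events = []
    for (host, hour), kb in sorted(totals.items()):
        sev = severity(kb, PROFILE[(host, hour)])
        level = alert_level(sev)
        if level:  # step 4 (email/SNMP notification) would be sent from here
            events.append({"host": host, "hour": hour, "kb": kb, "severity": sev, "level": level})
    return events

if __name__ == "__main__":
    print(analyze(FLOWS))
```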

Behavior analysis