How Network Defenders Classify Suspicious Traffic

Computer network traffic can be classified into three categories, normal, suspicious and malicious, as described by Bejtlich (2004). Each category affects the security posture.

Network security analysis, as described by Bejtlich (2013), is the process of classifying and confirming normal, suspicious, and malicious activity. Indicators of Compromise (IOCs) accelerate this process. Formally, IOCs are manifestations of observable or evident adversary actions. Informally, IOCs are ways to categorize adversary activity so that technical systems or software can identify and find intruders in digital evidence.

Security analysts practice Network Security Monitoring (NSM) to detect and scope intrusions. Traffic caused by many intruders appears quite different from standard network activity, as described by Bejtlich (2004). Analysts therefore need to understand what normal traffic looks like on their network. Traffic metrics collected over time assist in establishing a baseline pattern of the network's traffic, as described by Bejtlich (2004). Once a baseline is formed, analysts can evaluate traffic against it and gain an understanding of what is suspicious or malicious.

Normal Traffic

A normal traffic pattern, as described by Bejtlich (2004), is any network traffic that is expected to travel on a network. Examples of normal traffic for a company or organization could include HTTP, FTP, SMTP, POP3, DNS, and IPsec or SSL, as Bejtlich (2004) discusses.

Suspicious Traffic

Network traffic classified as suspicious can look odd at first glance but does not cause any damage to company or organization assets, as Bejtlich (2004) points out. For example, if a new peer-to-peer protocol travels across the network, it may be unwelcome, but the presence of a peer-to-peer protocol on the network does not directly affect or compromise the local Web or DNS server, as Bejtlich (2004) discusses.

Malicious Traffic

Network traffic classified as malicious, as described by Bejtlich (2004), is the category of traffic that could adversely affect a company's or organization's security posture. Attacks of all sorts fit into the malicious category and are considered incidents. Analysts have much more difficulty identifying malicious traffic when they have no idea what normal or baseline traffic looks like on a network, as discussed by Bejtlich (2004).

Example: Domain Name System (DNS) Traffic

Bejtlich (2004) uses the discovery of Domain Name System (DNS) traffic as a case study that provides examples of normal, suspicious and malicious traffic. An analyst must be exposed to each type of traffic to be able to understand the differences. DNS is fundamental to the health of the Internet, and Bejtlich (2004) notes that it uses TCP and UDP port 53; many kinds of traffic travel over port 53 on both protocols. Because almost every Internet site relies on DNS, Bejtlich (2004) points out that it is essential to understand the protocol's normal, suspicious, and malicious aspects.

In the case study, normal traffic passed on port 53 UDP and TCP. The normal UDP traffic was typical UDP-based DNS; the DNS over port 53 TCP was generated with Dnsquery. Zone transfers are a form of TCP-based DNS traffic exchanged between master and slave DNS servers, and the same TCP traffic can be malicious when an unauthorized party performs the transfer. The example of suspicious UDP traffic is created by distributing BitTorrent files over DNS. The example of malicious traffic on the DNS ports results from an intruder running Tunnelshell; the covert channel is identified because it looks nothing like regular DNS traffic on port 53 UDP. The last example of DNS traffic Bejtlich (2004) describes in the case study is a query for the version of BIND running on a target, followed by an examination of an unsuccessful attempt to exploit BIND.
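As an added example (not code from the page or from Bejtlich's books), the Python sketch below applies the baseline-then-deviation approach of the NSM discussion to the DNS cases in this case study: a non-DNS payload hiding on port 53, zone transfers from authorized versus unauthorized hosts, and a query for the server's version. The flow records, the authorized-secondary list, the baseline query types and the decision to rate the version query as "suspicious" are all assumptions made for the example.

```python
# Constructed example: the flow records and baseline values below are invented;
# the rules encode the text's heuristics (learn the baseline, then flag deviations).
from dataclasses import dataclass
from typing import Optional

AUTHORIZED_SECONDARIES = {"10.0.0.53"}   # assumed: hosts allowed to pull zone transfers
BASELINE_QTYPES = {"A", "AAAA", "MX", "NS", "CNAME", "PTR", "TXT", "SOA", "SRV"}

@dataclass
class Flow:
    src: str
    proto: str             # "udp" or "tcp"
    qname: Optional[str]   # None when the port-53 payload does not parse as DNS
    qtype: Optional[str]
    qclass: str = "IN"
    payload_len: int = 0

def classify(flow: Flow) -> tuple:
    """Return (category, reason) for one flow already filtered to TCP/UDP port 53."""
    # Port 53 traffic that is not a DNS message at all: covert-channel candidate.
    if flow.qname is None:
        return "malicious", f"non-DNS payload on {flow.proto}/53 ({flow.payload_len} bytes)"
    # Zone transfers are normal only between master and an authorized slave.
    if flow.proto == "tcp" and flow.qtype in {"AXFR", "IXFR"}:
        if flow.src in AUTHORIZED_SECONDARIES:
            return "normal", "zone transfer from authorized secondary"
        return "malicious", f"zone transfer attempt from unauthorized host {flow.src}"
    # version.bind in the CHAOS class asks the server which software it runs.
    if flow.qclass == "CH" and flow.qname.lower() == "version.bind":
        return "suspicious", "server version query (reconnaissance)"
    if flow.qtype not in BASELINE_QTYPES:
        return "suspicious", f"query type {flow.qtype} outside baseline"
    return "normal", "baseline DNS query"

def triage(flows):
    """Bucket flows by category so the analyst reviews the malicious ones first."""
    buckets = {"normal": [], "suspicious": [], "malicious": []}
    for f in flows:
        cat, reason = classify(f)
        buckets[cat].append((f.src, reason))
    return buckets

SAMPLE_FLOWS = [  # constructed records, not captured traffic
    Flow("10.0.1.20", "udp", "www.example.com", "A"),
    Flow("10.0.0.53", "tcp", "example.com", "AXFR"),
    Flow("198.51.100.7", "tcp", "example.com", "AXFR"),
    Flow("198.51.100.9", "udp", "version.bind", "TXT", qclass="CH"),
    Flow("10.0.1.77", "udp", None, None, payload_len=1400),
]
```

In practice the `Flow` records would be produced by a parser over captured port-53 traffic, and the baseline sets would come from the metrics gathered during the baselining period rather than being hard-coded.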

References

Bejtlich, R. (2004). The Tao of network security monitoring: Beyond intrusion detection. Boston: Addison-Wesley Professional.

Bejtlich, R. (2013). The practice of network security monitoring: Understanding incident detection and response. San Francisco: No Starch Press.

Sanders, C., & Smith, J. (2014). Applied network security monitoring: Collection, detection, and analysis. Waltham, MA: Syngress Publishing.
