Anomaly Detection
Anomaly Detection is active by default in every Monitor project. It learns your application's normal behavior and automatically flags activity that deviates from it, detecting unknown threats, abnormal patterns, and suspicious access.
What It Does
Anomaly Detection builds a behavioral baseline from your application's real usage and continuously analyzes it to identify suspicious activity.
It monitors:
- Authentication patterns: failed login spikes, credential rotation, login attempts from unusual locations or at unusual times
- Session behavior: geographic jumps within a session, concurrent sessions from different locations, impossible travel scenarios
- Device behavior: sudden changes in device usage patterns, interaction styles, and feature access sequences
- Request behavior: abnormal request rates, non-human navigation sequences, automated patterns
- Error patterns: sudden spikes in errors that may indicate scanning or fuzzing
Why It's Always On
Anomaly Detection doesn't require configuration because it doesn't rely on predefined rules. It builds its baseline automatically from your application's real usage and flags deviations.
This means it can detect:
- Zero-day attacks that no signature exists for yet
- Credential stuffing campaigns using leaked credential databases
- Brute force attempts against authentication endpoints
- Account takeover patterns where attackers test stolen credentials
- Reconnaissance activity before a targeted attack
- Automated access from bots or scripts mimicking user behavior
How It Differs From Other Protections
Unlike other ByteHide Monitor protections that require explicit configuration via Monitor.configure() and a ProtectionModuleType, Anomaly Detection:
- Has no enum value: It is not part of ProtectionModuleType and cannot be added via addProtection()
- Requires no setup: Works out of the box on every Monitor instance
- Learns automatically: Establishes and continuously adapts its behavioral baseline
- Runs transparently: Operates in the background without impacting application performance
What Gets Reported
When Anomaly Detection identifies suspicious behavior, it creates an incident in your Cloud Panel with:
- The type of anomaly detected (authentication, session, device, rate, etc.)
- Confidence score based on how far the behavior deviates from baseline
- Device info, session details, and contextual metadata
- Timeline of the suspicious activity
You can review these incidents alongside incidents from other protection modules in the same dashboard.
Configuration
Anomaly Detection works out of the box. You can adjust its sensitivity through the Cloud Panel or JSON configuration:
```json
{
  "anomalyDetection": {
    "sensitivity": "medium"
  }
}
```
| Setting | Options | Default | Description |
|---|---|---|---|
| sensitivity | low, medium, high | medium | How aggressively deviations are flagged |
Sensitivity Levels
| Level | Behavior | Best For |
|---|---|---|
| Low | Only extreme deviations trigger incidents | High-traffic apps where minor variations are normal |
| Medium | Balanced detection with few false positives | Most applications (default) |
| High | Flags subtle anomalies, more incidents to review | Security-critical applications (finance, healthcare) |
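As an added illustration, not ByteHide's own code or algorithm, the following minimal baseline-deviation detector shows the failed-login-spike case: it learns a mean and standard deviation from recent per-minute counts, maps the three sensitivity levels to hypothetical z-score thresholds, and derives a confidence score from how far the current count sits from the baseline. The thresholds and the sample counts are constructed assumptions.

```python
import statistics
from dataclasses import dataclass
from typing import Optional, Sequence

# Hypothetical z-score thresholds per sensitivity level; illustrative values,
# not ByteHide's internal tuning. A lower threshold flags more incidents.
SENSITIVITY_THRESHOLDS = {"low": 4.0, "medium": 3.0, "high": 2.0}

@dataclass
class Incident:
    anomaly_type: str      # e.g. "authentication"
    confidence: float      # 0.0..1.0, grows with distance from the baseline
    observed: int          # the count that triggered the incident
    baseline_mean: float
    baseline_stdev: float

def zscore(value: float, history: Sequence[int]) -> float:
    """How many baseline standard deviations `value` sits above the mean."""
    mean = statistics.fmean(history)
    stdev = statistics.pstdev(history)
    if stdev == 0:  # flat baseline: any change at all is maximally anomalous
        return 0.0 if value == mean else float("inf")
    return (value - mean) / stdev

def detect_failed_login_spike(history: Sequence[int], current: int,
                              sensitivity: str = "medium") -> Optional[Incident]:
    """Compare this interval's failed-login count against the learned baseline.

    Returns an Incident when the upward deviation exceeds the sensitivity
    threshold, otherwise None (normal variation; drops are not flagged).
    """
    threshold = SENSITIVITY_THRESHOLDS[sensitivity]
    z = zscore(current, history)
    if z < threshold:
        return None
    # Confidence saturates at 1.0 once the deviation reaches twice the threshold.
    confidence = min(1.0, z / (2 * threshold))
    return Incident("authentication", round(confidence, 2), current,
                    statistics.fmean(history), statistics.pstdev(history))

# Constructed sample: failed logins per minute over the last ten minutes
# (mean 3.3, population stdev 0.9).
FAILED_LOGIN_BASELINE = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3]

if __name__ == "__main__":
    for level in ("low", "medium", "high"):
        print(level, detect_failed_login_spike(FAILED_LOGIN_BASELINE, 7, level))
```

With the constructed baseline, 7 failures in a minute is ignored at "low", flagged at "medium" and "high", while 5 failures passes at every level.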