Anomaly Detection
Anomaly Detection is active by default in every Monitor project. It learns your application's normal behavior and automatically flags activity that deviates from it, detecting unknown threats, abnormal authentication patterns, and suspicious access.
What It Does
Anomaly Detection builds a behavioral baseline from your application's real traffic and continuously analyzes it to identify suspicious activity.
It monitors:
- Authentication patterns: failed login spikes, credential rotation, login attempts from unusual locations or at unusual times
- Request behavior: abnormal request rates, non-human navigation sequences, automated enumeration of endpoints
- Payload structure: request bodies that don't match expected schemas, unexpected parameter combinations
- Error patterns: sudden spikes in 4xx/5xx responses that indicate scanning or fuzzing
- Session behavior: geographic jumps within a session, concurrent sessions from different locations
Why It's Always On
Anomaly Detection doesn't require configuration because it doesn't rely on predefined rules. It builds its baseline automatically from your application's real traffic and flags deviations.
This means it can detect:
- Zero-day attacks that no signature exists for yet
- Credential stuffing campaigns using leaked credential databases
- Brute force attempts against authentication endpoints
- API abuse like enumeration, scraping, or data harvesting
- Account takeover patterns where attackers test stolen credentials
- Reconnaissance activity before a targeted attack
What Gets Reported
When Anomaly Detection identifies suspicious behavior, it creates an incident in your Cloud Panel with:
- The type of anomaly detected (authentication, rate, payload, etc.)
- Confidence score based on how far the behavior deviates from baseline
- Source IP, user agent, and session details
- Timeline of the suspicious activity
You can review these incidents alongside incidents from other protection modules in the same dashboard.
Configuration
ASP.NET Core
Anomaly Detection works out of the box, but you can enable explicit configuration:
builder.Services.AddBytehideMonitor(monitor => monitor
    .WithAnomalyDetection(detectIpChanges: true, detectUserAgentChanges: true, detectSuspiciousPatterns: true)
);

JSON Configuration
You can also adjust its sensitivity through the Cloud Panel or JSON configuration:
{
  "protections": {
    "AnomalyDetection": {
      "sensitivity": "medium",
      "authEndpoints": ["/api/login", "/api/auth/token", "/account/signin"]
    }
  }
}

| Setting | Options | Default | Description |
|---|---|---|---|
| sensitivity | low, medium, high | medium | How aggressively deviations are flagged |
| authEndpoints | string[] | Auto-detected | Endpoints to monitor for authentication anomalies. Monitor auto-detects common patterns, but you can specify them explicitly |
Sensitivity Levels
| Level | Behavior | Best For |
|---|---|---|
| Low | Only extreme deviations trigger incidents | High-traffic apps where minor variations are normal |
| Medium | Balanced detection with few false positives | Most applications (default) |
| High | Flags subtle anomalies, more incidents to review | Security-critical applications (finance, healthcare) |
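
To make the sensitivity trade-off concrete, here is an added illustration (not ByteHide Monitor's implementation or code from this documentation) of baseline-deviation detection over failed-login counts for one auth endpoint. The robust z-score method, the per-level thresholds, and the confidence scale are assumptions chosen for the example, and the sample counts are constructed.

```python
import statistics

# Assumed mapping from sensitivity level to a deviation threshold (robust
# z-score units). Monitor's real thresholds are not given in this page.
THRESHOLDS = {"low": 6.0, "medium": 4.0, "high": 2.5}


def robust_z(value, baseline):
    """Deviation of value from the baseline median, scaled by the MAD."""
    med = statistics.median(baseline)
    mad = statistics.median(abs(x - med) for x in baseline)
    # 1.4826 * MAD approximates a standard deviation; the floor of 1.0
    # avoids division by zero on a perfectly flat baseline.
    scale = max(1.4826 * mad, 1.0)
    return (value - med) / scale


def detect_spikes(counts, sensitivity="medium", window=10):
    """Return (minute_index, count, z, confidence) for each flagged minute.

    counts: failed-login count per minute for one auth endpoint.
    Flagged minutes are kept out of the baseline so an ongoing attack
    does not get learned as normal behavior.
    """
    threshold = THRESHOLDS[sensitivity]
    baseline, incidents = [], []
    for i, count in enumerate(counts):
        if len(baseline) < window:
            baseline.append(count)  # learning phase, nothing is flagged yet
            continue
        z = robust_z(count, baseline[-window:])
        if z >= threshold:
            # Assumed confidence scale: saturates at twice the threshold.
            confidence = round(min(1.0, z / (2 * threshold)), 2)
            incidents.append((i, count, round(z, 2), confidence))
        else:
            baseline.append(count)
    return incidents


# Constructed sample: failed logins per minute on /api/login.
SAMPLE = [2, 3, 1, 2, 4, 3, 2, 3, 2, 3, 3, 6, 10, 40, 3]

if __name__ == "__main__":
    for level in ("low", "medium", "high"):
        print(level, detect_spikes(SAMPLE, level))
```

On this sample, the low level flags only the 40-per-minute spike, medium also flags the minute with 10 failures, and high additionally flags the minute with 6, which mirrors the review-volume trade-off in the table above.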