Inferensys

Glossary

Behavioral Baseline

A behavioral baseline is a statistical model of normal network traffic and device communication patterns established over time, serving as the reference point for detecting anomalous deviations in an ICS environment.
MLOps engineer reviewing model serving infrastructure on laptop, container orchestration visible, technical workspace.
ANOMALY DETECTION FOUNDATION

What is Behavioral Baseline?

A behavioral baseline is the statistical reference model of normal network traffic and device communication patterns required for detecting deviations in industrial control systems.

A behavioral baseline is a statistical model of normal network traffic, device communication patterns, and process states established over a defined learning period, serving as the singular reference point for detecting anomalous deviations in an Industrial Control System (ICS) environment. It captures legitimate SCADA command sequences, polling intervals, and protocol-specific payloads.

Once established, the baseline enables process-aware detection by comparing real-time traffic against the learned norm. Any deviation—such as an unexpected Modbus TCP function code or a command issued outside standard operational hours—is flagged as a potential zero-day threat, enabling signatureless detection of both cyber intrusions and equipment malfunctions.

BEHAVIORAL BASELINE

Key Characteristics of an Effective Baseline

A robust behavioral baseline is not a static snapshot but a dynamic, multi-dimensional statistical model. Its effectiveness in detecting SCADA anomalies hinges on several critical characteristics that ensure high-fidelity normalcy representation and minimal false positives.

01

Temporal Seasonality Modeling

An effective baseline must capture cyclical patterns in ICS traffic to avoid flagging routine operational shifts as anomalies. This includes time-of-day patterns (shift changes), day-of-week cycles (weekend maintenance windows), and seasonal variations (winter heating vs. summer cooling loads).

  • Fourier analysis decomposes signals into constituent frequencies to identify dominant cycles.
  • LSTM sequence models learn long-term dependencies, predicting expected command volumes for a given timestamp.
  • Without seasonality, a baseline will generate a flood of false positives during every scheduled batch poll or shift handover.
02

Protocol-Specific Granularity

A single aggregate traffic model is insufficient. The baseline must decompose behavior by industrial protocol and function code to establish distinct normalcy profiles. A Modbus 'Write Single Register' command has a vastly different risk profile and frequency than a DNP3 'Read' request.

  • Function Code Inspection: Models the expected distribution of commands (e.g., 70% reads, 25% writes, 5% diagnostics).
  • Point Mapping: Tracks which specific data points (coils, registers) are typically accessed by each master device.
  • This granularity allows the detection of a malicious firmware upload command disguised within a normally high-volume write channel.
03

Multi-Variate Feature Correlation

Effective baselines move beyond univariate thresholds (e.g., 'packet rate > X') to model the correlation between multiple features. An anomaly is often not a single metric spiking, but a normal metric occurring in an impossible combination.

  • Feature Vectors: Combine packet size, inter-arrival time, connection duration, and TCP flags.
  • Autoencoders learn a compressed representation of these correlated features; a high reconstruction error indicates an impossible combination.
  • Example: A high packet rate with an unusually small average payload size might indicate a scanning reconnaissance attack, even if both metrics individually fall within historical min-max ranges.
04

Continuous Adaptive Learning

An ICS environment is not static; new devices are commissioned, firmware is updated, and production quotas change. A baseline must adapt to this concept drift without manual recalibration to prevent model staleness.

  • Online learning algorithms update the statistical model incrementally with each new data point.
  • Sliding window techniques discard obsolete data, ensuring the model reflects the most recent operational reality.
  • A robust system distinguishes between gradual drift (legitimate engineering change) and a sudden, malicious shift, often using a CUSUM algorithm for changepoint detection.
05

Device-to-Device Communication Profiling

The baseline must map the logical topology of allowed peer-to-peer relationships between devices. In a properly segmented OT network, a PLC should only communicate with its designated HMI and engineering workstation, not initiate connections to other PLCs or external servers.

  • Connection Graphs: Model the normal set of source-destination IP pairs and their permitted protocols.
  • Stateful Whitelisting: Validates that a command not only uses a valid function code but originates from an authorized master for that specific slave device.
  • A new lateral connection from a PLC to a file server is a high-fidelity indicator of an attacker pivoting within the OT network, regardless of the packet content.
06

Payload Content Fingerprinting

Beyond metadata, an advanced baseline fingerprints the static payload structures of legitimate commands. Many ICS protocols have highly deterministic data fields for routine operations, making any structural deviation a clear anomaly.

  • Entropy Estimation: Measures the randomness of payload data. A command that normally contains structured ASCII text suddenly carrying high-entropy binary data is suspicious.
  • Byte Frequency Distribution: Profiles the expected histogram of byte values for specific function codes.
  • This technique detects attacks that exploit protocol vulnerabilities by injecting malformed payloads, even if the packet rate and connection patterns appear completely normal.
BEHAVIORAL BASELINE

Frequently Asked Questions

Clear, technically precise answers to the most common questions about establishing and maintaining behavioral baselines for anomaly detection in industrial control system environments.

A behavioral baseline is a statistical model of normal network traffic and device communication patterns established over a defined learning period, serving as the singular reference point for detecting anomalous deviations in an Industrial Control System (ICS) environment. Unlike signature-based detection, which relies on known threat patterns, a behavioral baseline mathematically defines what 'normal' looks like for every Programmable Logic Controller (PLC), Remote Terminal Unit (RTU), and engineering workstation on the network. The model captures attributes such as typical packet sizes, inter-arrival times, permitted function codes, and the specific sequence of read/write operations between master and slave devices. Once established, any communication that falls outside the statistical boundaries of this model—such as a firmware upload command at 3:00 AM or an unexpected Modbus write to a safety controller—is flagged as a potential zero-day threat or operational misconfiguration requiring immediate investigation.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.