Home > Articles > Security > Network Security

How Do You Know If Something's Amiss? Characterize Your Systems

System and network administrators need to know what "normal" means before they'll be ready to handle days when the system just goes wacko. Julia Allen and Larry Rogers of the CERT Coordination Center describe how to establish baseline behaviors for your system.
Like this article? We recommend


How can administrators know whether something has gone wrong with their systems or networks when they don't know what it means for things to be operating normally? This excerpt from The CERT® Guide to System and Network Security Practices and the CERT security improvement module Detecting Signs of Intrusion advises administrators to characterize their systems. Characterization is the process of identifying network traffic and performance; system, process, and user behavior; files and directories; hardware devices and topology; and configuration settings; as well as keeping a log of their changes and gaining some understanding of what constitutes normal behavior. Once administrators have a characterization baseline, they can compare currently running systems with this baseline to determine whether anything unexpected or suspicious has occurred.


CERT and CERT Coordination Center are registered in the U.S. Patent and Trademark Office.

  • + Share This
  • 🔖 Save To Your Account