11.4 Baselining


Baselining is a procedure in which data is collected to measure the performance of selected network segments over a period of time, typically several hours to several days. This data is used as a historical benchmark against which suspicious or anomalous network traffic may be compared. Baselining calculates the historical traffic volume and transmission rate derived from data sources, links, or ports. By analyzing the traffic patterns of the network, administrators establish reference points for use when adding new services or users, identifying performance issues, and supporting security.

Baselining data can serve as a reference point that represents network normalcy in a wireless network. The quantities and types of traffic found on the network over a period of time, at particular times of the day, or during certain days of the week, measured as load on the network infrastructure resources, define data normalcy and serve as the baseline information. Ideally, baselining is performed both before the addition of wireless network segments and afterward. This provides data that can be used to compare the impact of the WLAN on the network as a whole. The baseline reference information can be used to determine what modifications need to be made to support new users and new applications for the wireless network. Once additional users are added, a new baseline can be recorded and compared with the original baseline results to calculate how much additional network bandwidth the additional load consumed. Comparing the reference baseline with current network performance can also help identify problem areas when issues arise within the wireless network.

The limited-bandwidth, half-duplex environment of WLANs makes it relatively easy for an attacker to saturate network bandwidth through a data flooding attack. This activity can be mitigated by using minimum, average, or maximum baseline data thresholds and by setting alarm thresholds in the IDS. If an attacker's activities exceed network normalcy as determined through the thresholds, alarms are triggered and security administrators are notified. Anomaly-based detection functionality is often found in baselining tools and can, using statistical analysis, notice and respond to DoS attacks that may otherwise go unnoticed. Baselines for DoS attack analysis allow for the development of more sensitive criteria to be used in early recognition of and response to anomalous network traffic.
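The following added example (not from the book) shows why a baseline keyed by day of week and hour gives more sensitive alarm criteria than a single network-wide threshold. The function names, the kbps samples (constructed), and the 3-standard-deviation multiplier are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (weekday 0=Mon, hour, observed kbps) over four weeks.
HISTORY = [
    (0, 9, 4200), (0, 9, 4600), (0, 9, 4400), (0, 9, 4800),  # Monday 09:00
    (0, 2, 150), (0, 2, 180), (0, 2, 120), (0, 2, 150),      # Monday 02:00
]

def build_baseline(samples):
    """Group samples by (weekday, hour) and record min/avg/max/std per slot."""
    buckets = defaultdict(list)
    for weekday, hour, kbps in samples:
        buckets[(weekday, hour)].append(kbps)
    return {
        slot: {"min": min(v), "avg": mean(v), "max": max(v), "std": pstdev(v)}
        for slot, v in buckets.items()
    }

def check_sample(baseline, weekday, hour, kbps, k=3.0):
    """Return the alarms a new measurement raises against its time slot."""
    stats = baseline.get((weekday, hour))
    if stats is None:
        # No history for this slot: cannot judge normalcy, so surface it.
        return ["no-baseline"]
    alarms = []
    if kbps > stats["max"]:
        alarms.append("above-max")
    if kbps < stats["min"]:
        alarms.append("below-min")
    # Statistical check: deviation from the slot average beyond k std devs.
    if stats["std"] > 0 and abs(kbps - stats["avg"]) > k * stats["std"]:
        alarms.append("statistical-anomaly")
    return alarms

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    # The same 4500 kbps load is normal at 09:00 but a likely flood at 02:00.
    for hour in (9, 2):
        print(f"Mon {hour:02d}:00 4500 kbps ->", check_sample(baseline, 0, hour, 4500))
```

A single global maximum taken from this history (4800 kbps) would never fire on the 02:00 sample; the per-slot baseline does.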




Wireless Operational Security
ISBN: 1555583172
EAN: 2147483647
Year: 2004
Pages: 153
