Definition

Behavioral Baseline

Normal, expected communication patterns for a specific device class or individual device, built from real observed traffic rather than generic profiles. Deviations trigger anomaly alerts.

What is Behavioral Baseline?

A behavioral baseline is the learned profile of normal communication behavior for a specific device or device type — what protocols it uses, which destinations it connects to, how much data it transfers, at what times it is active, and how frequently it communicates. Baselines are built from real observed traffic over a period of time rather than from vendor specifications or assumed behavior.

The reason baselines matter is that IoT and OT devices have unusually predictable, repetitive behavior. A building automation sensor that reports temperature every 60 seconds and communicates only with a specific BACnet controller follows the same pattern day after day, week after week. This predictability is a security asset: deviations from the baseline — an unexpected connection to an external IP, an unusual burst of traffic, communication on a protocol the device has never used — are strong signals that something has changed. Either the device has been compromised, its configuration has been altered, or it is being probed.

Baseline quality depends on the observation period and the completeness of traffic capture. Baselines built over days may miss weekly or monthly communication patterns. Baselines built from incomplete traffic feeds may have gaps that create false positives. The best implementations observe traffic for 14–30 days, account for temporal patterns, and validate baselines before using them for alerting.

Key Facts

  • IoT and OT devices are 3–5x more behaviorally consistent than IT endpoints, making baselines highly effective
  • Behavioral anomaly detection catches threats that signature-based tools cannot, including novel attacks and living-off-the-land techniques
  • False positive rates drop by over 70% when baselines account for time-of-day and day-of-week patterns
  • Mean time to detect (MTTD) is reduced by 60% in environments with comprehensive behavioral baselining

How ORDR Addresses Behavioral Baseline

ORDR builds per-device-type behavioral baselines from passive network monitoring, automatically accounting for time-of-day and day-of-week patterns. When a device deviates from its baseline — unexpected protocol, unusual destination, abnormal data volume — ORDR generates a weighted alert that factors in the device's criticality and the severity of the deviation. Baselines are continuously updated as legitimate behavior evolves.
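As an added example (not ORDR's code and not code from this page), the following Python shows the mechanism the paragraphs above describe: a per-device baseline learned from observed flows (protocols, destinations, byte volume, and the weekday/hour slots in which the device is active), a readiness gate that refuses to alert before a window long enough to capture weekly patterns has been observed, and a scorer that weights each deviation by a device-criticality multiplier. The device names, addresses, severity points, criticality multiplier and the traffic itself are constructed assumptions for illustration.

```python
"""Per-device behavioral baseline from observed flows, plus anomaly scoring.
Added illustration, not ORDR's code. All traffic below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    device: str   # asset identifier (hypothetical names below)
    proto: str    # application protocol label, e.g. "bacnet", "https"
    dst: str      # destination IP
    nbytes: int   # bytes transferred in this (hourly aggregated) flow record
    day: int      # days since capture start; day 0 is assumed to be a Monday
    hour: int     # hour of day, 0-23


@dataclass
class Baseline:
    protos: set       # protocols the device has been seen using
    dsts: set         # destinations it has been seen talking to
    slots: set        # (weekday, hour) pairs in which it was active
    days: set         # distinct capture days on which it was seen
    byte_mean: float  # typical per-flow volume
    byte_std: float


def build_baselines(flows):
    """Learn one baseline per device from real observed traffic."""
    by_dev = defaultdict(list)
    for f in flows:
        by_dev[f.device].append(f)
    baselines = {}
    for dev, fl in by_dev.items():
        sizes = [f.nbytes for f in fl]
        baselines[dev] = Baseline(
            protos={f.proto for f in fl},
            dsts={f.dst for f in fl},
            slots={(f.day % 7, f.hour) for f in fl},
            days={f.day for f in fl},
            byte_mean=mean(sizes),
            byte_std=pstdev(sizes),
        )
    return baselines


def baseline_ready(b, min_days=14):
    """Validation gate: only alert once the observed window spans at least
    min_days (the page suggests 14-30). The window length is judged, not the
    count of active days, because weekday-only devices are silent at weekends."""
    span = max(b.days) - min(b.days) + 1
    return span >= min_days


def score_flow(flow, b, criticality=1, z_threshold=3.0):
    """Return (weighted_score, reasons) for one new flow. Severity points per
    deviation type and the criticality multiplier are hypothetical weights."""
    reasons, severity = [], 0
    if flow.proto not in b.protos:
        reasons.append(f"new protocol {flow.proto}")
        severity += 3
    if flow.dst not in b.dsts:
        reasons.append(f"new destination {flow.dst}")
        severity += 2
    if (flow.day % 7, flow.hour) not in b.slots:
        reasons.append(f"active outside observed window (weekday {flow.day % 7}, hour {flow.hour})")
        severity += 1
    z = (flow.nbytes - b.byte_mean) / b.byte_std if b.byte_std else 0.0
    if abs(z) > z_threshold:
        reasons.append(f"abnormal volume {flow.nbytes}B (z={z:.1f})")
        severity += 2
    return severity * criticality, reasons


def sample_traffic(days=15):
    """Constructed capture: a BACnet sensor polling its controller 24x7 (one
    aggregated record per hour) and an HMI active only Mon-Fri 08:00-17:00."""
    flows = []
    for d in range(days):
        for h in range(24):
            flows.append(Flow("temp-sensor-01", "bacnet", "10.0.1.5", 120 + (h % 5) - 2, d, h))
            if d % 7 < 5 and 8 <= h <= 17:
                flows.append(Flow("hmi-ws-02", "modbus", "10.0.2.10", 900 + (h % 3) * 50, d, h))
    return flows


if __name__ == "__main__":
    baselines = build_baselines(sample_traffic())
    new_flows = [
        Flow("temp-sensor-01", "bacnet", "10.0.1.5", 121, 15, 3),        # normal poll
        Flow("temp-sensor-01", "https", "203.0.113.7", 50000, 15, 3),    # new proto, new dst, big volume
        Flow("hmi-ws-02", "modbus", "10.0.2.10", 950, 19, 2),             # Saturday 02:00, outside window
    ]
    crit = {"temp-sensor-01": 3, "hmi-ws-02": 2}
    for f in new_flows:
        b = baselines[f.device]
        if not baseline_ready(b):
            continue
        score, why = score_flow(f, b, crit[f.device])
        print(f.device, score, why)
```

With the constructed 15-day capture, the routine sensor poll scores 0, the sensor's outbound HTTPS transfer to an unseen address scores 21 (three deviations, criticality 3), and the HMI's Saturday-night Modbus flow scores 1 purely on the time-of-day check; the same flows against a 5-day capture are never scored because the baseline is not yet ready.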
