Anomaly detection is not signature-based (like Antivirus). It is behavior-based. It requires establishing a "Baseline" of normal traffic for your organization.

The Beacon

Malware often "beacons" home to check for commands.
This creates a pattern: a small packet leaving exactly every 5 minutes (plus or minus jitter).
Humans browse randomly. Machines browse periodically.
Analyzing packet timing (metadata) reveals these beacons, even if the traffic is encrypted HTTPS.
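An added example (not part of the original notes) of the timing check described above: it groups flow records by source/destination pair, measures the gaps between connections, and flags pairs whose gaps are nearly constant even with jitter. The flow records, addresses and the 20% jitter threshold are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records (timestamp in seconds, src, dst), in the
# shape a flow collector or IDS would log them. Addresses are from the
# documentation ranges, not real hosts.
BEACON_JITTER = [0, 12, -9, 20, -15, 5, -18, 10]   # seconds of jitter per check-in
FLOWS = (
    # implant checking in every ~300 s, with jitter
    [(300 * i + j, "10.0.0.15", "203.0.113.7") for i, j in enumerate(BEACON_JITTER)]
    # a person browsing: bursts of clicks, then long idle gaps
    + [(t, "10.0.0.22", "198.51.100.40") for t in (0, 7, 43, 44, 200, 905, 911, 1700)]
    # perfectly periodic, but too few samples to judge yet
    + [(t, "10.0.0.31", "192.0.2.9") for t in (0, 60, 120)]
)

def beacon_candidates(flows, min_connections=6, max_jitter=0.2):
    """Return (src, dst, mean_interval_s, jitter) for host pairs whose
    connection intervals are nearly constant.

    jitter is the coefficient of variation (stdev / mean) of the
    inter-arrival times: human browsing gives values well above 1,
    a scheduled check-in with +/-10% sleep jitter stays near 0.1.
    Only timing is used, so encrypted payloads do not matter.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue  # not enough evidence to call the pattern periodic
        times.sort()
        deltas = [b - a for a, b in zip(times, times[1:])]
        avg = mean(deltas)
        if avg == 0:
            continue  # all timestamps identical; not a beacon pattern
        cv = pstdev(deltas) / avg
        if cv <= max_jitter:
            hits.append((src, dst, round(avg), round(cv, 3)))
    return hits

if __name__ == "__main__":
    for src, dst, interval, jitter in beacon_candidates(FLOWS):
        print(f"possible beacon {src} -> {dst}: every ~{interval}s (jitter {jitter})")
```

In practice the baseline matters: tune the thresholds against your own organization's normal traffic so that legitimate schedulers (NTP, update checks, monitoring agents) are known and allow-listed rather than paged on.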

1. Data Exfiltration

How does a hacker steal the database?
They can't just download 100GB at once (it triggers alerts).
They "drip" it out slowly. Or they tunnel it over DNS (DNS Tunneling).
Detecting "Long-Duration Connections" or "High Volume DNS" is key.

2. East-West Traffic

Most firewalls watch North-South (Internet-to-LAN) traffic.
Hackers move East-West (Server-to-Server).
You need internal sensors (IDS/IPS) to see if the HR Server keeps trying to SSH into the Finance Server.