Every network security tool is optimized for the same threat model: something unexpected shows up. A spike in DNS queries. A new connection to an external IP. An unusual port scan. The default assumption is that threats generate noise, and the job of detection is to find that noise.
But some of the most dangerous conditions on a network are characterized by absence, not presence.
The Silence Problem
Consider these scenarios:
- A critical server stops sending heartbeat traffic at 2 AM. No one notices until 9 AM when users can't connect.
- A backup job that runs every Friday night hasn't generated traffic for three weeks. The backups are silently failing.
- A security agent that normally phones home every 15 minutes hasn't been seen in 48 hours. It may have been killed by malware.
- East-west traffic between two database servers that normally synchronize every hour has gone quiet. One of them may have been isolated as part of a ransomware staging operation.
In all of these cases, there's nothing to alert on using traditional threshold-based detection. Volume is low — that's the problem. Any static rule fires when things are too high, not when they're missing.
Why This Is Harder Than Spike Detection
Detecting spikes is conceptually simple: measure the current value, compare it to a baseline, fire if the difference exceeds a threshold. You can even do this with a rolling average.
Detecting absences is harder for a structural reason: you need to know what "normal presence" looks like before you can detect absence. This requires:
- A model of expected traffic that includes expected minimums, not just expected maximums.
- Seasonal awareness — traffic that normally disappears overnight isn't an anomaly; traffic that disappears during business hours is.
- Direction awareness — an absence in inbound traffic has different implications than an absence in outbound traffic.
This is why absence detection is largely absent from tools built around threshold alerting. Thresholds catch excess. Forecasting catches departures in both directions.
Building Downward Anomaly Detection
A forecasting-based approach naturally handles both directions. If Prophet (or any seasonal decomposition model) predicts that a given network segment should be carrying 450 Mbps between 10 AM and 11 AM on a Tuesday, then 50 Mbps is just as anomalous as 2,000 Mbps — it's simply a downward departure from the confidence interval rather than an upward one.
This requires the model to have learned the lower bound of normal behavior, which means the training data needs to include representative examples of low-traffic periods. Two or more full weekly cycles of data give the model enough signal to establish meaningful lower bounds.
Key configuration choices for downward anomaly detection:
- Sensitivity tuning per segment type: A production application cluster should have tighter downward bounds than a lab network. A backup server's absence of traffic is catastrophic; a development workstation's absence is unremarkable.
- Minimum activity windows: Define the time periods during which traffic is expected. Absence during an expected window is flagged; absence during an expected quiet period is not.
- Smoothing window: Avoid false alarms from brief micro-dips by requiring the absence to persist for some minimum duration (e.g., 5 consecutive minutes below the lower bound).
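As an added illustration (not code from the original post or from any product it mentions), the following Python sketch implements the three choices above with a per-hour-of-week mean/standard-deviation profile standing in for Prophet's forecast interval; the traffic series, the 450 Mbps business-hours load, the Mon-Fri active windows and the 5-sample persistence are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def build_baseline(history):
    """Mean/std of Mbps per (weekday, hour): a simple seasonal profile standing in for a Prophet forecast."""
    buckets = defaultdict(list)
    for ts, mbps in history:
        buckets[(ts.weekday(), ts.hour)].append(mbps)
    return {k: (mean(v), pstdev(v)) for k, v in buckets.items()}

def lower_bound(baseline, ts, sensitivity):
    """Floor of the expected band; sensitivity is how many std devs below the seasonal mean (tune per segment)."""
    mu, sigma = baseline[(ts.weekday(), ts.hour)]
    return max(0.0, mu - sensitivity * sigma)

def in_active_window(ts, windows):
    """windows: (weekday, start_hour, end_hour) tuples; absence only counts inside them."""
    return any(d == ts.weekday() and s <= ts.hour < e for d, s, e in windows)

def detect_absences(samples, baseline, sensitivity, windows, persist):
    """Spans (first_ts, last_ts) where traffic sat below the floor for >= persist consecutive samples."""
    spans, run = [], []
    for ts, mbps in list(samples) + [(None, None)]:  # sentinel closes a dip still open at end of input
        if ts is not None and in_active_window(ts, windows) and mbps < lower_bound(baseline, ts, sensitivity):
            run.append(ts)
        else:
            if len(run) >= persist:
                spans.append((run[0], run[-1]))
            run = []
    return spans

def synth_day(day_start, dips=()):
    """Constructed per-minute samples: ~450 Mbps in weekday business hours, ~20 otherwise, plus deterministic jitter."""
    out = []
    for i in range(24 * 60):
        ts = day_start + timedelta(minutes=i)
        mbps = (450 if ts.weekday() < 5 and 9 <= ts.hour < 17 else 20) + (i % 7) - 3
        for hour, minutes, value in dips:  # (hour, first N minutes, forced reading)
            if ts.hour == hour and ts.minute < minutes:
                mbps = value
        out.append((ts, mbps))
    return out
BUSINESS_HOURS = [(d, 9, 17) for d in range(5)]  # Mon-Fri 09:00-17:00 is the expected active window
HISTORY = [s for d in range(14) for s in synth_day(datetime(2024, 1, 1) + timedelta(days=d))]  # two weekly cycles
BASELINE = build_baseline(HISTORY)

def run_example(persist=5):
    # Tuesday 2024-01-16: 12-minute outage at 10:00, 2-minute blip at 14:00, 30 minutes of silence at 03:00
    day = synth_day(datetime(2024, 1, 16), dips=[(10, 12, 50), (14, 2, 50), (3, 30, 0)])
    return detect_absences(day, BASELINE, sensitivity=3.0, windows=BUSINESS_HOURS, persist=persist)
```

run_example() returns only the 10:00-10:11 span: the 2-minute blip fails the persistence check and the 03:00 silence falls outside the active window.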
Practical Use Cases
Backup Monitoring
Most backup monitoring relies on job completion logs, which can be tampered with or simply not configured. Network-layer monitoring provides an independent signal: if the backup window passes without the expected traffic volume, something has failed — silently.
Security Agent Health
Endpoint security agents, EDR solutions, and log forwarders all generate characteristic traffic patterns. If an agent stops phoning home, you want to know before it's gone a week unprotected. Network-layer absence detection provides a backup signal that doesn't depend on the agent itself reporting its own failure.
East-West Replication
Database clusters, storage arrays, and application clusters all exhibit characteristic synchronization traffic. An unexpected absence in replication traffic can indicate:
- A failed failover that left a node isolated
- A deliberate isolation step in a ransomware staging operation
- A network misconfiguration that has silently broken redundancy
DNS and Authentication Infrastructure
DNS servers, domain controllers, and certificate authorities generate predictable, high-frequency traffic. An unexpected dip in DNS query volume can indicate that clients have been reconfigured to use a rogue resolver — a common technique in DNS hijacking campaigns.
Implementing in Practice
Absence detection works best when it's scoped tightly. A few practical steps:
- Identify critical traffic flows. Start with the flows that must exist: backup jobs, agent heartbeats, replication streams, authentication traffic.
- Establish expected windows. Define when each flow is expected to be active and at what approximate volume.
- Set lower-bound alert thresholds. Using a forecasting model's confidence interval, define the minimum traffic level that should be present during active windows.
- Build auto-resolution logic. Absence alerts should resolve automatically when traffic returns to normal. A two-hour backup window outage that resolves by morning shouldn't stay open as an incident.
FlowSight applies Prophet-based forecasting bidirectionally to all monitored segments, flagging both upward and downward departures from the expected band. Each anomaly carries a direction label — making it easy to triage spikes and absences with different playbooks while keeping both in a single alert workflow.
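As an added example that is neither FlowSight's code nor the original post's, this Python sketch stitches the four steps together: a registry of critical flows with expected windows and a lower/upper band, persistence before an alert opens, a direction label on each alert, and auto-resolution when traffic returns to the band. The backup flow, its band, the Friday-night window and the per-minute readings are constructed assumptions; the band is assumed to come from the forecast model's interval.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Flow:  # one critical flow and its expected band
    name: str
    windows: list      # (weekday, start_hour, end_hour); a cross-midnight window is two entries
    floor: float       # minimum Mbps expected inside an active window
    ceiling: float     # maximum Mbps expected at any time
    persist: int       # consecutive breaching samples before an alert opens

def in_window(ts, windows):
    return any(d == ts.weekday() and s <= ts.hour < e for d, s, e in windows)

@dataclass
class AlertTracker:
    flows: dict                                      # name -> Flow
    runs: dict = field(default_factory=dict)         # name -> [direction, consecutive breach count]
    open_alerts: dict = field(default_factory=dict)  # name -> direction currently alerting
    events: list = field(default_factory=list)       # (ts, name, "open"/"resolve", direction)

    def observe(self, name, ts, mbps):
        flow = self.flows[name]
        if mbps > flow.ceiling:
            direction = "up"
        elif mbps < flow.floor and in_window(ts, flow.windows):
            direction = "down"   # silence outside the expected window is not a breach
        else:
            direction = None
        if direction is None:
            self.runs.pop(name, None)
            if name in self.open_alerts:   # traffic is back inside the band: auto-resolve
                self.events.append((ts, name, "resolve", self.open_alerts.pop(name)))
            return
        run = self.runs.get(name)
        self.runs[name] = [direction, run[1] + 1] if run and run[0] == direction else [direction, 1]
        if self.runs[name][1] >= flow.persist and self.open_alerts.get(name) != direction:
            if name in self.open_alerts:   # flipped straight from one direction to the other
                self.events.append((ts, name, "resolve", self.open_alerts[name]))
            self.open_alerts[name] = direction
            self.events.append((ts, name, "open", direction))

def run_example():
    # Constructed: Friday-night backup stream, expected Fri 22:00 to Sat 02:00 at 500-1200 Mbps, judged per minute
    backup = Flow("backup-nightly", [(4, 22, 24), (5, 0, 2)], floor=500, ceiling=1200, persist=5)
    tracker = AlertTracker({backup.name: backup})
    start = datetime(2024, 1, 5, 22, 0)   # a Friday
    readings = [800] * 4 + [0] * 9 + [800] * 2 + [2000] * 5 + [800] * 3   # drops out, returns, then spikes
    for i, mbps in enumerate(readings):
        tracker.observe(backup.name, start + timedelta(minutes=i), mbps)
    return tracker.events
```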
The Broader Point
Threat actors who understand network monitoring will deliberately design their operations to stay below detection thresholds. But no attacker can fabricate the expected traffic from a security agent they've killed or a backup job they've stopped. The absence is the evidence.
Detecting what's missing is at least as important as detecting what's unexpected. If your monitoring only fires in one direction, you're seeing half the picture.