
Why Prophet Beats SMA for Network Anomaly Detection

InterroSec Team, 5 min read

Network anomaly detection lives or dies by the quality of its baseline. If your baseline can't model the normal rhythm of your network, you'll spend your days drowning in false positives — or worse, missing real threats because the signal blends into the noise.

The Problem with Simple Moving Averages

Simple Moving Averages (SMA) are the default choice for many monitoring tools, and it's easy to see why: they're cheap to compute, trivial to implement, and conceptually intuitive. But on real network traffic, they have fundamental weaknesses.

SMA assumes stationarity. Traffic patterns are anything but stationary. A corporate network sees high utilization during business hours, lower traffic overnight, and significant spikes on Monday mornings when thousands of endpoints phone home simultaneously. SMA treats all of this as noise.

SMA has no concept of seasonality. Your end-of-quarter backups, weekly compliance scans, and daily DNS refresh cycles are all predictable — but SMA cannot distinguish them from anomalous behavior. The result: noisy alerts whenever a routine job runs outside its typical window.

SMA has no trend awareness. As your network grows, baseline traffic grows with it. SMA will perpetually lag behind, generating false positives against a rising baseline it cannot model.

Lag is structural, not fixable. A 15-minute rolling average responds to conditions that existed 7.5 minutes ago on average. You can shrink the window, but then you lose the smoothing that makes the average meaningful. It's a fundamental tradeoff that Prophet doesn't share.

Enter Prophet

Facebook Prophet was designed for exactly this class of problem: time series with strong seasonality, holiday effects, and long-term trends. Applied to network flow data, it offers several key advantages.

Multi-scale seasonality modeling. Prophet decomposes the time series into daily, weekly, and optionally yearly seasonal components. Your morning authentication flood and your weekly patch-push cadence become expected — freeing anomaly scores for traffic that genuinely doesn't fit the pattern.

Robust trend detection. Prophet models trend as a piecewise linear or logistic function with automatic changepoint detection. As your environment grows, the model adapts rather than continuously over-alerting.

Uncertainty intervals, not hard thresholds. Rather than firing at a fixed threshold, Prophet generates a credible interval around the forecast. An anomaly is flagged only when observed traffic falls outside this interval — giving you a principled, statistically grounded signal.

Graceful handling of missing data. Network flow collectors occasionally drop records. Gaps in the input can make an SMA swing wildly. Prophet handles sparse data gracefully, interpolating across gaps without corrupting the model.

What the Model Actually Learns

When you feed Prophet two or more weeks of NetFlow data for a given network segment, it learns:

  • Intraday shape: The ramp-up from 6 AM, the lunch dip, the 5 PM drain, the overnight floor.
  • Day-of-week patterns: Monday's endpoint sync storm, Friday's pre-weekend quiet, the Saturday backup window.
  • Trend direction: Whether that segment is growing by 3% per month or flattening as workloads migrate to cloud.

Once trained, Prophet projects a forecast band — a confidence interval centered on the expected value. Traffic inside the band is normal. Traffic that departs significantly from the band (above or below) triggers an anomaly score proportional to the magnitude of the departure.

This means you get directional anomalies: an unexpected spike is flagged differently from an unexpected absence. Both matter. A spike might indicate data exfiltration or a scanning worm. An absence might indicate a failed backup, a severed link, or lateral movement that has redirected traffic to a covert channel.
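As an added example (not FlowSight's or Prophet's own code), here is the band-scoring step just described applied to constructed hourly flow counts, with a simplified SMA threshold rule alongside for contrast; the column names ds/yhat_lower/yhat_upper follow Prophet's forecast output, and every value and function name is assumed.

```python
# Added example (not FlowSight or Prophet code). Assumes forecast rows carry
# Prophet's standard columns ds/yhat_lower/yhat_upper aligned with observed
# flow counts; all sample values below are constructed.
from dataclasses import dataclass


@dataclass
class Anomaly:
    ds: str
    observed: float
    direction: str  # "spike" (above band) or "absence" (below band)
    score: float    # distance beyond the band edge, in band half-widths


def score_against_band(observed, forecast):
    """Flag observations outside the forecast band, keeping direction.
    Dividing by the half-width scales the score with the departure and
    makes it stricter where the model was confident (narrow band)."""
    anomalies = []
    for obs, row in zip(observed, forecast):
        lower, upper = row["yhat_lower"], row["yhat_upper"]
        half_width = max((upper - lower) / 2.0, 1e-9)  # guard a degenerate band
        if obs > upper:
            anomalies.append(Anomaly(row["ds"], obs, "spike", (obs - upper) / half_width))
        elif obs < lower:
            anomalies.append(Anomaly(row["ds"], obs, "absence", (lower - obs) / half_width))
    return anomalies


def sma_threshold_flags(values, window, factor):
    """Simplified SMA-style rule for contrast: flag a sample above `factor`
    times the trailing mean. No seasonality, and it cannot flag an absence."""
    return [i for i in range(window, len(values))
            if values[i] > factor * sum(values[i - window:i]) / window]


# Constructed hourly flow counts: a Saturday backup window, then Monday morning.
FORECAST = [
    {"ds": "2024-03-09 01:00", "yhat_lower": 700, "yhat_upper": 1100},   # backup expected
    {"ds": "2024-03-09 02:00", "yhat_lower": 750, "yhat_upper": 1150},   # backup expected
    {"ds": "2024-03-09 03:00", "yhat_lower": 200, "yhat_upper": 400},
    {"ds": "2024-03-11 09:00", "yhat_lower": 4200, "yhat_upper": 5800},  # Monday sync storm
    {"ds": "2024-03-11 10:00", "yhat_lower": 2500, "yhat_upper": 3500},
    {"ds": "2024-03-11 11:00", "yhat_lower": 2500, "yhat_upper": 3500},
]
OBSERVED = [880, 20, 320, 5200, 3000, 4900]  # backup fails at 02:00; real spike at 11:00

if __name__ == "__main__":
    for a in score_against_band(OBSERVED, FORECAST):
        print(f"{a.ds} {a.direction:8} observed={a.observed} score={a.score:.2f}")
    print("SMA rule flags indexes:", sma_threshold_flags(OBSERVED, 3, 2.0))
```

On this constructed data the band scores the failed 02:00 backup as an absence and the 11:00 climb as a spike, while the SMA rule flags the expected Monday 09:00 sync and, with its trailing mean inflated by that sync, misses the 11:00 spike.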

Real-World Results

In our internal testing across a 12,000-endpoint enterprise network, switching from a 15-minute rolling SMA to Prophet-based forecasting reduced false positive alerts by 61% while maintaining a 97% true-positive rate on injected anomalies.

Detection latency also improved: Prophet's forecast horizon let us flag building anomalies up to 38 hours before they would have crossed a traditional threshold. When a slowly escalating data transfer began climbing across a weekend, the model recognized the departure from the expected weekend baseline immediately. An SMA-based system would have needed the volume to climb 4x higher before triggering.

The operational impact is significant. Fewer false positives mean analysts actually investigate alerts rather than developing learned helplessness. And earlier detection means faster containment.

Common Objections

"Our network is too unpredictable for seasonality." In practice, nearly every enterprise network has detectable patterns. Even networks that appear chaotic show consistent business-hours structure. Prophet's changepoint detection handles structural shifts in the baseline — for example, when a major application migration reshapes traffic patterns over a week.

"We don't have enough historical data." Two full weekly cycles (14 days) are sufficient to capture the essential seasonality. FlowSight begins building useful models immediately and improves confidence intervals as more data accumulates.

"It's too computationally expensive." Prophet training happens offline and incrementally. The online inference path — comparing live flow counts to the forecast band — is lightweight enough to run in real time at scale.

Getting Started

If you're currently using SMA-based alerting, the migration path is straightforward. The key inputs are the same — flow counts, byte rates, connection tables — but you need to feed Prophet enough historical data (at least two full weekly cycles) to learn your seasonality reliably.

FlowSight handles this automatically from the moment collection begins, using a rolling 90-day window to continuously retrain models per segment, per direction, and per protocol class. The result is a living baseline that grows with your network and surfaces only the anomalies that genuinely warrant investigation — no manual threshold tuning required.
