Which detection approach identifies threats by recognizing deviations from established normal behavior?


Multiple Choice

Which detection approach identifies threats by recognizing deviations from established normal behavior?

Explanation:
Anomaly-based detection identifies threats by looking for behavior that deviates from established normal activity. It builds a profile of typical network traffic, user actions, or system events, and flags anything that strays beyond those expected patterns. This makes it effective against unknown or zero-day threats that don’t match any known signatures because it isn’t limited to predefined patterns. The other approaches rely on known signatures, fixed rules, or reputation data rather than ongoing behavioral monitoring, so they can miss new attacks that don’t fit existing patterns. Note that a good baseline is essential; if normal behavior shifts, tuning is needed to avoid excessive false alarms.