Showing results for 
Search instead for 
Did you mean: 

Anomaly Detection in Backup Exec

Level 1

Backup Exec has added a feature named Anomaly detection that monitors job metadata to detect unusual patterns of backups due to any events such as a ransomware attack.

For Anomaly detection, job metadata refers to following parameters:

  • Backup Time
  • Backupset size
  • Backup Item Count
  • Deduplication Ratio
  • Data transfer over network

Anomaly detection divides each metadata set in different clusters based on following job configuration:

  • Job ID
  •  Job type
  • Server OS type
  • Storage name

The anomaly detection engine monitors metadata for each backup, and places the job metadata in different cluster-based job configuration to learn about the pattern for each job.

Anomaly Detection Feature:

  • Learning and Detection:

Anomaly Detection feature monitors pattern for each job configuration. It takes 30 job runs to start the anomaly detection engine and detect the abnormalities in job metadata. If any parameter does not fit the usual pattern and goes out of cluster then is reported as an anomaly by the engine.  The anomaly score is calculated based on its deviation from the usual range. The severity of the anomaly is calculated based on the score. If an anomaly reported for any backup, then an alert is raised.

Anomaly detection analysis for a job runs is done every hour in batches for all pending job runs. 

  • Anomaly Reporting in Backup Exec UI.

Backup Exec Home tab has new widget for reporting anomaly detection. It gives the information about number of anomalies detected in last 7 days, 15 days, and 30 days. It also has an option to manage the anomalies.



Anomaly Detection Dialog:

This dialog shows information about the anomalies that are detected for jobs in the last 7 days.

Anomaly can be detected for one or more metadata parameters.

You can filter the anomalies using the “Apply Filter” option. Each page displays up to 100 anomalies. To view the next set of anomalies, click Next.

Reported Anomaly Actions:

  1. Report as False Positive:

If an anomaly reported occurs due to some expected changes like increase/change in backup data, the anomaly can be reported as False Positive. When an anomaly is reported as False positive, the anomaly detection engine considers the job metadata as learning data for training itself, and next run of the same job with similar metadata is not reported as an anomaly.

  1. Confirm as Anomaly:

If there is any temporary change in backup data for testing purpose and an anomaly  is reported, it can be marked as “Confirm as Anomaly”. This just removes the anomaly information from the Backup Exec database but it is not treated as training data.

In Conclusion

For your data challenges, Veritas has the ultimate solutions. Protect, comply, and strengthen your data resilience with Veritas Backup Exec 22.2 – the ultimate ransomware resiliency and data protection solution for SMB’s. Visit our website to learn more about our services and recommendations.