Watching network traffic for signatures and malware recognizable from past attacks is one approach to network protection.

Another approach is watching the behavior of computer users on systems and comparing it to a pattern of normal or expected behavior in order to identify anomalies. This behavioral monitoring is employed in a new release from Q1 Labs, QRadar 3.0, which stands for Q1 Labs Real-time Anomaly Detection and Resolution.

The new release, a renaming of the former QVision product, features enhanced threat management, behavior modeling, alerting and reporting.

"We sit at the intersection of security and network management," says Brendan Hannigan, executive vice president of marketing and product development for Q1 Labs. "We detect deviations from normal behavior and use that to identify external threats, worms and Trojans, as well as internal threats such as scanning or policy violations."

Among new threat management features is a "Threat View" that consolidates major threats -- including denial of service, scans, worms, stealth activity, protocol misuse and Web-based attacks -- into a single screen. The display presents real-time and historical views from multiple sources, enabling administrators to take corrective action.

Another console enhancement provides a prioritized summary of outstanding alerts, and compares network conditions at the time of the alert to current conditions. A new post-analysis report generator lets users create reports on any aspect of threats detected and activity observed by QRadar. Users can customize the report format, schedule and distribution.

The behavioral learning functionality automatically learns normal behavior over a defined period. Irregular traffic patterns such as those caused by scheduled backups are automatically excluded. Users can customize the behavioral models to fit the practices of their organizations.

Cisco NetFlow has been added as an option for collecting network activity data, which makes it possible to obtain maximum coverage of enterprise infrastructure. A number of firewalls and intrusion detection feeds are also supported.

QRadar is priced starting at $25,000 for a basic system for one location, typically for several thousand users, including the QRadar console collection and classification engine. The price scales down for multiple locations; the product is sold as software.