A vendor-neutral, open specification for detecting behavioral anomalies in distributed systems using observability data
Specification v2.0 | Getting Started | Community
OpenALBA (Application-Layer Behavioral Analytics) is an open specification that defines how to detect behavioral anomalies in distributed systems using observability data. Unlike perimeter security tools (WAF, bot detection) or endpoint tools (EDR), OpenALBA operates at the application layer where it can observe:
- How users interact with applications
- How services communicate
- How data flows through systems
- How external dependencies behave
OpenALBA answers the fundamental question: "Is this behavior different from what we normally see?"
OpenALBA separates detection from interpretation through two distinct scores:
| Score | Purpose | Characteristics |
|---|---|---|
| Anomaly Score (0-100) | How unusual is this? | Objective, mathematical, deterministic |
| Risk Score (0-100) | How concerning is this? | Contextual, configurable, consumer-specific |
Built from the ground up to work with OpenTelemetry data:
- Uses OpenTelemetry semantic conventions for attributes
- Consumes traces, metrics, and logs from OTel Collectors
- Compatible with any OpenTelemetry-instrumented application
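The following is an added illustration of the two points above, the dual-score split and the use of OpenTelemetry semantic-convention attributes; it is example code written for this README, not OpenALBA's normative algorithm and not code from the specification or any reference implementation. The baseline method (median/MAD robust z-score), the linear mapping of that z-score onto 0-100, the `Z_CAP` constant, the span record layout and the shape of `RISK_CONTEXT` are all assumptions made for the example; the attribute keys (`enduser.id`, `http.request.method`, `http.route`, `http.response.status_code`) are OpenTelemetry semantic-convention names, and all span values and baseline counts are constructed.

```python
"""Illustrative dual-score pipeline over OpenTelemetry-style spans.

Added example, not OpenALBA's normative algorithm: the baseline method,
the z-score-to-0-100 mapping and the risk weights below are assumptions
chosen to show the separation of detection from interpretation.
"""
from __future__ import annotations

from collections import defaultdict
from statistics import median

NS_PER_S = 1_000_000_000
T0 = 1_700_000_000 * NS_PER_S  # constructed evaluation-window start


def span(user: str, route: str, offset_s: int, status: int = 200) -> dict:
    """Build a constructed span record whose attribute keys follow OTel semantic conventions."""
    return {
        "start_unix_nano": T0 + offset_s * NS_PER_S,
        "attributes": {
            "enduser.id": user,
            "http.request.method": "GET",
            "http.route": route,
            "http.response.status_code": status,
        },
    }


# Constructed current-window spans: alice bursts to 40 requests in a minute,
# bob stays at his usual 4, carol (a batch account) rises to 20.
SPANS = (
    [span("alice", "/api/reports/{id}", i) for i in range(40)]
    + [span("bob", "/api/orders", i * 10) for i in range(4)]
    + [span("carol", "/api/export", i * 2) for i in range(20)]
)

# Constructed per-entity baselines: requests per 60 s window in prior windows.
BASELINE_WINDOWS = {
    "alice": [5, 6, 4, 7, 5, 6, 5, 4, 6, 5],
    "bob": [3, 4, 5, 4, 3, 5, 4, 4, 3, 5],
    "carol": [10, 12, 11, 13, 10, 12, 11, 12, 10, 11],
}

# Consumer-specific risk context (assumed structure): route sensitivity and
# principal weights are the "configurable" half of the dual-score model.
RISK_CONTEXT = {
    "route_sensitivity": {"/api/reports/{id}": 1.5},  # unlisted routes default to 1.0
    "principal_weight": {"carol": 0.4},  # known batch account, deliberately down-weighted
}

Z_CAP = 10.0  # assumed: a robust z-score of 10 or more maps to anomaly score 100
MAD_SCALE = 1.4826  # makes MAD comparable to a standard deviation on normal data


def latest_window_counts(spans, window_s: int = 60) -> dict[str, int]:
    """Count requests per enduser.id, keeping each entity's most recent window."""
    counts: dict[tuple[str, int], int] = defaultdict(int)
    for s in spans:
        bucket = s["start_unix_nano"] // (window_s * NS_PER_S)
        counts[(s["attributes"]["enduser.id"], bucket)] += 1
    latest: dict[str, tuple[int, int]] = {}
    for (entity, bucket), n in counts.items():
        if entity not in latest or bucket > latest[entity][0]:
            latest[entity] = (bucket, n)
    return {entity: n for entity, (_, n) in latest.items()}


def anomaly_score(value: float, history: list[float]) -> int:
    """Objective score: robust z-score (median/MAD) mapped linearly onto 0-100."""
    med = median(history)
    mad = median(abs(h - med) for h in history)
    sigma = MAD_SCALE * mad if mad > 0 else 1e-9  # guard against a perfectly flat baseline
    z = abs(value - med) / sigma
    return int(round(min(100.0, 100.0 * z / Z_CAP)))


def risk_score(entity: str, route: str, anomaly: int, context: dict) -> int:
    """Contextual score: the same anomaly, re-weighted by what this consumer cares about."""
    weight = (context["route_sensitivity"].get(route, 1.0)
              * context["principal_weight"].get(entity, 1.0))
    return int(round(min(100.0, anomaly * weight)))


def score_spans(spans, baselines, context) -> dict[str, dict[str, int]]:
    """Run detection, then interpretation, and keep both scores side by side."""
    routes = {s["attributes"]["enduser.id"]: s["attributes"]["http.route"] for s in spans}
    result = {}
    for entity, n in latest_window_counts(spans).items():
        a = anomaly_score(n, baselines[entity])
        result[entity] = {"anomaly": a, "risk": risk_score(entity, routes[entity], a, context)}
    return result


if __name__ == "__main__":
    for entity, scores in score_spans(SPANS, BASELINE_WINDOWS, RISK_CONTEXT).items():
        print(f"{entity:6s} anomaly={scores['anomaly']:3d} risk={scores['risk']:3d}")
```

Running it shows why the two scores are kept apart: carol's burst is a genuine statistical outlier (anomaly 61) but a low-risk one once the consumer's context marks the principal as a batch account (risk 24), while alice's burst against a sensitive route saturates both scores. The anomaly score stays deterministic for a given baseline; only the risk side changes when `RISK_CONTEXT` changes.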
Detection patterns are mapped to the MITRE ATT&CK framework:
- 15 stable detection patterns with ATT&CK technique mappings
- Coverage across Initial Access, Persistence, Privilege Escalation, Lateral Movement, and Exfiltration
- Enables correlation with existing security tooling
| Section | Title | Description |
|---|---|---|
| 1. Overview | Overview | Abstract, status, conformance requirements |
| 2. Architecture | Core Architecture | System components, entity model, time windows |
| 3. Baselines | Baseline Methodology | Statistical and ML baseline methods |
| 4. Anomaly Scoring | Anomaly Scoring | Score calculation algorithms |
| 5. Risk Scoring | Risk Scoring | Context-aware risk assessment |
| 6. Signals | Signal Definitions | OpenTelemetry attribute mappings |
| 7. Detection | Detection Patterns | MITRE ATT&CK-mapped patterns |
| 8. Alerting | Alerting Framework | Threshold tiers and routing |
| 9. Implementation | Implementation Guide | Reference architecture |
This repository contains the OpenALBA specification itself, not code. To implement OpenALBA:
- Read the specification starting with Section 1: Overview
- Choose your stack: OpenALBA is designed to work with any observability backend
- Implement the core algorithms defined in Sections 3-5
- Add detection patterns from Section 7 based on your threat model
- Validate conformance against the requirements in each section
Implementations claiming conformance to OpenALBA:
- MUST implement the anomaly score calculation as defined in Section 4
- MUST implement at least one baseline methodology from Section 3
- SHOULD implement risk score calculation as defined in Section 5
- MAY implement additional detection patterns beyond those specified
- Website: openalba.org
- Discussions: GitHub Discussions
- Mailing List: openalba-dev@lists.openalba.org
- Slack: #openalba on CNCF Slack
We welcome contributions to the OpenALBA specification! Please see CONTRIBUTING.md for guidelines on:
- Proposing specification changes
- Reporting issues or inconsistencies
- Participating in working group discussions
For security vulnerabilities in the specification or reference implementations, please see SECURITY.md.
This specification is licensed under the Apache License 2.0.
Copyright 2024-2026 The OpenALBA Authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
OpenALBA is developed by the OpenALBA Working Group with contributions from organizations and individuals committed to improving behavioral anomaly detection in distributed systems.
