Compared with traditional approaches, where malicious behavior is defined ahead of time and detection engines inspect traffic looking for matches, NDR takes a reverse approach. Instead of inspecting traffic against a list of known bad payloads or behaviors, NDR focuses on the anomalies and calculates a probability as to whether that anomaly is malicious.
Gartner, Emerging Technologies: Adoption Growth Insights for Network Detection and Response.
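The contrast described above, as an added example that is not part of the original page or the cited report: a signature check and a baseline-driven anomaly score run over the same constructed traffic summaries. The feature names, placeholder markers, the Gaussian baseline model and the 0.99 threshold are all assumptions chosen for illustration; the score is a simple stand-in for whatever model a real NDR product uses.

```python
import math
from statistics import mean, stdev

# Constructed signature list (placeholder markers, not real indicators).
SIGNATURES = [b"EXAMPLE-BAD-MARKER-1", b"EXAMPLE-BAD-MARKER-2"]

# Constructed hourly baseline for one host, learned from its normal traffic.
BASELINE = {
    "kb_out":        [120, 135, 110, 128, 140, 125, 118, 132],
    "distinct_dsts": [4, 5, 3, 6, 4, 5, 4, 5],
}

def signature_match(payload: bytes) -> bool:
    """Traditional approach: alert only if a predefined pattern is present."""
    return any(sig in payload for sig in SIGNATURES)

def anomaly_score(obs: dict, baseline: dict = BASELINE) -> float:
    """Score in [0, 1]: share of baseline behaviour less extreme than obs.

    Assumes each feature is roughly normal; takes the worst feature.
    """
    scores = []
    for feature, history in baseline.items():
        mu, sigma = mean(history), stdev(history)
        if sigma == 0:  # constant baseline: any deviation is maximally unusual
            scores.append(0.0 if obs[feature] == mu else 1.0)
            continue
        z = abs(obs[feature] - mu) / sigma
        scores.append(math.erf(z / math.sqrt(2)))
    return max(scores)

def evaluate(obs: dict, threshold: float = 0.99) -> dict:
    """Run both approaches on one hourly observation."""
    score = anomaly_score(obs)
    return {"signature_hit": signature_match(obs["payload"]),
            "anomaly_score": round(score, 3),
            "anomaly_alert": score >= threshold}

# Constructed observations for the same host.
NORMAL = {"payload": b"GET /index.html", "kb_out": 130, "distinct_dsts": 5}
KNOWN_BAD = {"payload": b"xx EXAMPLE-BAD-MARKER-1 xx", "kb_out": 125, "distinct_dsts": 4}
NOVEL = {"payload": b"\x17\x03\x03 opaque bytes", "kb_out": 900, "distinct_dsts": 5}

if __name__ == "__main__":
    for name, obs in [("normal", NORMAL), ("known_bad", KNOWN_BAD), ("novel", NOVEL)]:
        print(name, evaluate(obs))
```

The known pattern is caught only by the signature check, while the hour with no matching pattern but an outbound volume far outside the baseline is caught only by the anomaly score.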