9. Configuration » General Settings » Anomaly Detection

The anomaly detection engine can be configured in Configuration » General Settings » Anomaly Detection. The detection of anomalies also needs to be enabled individually for each subnet defined in the IP Zone (details in Configuration » Network & Policy » IP Zone).


Deduplication prevents the reporting of multiple anomalies for the same attack when the attack is matched by multiple decoders that are nested within each other. Without this feature, if you define a 500k pps threshold for the IP decoder, a 400k pps threshold for the TCP decoder and a 30k pps threshold for the TCP+SYN decoder, and a 600k pps TCP+SYN attack is received, the Sensor will detect three anomalies, one for each decoder. With this feature on, the Sensor will report a single anomaly for the most specific decoder, which in this case is TCP+SYN. Select the first option to disable this feature. Select the second option to enable it. Select the third option to also ignore anomalies for bits/s thresholds when similar anomalies exist for packets/s thresholds.

Delay Reporting can be used to avoid reporting anomalies shorter than a predefined number of seconds. When using Flow Sensor, the flow delay must be taken into consideration.

Expiration Interval lets you select the number of minutes of inactivity before anomalies expire. The default value is 5 minutes.

Expiration Function can be used to increase (linearly or exponentially, both for up to 24 hours) the number of minutes of inactivity before recurring anomalies expire. The system takes into account similar anomalies received in the previous 7 days.

Wanguard Sensor detects traffic anomalies using two different methods:

Threshold Anomalies are detected for user-defined threshold values. Thresholds can be defined inside IP Zones for the decoders enabled in the Threshold Anomaly Decoders list. Decoders are explained in the previous chapter. Enable only the decoders for which you need to define thresholds.
Thresholds can include either absolute values (e.g. IP receives 100k UDP packets/s) or percentage values (e.g. IP receives 30% UDP packets/s). To prevent Percentage Thresholds from being triggered for small amounts of traffic, configure minimum packets/s and bits/s values. Percentage values are calculated based on the rates of the monitored interface, for the same decoder. For example, for an interface that receives 100k UDP packets/s, a 30% UDP packets/s threshold defined for a single IP triggers an anomaly when the IP receives over 30k UDP packets/s.
Profile Anomalies are detected through a behavioral recognition approach. After profile anomaly detection is enabled for a subnet or host in the IP Zone, the Console builds a behavioral traffic graph for a 24 hour period. You can see the graph in Reports » IP Addresses » [Subnet] » Profile Graphs. Wanguard Sensor detects any activity that deviates from the expected traffic levels of the protected subnets.
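The following Python script is an added illustration of the threshold evaluation and decoder deduplication described on this page; it is not Wanguard's own code. The decoder hierarchy, threshold shapes and traffic rates are constructed sample values.

```python
# Constructed decoder hierarchy: each decoder maps to the broader decoder
# that includes it (None for the root). Assumption for illustration only.
PARENT = {"IP": None, "TCP": "IP", "UDP": "IP", "TCP+SYN": "TCP"}


def is_within(decoder, ancestor):
    """True when `decoder` is nested inside `ancestor` (e.g. TCP+SYN in IP)."""
    d = PARENT[decoder]
    while d is not None:
        if d == ancestor:
            return True
        d = PARENT[d]
    return False


def exceeds(threshold, rate, iface_rate, min_rate=0):
    """threshold is ("abs", pps) or ("pct", percent).

    Percentage thresholds are relative to the monitored interface's rate
    for the same decoder and are ignored while `rate` is below `min_rate`.
    """
    kind, value = threshold
    if kind == "abs":
        return rate > value
    return rate >= min_rate and rate > iface_rate * value / 100.0


def detect(thresholds, rates, iface_rates=None, dedup=True, min_rate=0):
    """Return the sorted list of decoders whose threshold is exceeded.

    thresholds: decoder -> threshold; rates: decoder -> observed pps for
    the IP; iface_rates: decoder -> interface pps (used by "pct" thresholds).
    With dedup on, a hit is dropped when a more specific decoder nested
    inside it also hit, so only the most specific anomaly is reported.
    """
    iface_rates = iface_rates or {}
    hits = [d for d, t in thresholds.items()
            if d in rates and exceeds(t, rates[d], iface_rates.get(d, 0), min_rate)]
    if dedup:
        hits = [h for h in hits if not any(o != h and is_within(o, h) for o in hits)]
    return sorted(hits)


if __name__ == "__main__":
    # The page's example: a 600k pps TCP+SYN flood is counted by all three decoders.
    thr = {"IP": ("abs", 500_000), "TCP": ("abs", 400_000), "TCP+SYN": ("abs", 30_000)}
    seen = {"IP": 600_000, "TCP": 600_000, "TCP+SYN": 600_000}
    print(detect(thr, seen, dedup=False))  # ['IP', 'TCP', 'TCP+SYN']
    print(detect(thr, seen))               # ['TCP+SYN']
```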
Profile anomaly detection is recommended only for hosts and subnets that have a predictable traffic pattern. Larger subnets are usually more predictable. To prevent false positives, adjust the deviation percent and minimum packet and bit rates.
Deviation % represents the maximum allowed deviation from the expected traffic before a profile anomaly is triggered. A value of 100 allows traffic up to twice the expected value (100% expected + 100% deviation).
Users should not modify the values from the Advanced Profiling Parameters panel.