10. General Settings » Anomaly Detection

The anomaly detection engine can be configured in Configuration » General Settings » Anomaly Detection. The detection of anomalies also needs to be enabled individually for each subnet defined in the IP Zone.


Deduplication prevents the reporting of multiple anomalies for the same attack when the attack is matched by multiple decoders which are included within each other. Without this feature, if you define a 500k pps threshold for the IP decoder, a 400k pps threshold for the TCP decoder and a 30k pps threshold for the TCP+SYN decoder, and a 600k pps TCP+SYN attack is being received, the Sensor will detect three anomalies, one for each decoder. With this feature on, the Sensor will report a single anomaly for the most specific decoder, which in this case is TCP+SYN. Select the first option to disable this feature. Select the second option to enable it. Select the third option also to ignore anomalies for bits/s thresholds when similar anomalies exist for packets/s thresholds.

Delay Reporting can be used to avoid reporting anomalies shorter than a predefined number of seconds. When using Flow Sensor, the flow delay must be taken into consideration.

Expiration Interval lets you select the number of minutes of inactivity before anomalies expire. The default value is 5 minutes.

Expiration Function can be used to increase (linearly or exponentially, both for up to 24 hours) the number of minutes of inactivity before recurring anomalies expire. The system takes into account similar anomalies received in the previous seven days.

Wanguard Sensor detects traffic anomalies using two different methods:

10.1. Threshold Anomalies

Threshold Anomalies are breaches of user-defined traffic thresholds. The thresholds can be defined inside IP Zones for the decoders enabled in the Threshold Anomaly Decoders list. Decoders represent internal functions (traffic dissectors) that differentiate and classify the underlying protocols of each packet or flow. Enable only the decoders for which you need to define thresholds.

Thresholds can include either absolute values (e.g. IP receives 100k UDP packets/s) or percentage values (e.g. IP receives 30% UDP packets/s). To prevent Percentage Thresholds from being triggered for small amounts of traffic, configure minimum packets/s and bits/s values. Percentage values are calculated based on the rates of the monitored interface, for the same decoder. E.g., for an interface that receives 100k UDP packets/s, a 30% UDP packets/s threshold defined for a single IP triggers an anomaly when the IP receives over 30k UDP packets/s.

10.2. Profile Anomalies

Profile Anomalies are detected through a behavioral recognition approach. After enabling in IP Zone the profile anomaly detection for a subnet or host, RRDTool builds a behavioral traffic graph for a 24 hour period which can be viewed in Reports » IP Addresses » [Subnet] » Profile Graphs. Wanguard Sensor detects any activity that deviates from the expected traffic levels of the protected subnets, albeit only for the IP decoder.

In most cases, the Threshold Anomalies approach is much reliable and useful. Also, profile anomaly detection is possible only for hosts and subnets that have a predictable traffic pattern. Larger subnets are usually more predictable than smaller subnets. To reduce the number of false positives, adjust the deviation percent and minimum packet and bit rates, or use the much more reliable method of defining thresholds.

Deviation % represents the maximum allowed deviation from the expected traffic before triggering a profile anomaly. A value of 100 allows traffic up to twice (100% expected + 100% deviation) the expected value.

Users should not modify the values from the Advanced Profiling Parameters panel.