10. General Settings » Anomaly Detection
The anomaly detection engine can be configured in Configuration » General Settings » Anomaly Detection. The detection of anomalies also needs to be enabled individually for each subnet defined in the IP Zone.
Wanguard Sensor detects traffic anomalies using two different methods:
10.1. Threshold Anomalies
Threshold Anomalies are breaches of user-defined traffic thresholds. These thresholds can be defined inside IP Zones for the decoders enabled in the Decoders for Thresholds list. Decoders represent internal functions (traffic dissectors) that differentiate and classify the underlying protocols of each packet or flow.
Enable only the decoders for which you need to define thresholds. The Compatibility column shows whether Packet Sensor, Flow Sensor or SNMP Sensor can use the decoder to detect anomalies, and whether the resulting anomalies can be mitigated by Packet Filter (with Netfilter), by Flowspec, or by the Dataplane Firewall.
Thresholds can include either absolute values (e.g. IP receives 100k UDP packets/s) or percentage values (e.g. IP receives 30% UDP packets/s). To prevent Percentage Thresholds from being triggered for small amounts of traffic, configure minimum packets/s and bits/s values. Percentage values are calculated based on the rates of the monitored interface, for the same decoder. E.g., for an interface that receives 100k UDP packets/s, a 30% UDP packets/s threshold defined for a single IP triggers an anomaly when the IP receives over 30k UDP packets/s.
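The following worked example (added here; it is not Wanguard's own code) shows how absolute and percentage thresholds resolve to a concrete per-IP limit, and how the minimum packets/s and bits/s floors keep a percentage threshold from firing on a trickle of traffic. The rule layout, the `Threshold`/`Rates` names and the assumption that the floors apply to the monitored IP's own rate are illustrative choices, not the product's data model.

```python
"""Added example: evaluating threshold anomalies for one decoder.

Assumptions (not taken from the Wanguard documentation):
  * rates are given per decoder (e.g. UDP) for both the IP and the interface;
  * the min_pps / min_bps floors apply to the monitored IP's own traffic and
    only matter for percentage thresholds.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Rates:
    """Observed rate for one decoder, e.g. UDP packets/s and bits/s."""
    pps: float
    bps: float


@dataclass
class Threshold:
    decoder: str            # a decoder enabled in "Decoders for Thresholds"
    direction: str          # "receives" or "sends"
    unit: str               # "packets/s" or "bits/s"
    value: float            # absolute rate, or a percent when percent=True
    percent: bool = False
    min_pps: float = 0.0    # percentage thresholds only: ignore IPs below this
    min_bps: float = 0.0


def effective_limit(t: Threshold, interface: Rates) -> float:
    """Absolute rate the IP must exceed for this threshold to be breached.

    Percentage thresholds are relative to the interface rate for the same
    decoder: 30% UDP packets/s on an interface receiving 100k UDP packets/s
    resolves to 30k packets/s.
    """
    if not t.percent:
        return t.value
    base = interface.pps if t.unit == "packets/s" else interface.bps
    return base * t.value / 100.0


def breaches(t: Threshold, ip: Rates, interface: Rates) -> bool:
    """True when the IP's rate for this decoder exceeds the effective limit."""
    observed = ip.pps if t.unit == "packets/s" else ip.bps
    if t.percent and (ip.pps < t.min_pps or ip.bps < t.min_bps):
        # Too little traffic for a percentage threshold to be meaningful.
        return False
    return observed > effective_limit(t, interface)


def breached_thresholds(thresholds: List[Threshold], ip: Rates,
                        interface: Rates) -> List[Threshold]:
    """All thresholds of a rule set that the IP currently breaches."""
    return [t for t in thresholds if breaches(t, ip, interface)]


if __name__ == "__main__":
    # Constructed sample: interface receives 100k UDP packets/s.
    iface = Rates(pps=100_000, bps=800_000_000)
    rules = [
        Threshold("UDP", "receives", "packets/s", 100_000),                # absolute
        Threshold("UDP", "receives", "packets/s", 30, percent=True,
                  min_pps=5_000),                                          # 30% => 30k
    ]
    victim = Rates(pps=35_000, bps=280_000_000)
    for t in breached_thresholds(rules, victim, iface):
        print(f"anomaly: {t.decoder} {t.direction} > "
              f"{effective_limit(t, iface):.0f} {t.unit}")
```

Lowering `min_pps` to zero in the sample makes the 30% rule fire even on a near-idle interface, which is exactly the false positive the minimum floors exist to prevent.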
10.2. Profile Anomalies
Profile Anomalies are detected through a behavioral recognition approach. Once profile anomaly detection is enabled in the IP Zone for a subnet or host, RRDTool builds a behavioral traffic graph over a 24-hour period, which can be viewed in Reports » IP Addresses » [Subnet] » Profile Graphs. Wanguard Sensor detects any activity that deviates from the expected traffic levels of the protected subnets, albeit only for the IP decoder.
In practice, the Threshold Anomalies approach is much more reliable and useful. Profile anomaly detection is possible only for hosts and subnets that have a predictable traffic pattern; larger subnets have a much more predictable traffic pattern than smaller subnets. To reduce the number of false positives, adjust the deviation percent and the minimum packet and bit rates, or use the more reliable method of defining thresholds.
Deviation % represents the maximum allowed deviation from the expected traffic before triggering a profile anomaly. A value of 100 allows traffic up to twice (100% expected + 100% deviation) the expected value.
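To make the profile rule concrete, here is an added example (not Wanguard's code) that derives an expected rate for the current hour from a constructed multi-day history, applies the Deviation % formula, and applies minimum packet and bit rates so that low-volume traffic never triggers. The 24-slot per-day history stands in for the RRDTool profile graph; the function names and the exact way the minimums are combined are assumptions made for illustration.

```python
"""Added example: profile anomaly check for the IP decoder.

Assumptions (not from the Wanguard documentation):
  * the expected rate for an hour is the mean of that hour across the
    recorded days of the behavioral profile;
  * a rate below its minimum (packets/s or bits/s) can never trigger on its
    own, so the anomaly fires only on a metric that is both above the
    minimum and above the allowed deviation.
"""
from statistics import mean
from typing import List, Optional


def allowed_rate(expected: float, deviation_pct: float) -> float:
    """Maximum rate tolerated before a profile anomaly.

    Deviation 100 allows up to twice the expected value
    (100% expected + 100% deviation).
    """
    return expected * (1.0 + deviation_pct / 100.0)


def expected_rate(history: List[List[float]], hour: int) -> float:
    """Expected rate for `hour` (0-23) from a list of 24-slot daily profiles."""
    if not 0 <= hour < 24:
        raise ValueError("hour must be in 0..23")
    return mean(day[hour] for day in history)


def profile_anomaly(observed_pps: float, observed_bps: float,
                    expected_pps: float, expected_bps: float,
                    deviation_pct: float,
                    min_pps: float = 0.0, min_bps: float = 0.0) -> Optional[str]:
    """Return which metric deviates ("packets/s" or "bits/s"), or None."""
    if observed_pps >= min_pps and observed_pps > allowed_rate(expected_pps, deviation_pct):
        return "packets/s"
    if observed_bps >= min_bps and observed_bps > allowed_rate(expected_bps, deviation_pct):
        return "bits/s"
    return None


if __name__ == "__main__":
    # Constructed 3-day profile for one subnet: packets/s per hour of day.
    pps_history = [[1_000] * 24, [1_200] * 24, [800] * 24]
    bps_history = [[8e6] * 24, [9.6e6] * 24, [6.4e6] * 24]
    hour = 3
    exp_pps = expected_rate(pps_history, hour)   # 1000
    exp_bps = expected_rate(bps_history, hour)   # 8e6
    verdict = profile_anomaly(2_500, 2e7, exp_pps, exp_bps,
                              deviation_pct=100, min_pps=1_500, min_bps=1e7)
    print(f"hour {hour}: expected {exp_pps:.0f} pps, "
          f"allowed {allowed_rate(exp_pps, 100):.0f} pps -> {verdict}")
```

Raising `min_pps` above the observed rate in the sample suppresses the anomaly without touching the deviation percent, which is the knob the text recommends for subnets whose traffic is too small to have a stable profile.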