
Flowmon ADS

COUNTRY - Behavior Profiling - Country Reputation


  • Last Updated: April 5, 2026

Method description

This method detects above-average data transfers between the monitored devices and the respective country. It stores the number of flows and the amount of data transferred between the country and the monitored devices. The traffic statistics are divided according to whether the communication was initiated by an IP address inside or outside the monitored network (request or reply).

This method also detects excessive data transfers between the device and the respective country. The amount of sent/received data (or the ratio between upload and download) is monitored during the detection. All values are compared to the average of other devices in the monitored network that are communicating with the respective country.

Only the IP addresses that have sent more data to the respective country than is defined by the MinimalDataTransferU parameter, or downloaded more data than is defined by the MinimalDataTransferD parameter, are included in the detection. The event is generated if the traffic is bigger than the n-multiple of the network average, where "n" is defined by the MinQuota parameter. The event can also be generated if the upload/download ratio of the device is bigger than the m-multiple of the network average, where m is the value of the RatioQuota parameter. If RatioQuota is equal to 0, the ratio comparison is not applied.

This method consists of the following submethod:

  • IncreasedCommunication: Reports when devices from the monitored network communicate with unusual countries or the communication with a specific country is significantly increased.

Method configuration

It is recommended to apply this method for the IP addresses of the respective organization. The right place for traffic monitoring is the central switch or the Internet connection line, but not both places at the same time.

Method parameters

  • MinimalDataTransferU: Threshold for minimum data amount sent by a single IP address to one country (in MiB).

  • MinimalDataTransferD: Threshold for minimum data amount received by a single IP address from one country (in MiB).

  • MinQuota: Minimum ratio between the received or sent data by a single IP address and the relevant average value of the whole monitored network.

  • RatioQuota: Threshold for the ratio between sent and received data of a single IP address, expressed as a multiple of the average upload/download ratio of the whole monitored network (0 disables this comparison).

  • ExcludeCountries: Communication with the selected countries is ignored during the application of this detection method.

  • MinimalHistory: The duration of the learning phase (in minutes) during which the statistics of transferred data with individual countries are collected. Events are generated only after this time has elapsed.
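The following toy model ties the method description and the parameter list above together. It is an added example, not Flowmon code: each Flow is assumed to be already reduced to bytes uploaded and downloaded by one monitored IP to one country, the request/reply split is omitted, and the learning phase is reduced to a single learning_minutes value. The "network average" is taken over the other devices talking to the same country, and the average upload/download ratio is computed as the ratio of the other devices' summed upload to their summed download; both are this example's interpretation of the text, not a published Flowmon formula. The sample flows and the parameter values are constructed.

```python
"""Toy model of the COUNTRY / IncreasedCommunication detection (added example, not Flowmon code)."""
from collections import defaultdict
from dataclasses import dataclass

MIB = 1024 * 1024


@dataclass(frozen=True)
class Flow:
    local_ip: str      # monitored device
    country: str       # remote country code
    upload: int        # bytes sent by local_ip to that country
    download: int      # bytes received by local_ip from that country


@dataclass(frozen=True)
class CountryParams:
    MinimalDataTransferU: float = 10.0        # MiB
    MinimalDataTransferD: float = 10.0        # MiB
    MinQuota: float = 5.0                     # "n"
    RatioQuota: float = 3.0                   # "m"; 0 disables the ratio check
    ExcludeCountries: frozenset = frozenset()
    MinimalHistory: int = 60                  # minutes of learning before events


def _mean(values):
    values = list(values)
    return sum(values) / len(values) if values else 0.0


def detect(flows, params, learning_minutes):
    """Return one event per (ip, country) pair that exceeds the configured quotas."""
    if learning_minutes < params.MinimalHistory:
        return []   # still learning: statistics are collected, nothing is reported

    totals = defaultdict(lambda: [0, 0])   # (ip, country) -> [upload, download]
    for f in flows:
        if f.country in params.ExcludeCountries:
            continue
        totals[(f.local_ip, f.country)][0] += f.upload
        totals[(f.local_ip, f.country)][1] += f.download

    by_country = defaultdict(dict)         # country -> {ip: (upload, download)}
    for (ip, country), (up, down) in totals.items():
        by_country[country][ip] = (up, down)

    events = []
    for country, devices in by_country.items():
        for ip, (up, down) in devices.items():
            up_ok = up > params.MinimalDataTransferU * MIB
            down_ok = down > params.MinimalDataTransferD * MIB
            if not (up_ok or down_ok):
                continue   # below both minimum-transfer thresholds: not evaluated
            others = [v for other, v in devices.items() if other != ip]
            avg_up = _mean(u for u, _ in others)
            avg_down = _mean(d for _, d in others)
            reasons = []
            # A country no other device talks to has an average of 0, so any
            # evaluated transfer is "n times above average" (the unusual-country case).
            if up_ok and up > params.MinQuota * avg_up:
                reasons.append("upload")
            if down_ok and down > params.MinQuota * avg_down:
                reasons.append("download")
            if params.RatioQuota > 0 and others:
                ratio = up / down if down else float("inf")
                others_down = sum(d for _, d in others)
                avg_ratio = sum(u for u, _ in others) / others_down if others_down else float("inf")
                if ratio > params.RatioQuota * avg_ratio:
                    reasons.append("ratio")
            if reasons:
                events.append({"ip": ip, "country": country, "reasons": tuple(reasons),
                               "upload_mib": up / MIB, "download_mib": down / MIB})
    return events


# Constructed sample: four devices talk to DE at similar volumes, one of them uploads
# ten times more; one device talks to a country nobody else does; one is below the
# minimum-transfer thresholds; US traffic is excluded by configuration.
SAMPLE_FLOWS = [
    Flow("10.0.0.1", "DE", 20 * MIB, 50 * MIB),
    Flow("10.0.0.2", "DE", 22 * MIB, 48 * MIB),
    Flow("10.0.0.3", "DE", 18 * MIB, 52 * MIB),
    Flow("10.0.0.4", "DE", 200 * MIB, 50 * MIB),
    Flow("10.0.0.5", "XX", 15 * MIB, 1 * MIB),
    Flow("10.0.0.6", "CN", 2 * MIB, 3 * MIB),
    Flow("10.0.0.6", "US", 500 * MIB, 500 * MIB),
]
PARAMS = CountryParams(ExcludeCountries=frozenset({"US"}))

if __name__ == "__main__":
    for event in detect(SAMPLE_FLOWS, PARAMS, learning_minutes=120):
        print(event)
```

With the sample data, 10.0.0.4 is reported for DE on both the upload and the ratio check (200 MiB against an average of 20 MiB for the other three devices, and a 4.0 upload/download ratio against their 0.4), 10.0.0.5 is reported for XX because no other device communicates with that country, the CN flow never reaches the thresholds, and the US flow is dropped by ExcludeCountries before any statistics are built. Setting RatioQuota to 0 removes the "ratio" reason without affecting the volume checks.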

Assigned filter

The filter is used for the restriction of the source IP addresses.

Interpretation of results

The results of this method can be used to identify IP addresses that communicate with potentially dangerous destinations. This may indicate potentially unwanted software (or an unwanted device), or that the device is being used differently from other devices in the same network.
