
Flowmon ADS

UPLOAD - Data Upload Anomaly

  • Last Updated: April 5, 2026

Method description

This method monitors the amount of data transferred between currently communicating stations and checks the ratio of data sent from computers in the monitored network to data transferred in the opposite direction. When the user-defined ratio or the absolute threshold is exceeded, an event is generated. The ExcludeServers parameter specifies the name of the filter that defines the IP addresses of the servers that should be excluded from detection, because servers have a greater upload than client stations.

Large data uploads can be detected in two different ways. The first method is based on statistics of all traffic between two devices, so an upload to a server that is also sending other data back cannot be detected. The second method compares each request to the relevant response, so the upload is detected even when a download runs concurrently. However, an upload that uses a large number of small connections may not be detected. The detection mode is set with the Pairwise parameter.

This method consists of the following submethod:

  • General: Reports devices that excessively upload data outside of the allowed network segment.

Method configuration

It is recommended to apply this method to the client stations of the monitored network. The right place for traffic monitoring is the Internet connection line.

Method parameters

  • ExcludeIPs: Name of the filter that defines the IP addresses to which data may be uploaded.

  • AbsoluteThreshold: Threshold for a minimal amount of sent data by a single device (Pairwise disabled) or a single request (Pairwise enabled). If the value of the parameter is equal to 0, the detection based on the absolute threshold is inactive.

  • RelativeThreshold: Threshold for a minimum ratio between the sent and the received data by a single device (Pairwise disabled) or a single request (Pairwise enabled).

  • MinimalThreshold: Minimal amount of sent data by a single device to report the event when AbsoluteThreshold or RelativeThreshold is exceeded.

  • ExcludeServers: Name of the filter that defines the IP addresses of the devices that are allowed to send data.

  • Pairwise: Detection based on individual pairs analysis (request-reply flows) instead of analysis of the transferred data by the whole device.
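
The two detection modes from the method description can be compared on the same traffic with a small model. This is an added example, not Flowmon code: the flow records are constructed, thresholds are assumed to be in bytes, aggregate mode is assumed to sum traffic per device pair, MinimalThreshold is applied to the device's total sent data, and the ExcludeIPs and ExcludeServers filters are not modelled.

```python
from collections import defaultdict

MB = 1_000_000
# Constructed flows: (client, peer, bytes_sent, bytes_received), one request/reply pair each.
FLOWS = [
    # Client .5: a single 200 MB upload next to a 900 MB download from the same server.
    ("10.0.0.5", "203.0.113.10", 200 * MB, 2 * MB),
    ("10.0.0.5", "203.0.113.10", 1 * MB, 900 * MB),
    # Client .6: 500 MB sent as 500 small connections, each with a sizeable reply.
    *[("10.0.0.6", "198.51.100.7", 1 * MB, 400_000)] * 500,
]

def exceeded(sent, received, absolute, relative):
    """Assumed rule: AbsoluteThreshold (0 = inactive) or RelativeThreshold is exceeded."""
    over_absolute = absolute > 0 and sent > absolute
    over_relative = sent > relative * received   # written without division (received may be 0)
    return over_absolute or over_relative

def detect(flows, pairwise, absolute, relative, minimal):
    """Return the client IPs that would be reported under the modelled rules."""
    per_pair = defaultdict(lambda: [0, 0])   # (client, peer) -> [sent, received]
    per_device = defaultdict(int)            # client -> total bytes sent
    for client, peer, sent, received in flows:
        per_pair[(client, peer)][0] += sent
        per_pair[(client, peer)][1] += received
        per_device[client] += sent
    if pairwise:   # judge every request against its own response
        units = [(c, s, r) for c, _, s, r in flows]
    else:          # judge the summed traffic between the two devices
        units = [(c, s, r) for (c, _), (s, r) in per_pair.items()]
    return {c for c, s, r in units
            if per_device[c] >= minimal and exceeded(s, r, absolute, relative)}

def compare(absolute=300 * MB, relative=5, minimal=10 * MB):
    """Run both modes over the constructed flows with the same thresholds."""
    return {
        "aggregate": detect(FLOWS, False, absolute, relative, minimal),
        "pairwise": detect(FLOWS, True, absolute, relative, minimal),
    }

if __name__ == "__main__":
    for mode, hosts in compare().items():
        print(mode, sorted(hosts))
```

With these thresholds, aggregate mode reports only 10.0.0.6 (total sent exceeds the absolute threshold) and pairwise mode reports only 10.0.0.5 (one request exceeds the ratio), which is the coverage difference to weigh when choosing the Pairwise setting.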

Assigned filter

The filter is used for restricting source IP addresses.

Interpretation of results

This method reports the stations from which a file was uploaded, which may indicate an attempt at sensitive data theft.
