BPATTERNS - Flow-based Behavior Patterns
- Last Updated: April 5, 2026
Method description
This detection method is designed to unveil current threats such as zero-day vulnerabilities. The behavior patterns are distributed from the services.flowmon.com server. Downloading and applying these patterns is only allowed for appliances with active Standard or Extended support. The list of the behavior patterns (including timestamps of the last modification) is downloaded from the server every hour. A single behavior pattern is downloaded only if there is a newer version on the server.
Detection of each behavior pattern can be deactivated using the relevant configuration parameters. Some patterns provide additional configuration parameters for setting the detection.
Every behavior pattern is considered to be one submethod of this detection method. It is also possible to create user-defined behavior patterns (see Custom Patterns for more information). In this case, the name of the submethod always consists of the prefix "USER_" followed by the name of the Custom Pattern as defined by the user.
Method configuration
It is recommended to apply this method to the whole communication of IP addresses in the monitored network. To update the behavior patterns correctly, you must not block communication from the Flowmon appliance to port 443 (HTTPS, standard secured web traffic) on the services.flowmon.com server.
Method parameters
- Activation: Sets the status (active/inactive) for newly added patterns.
Other parameters of this detection method are relevant to particular behavior patterns that are downloaded from services.flowmon.com. These parameters may vary over time.
Assigned filter
Restriction for source or destination IP addresses (this can differ based on a given behavior pattern).
Interpretation of results
This method uses the behavior pattern database; the interpretation of each pattern can differ.