Flowmon ADS User Guide

BROKENSEN - Broken Sensor

  • Last Updated: April 5, 2026

Method description

This method is intended to monitor active sensors (in environments like IoT or SCADA) that transfer a stable amount of data in regular time periods. The method monitors the following statistics of communication between a pair of devices (usually a sensor and a control station):

  • The amount of bytes per packet

  • The periodicity of the communication

  • The duration of the communication

  • The count of sent packets

The monitoring is performed separately for both directions of communication (requests and responses). The purpose of this method is to detect when the value of any of these statistics changes significantly (the sensitivity of detection can be adjusted by the parameters mentioned below). The principles of the method are based on machine learning. The classifier for a pair of devices stays in a learning state for the time period specified by the LearningDuration parameter, or until the number of flows collected for any direction of communication reaches the value specified by the MinimalCoverage parameter.

This method consists of the following submethods:

  • Bytes: Monitors the average amount of data transmitted between sensors and controllers and reports if this amount was significantly changed for any pair of these devices.

  • Duration: Monitors the average duration of the communication between sensors and controllers and reports if this duration was significantly changed for any pair of these devices.

  • Packets: Monitors the average number of packets transmitted between sensors and controllers and reports if this number was significantly changed for any pair of these devices.

  • Period: Monitors the average periodicity of communication between sensors and controllers (more precisely, how often these devices communicate, for example, every 1 minute) and reports if this periodicity was significantly changed for any pair of these devices.

Method configuration

It is recommended to apply this method only to IP addresses that belong to sensors and control stations. Any other IP addresses in the controlled range would cause a high number of false positives. The right place for traffic monitoring is the central switch.

Method parameters

General

  • IgnoreShorterPeriods: Enables the omission of events caused by transmission after a shorter than trained period. Events are generated only for the increased periodicity of communication.

  • MinimalCoverage: Specifies the number of flows that have to be sent between a pair of devices in any direction to switch from the learning phase to the detection phase for the respective direction. The parameter is used to start the detection phase earlier than after the time specified by the LearningDuration parameter. This parameter is not used if its value is set to 0.

  • ClassifierTolerance: Specifies the number of continuous event updates to reset the trained classifier for the given pair of devices in a respective direction. The classifier is trained again to adapt to the changed network behavior. If the value of this parameter equals 0, the classifier's data is never erased.

  • LearningDuration: Specifies the length of the learning phase (in hours).

Bytes

  • BytesTolerance: Tolerated deviation from the trained classifier for the bytes per packet metric (in percent).

Duration

  • DurationTolerance: Tolerated deviation from the trained classifier for the duration of a communication metric (in percent).

Packets

  • PacketsTolerance: Tolerated deviation from the trained classifier for the number of sent packets (in percent).

Period

  • PeriodTolerance: Tolerated deviation from the trained classifier for the periodicity of communication (in percent).
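How the parameters above interact, as an added example that is not Flowmon code: the page does not describe the product's algorithm, so a plain mean over the learning-phase flows stands in for the trained classifier. The names Params, DirectionClassifier and observe are hypothetical, the default values are constructed, and ClassifierTolerance is assumed to count consecutive flows that raise an event.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class Params:  # parameter names from this page; default values are constructed
    LearningDuration: float = 24.0   # hours
    MinimalCoverage: int = 0         # flows; 0 = not used
    ClassifierTolerance: int = 0     # consecutive events; 0 = never reset
    IgnoreShorterPeriods: bool = False
    BytesTolerance: float = 20.0     # percent
    DurationTolerance: float = 20.0
    PacketsTolerance: float = 20.0
    PeriodTolerance: float = 20.0

class DirectionClassifier:
    """State for one direction of one device pair (assumed mean baseline)."""
    def __init__(self, params):
        self.p = params
        self.reset()

    def reset(self):
        self.samples, self.baseline = [], None
        self.first, self.last, self.streak = None, None, 0

    def observe(self, start, duration, packets, nbytes):
        """Feed one flow (start in seconds); return the deviating submethods."""
        period = None if self.last is None else start - self.last
        self.first = start if self.first is None else self.first
        self.last = start
        stats = {"Bytes": nbytes / packets, "Duration": duration,
                 "Packets": packets, "Period": period}
        if self.baseline is None:  # learning phase: collect, never alert
            self.samples.append(stats)
            covered = 0 < self.p.MinimalCoverage <= len(self.samples)
            timed_out = start - self.first >= self.p.LearningDuration * 3600
            if len(self.samples) >= 2 and (covered or timed_out):
                self.baseline = {k: mean(s[k] for s in self.samples
                                         if s[k] is not None) for k in stats}
            return []
        events = []
        for name, value in stats.items():
            base = self.baseline[name]
            if name == "Period" and self.p.IgnoreShorterPeriods and value < base:
                continue  # earlier-than-trained transmissions are not reported
            if abs(value - base) > getattr(self.p, name + "Tolerance") / 100 * base:
                events.append(name)
        self.streak = self.streak + 1 if events else 0
        if 0 < self.p.ClassifierTolerance <= self.streak:
            self.reset()  # retrain to adapt to the changed behaviour
        return events
```

Create one DirectionClassifier per direction of each sensor and control station pair and call observe() for every flow in that direction.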

Assigned filter

The filter is used for the restriction of source and destination IP addresses. The IP addresses of both devices must be included in the assigned filter.

Interpretation of results

This method alerts you to the wrong behavior of a sensor or a control station. For this method to work properly, you must consider how large and how frequent the deviations from standard behavior caused by a defective sensor can be.