
Flowmon ADS User Guide

DIVCOM - Target Hosts/Ports Anomaly

  • Last Updated: April 5, 2026

Method description

A method for detecting devices that exhibit a great diversity of communication. The method computes a communication factor for each IP address as the product of the number of unique destination addresses and the number of unique destination ports. If the defined tolerance limit (the value of the CommunicationFactor option) is reached, the corresponding event is generated. The ExcludeServers parameter specifies the name of a filter that defines the IP addresses of servers that should be excluded from detection, because servers have a higher diversity of communication than client stations.

This method consists of the following submethod:

  • VariousCommunication: Reports devices with numerous communication partners and numerous used services.

Method configuration

It is recommended to apply this method to IP addresses from your network, or to all addresses when monitoring publicly available server farms. The right place for traffic monitoring is the central switch and the Internet connection line.

Method parameters

  • CommunicationFactor: The threshold for the communication factor, that is, the number of communication partners multiplied by the number of destination ports to which the given IP address communicates.

  • ExcludeServers: The name of the filter that defines the IP addresses for which the communication factor is not computed during the detection (especially for servers).
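The computation described in the method description and parameters above, as an added example (not Flowmon's own code). Assumptions: the constructed flow tuples are treated as one evaluation window, the threshold of 40 is a sample value, and ExcludeServers is modeled as a list of CIDR networks rather than a named filter.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows: (source IP, destination IP, destination port).
SAMPLE_FLOWS = (
    # Client reaching 10 hosts on 5 ports each -> factor 10 * 5 = 50
    [("10.0.0.5", f"192.0.2.{h}", p) for h in range(1, 11) for p in (22, 80, 443, 445, 3389)]
    # Ordinary client: 2 hosts, 2 ports -> factor 4
    + [("10.0.0.7", "192.0.2.10", 443), ("10.0.0.7", "192.0.2.11", 443),
       ("10.0.0.7", "192.0.2.11", 53)]
    # SNMP monitoring station polling 60 hosts on one port -> factor 60
    + [("10.0.0.2", f"198.51.100.{h}", 161) for h in range(1, 61)]
    # Server talking to 8 hosts on 5 ports -> factor 40
    + [("10.0.0.9", f"203.0.113.{h}", p) for h in range(1, 9) for p in (25, 80, 443, 587, 993)]
)


def communication_factors(flows, exclude_servers=()):
    """Return {source IP: unique destination addresses * unique destination ports}."""
    excluded = [ip_network(n) for n in exclude_servers]
    dst_ips, dst_ports = defaultdict(set), defaultdict(set)
    for src, dst, port in flows:
        if any(ip_address(src) in net for net in excluded):
            continue  # ExcludeServers: no factor is computed for these sources
        dst_ips[src].add(dst)
        dst_ports[src].add(port)
    return {src: len(dst_ips[src]) * len(dst_ports[src]) for src in dst_ips}


def detect(flows, communication_factor, exclude_servers=()):
    """Return (source, factor) pairs whose factor reaches the threshold, highest first."""
    factors = communication_factors(flows, exclude_servers)
    hits = [(src, f) for src, f in factors.items() if f >= communication_factor]
    return sorted(hits, key=lambda item: -item[1])


if __name__ == "__main__":
    for src, factor in detect(SAMPLE_FLOWS, communication_factor=40,
                              exclude_servers=["10.0.0.9/32"]):
        print(f"VariousCommunication: {src} communication factor {factor}")
```

The monitoring station at 10.0.0.2 is reported even though it uses a single port, because the factor is a product and a large partner count alone can reach the threshold.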

Assigned filter

The filter is used for restricting the source IP addresses.

Interpretation of results

This method is capable of detecting devices that scan ports, devices attacked by spyware, infected devices, or misconfigured devices. The events generated by this method may also indicate P2P communication. Typical false positives include devices that perform SNMP monitoring, such as Zabbix.
