
Flowmon ADS User Guide

GEODIST - Peers Geographical Distribution Anomaly

  • Last Updated: April 5, 2026

Method description

This detection method finds anomalies in the geographical distribution of communication partners. The distribution is expressed as an entropy value. An event is generated if the current entropy exceeds the average entropy for the respective time window plus the configured multiple of the standard deviation. The method only takes into account communication partners to which at least the amount of data given by the MinimalTransfer parameter has been sent.

This method consists of the following submethod:

  • EnthropyChange: Reports significant changes in the geographical distribution of communication partners that individual devices in the monitored network communicate with.

Method configuration

It is recommended to apply this method only to the IP addresses of clients in your network. The right place for traffic monitoring is the Internet connection line.

Method parameters

  • MinimalTransfer: Minimum amount of data sent to one communication peer within 5 minutes.

  • WindowLength: Length of moving time window in hours.

  • Increase: Multiple of the standard deviation added to the average entropy to compute the threshold value.

  • ExcludeCountries: Selection of ignored countries.
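The following Python sketch shows how the four parameters interact in the threshold test described above. It is an added example, not Flowmon's implementation: the function and class names are hypothetical, and it assumes Shannon entropy in bits over per-country peer counts, a population standard deviation, 12 five-minute slots per hour of WindowLength, and a short warm-up (min_history) before any event is raised.

```python
import math
from collections import Counter, deque
from statistics import mean, pstdev

def geo_entropy(peers, minimal_transfer, exclude_countries=()):
    """Shannon entropy (bits) of peer countries in one 5-minute slot.
    peers: iterable of (peer_ip, country_code, bytes_sent)."""
    counts = Counter(cc for _ip, cc, sent in peers
                     if sent >= minimal_transfer and cc not in exclude_countries)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(n / total * math.log2(n / total) for n in counts.values())

class EntropyChangeDetector:
    """Assumed model: threshold = mean + Increase * stddev over the window."""
    def __init__(self, window_length, increase, minimal_transfer,
                 exclude_countries=(), min_history=6):
        self.history = deque(maxlen=window_length * 12)  # 12 slots per hour
        self.increase = increase
        self.minimal_transfer = minimal_transfer
        self.exclude = frozenset(exclude_countries)
        self.min_history = min_history  # assumption: warm-up before alerting

    def observe(self, peers):
        """Return (entropy, threshold or None, event flag) for one slot."""
        h = geo_entropy(peers, self.minimal_transfer, self.exclude)
        threshold, event = None, False
        if len(self.history) >= self.min_history:
            threshold = mean(self.history) + self.increase * pstdev(self.history)
            event = h > threshold
        self.history.append(h)
        return h, threshold, event

def demo():
    # Constructed sample data: one client's peers per slot (documentation IPs).
    slot_a = [("192.0.2.1", "CZ", 9000), ("192.0.2.2", "CZ", 7000),
              ("192.0.2.3", "CZ", 5000), ("198.51.100.1", "DE", 6000),
              ("203.0.113.9", "BR", 40)]  # below MinimalTransfer, ignored
    slot_b = [("192.0.2.1", "CZ", 9000), ("192.0.2.2", "CZ", 7000),
              ("198.51.100.1", "DE", 6000), ("198.51.100.2", "DE", 8000)]
    spread = [(f"203.0.113.{i}", cc, 5000) for i, cc in
              enumerate(["CZ", "DE", "BR", "VN", "IN", "US", "TR", "ID"])]
    det = EntropyChangeDetector(window_length=1, increase=3, minimal_transfer=1000)
    baseline = [det.observe(s) for s in [slot_a, slot_b] * 3]
    return baseline, det.observe(spread)

if __name__ == "__main__":
    print(demo()[1])
```

In the constructed data the client normally talks to peers in two countries, so a slot with eight equally weighted countries lands well above the threshold, while the 40-byte peer never enters the calculation.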

Assigned filter

The filter is used for restricting source IP addresses.

Interpretation of the results

This detection method highlights a change in the geographical distribution of communication partners. This may indicate a malware infection or the presence of a botnet.
