
Flowmon ADS User Guide

ANOMALY - Behavior anomaly

  • Last Updated: April 5, 2026

Method description

The automatic anomaly detection system provided by the Flowmon ADS application works on the principle of prediction from short-term historical data. Statistics describing the network behavior are predicted for the whole monitored segment. If the current value deviates from the predicted value by more than the configured threshold, the device most likely responsible for the deviation is identified and an event is generated.

The details of the event always contain:

  • The predicted value of the relevant statistic

  • Its current value

  • Its current value computed only for the responsible device, and

  • The percentage increase for this device since the previous five-minute interval of the flow data

The automatic anomaly detection system evaluates these statistics:

  • Transferred data

  • Transferred packets

  • Established connections

  • Communication peers

  • Devices connected to the monitored network

  • Number of requests

  • Number of replies

  • Number of unsuccessful requests

  • Amount of the TCP traffic

  • Amount of the UDP traffic

  • Amount of traffic over other protocols

  • Total count of services

  • Number of provided services

  • Number of used services

  • The ratio between the unsuccessful connections and the whole traffic

The ANOMALY method used for automatic anomaly detection must have a filter assigned that defines the monitored segment. Two parameters defining the sensitivity of the classifier can be set.

The first parameter is the length of the moving window (WindowLengthNet). This defines the maximum age of data used to predict the current value. The longer the window, the more slowly the prediction adapts to gradual changes in traffic, so in general the classifier becomes more sensitive.

The second parameter is the threshold value for event detection (NetworkThreshold). This value defines how much bigger the current value must be than the predicted value to generate the event. For example, if the predicted value is 100, and the value of this parameter is 2, then the current value has to be bigger than 300 (= 100 + (2 × 100)) to generate the event. This parameter can be set to two decimal places. The lower the respective value, the higher the sensitivity of the classifier.

This method consists of the following sub-methods:

  • SentPackets: Reports an increase in the number of packets that were sent by the devices in the monitored network segment.

  • ReceivedPackets: Reports an increase in the number of packets that were received by the devices in the monitored network segment.

  • SentBytes: Reports an increase in the amount of data that was sent by the devices in the monitored network segment.

  • ReceivedBytes: Reports an increase in the amount of data that was received by the devices in the monitored network segment.

  • SentFlows: Reports an increased number of outgoing flows which represent communication from clients or servers in the monitored network.

  • ReceivedFlows: Reports an increased number of incoming flows which represent communication received by clients or servers in the monitored network.

  • Peers: Reports an excessive increase in the number of communication partners that devices in the monitored network communicate with.

  • ActiveDevices: Reports an excessive increase in the number of actively communicating devices in the monitored network segment.

  • Requests: Reports an increased number of outgoing flows which represent communication initiated by clients in the monitored network.

  • Responses: Reports an increased number of incoming flows which represent communication received by servers in the monitored network.

  • CountUnpaired: Reports an increase in the number of flows without response in the monitored network segment.

  • TCPFlow: Reports an increase in TCP protocol usage represented by the increased number of TCP flows in the monitored network segment.

  • UDPFlow: Reports an increase in UDP protocol usage represented by the increased number of UDP flows in the monitored network segment.

  • OtherFlow: Reports an increase in the use of protocols other than TCP or UDP (typically ICMP, ARP, SCTP, and so on), represented by an increased number of flows of those protocols in the monitored network segment.

  • PercentUnpaired: Monitors the percentage of flows without response in the network traffic and reports if this percentage is extensively increased.

  • ProvidedServices: Monitors the number of services provided by devices in the monitored network and reports if their number is excessively increased.

  • UsedServices: Monitors the number of services used by devices in the monitored network and reports if their number is excessively increased.

Method parameters

  • WindowLengthNet: Number of hours (the length of the moving time window) to collect the statistics for monitored traffic.

  • NetworkThreshold: The coefficient intended for computing the dynamic threshold. The threshold is evaluated as a sum of the predicted value and the multiplication of this value and the coefficient. The computation of the predicted value is based on stored statistics.

  • IgnoreInternal: If the parameter is set to yes, the statistics for the detection method are computed only from flows in which exactly one endpoint (either the source or the destination IP address) matches the assigned filter. Communication between two addresses that are both inside the filter (internal traffic) is ignored.
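The following is an added illustration of how the sensitivity parameters above (WindowLengthNet, NetworkThreshold, IgnoreInternal) and the assigned-filter rule combine for one sub-method, SentBytes. It is not Flowmon code and does not reproduce the ADS predictor: the guide does not state how the predicted value is computed, so this model assumes the mean of the five-minute values inside the window. The flow records, the 10.0.0.0/24 filter and the per-interval history are constructed sample data.

```python
"""Toy model of the ANOMALY method's thresholding for SentBytes.

Added example, not Flowmon code. Assumptions (not taken from the guide):
  - the prediction is the mean of the five-minute values inside the
    WindowLengthNet window;
  - the assigned filter is a single IPv4 network;
  - the "responsible device" is the monitored address with the largest
    contribution to the current value.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean

INTERVAL_MINUTES = 5  # flow data is evaluated per five-minute interval


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    octets: int


def in_scope(flow, net, ignore_internal):
    """Assigned-filter rule: a flow is processed only if its source or its
    destination is inside the filter. With IgnoreInternal=yes, flows whose
    endpoints are both inside (internal traffic) are dropped as well."""
    src_in = ip_address(flow.src) in net
    dst_in = ip_address(flow.dst) in net
    if ignore_internal:
        return src_in != dst_in  # exactly one endpoint matches
    return src_in or dst_in


def sent_bytes_per_device(flows, net, ignore_internal):
    """SentBytes contribution per monitored device: octets of in-scope flows
    it sent (flows received by the device belong to ReceivedBytes)."""
    per_device = Counter()
    for f in flows:
        if in_scope(f, net, ignore_internal) and ip_address(f.src) in net:
            per_device[f.src] += f.octets
    return per_device


def predict(history, window_length_net):
    """ASSUMED predictor: mean of the most recent WindowLengthNet hours
    of five-minute values (oldest first in `history`)."""
    intervals = window_length_net * 60 // INTERVAL_MINUTES
    return mean(history[-intervals:])


def dynamic_threshold(predicted, network_threshold):
    """Threshold = predicted + NetworkThreshold * predicted,
    i.e. predicted 100 and NetworkThreshold 2 give 300."""
    return predicted + network_threshold * predicted


def evaluate(history, previous_flows, current_flows, net,
             window_length_net, network_threshold, ignore_internal=False):
    """Return the event details the guide lists, or None when no event fires."""
    current = sent_bytes_per_device(current_flows, net, ignore_internal)
    previous = sent_bytes_per_device(previous_flows, net, ignore_internal)
    current_total = sum(current.values())
    predicted = predict(history, window_length_net)
    if current_total <= dynamic_threshold(predicted, network_threshold):
        return None
    device, device_value = current.most_common(1)[0]
    prev_value = previous.get(device, 0)
    # percentage increase for the responsible device since the last interval;
    # a device that was silent last interval has no finite ratio
    increase = ((device_value - prev_value) / prev_value * 100
                if prev_value else float("inf"))
    return {
        "predicted": predicted,
        "current": current_total,
        "device": device,
        "device_current": device_value,
        "device_increase_pct": round(increase, 1),
    }


# --- constructed sample data -------------------------------------------------
NET = ip_network("10.0.0.0/24")
# two hours of five-minute SentBytes totals; the older hour was much quieter
HISTORY = [20_000] * 12 + [95_000, 105_000, 100_000] * 4
PREVIOUS = [
    Flow("10.0.0.5", "8.8.8.8", 50_000),
    Flow("10.0.0.7", "1.1.1.1", 50_000),
    Flow("10.0.0.5", "10.0.0.9", 20_000),   # internal: dropped if IgnoreInternal
]
CURRENT = [
    Flow("10.0.0.5", "8.8.8.8", 300_000),  # 10.0.0.5 suddenly sends 6x more
    Flow("10.0.0.7", "1.1.1.1", 50_000),
    Flow("10.0.0.5", "10.0.0.9", 20_000),
    Flow("8.8.8.8", "10.0.0.5", 5_000),     # received, not part of SentBytes
]

if __name__ == "__main__":
    print(evaluate(HISTORY, PREVIOUS, CURRENT, NET, 1, 2.0))
    print(evaluate(HISTORY, PREVIOUS, CURRENT, NET, 1, 2.0, ignore_internal=True))
```

Running it with WindowLengthNet=1 predicts 100 000 octets from the last hour, so NetworkThreshold=2.0 fires at 300 000 and the current 370 000 generates an event attributed to 10.0.0.5. Widening the window to two hours pulls the quiet older hour into the prediction (60 000), which lowers the threshold and makes the classifier fire more readily, the behaviour the parameter description above warns about. With IgnoreInternal=yes the internal 10.0.0.5 to 10.0.0.9 flow is excluded from both intervals, so the reported per-device increase changes even though the same device is blamed.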

Assigned filter

Only flows whose source or destination IP address matches the assigned filter will be processed.
