OTCLANOM - OT Clustering Anomaly
- Last Updated: May 1, 2026
Method description
This is a behavioral anomaly detection method that characterizes normal behavior with a statistical model for Operational Technology (SCADA, IoT and ICS systems). It uses the K-Means clustering algorithm to model traffic as a collection of clusters. Each new flow is then compared against the identified clusters of normal flows and classified either as normal or as unknown.
This method consists of the following submethods:
- Modbus: Reports anomalous communication between devices that communicate using the Modbus protocol.
- DNP3: Reports anomalous communication between devices that communicate using the DNP3 protocol.
- IEC104: Reports anomalous communication between devices that communicate using the IEC 104 protocol.
- GOOSE: Reports anomalous communication between devices that communicate using the GOOSE protocol.
Method configuration
Note that this method should not be used for monitoring standard computer network traffic, only Operational Technology (OT) traffic. It also requires an OT data feed with specific flow fields (see the Data Feeds page for more information). When a new device is added to the network, the method instance should be restarted so that its models are retrained. If the method produces a large number of detections, increase the Tolerance parameter value. The correct place for traffic monitoring is the central switch.
Method parameters
- LearningDuration: Duration of the learning period in hours. During this period, the method instance generates no events. The default value is 24 hours.
- Tolerance: Sensitivity of detection defined by a floating-point number between 1.0 and 10.0. Its value affects the number of reported events. A higher value means higher tolerance of the method and therefore fewer events.
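The following is an added, self-contained illustration of the idea behind the method description and the two parameters above; it is not Flowmon's code. It learns K-Means clusters from constructed "normal" Modbus flows, then classifies new flows as normal or unknown depending on how far they fall from the nearest learned cluster, scaled by a Tolerance value. The feature vector (function code, packets, bytes per packet), the z-score scaling, the cluster-radius threshold rule and all sample flows are assumptions made for this example; the real OT flow fields and thresholds are not described on this page.

```python
"""Cluster-based OT flow anomaly detection, constructed example (not Flowmon's implementation)."""
import math
import random


def make_learning_flows(seed=7):
    """Constructed 'normal' Modbus traffic observed during the learning period.

    Assumed feature vector: (function_code, packets, bytes_per_packet).
    Two normal behaviours: periodic register reads (FC 3) and occasional writes (FC 16).
    """
    rng = random.Random(seed)
    flows = []
    for _ in range(40):  # HMI polling a PLC with Read Holding Registers
        flows.append((3.0, float(rng.randint(2, 4)), float(rng.randint(60, 70))))
    for _ in range(10):  # occasional Write Multiple Registers
        flows.append((16.0, float(rng.randint(2, 3)), float(rng.randint(80, 100))))
    return flows


def fit_scaler(flows):
    """Per-feature mean and standard deviation, so no single feature dominates distances."""
    dims = len(flows[0])
    means = [sum(f[d] for f in flows) / len(flows) for d in range(dims)]
    stds = [math.sqrt(sum((f[d] - means[d]) ** 2 for f in flows) / len(flows)) or 1.0
            for d in range(dims)]
    return means, stds


def scale(flow, scaler):
    means, stds = scaler
    return tuple((x - m) / s for x, m, s in zip(flow, means, stds))


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k, iters=100):
    """Lloyd's K-Means with deterministic farthest-point initialisation."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist(p, c) for c in centroids)))
    dims = len(points[0])
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for p in points:
            groups[min(range(k), key=lambda i: dist(p, centroids[i]))].append(p)
        new = [tuple(sum(p[d] for p in g) / len(g) for d in range(dims)) if g else centroids[i]
               for i, g in enumerate(groups)]
        if new == centroids:
            break
        centroids = new
    return centroids, groups


class OTClusterModel:
    """Normal behaviour = K clusters of learning-period flows; Tolerance stretches their radius."""

    def __init__(self, k=2, tolerance=2.0):
        self.k, self.tolerance = k, tolerance

    def learn(self, flows):
        self.scaler = fit_scaler(flows)
        points = [scale(f, self.scaler) for f in flows]
        self.centroids, groups = kmeans(points, self.k)
        # Cluster radius = farthest member; a small floor avoids a zero radius for a
        # perfectly uniform cluster, which would flag every tiny deviation.
        self.radii = [max((dist(p, c) for p in g), default=0.0) or 0.05
                      for c, g in zip(self.centroids, groups)]

    def classify(self, flow):
        p = scale(flow, self.scaler)
        i = min(range(len(self.centroids)), key=lambda j: dist(p, self.centroids[j]))
        within = dist(p, self.centroids[i]) <= self.tolerance * self.radii[i]
        return "normal" if within else "unknown"


def build_model(tolerance):
    model = OTClusterModel(k=2, tolerance=tolerance)
    model.learn(make_learning_flows())
    return model


def count_unknown(model, flows):
    return sum(1 for f in flows if model.classify(f) == "unknown")


if __name__ == "__main__":
    m = build_model(2.0)
    for f in [(3.0, 3.0, 65.0), (3.0, 500.0, 65.0), (43.0, 2.0, 64.0)]:
        print(f, "->", m.classify(f))
```

Raising Tolerance widens every cluster: a flow with an unseen function code that is flagged at tolerance 2.0 is accepted at 10.0, which is why a high value suppresses detections. The same mechanism explains the caveat about the learning period: any nonstandard flow present in the learning set becomes part of a cluster and is treated as normal from then on.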
Assigned filter
The filter is used for restricting source IP addresses.
Interpretation of results
The event may be caused by adding a new device that communicates using one of the supported protocols to the network, or it may indicate a malfunctioning or misconfigured device. Also, if nonstandard flows are processed during the method's learning period, they become part of the model of normal behavior, so similar nonstandard flows may go undetected in the future.