Powered by Zoomin Software. For more details please contactZoomin

Flowmon ADS User Guide

Table of Contents

OTPAANOM - OT Probabilistic Automata Anomaly

Save PDF
Save selected topicSave selected topic and subtopicsSave all topics
Share
Share to emailCopy topic URL
Print
  • Last Updated: May 1, 2026
  • 2 minute read
    • Flowmon Products
    • Flowmon Anomaly Detection System
    • Documentation

Method description

This is a detection method of behavioral anomalies, based on characterizing normal behavior using a statistical model for Operational Technologies (SCADA, IoT and ICS systems). This particular method uses Probabilistic Automata to create and train traffic models. Based on learned communication patterns, it is possible to classify the sequence of new flow either as normal or unknown. This method also collects flows for BatchDuration, then it creates a new automaton that is compared with the trained model.

This method consists of the following submethod:

  • IEC104: Reports anomalous communication between devices that communicate using the IEC 104 protocol.

Method configuration

Note that this method should not be used for monitoring of standard computer network traffic, only on Operational Technologies (OT). It also requires an OT data feed with specific flow fields (see the Data Feeds page for more information). When a new device is added to the network, the method instance should be restarted to retrain its model. If there is a large number of detections, it is advised to increase the ModelTolerance or Threshold parameter value. If the ModelTolerance parameter is changed, the method instance must be retrained for it to take effect. The correct place for traffic monitoring is the central switch.

Method parameters

  • LearningDuration: Duration of the learning period in hours. During this period, the method instance generates no events. The default value is 24 hours.

  • ModelTolerance: Defines how detailed the trained model should be. A lower value of this parameter will result in a more detailed model of the network communication that may produce a higher number of events afterwards. A higher value will result in a more general model that may produce a lower number of events. It is defined as an integer between 1 and 100. The default value is 20.

  • Threshold: A threshold for detection. A higher value of this parameter will result in a lower number of events. It is a floating-point number between 1.0 and 10.0. The default value is 5.0.

  • BatchDuration: Defines the time period for which the network data is collected before comparison with the trained model. It is possible to choose the following values: 5 minutes, 10 minutes, 15 minutes, or up to 30 minutes. The default value is 5 minutes.

Assigned filter

The filter is used for restricting source IP addresses.

Interpretation of results

The event may be caused by adding a new device that communicates using the IEC 104 protocol to the network or it may indicate a malfunctioned or misconfigured device. Also, if nonstandard flows are processed during the method's learning period, similar nonstandard flows may go undetected in the future.

TitleResults for “How to create a CRG?”Also Available inAlert