OTSMANOM - OT Statistical Models Anomaly
- Last Updated: May 1, 2026
Method description
This is a behavior anomaly detection method that characterizes normal behavior with a statistical model, intended for Operational Technologies (SCADA, IoT and ICS systems). The method uses statistical models to classify sequences of new flows as either normal or anomalous, and it builds a separate model for each monitored device in the network. For devices that communicate using the IEC 104 protocol, you must set the MonitoredMasters parameter, which specifies the devices to be monitored for potential anomalies.
This method consists of the following submethods:
- IEC104: Reports anomalous communication between devices that communicate using the IEC 104 protocol.
- GOOSE: Reports anomalous communication between devices that communicate using the GOOSE protocol.
Method configuration
Note that this method should not be used for monitoring standard computer network traffic, only Operational Technologies (OT). It also requires an OT data feed with specific flow fields (see the Data Feeds page for more information). When a new device is added to the network, the method instance should be restarted so that its models are retrained. The correct place for traffic monitoring is the central switch.
Method parameters
- LearningDuration: Duration of the learning period in hours. During this period, the method instance generates no events. The default value is 24 hours.
- Tolerance: Sensitivity of detection. Its value affects the number of reported events. A higher value means higher tolerance of the method and therefore fewer events.
- MeanCount: The number of values that are averaged before being included in the statistical model. A larger value of this parameter helps mitigate the negative impact of extreme values.
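The following is an added example, not Flowmon's implementation, illustrating how the three parameters above and the MonitoredMasters filter from the method description interact in a per-device statistical model. The scoring rule (a z-score of each averaged batch against the device's learned baseline, with Tolerance as the threshold) and the single flow feature `bytes_per_sec` are assumptions chosen for illustration; the device names and traffic values are constructed.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class DeviceModel:
    """Per-device baseline built from averaged batches of MeanCount values (assumed z-score model)."""
    mean_count: int                         # MeanCount: values averaged before entering the model
    tolerance: float                        # Tolerance: z-score threshold; higher means fewer events
    pending: List[float] = field(default_factory=list)
    baseline: List[float] = field(default_factory=list)

    def _take_batch(self) -> Optional[float]:
        # Average a full batch; a single extreme value is damped by the averaging
        if len(self.pending) < self.mean_count:
            return None
        avg = mean(self.pending)
        self.pending.clear()
        return avg

    def learn(self, value: float) -> None:
        self.pending.append(value)
        avg = self._take_batch()
        if avg is not None:
            self.baseline.append(avg)

    def score(self, value: float) -> Optional[float]:
        """Z-score of the next completed batch against the baseline; None if not ready."""
        self.pending.append(value)
        avg = self._take_batch()
        if avg is None or len(self.baseline) < 2:
            return None
        spread = pstdev(self.baseline) or 1e-9   # avoid division by zero on a flat baseline
        return abs(avg - mean(self.baseline)) / spread


@dataclass
class Flow:
    ts_hours: float       # hours since monitoring started
    device: str           # monitored device identifier (constructed)
    protocol: str         # "IEC104" or "GOOSE"
    bytes_per_sec: float  # single numeric flow feature used by this toy model (assumption)


class OtAnomalyDetector:
    """One DeviceModel per device; no events during LearningDuration; MonitoredMasters applies to IEC104."""

    def __init__(self, learning_duration: float = 24.0, tolerance: float = 3.0,
                 mean_count: int = 3, monitored_masters: Optional[Set[str]] = None):
        self.learning_duration = learning_duration
        self.tolerance = tolerance
        self.mean_count = mean_count
        self.monitored_masters = monitored_masters
        self.models: Dict[str, DeviceModel] = {}
        self.events: List[Tuple[str, float, float]] = []   # (device, ts_hours, z-score)

    def process(self, flow: Flow) -> Optional[bool]:
        """None while learning or mid-batch, otherwise whether the completed batch is anomalous."""
        if (flow.protocol == "IEC104" and self.monitored_masters is not None
                and flow.device not in self.monitored_masters):
            return None   # IEC 104 device not listed in MonitoredMasters: ignored
        model = self.models.setdefault(flow.device, DeviceModel(self.mean_count, self.tolerance))
        if flow.ts_hours < self.learning_duration:
            model.learn(flow.bytes_per_sec)   # learning period: the model only learns
            return None
        z = model.score(flow.bytes_per_sec)
        if z is None:
            return None
        anomalous = z > self.tolerance
        if anomalous:
            self.events.append((flow.device, flow.ts_hours, round(z, 1)))
        return anomalous


def run_demo() -> List[Tuple[str, float, float]]:
    """Constructed scenario: learn 24 h of master-1 traffic, then see a normal batch and a spike."""
    det = OtAnomalyDetector(learning_duration=24.0, tolerance=3.0, mean_count=3,
                            monitored_masters={"master-1"})
    # Learning traffic (constructed): four batches of three values averaging 100, 105, 95, 100
    learning = [95, 100, 105, 100, 105, 110, 90, 95, 100, 95, 100, 105]
    for i, v in enumerate(learning):
        det.process(Flow(ts_hours=i * 1.5, device="master-1", protocol="IEC104", bytes_per_sec=v))
    # Post-learning traffic (constructed): a normal batch, then a batch containing a large spike
    after = [100, 102, 98, 100, 100, 5000]
    for i, v in enumerate(after):
        det.process(Flow(ts_hours=24.0 + i, device="master-1", protocol="IEC104", bytes_per_sec=v))
    # master-2 is not in MonitoredMasters, so its traffic never reaches a model
    det.process(Flow(ts_hours=30.0, device="master-2", protocol="IEC104", bytes_per_sec=9999))
    return det.events
```

In the demo only the batch ending at hour 29 (the one holding the 5000 value) produces an event; the first post-learning batch averages exactly the baseline mean and scores zero. Raising MeanCount spreads a single extreme reading over a larger batch, which is the mitigating effect the parameter description refers to, and raising Tolerance lifts the threshold so fewer batches are reported.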
Assigned filter
The filter is used for restricting source IP addresses.
Interpretation of results
The event may be caused by adding a new device that communicates using the IEC 104 or GOOSE protocol to the network, or it may indicate a malfunctioning or misconfigured device. Also, if nonstandard flows are processed during the method's learning period, similar nonstandard flows may go undetected in the future.