
Flowmon ADS User Guide

PEERS - Partners Communication Anomaly

  • Last Updated: May 1, 2026

Method description

This detection method reveals an increased number of unique communication partners. The relevant statistics are kept over a moving window whose length in hours is set by the WindowLength parameter.

Detection is limited to connections with more transferred packets than defined by the PacketsMinCount parameter, and it is based only on requests sent by the monitored devices. Requests with no response can be omitted by setting the IgnoreSNGL parameter. The IP addresses defined by the ExcludeServers filter are excluded from detection. Devices with fewer unique communication partners than defined by the PartnersMinCount parameter are excluded as well.

The average and standard deviation of communication partner statistics are calculated for the sliding window during the detection. If the current number of unique communication partners is higher than the sum of the average and the standard deviation, then the increase rate is calculated. The event is reported if the increase rate is higher than the value of the Threshold parameter.

This method consists of the following submethod:

  • PeersIncrease: Reports significant increases in the number of communication partners of any device in the monitored network.
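
The filtering and threshold logic described above, as an added example over constructed data; it is not Flowmon's own code. The page does not define the increase rate, the standard deviation variant, or the unit of Threshold, so this sketch assumes a relative increase over the window average, the population standard deviation, and a fractional Threshold; the function names and the flow tuple layout are hypothetical.

```python
from collections import deque
from statistics import mean, pstdev

def partner_counts(flows, packets_min_count, ignore_sngl, excluded):
    """Unique partners per source IP for one hour, after the pre-filters."""
    seen = {}
    for src, dst, packets, answered in flows:
        if src in excluded or packets <= packets_min_count:
            continue  # ExcludeServers match, or not more packets than the limit
        if ignore_sngl and not answered:
            continue  # IgnoreSNGL: request without a response
        seen.setdefault(src, set()).add(dst)
    return {src: len(dsts) for src, dsts in seen.items()}

def peers_increase(hourly, window_length, threshold, partners_min_count):
    """Return [(hour_index, increase_rate)] for the hours that would be reported."""
    window = deque(maxlen=window_length)  # moving window of past hourly counts
    events = []
    for hour, current in enumerate(hourly):
        if len(window) == window_length and current >= partners_min_count:
            avg, sd = mean(window), pstdev(window)
            if current > avg + sd:
                # Assumed definition: relative increase over the window average.
                rate = (current - avg) / avg if avg else float("inf")
                if rate > threshold:
                    events.append((hour, round(rate, 2)))
        # Assumption: every hour, anomalous or not, enters the window.
        window.append(current)
    return events

# Constructed sample: hourly unique-partner counts for one workstation.
HOURLY = [10, 12, 11, 9, 13, 12, 14, 60, 11]
# Constructed flows for a single hour: (src, dst, packets, answered)
FLOWS = [
    ("10.0.0.5", "192.0.2.1", 20, True),
    ("10.0.0.5", "192.0.2.2", 1, True),    # too few packets
    ("10.0.0.5", "192.0.2.3", 20, False),  # no response
    ("10.0.0.9", "192.0.2.1", 20, True),   # source is an excluded server
]

if __name__ == "__main__":
    print(partner_counts(FLOWS, 3, True, {"10.0.0.9"}))
    print(peers_increase(HOURLY, 6, 1.0, 20))
```

Lowering PartnersMinCount and Threshold on the same series also reports the small rise at hour 6, which shows how the two parameters suppress alerts for quiet devices and minor fluctuations.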

Method configuration

It is recommended to apply this method only for IP addresses from the monitored network.

Method parameters

  • WindowLength: Number of hours (the length of the moving time window) to store the statistics of the communication peers for single IP addresses in the monitored network.

  • Threshold: Threshold of minimal increase of the number of communication peers compared to the moving window average.

  • ExcludeServers: Name of the filter that specifies IP addresses whose statistics are not evaluated.

  • PartnersMinCount: Threshold of the minimal number of communication peers for a single device.

  • PacketsMinCount: Threshold of the minimal number of packets per flow.

  • IgnoreSNGL: Omission of the requests without responses during the detection.

Assigned filter

Only flows whose source IP address matches the assigned filter will be processed.

Interpretation of results

This method alerts to an increased number of communication partners for a certain IP address. It usually indicates misconfiguration of the device, unexpected software on the device, or the fact that the device is part of malicious activity such as a DDoS attack.
