Limitations of Flowmon ADS with packet level sampling
- Last Updated: May 27, 2026
Flowmon ADS uses multiple detection methods to identify network anomalies. Packet level sampling affects the accuracy of some detection methods but not others. While sampling-sensitive methods continue to work, they may produce more false positive or false negative results.
Methods resistant to packet sampling:
ANOMALY – this method predicts network behavior in various parameters (amount of data, number of active hosts, etc.) based on current and historical network behavior. It continues to work when packet sampling is in place, as it is based on statistical algorithms.
SCANS – this method is focused on various types of port scans based on TCP flags. Packet sampling does not affect it, as scans at the backbone level are massive and the method's sensitivity can be adjusted to the packet sampling level.
BLACKLIST – this method leverages knowledge of worldwide known botnet command and control centers, attackers and other malicious IP addresses to identify infected devices or suspicious communication. It is possible to provide your own blacklist to customize the detection. Sampling is not an issue and the results of this method are reliable.
TELNET – this method is focused on finding too many telnet (tcp/23) connections. Packet level sampling is not an issue, as the sensitivity of this method can be adjusted.
OUTSPAM – this method is focused on detection of unexpected mail traffic, usually related to SPAM. A dynamic baseline is in place and deviations from that baseline are reported.
L3ANOMALY, HONEYPOT – these methods detect communication of IP addresses that should not appear in the monitored network, or communication towards IPs that are not in use, e.g. IPs to which no DNS records point. Packet sampling is not an issue for the results of these methods.
HIGHTRNSF, MULTICAST – detection of high volumes of transferred data or of connections towards multicast IP addresses. Packet level sampling is not an issue, as the sensitivity of these methods can be adjusted.
Methods with limited usability when packet sampling is in place:
SSHDICT, RDPDICT, HTTPDICT – these methods are focused on attacks against authentication on websites or on the SSH and RDP services. All three methods are based on decision trees that inspect each and every single flow and expect accurate data.
SIP – the methods focused on SIP (SIPSCAN, SIPFLOOD, SIPROXY) can be used only with data generated by Flowmon Probes, as VoIP-related information is missing from traditional flow statistics.
DOS, REFLECTDOS – both methods focus on specific DDoS attacks that are usually undetectable by a traditional volumetric approach. For detection of volumetric attacks, please use the alerting feature in Flowmon Monitoring Center, where absolute or relative thresholds can be used.
DNSANOM, DNSQUERY, ICMPANOM – these methods are focused on various anomalies in DNS and ICMP traffic; packet sampling usually makes their results inaccurate.
SRVNA – this method is focused on detection of unavailable network services. It needs to see both directions of the network traffic, so its results are usually inaccurate when packet sampling is in place.
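The following added example (not Flowmon code) models why a statistical, volume-based method such as ANOMALY survives 1:N packet sampling while a per-flow method such as SSHDICT does not. The flow records, the systematic sampler and the "short login-sized flows" heuristic are all constructed assumptions standing in for the real ADS decision trees.

```python
"""Toy model of how 1:N packet sampling distorts flow records (constructed data)."""
from collections import Counter
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    packets: int
    bytes: int


def sample_flows(flows, n):
    """Deterministic 1:n sampling: keep every n-th packet seen on the wire.
    A flow none of whose packets are picked produces no record at all, and a
    surviving record only carries the packets/bytes that were actually sampled."""
    out, seen = [], 0
    for f in flows:
        kept = sum(1 for k in range(seen, seen + f.packets) if k % n == 0)
        seen += f.packets
        if kept:
            out.append(replace(f, packets=kept, bytes=kept * (f.bytes // f.packets)))
    return out


def bytes_to_host(flows, dst, n=1):
    """Volumetric view (ANOMALY-like): scale sampled counters back up by n."""
    return n * sum(f.bytes for f in flows if f.dst == dst)


def dict_attack_sources(flows, dport=22, min_pkts=10, max_pkts=40, min_flows=20):
    """Assumed per-flow heuristic (SSHDICT-like): many short, login-sized
    flows to one port from a single source. It needs true per-flow packet counts."""
    c = Counter(f.src for f in flows
                if f.dport == dport and min_pkts <= f.packets <= max_pkts)
    return {src for src, k in c.items() if k >= min_flows}


# Constructed traffic: one bulk HTTPS transfer plus 50 SSH login attempts to one server.
SERVER = "10.0.0.5"
TRAFFIC = [Flow("10.0.1.9", SERVER, 443, 100_000, 150_000_000)] + \
          [Flow("203.0.113.7", SERVER, 22, 20, 3_000) for _ in range(50)]

if __name__ == "__main__":
    sampled = sample_flows(TRAFFIC, 100)
    print("records:", len(TRAFFIC), "->", len(sampled))              # 51 -> 11
    print("bytes:", bytes_to_host(TRAFFIC, SERVER),
          "est:", bytes_to_host(sampled, SERVER, 100))               # both 150150000
    print("dict attack:", dict_attack_sources(TRAFFIC),
          "sampled:", dict_attack_sources(sampled))                  # found -> missed
```

With 1:100 sampling, 40 of the 50 login flows vanish and the surviving ten carry a single packet each, so the per-flow heuristic no longer matches, while the scaled byte total for the server is still exact.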