FA algorithms¶
Plixer Scrutinizer’s library of FA algorithms is continuously being updated to maximize reporting accuracy and support all manner of of NetOps/SecOps usage scenarios.
Because not all Exporter flows will benefit from or be supported by the same algorithms, certain FA algorithms may need to be reconfigured or enabled/disabled from the Flow Analytics configuration/settings menus under the web interface’s Admin section.
The following table lists all available FA algorithms, along with their functions and recommended applications:
| Algorithm | Function | Recommended Flow Sources | Notes |
|---|---|---|---|
| Baselining Flow Data | Calculates “baseline” network performance values based on historical data and generates an Alarm when current activity shows deviation from expected patterns | Internal/core routers, edge routers, and public IP addresses defined in IP Groups | Only supports NetFlow or IPFIX entities |
| Bogon Traffic | Generates an Alarm if traffic to or from an unallocated public IP space is detected | Edge routers and public IP addresses defined in IP Groups | |
| BotNet Detection | Generates an Alarm when the number of failed unique DNS name lookups targeting the same IP address exceeds the configured threshold | Plixer FlowPro Defender | Requires Plixer FlowPro Defender |
| Breach Attempt Detection | Generates an Alarm when behavior that may indicate a brute force password attack on an internal IP address is detected | Internal/core routers, edge routers, and public IP addresses defined in IP Groups | |
| DDoS Detection | Generates an Alarm when a Distributed Denial of Service (DDoS) attack targeting the protected network space is identified | Edge routers and public IP addresses defined in IP Groups | |
| Denied Flows Firewall | Generates an Alarm when the number of denied flows from an internal to an external IP address exceeds the configured threshold | Internal/core routers | |
| DNS Command and Control Detection | Monitors DNS TXT communications at the network perimeter and generates an Alarm when either the volume or size of messages exceeds the configured thresholds | Plixer FlowPro Defender | Requires Plixer FlowPro Defender |
| DNS Data Leak Detection | Monitors DNS lookup messages that may contain encoded data and generates an Alarm when the volume or size of messages with suspicious DNS names exceeds the configured thresholds | Plixer FlowPro Defender | Requires Plixer FlowPro Defender |
| DNS Hits | Generates an Alarm when a host initiates an excessive number of DNS queries | Internal/core routers | |
| DNS Server Detection | Monitors packet exchanges between clients and servers and generates an Alarm when a new DNS server is detected on the network | Internal/core routers, edge routers, and public IP addresses defined in IP Groups | Requires Plixer FlowPro Defender |
| Domain Reputation | Monitors the network for traffic from new domains and generates an Alarm when a suspicious domain (based on a list maintained by Plixer) is detected | Plixer FlowPro Defender | Requires Plixer FlowPro Defender |
| DRDoS Detection | Generates an Alarm when a Distributed Reflection Denial of Service attack targeting the protected network space is identified | Edge routers and public IP addresses defined in IP Groups | |
| FIN Scan | Generates an Alarm when a FIN scan is detected | Internal/core routers and edge routers | |
| Flow Reports Thresholds | Monitors the network for behavior exceeding any thresholds configured in saved Reports | Internal/core routers, edge routers, and public IP addresses defined in IP Groups | |
| Host Indexing | Maintains an index of hosts seen on the network that includes additional details, such as conversation direction, throughput, and source (Exporter) | Internal/core routers, edge routers, and public IP addresses defined in IP Groups | |
| Host Reputation | Maintains a list of active, non-whitelisted Tor nodes for monitoring | Edge routers and public IP addresses defined in IP Groups | |
| Host Watchlist | Monitors IP addresses to identify hosts violating a user-defined blacklist | Edge routers and public IP addresses defined in IP Groups | |
| ICMP Destination Unreachable | Generates an Alarm when a large number of ICMP Destination Unreachable messages are sent to a suspect IP address | Internal/core routers | |
| ICMP Port Unreachable | Generates an Alarm when a large number of ICMP Port Unreachable messages are sent to a suspect IP address | Internal/core routers | |
| Incident Correlation | Escalates and consolidates multiple Indicator of Compromise (IOC) Events for a single host as a new Alarm | Internal/core routers, edge routers, and public IP addresses defined in IP Groups | |
| IP Address Violators | Generates an Alarm when a flow containing a non-authorized IP address as the source or destination is received | Internal/core routers, edge routers, and public IP addresses defined in IP Groups | Requires authorized subnets to be defined |
| JA3 Fingerprinting | Checks TLS handshake data against a list of known signatures and generates an Alarm when software sending encrypted traffic is identified | Plixer FlowPro Defender | Requires Plixer FlowPro Defender |
| Large Ping | Generates an Alarm when an unusually large ICMP Echo Request (ping) is observed | Internal/core routers, edge routers, and public IP addresses defined in IP Groups | |
| Medianet Jitter Violations | Generates an Alarm when jitter values reported by a Medianet flow exceed the configured threshold | Internal/core routers, edge routers, and public IP addresses defined in IP Groups | |
| Multicast Violations | Generates an Alarm when multicast traffic volume exceeds the configured threshold | Internal/core routers, edge routers, and public IP addresses defined in IP Groups | |
| NetFlow Domain Reputation | Generates an Alarm when a DNS lookup from a blacklisted IP is reported via NetFlow | Internal/core routers, edge routers, and public IP addresses defined in IP Groups | Blacklist is maintained on nba.plixer.com but cached locally |
| NULL Scan | Generates an Alarm when a NULL scan is detected | Internal/core routers and edge routers | |
| Odd TCP Flags Scan | Generates an Alarm when a scan using unusual TCP flag combinations is detected | Internal/core routers and edge routers | |
| P2P Detection | Monitors flows for P2P traffic and generates an Alarm when a session whose number of hosts exceeds the configured threshold is observed | Internal/core routers and edge routers | |
| Packet Flood | Generates an Alarm when a packet flood is detected | Internal/core routers, edge routers, and public IP addresses defined in IP Groups | |
| Persistent Flow Risk | Generates an Alarm when a persistent flow is detected | Internal/core routers and edge routers | |
| Persistent Flow Risk - ASA | Generates an Alarm when a persistent flow matching a specified 5-tuple is detected | Internal/core routers and edge routers | |
| Ping Flood | Generates an Alarm when a ping flood is detected | Internal/core routers, edge routers, and public IP addresses defined in IP Groups | |
| Ping Scan | Generates an Alarm when a host suspected of performing a ping scan is observed | Internal/core routers, edge routers, and public IP addresses defined in IP Groups | |
| Protocol Misdirection | Generates an Alarm when traffic not matching the port being used is detected | Internal/core routers, edge routers, and public IP addresses defined in IP Groups | |
| Reverse SSH Shell | Generates an Alarm when potential reverse SSH tunnels to external destinations are detected | Internal/core routers, edge routers, and public IP addresses defined in IP Groups | |
| RST/AK Detection | Generates an Alarm when the system observes a large number of TCP flows containing only RST and ACK flags being sent to the same destination | Internal/core routers and edge routers | |
| Slow Port Scan | Generates an Alarm when the system observes a large number of ports on the same host being probed | Internal/core routers, edge routers, and public IP addresses defined in IP Groups | |
| Source Equals Destination | Generates an Alarm when traffic with the same host and destination is observed | Internal/core routers, edge routers, and public IP addresses defined in IP Groups | |
| SYN Scan | Generates an Alarm when a SYN scan is detected | Internal/core routers and edge routers | |
| TCP Scan | Generates an Alarm when a potential TCP scan is detected from an Exporter that does not provide TCP flag information | Internal/core routers and edge routers | |
| Top Applications | Monitors application traffic across all flows from configured Exporters | Internal/core routers, edge routers, and public IP addresses defined in IP Groups | |
| Top Autonomous Systems | Monitors traffic to and from autonomous systems across all flows from configured Exporters | Internal/core routers, edge routers, and public IP addresses defined in IP Groups | |
| Top Countries | Monitors traffic by country across all flows from configured Exporters | Internal/core routers, edge routers, and public IP addresses defined in IP Groups | |
| Top Hosts | Monitors traffic by host across all flows from configured Exporters | Internal/core routers, edge routers, and public IP addresses defined in IP Groups | |
| Top IP Groups | Monitors traffic by IP Group across all flows from configured Exporters | Internal/core routers, edge routers, and public IP addresses defined in IP Groups | Requires at least one IP Group to be defined |
| Top Network Transports | Monitors traffic by transport layer protocol across all flows from configured Exporters and can generate an Alarm when unapproved protocols are observed | Internal/core routers, edge routers, and public IP addresses defined in IP Groups | |
| UDP Scan | Generates an Alarm when a potential UDP scan is detected | Internal/core routers and edge routers | |
| Worm Attack | Generated an Alarm when behavior indicating a potential worm is observed from a host | Internal/core routers, edge routers, and public IP addresses defined in IP Groups | |
| Worm Propagation | Generates an Alarm when successful worm replication across hosts is detected | Internal/core routers, edge routers, and public IP addresses defined in IP Groups | |
| XMAS Scan | Generates an Alarm when an XMAS scan is detected | Internal/core routers and edge routers |
Important
Because Alarm-generating algorithms will only be triggered when the target is an internal address, public IP addresses must be defined as part of an IP Group for them to be considered part of the protected network. For internal-to-internal and internal-to-external monitoring, algorithms should be enabled on core routers. For monitoring public assets, algorithms should be enabled on the edge routers of the relevant IP Groups.