Managing dimensions

The Plixer ML Engine’s feature dimension list defines the protocols and ports to be observed on the network assets defined by its inclusion/exclusion rules. These dimensions are used by the engine to build its behavior models, which are used to report asset behavior insights, as well as deliver anomaly and threat alerts via the Plixer Scrutinizer alarm monitor.

Dimensions are managed from the Admin > Alarm Monitor > ML Dimensions view of the Plixer Scrutinizer web interface.

Dimension configuration

An ML dimension is defined by the following parameters:

  • Inclusion/asset type the dimension applies to (host/subnet or exporter interface)

  • Template field to use for grouping (sourceipaddress or destinationipaddress, host/subnet dimensions only)

  • Aggregation method to use (octetdeltacount or packetdeltacount)

  • Traffic port used

Note

A feature dimension is only observed for traffic associated with the type of inclusion (host/subnet or exporter interface) it was defined for.

Dimensions can be configured to apply to all traffic matching the definition or only to internal traffic matching it. They can also be disabled and re-enabled as necessary.
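To make the four parameters concrete, here is a small added model (not Plixer's code) of how a dimension selects flow records and aggregates them per asset. It assumes the traffic port is matched against the flow's destination port, that "internal only" means both endpoints fall in constructed internal ranges, and it uses constructed flow records with the IPFIX field names the page refers to.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed internal ranges standing in for the engine's inclusion rules (assumption).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
GROUP_FIELDS = ("sourceipaddress", "destinationipaddress")
AGGREGATE_FIELDS = ("octetdeltacount", "packetdeltacount")

def is_internal(addr: str) -> bool:
    return any(ip_address(addr) in net for net in INTERNAL_NETS)

@dataclass(frozen=True)
class Dimension:
    """One ML dimension: the parameters listed above plus its scope and enabled flags."""
    name: str
    group_by: str                # template field: sourceipaddress or destinationipaddress
    aggregate: str               # aggregation method: octetdeltacount or packetdeltacount
    port: int                    # traffic port observed (assumed here to be the destination port)
    internal_only: bool = False  # True: count only flows with both endpoints internal
    enabled: bool = True

    def __post_init__(self) -> None:
        if self.group_by not in GROUP_FIELDS or self.aggregate not in AGGREGATE_FIELDS:
            raise ValueError(f"invalid dimension definition: {self.name}")

def observe(dim: Dimension, flows: list[dict]) -> dict[str, int]:
    """Aggregate matching flows per asset: the per-dimension series a behavior model learns from."""
    if not dim.enabled:
        return {}
    totals: dict[str, int] = defaultdict(int)
    for f in flows:
        if f["destinationtransportport"] != dim.port:
            continue
        if dim.internal_only and not (is_internal(f["sourceipaddress"]) and is_internal(f["destinationipaddress"])):
            continue
        totals[f[dim.group_by]] += f[dim.aggregate]
    return dict(totals)

def flow(src, dst, port, octets, packets):  # constructed record using IPFIX field names
    return {"sourceipaddress": src, "destinationipaddress": dst, "destinationtransportport": port,
            "octetdeltacount": octets, "packetdeltacount": packets}

FLOWS = [flow("10.0.0.5", "10.0.0.10", 88, 1200, 4), flow("10.0.0.5", "10.0.0.10", 88, 800, 2),
         flow("10.0.0.7", "203.0.113.9", 88, 500, 1), flow("10.0.0.5", "10.0.0.10", 445, 9000, 30),
         flow("192.168.1.2", "10.0.0.10", 445, 4000, 10)]
KERBEROS = Dimension("kerberos_servers", "destinationipaddress", "octetdeltacount", 88)
KERBEROS_INTERNAL = Dimension("kerberos_internal", "destinationipaddress", "octetdeltacount", 88, internal_only=True)
SMB_CLIENTS = Dimension("smb_clients", "sourceipaddress", "packetdeltacount", 445)

if __name__ == "__main__":
    print(observe(KERBEROS, FLOWS), observe(SMB_CLIENTS, FLOWS))
```

The internal-only variant drops the flow to 203.0.113.9, and a disabled dimension yields nothing, which is what the model stops learning from when a dimension is switched off.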

Recommendations

Once deployed, the Plixer ML Engine defaults to Plixer’s recommended dimension definitions, which are based on the traffic in typical enterprise environments.

These default definitions should be reviewed and, if necessary, additional dimensions should be defined to monitor critical network services that are most often the target of attacks, such as:

  • Authentication - Kerberos, NTLM

  • Domain services - LDAP, DNS, DHCP

  • File sharing services - SMB, NFS, CIFS

  • Remote connectivity - SSH, Telnet, RDP, VNC, FTP

  • Email protocols - SMTP, POP3

  • Network control messaging - ICMP

  • Application protocols - HTTP, HTTPS

  • Others - DB services, third-party APIs (especially those that connect to the Internet)