Detecting anomalies and deviations

Continuously monitor for traffic anomalies, or traffic deviations that exceed configured thresholds, using dynamic ML-modeled baselines.

Workflow

Machine learning allows Scrutinizer to alert users to anomalous traffic utilization patterns typically associated with security incidents.

Note

This workflow requires the Plixer ML Engine for predictive modeling. Contact Plixer Technical Support to learn more about licensing options.

All incoming flow data is compared against these baseline models to proactively flag potentially malicious activity and report findings in real time.

From there, the next steps are to set up reports and use them to generate forecasts.

Start by identifying which areas of the network (devices and interfaces) carry the majority of the traffic, and what that traffic should look like:
  • What types of traffic would you expect to see: VoIP, HTTP, SQL?

  • Business application traffic such as Salesforce, AWS, or Azure

  • DNS requests to dedicated DNS servers on the network

Now consider traffic that may be anomalous:
  • Does Remote Desktop Protocol make sense on this network? Is there a business use case for RDP?

  • Should there be SSH traffic to critical hosts?

Based on the above considerations, create and run one or more reports that isolate traffic for the services, hosts, or device groups most likely to be involved in malicious activity. Once saved, these reports can be used to forecast expected traffic patterns and highlight deviations (for example, an anomalous upward trend in outbound ICMP on the WAN interfaces of edge devices) that can then be analyzed to identify threats.

The next step is to configure alerts for this behavior, or for any other traffic deviation that exceeds the user-defined thresholds set on the report(s).

Tip

Plixer Scrutinizer’s Alarm Policies can be assigned custom Notification Profiles. To add one or more notification actions for all report thresholds, create a Notification Profile and assign it to the Report Threshold Violation policy.