Concept of anomalies

April 17, 2024

ID 203019

An anomaly is any deviation of a measured traffic statistic from its normal (nominal) value. An anomaly on its own is not proof of a DDoS attack: the nature of the anomaly must be analyzed before a specific conclusion can be reached.

The System registers many different traffic parameters of the Protected resource and identifies the normal values of these measured parameters. The traffic profile of a Protected resource contains the normal values of specific measured parameters calculated by the System and broken down by wall-clock time (one value for each hour of each day of the week). A profile is calculated from statistical observations. The specific parameters included in a profile are determined by the characteristics of the Protected resource when it is first connected to the System.

The attention levels and alarm levels are determined by taking a traffic profile value and multiplying it by specific coefficients (by default: 1.3 for the attention level and 1.5 for the alarm level).

A high parameter value that exceeds the alarm level is identified as an anomaly for the specific parameter. The System identifies a DDoS attack against a Protected resource based on comparisons with the typical behavior of parameters. An attack is normally identified based on the sum of anomalies for multiple parameters, although some anomalies may be absent in some cases.

An anomaly potentially indicating a DDoS attack is identified when the actual values of a measured parameter in traffic of the Protected resource deviate from the established value of the traffic profile by more than 50% for more than 30 minutes. Email notifications regarding such anomalies can be configured on the Notification management page of the Portal.
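The following is an added illustration of the profile and threshold logic described above; it is not the System's own code. It builds an hour-of-week profile from a history of samples, derives the attention and alarm levels with the default 1.3 and 1.5 coefficients, flags a parameter only when it stays above the alarm level for longer than 30 minutes, and combines anomalies across parameters. The choice of the mean as the profile statistic, the requirement of two simultaneously anomalous parameters for an attack verdict, and all sample data are assumptions made for this example.

```python
"""Hour-of-week traffic profile with attention/alarm levels and sustained-
anomaly detection. Added example, not the System's own code; the mean-per-slot
profile, the two-parameter attack rule and the sample data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

ATTENTION_COEF = 1.3              # default coefficients from the page
ALARM_COEF = 1.5                  # 1.5 = "more than 50% above the profile"
SUSTAIN = timedelta(minutes=30)   # anomaly must persist longer than this


def slot(ts):
    """Profile key: one value per hour of each day of the week (0 = Monday)."""
    return ts.weekday(), ts.hour


def build_profile(samples):
    """Mean per slot over (timestamp, value) history (mean is an assumption)."""
    sums, counts = defaultdict(float), defaultdict(int)
    for ts, v in samples:
        sums[slot(ts)] += v
        counts[slot(ts)] += 1
    return {k: sums[k] / counts[k] for k in sums}


def level(profile, ts, value):
    """Classify one sample as normal / attention / alarm against its slot."""
    if slot(ts) not in profile:   # no profile yet: needs a full week of history
        raise KeyError(f"no profile value for slot {slot(ts)}")
    base = profile[slot(ts)]
    if value > ALARM_COEF * base:
        return "alarm"
    if value > ATTENTION_COEF * base:
        return "attention"
    return "normal"


def anomaly_intervals(profile, observations, sustain=SUSTAIN):
    """(start, end) spans where a parameter stayed above the alarm level for
    longer than `sustain`; shorter spikes are ignored. Input is time-sorted."""
    spans, run_start, run_end = [], None, None
    for ts, v in observations:
        if level(profile, ts, v) == "alarm":
            run_start = ts if run_start is None else run_start
            run_end = ts
            continue
        if run_start is not None and run_end - run_start > sustain:
            spans.append((run_start, run_end))
        run_start = run_end = None
    if run_start is not None and run_end - run_start > sustain:
        spans.append((run_start, run_end))
    return spans


def anomalous_parameters(spans_by_param, ts):
    """Parameters whose anomaly span covers `ts`."""
    return sorted(p for p, spans in spans_by_param.items()
                  if any(s <= ts <= e for s, e in spans))


def attack_suspected(spans_by_param, ts, min_params=2):
    """Attack verdict from anomalies on several parameters at once;
    the threshold of two parameters is an assumption of this example."""
    return len(anomalous_parameters(spans_by_param, ts)) >= min_params


# ---- constructed sample data (not real measurements) ----
def constructed_history(start, days=14, step=timedelta(minutes=5)):
    """Two weeks of 5-minute samples for pps and bps, busier during weekday
    working hours. `start` should be a Monday 00:00 for full slot coverage."""
    pps, bps, ts = [], [], start
    while ts < start + timedelta(days=days):
        busy = ts.weekday() < 5 and 9 <= ts.hour < 18
        pps.append((ts, 2000.0 if busy else 800.0))
        bps.append((ts, 50e6 if busy else 20e6))
        ts += step
    return pps, bps


def constructed_observations(day, base, factor=1.6):
    """One hour of 1-minute samples from 10:00 on `day`: elevated 10:05-10:50
    (45 min, a real anomaly) and 10:55-10:57 (a short blip to be ignored)."""
    return [(day.replace(hour=10, minute=m),
             base * factor if 5 <= m <= 50 or 55 <= m <= 57 else base)
            for m in range(60)]


def demo():
    """Build profiles from the constructed history, score one Monday hour and
    return the anomaly spans and attack verdicts."""
    pps_hist, bps_hist = constructed_history(datetime(2024, 4, 1))  # a Monday
    profiles = {"pps": build_profile(pps_hist), "bps": build_profile(bps_hist)}
    monday = datetime(2024, 4, 15)
    obs = {"pps": constructed_observations(monday, 2000.0),
           "bps": constructed_observations(monday, 50e6)}
    spans = {p: anomaly_intervals(profiles[p], obs[p]) for p in obs}
    return {
        "profile_slots": len(profiles["pps"]),
        "weekday_10h_pps": profiles["pps"][(0, 10)],
        "saturday_10h_pps": profiles["pps"][(5, 10)],
        "levels": [level(profiles["pps"], monday.replace(hour=10), v)
                   for v in (2500.0, 2700.0, 3100.0)],
        "spans": {p: [(a.strftime("%H:%M"), b.strftime("%H:%M")) for a, b in s]
                  for p, s in spans.items()},
        "attack_10_20": attack_suspected(spans, monday.replace(hour=10, minute=20)),
        "attack_10_56": attack_suspected(spans, monday.replace(hour=10, minute=56)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run it and the 45-minute elevation is reported for both parameters while the 3-minute blip at 10:55 is not, so the attack verdict is positive at 10:20 and negative at 10:56. Calling `level()` for a slot the profile does not cover raises, which mirrors the page's point that detection only starts once a full week of history exists.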

The minimum observation period for building a traffic profile is one week; the recommended period is two weeks. The System can begin detecting anomalies and displaying the corresponding information in the Status Monitor only after the traffic profile has been built, which takes at least a week. Protection against attacks, however, can be enabled at any time, including immediately after you connect to the System.

The System automatically recalculates detection profiles at least once per month to keep them up to date.
