Anomalous outbound traffic

Goal

Looks for an unusually large spike in outbound network traffic. Such a burst, if not caused by a surge in business activity, can be due to suspicious or malicious activity: large-scale data exfiltration may produce a burst of network traffic, as may unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge.

Description

This detection is based on a deep learning model that predicts the amount of outbound traffic expected in a time interval and compares that prediction with the observed value.

If the deviation is large enough it will produce an alert.

Characteristics

Name
Anomalous outbound traffic

Data involved

Firewall outbound traffic, regardless of whether it was allowed, denied…

Alert Generation

It produces an alert if the observed amount of outbound traffic in a time interval deviates strongly from the amount the model predicted for that interval.

Raw outputs of the model

A float value containing the model's estimate of outbound traffic for the current time interval.
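The comparison and alert step described above, as an added example that is not part of this page or its model. The deep learning forecaster is replaced by a simple moving-average baseline (an assumption made so the example runs stand-alone), the 5-minute interval length and the relative-deviation threshold are assumed parameters, and the firewall records are constructed sample data.

```python
from collections import defaultdict
from statistics import mean

INTERVAL_SECONDS = 300  # assumed interval length (5-minute buckets)

# Constructed sample firewall records: (epoch_seconds, direction, action, bytes).
# Outbound traffic is counted whether the firewall allowed or denied it.
SAMPLE_LOGS = [
    (0, "out", "allow", 120_000), (60, "out", "deny", 4_000), (200, "in", "allow", 900_000),
    (300, "out", "allow", 130_000), (400, "out", "deny", 2_500),
    (600, "out", "allow", 125_000), (700, "out", "allow", 3_000),
    (900, "out", "allow", 128_000), (1000, "in", "allow", 50_000),
    (1200, "out", "allow", 2_400_000), (1300, "out", "deny", 600_000),  # constructed burst
]


def outbound_bytes_per_interval(records, interval=INTERVAL_SECONDS):
    """Sum outbound bytes per time interval, ignoring the allow/deny verdict."""
    buckets = defaultdict(int)
    for ts, direction, _action, nbytes in records:
        if direction == "out":
            buckets[ts // interval] += nbytes
    return [buckets[i] for i in range(max(buckets) + 1)] if buckets else []


def predict_next(history):
    """Stand-in for the deep learning forecaster (assumption): mean of past intervals."""
    return mean(history)


def check_interval(history, observed, threshold=0.5):
    """Compare the observed traffic with the prediction for the interval.

    Returns (predicted, relative_deviation, alert). The alert fires only on a
    positive deviation (a spike); the 50% threshold is an assumed parameter.
    """
    predicted = predict_next(history)
    if predicted == 0:
        deviation = float("inf") if observed else 0.0
    else:
        deviation = (observed - predicted) / predicted
    return predicted, deviation, deviation > threshold


def run_detection(records):
    """Walk the interval series and collect (interval, predicted, observed, deviation) alerts."""
    series = outbound_bytes_per_interval(records)
    alerts = []
    for i in range(1, len(series)):
        predicted, deviation, alert = check_interval(series[:i], series[i])
        if alert:
            alerts.append((i, predicted, series[i], round(deviation, 2)))
    return alerts
```

On the sample data the first four intervals stay within a few percent of the prediction, and only the constructed burst in the fifth interval raises an alert.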
