Auto Thresholding
Writing your own detection model? We are here to help.
For help using auto thresholding, or any detection model questions, chat with Netography's Detection Engineers in the #fusion-detections channel in Netography's Discord community, or send your question to Support. See: ✋ Need More Help?.
See Detection Model Configuration and Detection Model Quick Reference Guide for additional Detection Model configuration details. To add a new detection model, see Adding a Detection Model.
Auto Thresholding Overview
Auto thresholding utilizes machine learning to set the threshold values for triggering an event for a detection model based on deviations from normal traffic behaviors observed during the learning phase. The learning period starts when a detection model with auto thresholds is enabled, and once sufficient traffic is collected, the model adjusts threshold values. Depending on the configuration of the detection model, auto thresholds can generate threshold values dynamically for Low, Medium, and High severity levels.
Auto Thresholding generates threshold values for each Track By aggregation. These thresholds are generated based on the configuration of the four required options described below. The data used to create Auto Thresholds comes from the network traffic that matches a Traffic Match NQL Search and is then aggregated by the Track By fields configuration.
At a minimum, Auto Thresholding generates global averages and threshold values. The threshold values replace statically configured thresholds in detection models. The thresholds generated by Auto Thresholding override static values that apply to specific periods configured through the Cadence setting (see below).
In addition to the global averages and threshold values, Threshold Overrides are generated for Track By aggregates whose average is at least 10% greater than the global average. If Auto Thresholding did not periodically generate these overrides, then Auto Thresholds would become another type of static threshold.
Detection models set thresholds to predetermined values unless Auto Thresholding is enabled. For example, with a threshold of sum(bits) > 50 and a Rollup Period of 300 seconds, the bits values in each aggregation are summed, and if the sum over the previous 300 seconds is greater than 50, an event is generated. Auto Thresholding generates values that replace the 50 in the Threshold sum(bits) > 50 for all traffic evaluated by the detection model. For Track By aggregates whose calculated baseline is at least 10% greater than the global average, Track By overrides are also generated for those Track By values.
The Threshold overrides generated by Auto Thresholding correspond to what is specified for each Severity in a Detection Model. If a Detection Model specifies only a Medium severity Threshold, Auto Thresholding will only generate Threshold overrides for the Medium Threshold configuration.
Enabling Auto Thresholding
Auto Thresholding is enabled for individual detection models. To enable, set Auto Thresholding to Enabled in the Detection Model configuration.
Auto Thresholds and multiple Track By fields
Auto Thresholds generate baselines for each Track By field, and the more Track By fields added, the more values that need to be tracked for Auto Thresholding (i.e. higher cardinality). If the cardinality is too high, you will exceed the resource limits in Fusion for auto thresholds, and your detection model will fail to generate baselines.
Consult Netography's Detection Engineers for assistance when creating a Detection Model using Auto Thresholds with multiple Track By Fields. See: ✋ Need More Help?.
Auto Thresholding Values
Auto Thresholding determines two types of thresholds:
- Threshold Overrides - dynamic thresholds for specific trackby values
- Default Thresholds - used in cases where no threshold override has been calculated for a specific trackby value
Auto Thresholding Severity
The thresholds generated by Auto Thresholding relate to the Severity of a detection model as follows:
| Severity | Standard deviations from the threshold value |
|---|---|
| Low | 1 |
| Medium | 2 |
| High | 3 |
Auto Thresholding Confidence Score
When auto thresholding is enabled, the Confidence Score for events is set automatically, rather than using the value set manually in the Detection Model configuration. As more historical data is accumulated for a given Detection Model, the confidence score will increase towards 100.
Auto Thresholding Configuration
Strategy
Strategy is used to determine the Default Threshold value. The Default Threshold is set to either:
- max - the maximum of values that have been calculated for the different trackbys
- average - the average of the values calculated for the different trackbys
Cadence
Cadence defines the time frame to which a Threshold Override produced by Auto Thresholding applies.
- Daily - Produces threshold overrides for a specific hour (e.g. 12:00 to 13:00 every day). This is the most common configuration and should be used for most detection models.
- Weekly - Produces threshold overrides for a specific hour on a specific day of the week (e.g. 02:00 to 03:00 every Sunday).
- Monthly - Produces threshold overrides for a specific hour on a specific day of the month (e.g. 02:00 to 03:00 on the 3rd day of each month).
Learning Window
Learning Window defines the period, in hours, over which values are aggregated for Track By aggregations. Auto Thresholding aggregates values across the Learning Window to determine a Threshold. This is similar to how the Rollup Period determines if an event should trigger from a detection model. Usually, the learning window should be set to 1 hour, and the rollup period should be configured to 3600 seconds (1 hour). The Rollup Period can be lowered for more granularity, and the Learning Window can be set to between 1 and 24 hours to provide a smoother average.
The Learning Window includes a period of -1/+1 hours from the configured value.
Lookback
Lookback determines how many previous days are used to aggregate data for Auto thresholding to generate Threshold overrides. The recommended value is your Fusion retention period.
Advanced Auto Thresholding Options
Advanced Auto Thresholding Options provide additional controls for configuring Detection Models to use Auto Thresholding.
Force Override
When Auto Thresholding is enabled for a Detection Model, the default configuration generates Threshold overrides only for Track By aggregates that are at least 10% greater than the baseline.
- Disabled (default) - Overrides are created for Track By aggregates at least 10% greater than the baseline
- Enabled - Overrides are created for Track By aggregates at least 10% greater OR 10% lower than the baseline. This should only be enabled for detection models where values lower than the baseline are intended to trigger events, or else it will create false positives.
Sigma Values
As shown in the Auto Thresholding Severity table above, the default numbers of standard deviations used to produce Low, Medium, and High Threshold overrides are 1, 2, and 3, respectively. Changing these values allows one to create a Detection Model configuration where Auto Thresholding generates Threshold Overrides for the related Severities at higher or lower Sigma values (standard deviations from the baseline).
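To make the interaction between the options above concrete, here is an added example (not Netography's or Fusion's code) that models the behaviour described in the Overview, Severity, Strategy, Cadence, Lookback and Force Override sections: per-Track-By baselines are built from history in one Cadence bucket, candidate thresholds sit 1/2/3 standard deviations above each baseline, Strategy picks the Default Threshold, and overrides are emitted only for Track By values at least 10% above the global average (or also 10% below when Force Override is on). The function names, the 8-day constructed history of hourly sum(bits) rollups, and the choice to take sigma over the samples in the bucket are assumptions; the page does not state how Fusion computes its statistics, and the Learning Window smoothing is not modelled.

```python
# Added example (not Netography's code): a small model of how auto thresholding
# turns per-Track-By history into Low/Medium/High thresholds and overrides.
# Function names and the sample data below are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

SIGMA = {"Low": 1, "Medium": 2, "High": 3}  # default sigma values from the Severity table
OVERRIDE_MARGIN = 0.10                      # Track By baseline must differ from global by 10%


def cadence_key(ts: datetime, cadence: str) -> tuple:
    """Bucket a timestamp the way each Cadence setting does (hour granularity)."""
    if cadence == "Daily":
        return (ts.hour,)
    if cadence == "Weekly":
        return (ts.weekday(), ts.hour)
    if cadence == "Monthly":
        return (ts.day, ts.hour)
    raise ValueError(f"unknown cadence {cadence!r}")


@dataclass
class Thresholds:
    default: dict    # severity -> threshold used when a Track By value has no override
    overrides: dict  # trackby -> {severity: threshold}


def build_thresholds(samples, bucket, cadence="Daily", strategy="max",
                     force_override=False, lookback_days=8, now=None, sigma=SIGMA):
    """samples: list of (timestamp, trackby, value) rollups; returns Thresholds for one bucket."""
    samples = list(samples)
    now = now or max(ts for ts, _, _ in samples)
    cutoff = now - timedelta(days=lookback_days)          # Lookback: ignore older history
    per_tb = {}
    for ts, tb, v in samples:
        if ts >= cutoff and cadence_key(ts, cadence) == bucket:
            per_tb.setdefault(tb, []).append(v)
    if not per_tb:
        raise ValueError("no history for this bucket; learning is not complete")
    baselines = {tb: (mean(vs), pstdev(vs)) for tb, vs in per_tb.items()}
    global_avg = mean(m for m, _ in baselines.values())
    # Candidate thresholds per Track By value: baseline + k standard deviations
    cand = {tb: {sev: m + k * s for sev, k in sigma.items()} for tb, (m, s) in baselines.items()}
    # Strategy decides the Default Threshold: max or average of the per-Track-By values
    agg = max if strategy == "max" else mean
    default = {sev: agg(c[sev] for c in cand.values()) for sev in sigma}
    overrides = {}
    for tb, (m, _) in baselines.items():
        above = m >= global_avg * (1 + OVERRIDE_MARGIN)
        below = force_override and m <= global_avg * (1 - OVERRIDE_MARGIN)
        if above or below:
            overrides[tb] = cand[tb]
    return Thresholds(default, overrides)


def evaluate(th: Thresholds, trackby: str, observed: float):
    """Highest severity whose threshold the rollup value exceeds, or None."""
    table = th.overrides.get(trackby, th.default)
    for sev in ("High", "Medium", "Low"):   # checked from highest down
        if observed > table[sev]:
            return sev
    return None


def constructed_history(days=8):
    """Constructed hourly sum(bits) rollups for three Track By values (source IPs).

    Each host has a flat daytime level with alternating +/- jitter, so the
    hour-12 bucket has an exact mean and standard deviation."""
    start = datetime(2024, 1, 1)
    hosts = {"10.0.0.1": (100, 10), "10.0.0.2": (200, 20), "10.0.0.3": (30, 3)}
    out = []
    for d in range(days):
        for h in range(24):
            ts = start + timedelta(days=d, hours=h)
            for tb, (base, jitter) in hosts.items():
                level = base if 9 <= h < 18 else base // 2   # quieter outside business hours
                out.append((ts, tb, level + (jitter if d % 2 else -jitter)))
    return out


if __name__ == "__main__":
    hist = constructed_history()
    th = build_thresholds(hist, bucket=(12,), strategy="max")
    print("default:", th.default)
    print("overrides:", th.overrides)
    print("10.0.0.2 @ 250 ->", evaluate(th, "10.0.0.2", 250))
```

Running it shows why the options matter: with Strategy max the Default Threshold is pulled up to the busiest host, so a quieter host without an override (10.0.0.1) never fires at values that would be three sigma above its own baseline, while Strategy average lowers the default; enabling Force Override gives the lowest-volume host (10.0.0.3) its own override, which is exactly the case where events fire on values that are normal for every other host.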