ML Configuration
Use the ML Configuration page to view and edit the machine learning baseline features used for traffic anomaly detection, and to check the status of the baseline training.
Key concepts
- Baseline Status: Baselining means the baseline training is still in progress.
- Baseline ready: means the baseline training is done and the baseline is ready for anomaly detection.
The following features are enabled by default: Device IP, Device MAC, Transport Layer Protocol, Application Layer Protocol, Protocol or Application Behaviors or Action, Session Packet Size and Source Port Number. We do not recommend editing these features unless you have a strong understanding of what they do.
ML Configuration contains the following settings:

Device Info

| Feature | Description |
| --- | --- |
| Device IP | Destination device IP |
| Device MAC Address | Destination device MAC address |
| Source Device IP | Source device IP |
| Device Model | Device model such as FortiGate, Workstation, iDRAC, etc. |
| Device Geo Country | Device geographical country such as United States |
| Device Category | Device category such as NAS, Virtual Machine, Firewall, etc. |
| Device Vendor | Device vendor such as VMware, Dell, Synology, etc. |
| Device OS | Device operating system such as Windows, Linux, etc. |

Protocol and Application behavior

| Feature | Description |
| --- | --- |
| Transport Layer Protocol | UDP, ICMP, TCP, etc. |
| Application Layer Protocol | TLS, HTTP, SMB, etc. |
| Protocol or Application Behaviors or Action | Specific application actions such as Adobe Reader form creation, WebDAV reload, Wasabi file upload, etc. |
| Application Type | IE, Office, MySQL, P2P, SCADA, etc. |

Others

| Feature | Description |
| --- | --- |
| Session Packet Size | Packet size is categorized into three groups: less than 100 bytes is small, 100000 bytes or more is large, and anything in between is medium. |
| Source Port Number | Port number such as 22, 445, a non-reserved port, etc. |
| TLS Version | The TLS version, if TLS is being used |
| Vulnerability Type | Traffic session vulnerability type such as Anomaly, DoS, SQL Injection, Malware, etc. |
Typically, building a traffic baseline takes a week. If changes are made to the settings, a new baseline is trained and replaces the existing baseline used for detection. The re-training process takes approximately three or more days, depending on the volume of traffic already in the database. The old baseline remains in effect during re-training, and you will not be able to disable ML detection during that time.