Introduction to NTA Auto-learning Function


DDoS attack alerting relies on alert thresholds. A threshold that is set too high may result in false negatives, while one that is set too low may lead to a high number of false positives, so it is crucial to establish appropriate thresholds. NTA can automatically learn, record, and analyze network traffic from the IP group and generate suitable thresholds for detecting various DDoS attacks. NTA determines an upper limit for the traffic by learning the traffic patterns over a certain period and uses it as the threshold for attack alerts. This process is known as traffic auto-learning.

Generally, traffic auto-learning is performed in three steps:

Auto-learning start -> Alert thresholds generate -> Apply to IP group. 

The configuration procedure is as follows:

Auto-learning start

1. Access the Configuration -> Objects -> Regions page by clicking the icon in the Operation column.


2. Click Start Learning for a specific attack type. Alternatively, click Bulk Learn to start learning for all attack types.


Alert thresholds generate

1. Configure basic settings in the dialog box.

(1) Apply immediately: indicates that baseline thresholds are applied for DDoS attack detection immediately after traffic auto-learning is completed.

(2) Not apply: indicates that fixed thresholds are still used after traffic auto-learning is completed. In this case, a manual operation is required to make the baseline thresholds take effect.


2. Click OK to start learning. The figure below shows that learning is in progress.


3. Apply the threshold

(1) If Apply immediately is selected in step 2, the corresponding status is shown on the Threshold Configuration page.


(2) If Not apply is selected in step 2, click Apply from the drop-down menu of Operation. Then, the learning result is applied for attack detection.


Question:

Q: Can NTA detection work normally while thresholds are being learned?

A: Yes. During the learning process, a fixed threshold can be configured, and NTA will use this fixed value to detect traffic. The status icon indicates that the fixed thresholds are used.
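
A minimal model of the learn, generate and apply workflow described above, including the fixed-threshold fallback from the Q&A. It is an added example, not NSFOCUS code: the 99th-percentile upper limit, the 1.5x headroom and all names are assumptions, because the page does not say how NTA computes the baseline.

```python
# Added illustration of threshold auto-learning; not NSFOCUS NTA code.
import math
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ThresholdLearner:
    """One attack type for one IP group; all rates are packets per second."""
    fixed_pps: float                # fixed threshold, used until a baseline is applied
    window: int                     # samples in the learning period (assumed unit)
    apply_immediately: bool = True  # the dialog's "Apply immediately" / "Not apply"
    percentile: int = 99            # assumption: upper limit = 99th percentile
    headroom: float = 1.5           # assumption: margin above the learned limit
    samples: list = field(default_factory=list)
    baseline_pps: Optional[float] = None
    applied: bool = False

    def active_threshold(self) -> float:
        return self.baseline_pps if self.applied else self.fixed_pps

    def observe(self, pps: float) -> bool:
        alert = pps > self.active_threshold()  # detection keeps running while learning
        if self.baseline_pps is None:
            self.samples.append(pps)
            if len(self.samples) >= self.window:
                self._generate()
        return alert

    def _generate(self) -> None:
        ordered = sorted(self.samples)
        rank = math.ceil(self.percentile * len(ordered) / 100)  # nearest rank
        self.baseline_pps = ordered[rank - 1] * self.headroom
        self.applied = self.apply_immediately

    def apply(self) -> None:
        """Manual Apply from the Operation menu after a "Not apply" run."""
        if self.baseline_pps is None:
            raise RuntimeError("learning has not finished")
        self.applied = True

def demo():
    # Constructed samples: 99 quiet intervals (800-1000 pps) and one 5000 pps burst.
    quiet = [800 + (i % 5) * 50 for i in range(99)] + [5000]
    learner = ThresholdLearner(fixed_pps=20000, window=100, apply_immediately=False)
    during = [learner.observe(p) for p in quiet]
    before = learner.observe(6000)  # "Not apply": still judged against 20000 pps
    learner.apply()
    after = learner.observe(6000)   # now judged against the learned baseline
    return any(during), learner.baseline_pps, before, after
```

In `demo()`, the single 5000 pps burst falls outside the 99th percentile, so the learned baseline is 1500 pps; a 6000 pps flood that the 20000 pps fixed threshold misses is flagged once the baseline is applied.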
