Configuring a Baseline Learning Task

You can configure baseline learning to obtain the baseline values of the services of the Zone by learning cycle and generate learning results based on the learning task.

Prerequisites

The basic policies of the Zone have been configured and deployed on the associated devices. For details, see Configuring a Defense Mode.
Devices associated with the Zone have been bound to collectors. For details, see Associating the Collector with the devices.

Context

Current Threshold indicates the current threshold of a policy; Baseline indicates the traffic volume learned using baseline learning; Suggestion indicates the recommended threshold calculated based on the current threshold and baseline. The recommended threshold changes to the current threshold once being delivered to the device. The recommended threshold is calculated as follows:

When the defense threshold is configured: recommended threshold = current threshold x current threshold weight + (baseline value x tolerance value) x (1 - current threshold weight)

When the defense threshold is not configured: recommended threshold = baseline value x tolerance value

Baseline packet rate < 5000 pps, baseline bandwidth < 20 Mbit/s, or baseline connection count < 5000: tolerance value = 200%
5000 pps ≤ baseline packet rate < 30,000 pps, 20 Mbit/s ≤ baseline bandwidth < 100 Mbit/s, or 5000 ≤ baseline connection count < 30,000: tolerance value = 180%
30,000 pps ≤ baseline packet rate < 100,000 pps, 100 Mbit/s ≤ baseline bandwidth < 300 Mbit/s, or 30,000 ≤ baseline connection count < 100,000: tolerance value = 160%
100,000 pps ≤ baseline packet rate < 300,000 pps, 300 Mbit/s ≤ baseline bandwidth < 1 Gbit/s, or 100,000 ≤ baseline connection count < 300,000: tolerance value = 140%
300,000 pps ≤ baseline packet rate < 12,000,000 pps, 1 Gbit/s ≤ baseline bandwidth < 10 Gbit/s, or 300,000 ≤ baseline connection count < 12,000,000: tolerance value = 120%

False positive occurs due to the threshold that is too low. Therefore, set the packet rate, bandwidth value, and connection count to 500 pps, 5 Mbit/s, and 500 respectively, when their recommended values are smaller than given values.

NOTE:

To resolve the problem of overlapped Suggestion values obtained using the boundary values of different scopes, the ATIC adopts the following methods: If Baseline value x Tolerance value of the current scope is smaller than Maximum baseline value of the previous scope x Tolerance value of the previous scope, the ATIC uses the result of Maximum baseline value of the previous scope x Tolerance value of the previous scope to calculate a Suggestion value.
The detection device performs baseline learning only when no anomaly or attack occurs. If an anomaly or attack occurs, the detection device stops baseline learning to prevent the learning of incorrect baseline data.
When you initially use the system, you are advised to set a larger policy threshold to prevent false positives so that baseline learning can be properly conducted.
The cleaning device learns the baseline based on the cleaned forwarding traffic.
In scenarios with surging service traffic caused by events, such as sales activities, manually adjust the configuration threshold. Do not rely on baseline learning for policy adjustment when traffic experiences a significant change.

Procedure

Choose Defense > Policy Settings > Zone.
Click the Zone's state in the Baseline Learning column.

Create a baseline learning task. For parameter descriptions, see Table 1.

**Table 1** Creating a baseline learning task
Parameter	Description
Name	Indicates the name of a baseline learning task.
Learning Cycle (Days)	Indicates the learning cycle of a baseline learning task. After a task starts, the learning result is updated every 5 minutes. The learning result is applied to the defense policy only after such a learning cycle ends.
Current Threshold Weight	Indicates the proportion of the current value to all recommended values in this calculation.
Start Time	Indicates the start time of a baseline learning task, which falls into NowTime and DefineTime. NowTime: The baseline learning task immediately starts after its creation. DefineTime: The baseline learning task starts as defined.
End Time	Indicates the end time of a baseline learning task, which falls into ManualStop and DefineTime. ManualStop: The baseline learning task is manually terminated. NOTE: If you select ManualStop, the end time of the task is empty. DefineTime: The baseline learning task terminates as defined. NOTE: If End Time is later than Learning Cycle, after a learning period ends, the device automatically enters the next learning period till End Time.
Take effect automatically	In a scenario where Take effect automatically and Always Effective are selected, the system automatically applies baseline learning results to service defense policies after the learning cycle ends, regardless of the learning results. In a scenario where Take effect automatically and Effective When the Suggestion Value Is Larger Than the Current Value are selected, the system automatically applies baseline learning results to defense policies once the learning cycle ends if the recommended value is larger than the current value. In a scenario where Take effect automatically is not selected, baseline learning results do not take effect automatically, and manual intervention is required.

Click Startup to enable the baseline learning task of the Zone.
If a service is created, the traffic that matches the service is separately learned, and the traffic that does not match the service are to be learned as a whole. The learning results are applied to the defense policies of the created service and the default defense policies. If no service is created, all traffic is learned as a whole and the learning result is applied to the default defense policy.

NOTE:
The NFA2000V does not support service or baseline learning.

After baseline learning is enabled, click Stop to stop baseline learning.

NOTE:
To modify the parameters of the learning task, stop baseline learning first.

Set baseline learning in batches.

When the baseline learning periods of multiple Zones are set to be the same, select all Zones that need to have baseline learning enabled and click to set baseline learning in batches. For the parameter description, see Table 2.

**Table 2** Setting baseline learning in batches
Parameter	Description
The total number of selected Zone	Indicates the number of all Zones that need to have baseline learning enabled.
The total number of enabled baseline learning task	Indicates the number of Zones that already have baseline learning enabled.
Start Time	Indicates the start time of a baseline learning task.
End Time	Indicates the end time of a baseline learning task.
Learning Cycle (Days)	Indicates the learning cycle of a baseline learning task. After a task starts, the learning result is updated every 5 minutes. The learning result is applied to the defense policy only after such a learning cycle ends.
Current Threshold Weight	Indicates the proportion of the current value to all recommended values in this calculation.
Take effect automatically	In a scenario where Take effect automatically and Always Effective are selected, the system automatically applies baseline learning results to service defense policies after the learning cycle ends, regardless of the learning results. In a scenario where Take effect automatically and Effective When the Suggestion Value Is Larger Than the Current Value are selected, the system automatically applies baseline learning results to defense policies once the learning cycle ends if the recommended value is larger than the current value. In a scenario where Take effect automatically is not selected, baseline learning results do not take effect automatically, and manual intervention is required.
Stop enabled baseline learning task	Terminates enabled baseline learning tasks.
Manual apply suggestion	Applies baseline learning results to defense policies. In a scenario where Always Effective is selected, the system automatically applies baseline learning results to service defense policies after the learning cycle ends, regardless of the learning results. In a scenario where Effective When the Suggestion Value Is Larger Than the Current Value is selected, the system automatically applies baseline learning results to defense policies once the learning cycle ends if the recommended value is larger than the current value.

Result

Before the first learning cycle ends, baseline learning result from the start time to the current time is displayed. After the first learning period elapses, baseline traffic learning result of the last learning cycle is displayed.
1. Click a specific state in the Baseline Learning column.
2. In the Baseline Learning area, click Detailed. The Baseline Learning Result page is displayed.
3. Click in the Detail column to view the historical traffic curve for baseline learning in the last year and change Current Threshold.
After Take effect automatically and Always Effective are selected in a baseline learning task, the system automatically applies the recommended values to defense policies after the baseline learning period ends.

NOTE:

The baseline learning result takes effect only after the corresponding defense item is enabled in defense policies.

Follow-up Procedure

When the confirmation mode of baseline learning is automatic, service traffic learning result is automatically applied to the defense policy of the Zone and deployed on devices.
When the automatic confirmation mode is not selected for baseline learning, service traffic learning result needs to be confirmed manually. For details, see Applying Baseline Learning Results.