Anomaly/Attack Top N

Prerequisites

Top N is enabled. For details, see Top N Study.

Function

The Anomaly/Attack Top N report displays top N Zones, services, or IP addresses by anomaly/attack count or by anomaly/attack duration.

Parameter

Table 1 Query parameters of Zone Anomaly/Attack Top N

Parameter | Description
Device | Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
  • Total (Cleaning): Indicates that attack traffic on all cleaning devices is queried.
  • Total (Detecting):
    • If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum anomaly traffic volume in the defense group is queried and the sum of anomaly traffic volumes among defense groups is queried.
    • If two or more detecting devices in each defense group work in Load Balancing mode, the sum of anomaly traffic volumes within each defense group and among defense groups is queried.
Time | Click to select the start time and end time of statistics, or change the time values in the corresponding text boxes. The end time should be later than the start time and the interval cannot be longer than one year.
Top N | Enter the value of N.

Table 2 Query parameters of Service Anomaly/Attack Top N

Parameter | Description
Device | Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
  • Total (Cleaning): Indicates that attack traffic on all cleaning devices is queried.
  • Total (Detecting):
    • If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum anomaly traffic volume in the defense group is queried and the sum of anomaly traffic volumes among defense groups is queried.
    • If two or more detecting devices in each defense group work in Load Balancing mode, the sum of anomaly traffic volumes within each defense group and among defense groups is queried.
Zone | Click the icon, select a Zone on the Zone page that is displayed, and then click OK.
Time | Click to select the start time and end time of statistics, or change the time values in the corresponding text boxes. The end time should be later than the start time and the interval cannot be longer than one year.
Top N | Enter the value of N.

Table 3 Query parameters of IP Anomaly/Attack Top N

Parameter | Description
Device | Select a device from the drop-down list. Total (Cleaning) and Total (Detecting) are described as follows:
  • Total (Cleaning): Indicates that attack traffic on all cleaning devices is queried.
  • Total (Detecting):
    • If two or more detecting devices in a defense group work in Load Redundancy mode, the maximum anomaly traffic volume in the defense group is queried and the sum of anomaly traffic volumes among defense groups is queried.
    • If two or more detecting devices in each defense group work in Load Balancing mode, the sum of anomaly traffic volumes within each defense group and among defense groups is queried.
Zone | Click the icon, select a Zone on the Zone page that is displayed, and then click OK.
Service | Select a service or service group from the drop-down list. For details about service configuration, see (Optional) Creating a Service and a Defense Policy.
Time | Click to select the start time and end time of statistics, or change the time values in the corresponding text boxes. The end time should be later than the start time and the interval cannot be longer than one year.
Top N | Enter the value of N.

Example

If the Device is Total (Cleaning), Figure 1 shows IP Anomaly/Attack Top N within a period of time.

Figure 1 IP Anomaly/Attack Top N

NOTE:
  • In the left figure, the top N Zones by number of attacks are displayed.
  • In the right figure, the top N Zones by attack duration are displayed.
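
The Total (Detecting) aggregation rule from the parameter tables and the count-versus-duration ranking shown in the two charts, worked through as an added Python example (not code from the product or its documentation). The group layout, record fields, the 365-day reading of "one year" and the clipping of attacks to the query window are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data; group names, device names and volumes are illustrative.
GROUPS = {
    "dg-east": {"mode": "load_redundancy", "mbps": {"det-1": 800, "det-2": 760}},
    "dg-west": {"mode": "load_balancing", "mbps": {"det-3": 300, "det-4": 450}},
}
# (zone, attack start, attack end), also constructed.
EVENTS = [
    ("zone-a", datetime(2024, 3, 1, 10, 0), datetime(2024, 3, 1, 10, 5)),
    ("zone-a", datetime(2024, 3, 2, 9, 0), datetime(2024, 3, 2, 9, 10)),
    ("zone-a", datetime(2024, 3, 3, 8, 0), datetime(2024, 3, 3, 8, 5)),
    ("zone-b", datetime(2024, 3, 1, 12, 0), datetime(2024, 3, 1, 18, 0)),
    ("zone-c", datetime(2024, 3, 4, 0, 0), datetime(2024, 3, 4, 1, 0)),
    ("zone-c", datetime(2024, 3, 5, 0, 0), datetime(2024, 3, 5, 0, 30)),
]

def total_detecting(groups):
    """Max within a Load Redundancy group, sum within a Load Balancing group,
    then the sum across all defense groups."""
    combine = {"load_redundancy": max, "load_balancing": sum}
    total = 0
    for name, group in groups.items():
        if group["mode"] not in combine:
            raise ValueError(f"{name}: unknown mode {group['mode']!r}")
        total += combine[group["mode"]](group["mbps"].values())
    return total

def check_range(start, end):
    """Query window rule from the tables: end after start, at most one year."""
    if end <= start:
        raise ValueError("end time must be later than start time")
    if end - start > timedelta(days=365):  # assumption: one year = 365 days
        raise ValueError("interval cannot be longer than one year")

def top_n(events, start, end, n):
    """Return (zones ranked by attack count, zones ranked by attack duration)."""
    check_range(start, end)
    count, duration = defaultdict(int), defaultdict(timedelta)
    for zone, began, ended in events:
        lo, hi = max(began, start), min(ended, end)  # assumption: clip to window
        if lo < hi:
            count[zone] += 1
            duration[zone] += hi - lo
    def rank(metric):  # highest value first, zone name breaks ties
        return sorted(metric, key=lambda z: (-metric[z], z))[:n]
    return rank(count), rank(duration)
```

With this sample data the two rankings disagree: a Zone hit by many short attacks leads the count chart, while a Zone hit once for hours leads the duration chart, which is why both views are worth reading together.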

Procedure

  1. Choose Report > Report > Anomaly/Attack Analysis.
  2. Click the Anomaly/Attack Top N tab.
  3. Set query parameters.
  4. Click Search.

    Top N Zones by anomalies or attacks that meet the query conditions are displayed.

  5. Optional: Open or save the query results as files, or send queried reports to the specified email address.

    • Click to open or save the query results as PDF files. A maximum of 10,000 entries can be displayed.
    • Click to open or save the query results as EXCEL files. A maximum of 10,000 entries can be displayed.
    • Click to open or save the query results as CSV files. All data except figures can be displayed.
    • Click to enter a recipient mail address and select an attachment format. Then click OK.


Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.