You can configure baseline learning to obtain the baseline values of the services of the Zone by learning cycle and generate learning results based on the learning task.
Prerequisites
The basic policies of the Zone have been configured and deployed on the associated devices. For details, see Configuring a Defense Mode.
Devices associated with the Zone have been bound to collectors. For details, see Associating the Collector with the devices.
Context
Current Threshold indicates the current threshold of a policy; Baseline indicates the traffic volume learned using baseline learning; Suggestion indicates the recommended threshold calculated based on the current threshold and baseline. The recommended threshold changes to the current threshold once being delivered to the device. The recommended threshold is calculated as follows:
When the defense threshold is configured: recommended threshold = current threshold x current threshold weight + (baseline value x tolerance value) x (1 - current threshold weight).
When the defense threshold is not configured: recommended threshold = baseline value x tolerance value.
For details about the tolerance values, see Table 1.
Table 1 Tolerance values Condition Tolerance Value Baseline packet rate < 5000 pps or baseline bandwidth < 5 Mbit/s
200%
5000 pps ≤ baseline packet rate < 30,000 pps, 5 Mbit/s ≤ baseline bandwidth < 20 Mbit/s, 0 ≤ baseline value of concurrent connections for the destination IP address < 5000, 0 ≤ baseline value of new connections for the destination IP address < 1000, 0 ≤ baseline value of concurrent connections for the source IP address < 200, or 0 ≤ baseline value of new connections for the source IP address < 200
160%
5000 ≤ baseline value of concurrent connections for the destination IP address <30,000, 200 ≤ baseline value of new connections for the source IP address <300, or 200 ≤ baseline value of new connections for the source IP address <300
140%
30,000 pps ≤ baseline packet rate < 12,000,000 pps, 20 Mbit/s ≤ baseline bandwidth < 10240 Mbit/s, 30,000 ≤ baseline value of concurrent connections for the destination IP address < 12,000,000, 1000 ≤ baseline value of new connections for the destination IP address <12,000,000, 300 ≤ baseline value of concurrent connections for the source IP address < 12,000,000, 300 ≤ baseline value of new connections for the source IP address <12,000,000, or baseline threshold for the number of SYN packets > 10
120%
False positive occurs if the threshold is too small. Table 2 lists some conditions and the corresponding recommended values.
Table 2 Recommended values Condition Recommended Value Recommended packet rate calculated < 5000 pps
5000 pps
Recommended bandwidth calculated < 5 Mbit/s
5 Mbit/s
Recommended number of concurrent connections for the destination IP address calculated < 5000
5000
Recommended number of new connections for the destination IP address calculated < 1000
1000
Recommended number of concurrent connections for the source IP address calculated < 200
200
Recommended number of new connections for the source IP address calculated < 200
200
Recommended threshold for the number of SYN packets calculated < 10
10
If the current baseline learning type is set to SYN-Ratio Proportion Threshold, the recommended values are listed in Table 3.
NOTE: - To resolve the problem of overlapped Suggestion values obtained using the boundary values of different scopes, the ATIC adopts the following methods: If Baseline value x Tolerance value of the current scope is smaller than Maximum baseline value of the previous scope x Tolerance value of the previous scope, the ATIC uses the result of Maximum baseline value of the previous scope x Tolerance value of the previous scope to calculate a Suggestion value.
- The detection device performs baseline learning only when no anomaly or attack occurs. If an anomaly or attack occurs, the detection device stops baseline learning to prevent the learning of incorrect baseline data.
- When you initially use the system, you are advised to set a larger policy threshold to prevent false positives so that baseline learning can be properly conducted.
- The cleaning device learns the baseline based on the cleaned forwarding traffic.
- In scenarios with surging service traffic caused by events, such as sales activities, manually adjust the configuration threshold. Do not rely on baseline learning for policy adjustment when traffic experiences a significant change.
Procedure
- Choose .
- Click the Zone's state in the Baseline Learning column.
- Create a baseline learning task. For parameter descriptions,
see Table 4.
Table 4 Creating a baseline learning task Parameter Description Name
Indicates the name of a baseline learning task.
Learning Cycle (Days)
Indicates the learning cycle of a baseline learning task. After a task starts, the learning result is updated every 5 minutes. The learning result is applied to the defense policy only after such a learning cycle ends.
Current Threshold Weight
Indicates the proportion of the current value to all recommended values in this calculation.
Start Time
Indicates the start time of a baseline learning task, which falls into NowTime and DefineTime.
NowTime: The baseline learning task immediately starts after its creation.
- DefineTime: The baseline learning task starts as defined.
End Time
Indicates the end time of a baseline learning task, which falls into ManualStop and DefineTime.
ManualStop: The baseline learning task is manually terminated.
NOTE:If you select ManualStop, the end time of the task is empty.
- DefineTime: The baseline learning task terminates as defined.
NOTE:If End Time is later than Learning Cycle, after a learning period ends, the device automatically enters the next learning period till End Time.Take effect automatically
In a scenario where Take effect automatically and Always Effective are selected, the system automatically applies baseline learning results to service defense policies after the learning cycle ends, regardless of the learning results.
In a scenario where Take effect automatically and Effective When the Suggestion Value Is Larger Than the Current Value are selected, the system automatically applies baseline learning results to defense policies once the learning cycle ends if the recommended value is larger than the current value.
In a scenario where Take effect automatically is not selected, baseline learning results do not take effect automatically, and manual intervention is required.
- Click Enable to enable the baseline learning task of the Zone.
After baseline learning is enabled, click Stop to stop baseline learning.
- Set baseline learning in batches.
When the baseline learning periods of multiple Zones are set to be the same, select all Zones that need to have baseline learning enabled and click
to
set baseline learning in batches. For the parameter description, see Table 5.Table 5 Setting baseline learning in batches Parameter Description The total number of selected Zone
Indicates the number of all Zones that need to have baseline learning enabled.
The total number of enabled baseline learning task
Indicates the number of Zones that already have baseline learning enabled.
Start Time
Indicates the start time of a baseline learning task.
End Time
Indicates the end time of a baseline learning task.
Learning Cycle (Days)
Indicates the learning cycle of a baseline learning task. After a task starts, the learning result is updated every 5 minutes. The learning result is applied to the defense policy only after such a learning cycle ends.
Current Threshold Weight
Indicates the proportion of the current value to all recommended values in this calculation.
Take effect automatically
In a scenario where Take effect automatically and Always Effective are selected, the system automatically applies baseline learning results to service defense policies after the learning cycle ends, regardless of the learning results.
In a scenario where Take effect automatically and Effective When the Suggestion Value Is Larger Than the Current Value are selected, the system automatically applies baseline learning results to defense policies once the learning cycle ends if the recommended value is larger than the current value.
In a scenario where Take effect automatically is not selected, baseline learning results do not take effect automatically, and manual intervention is required.
Stop enabled baseline learning task
Terminates enabled baseline learning tasks.
Manual apply suggestion
Applies baseline learning results to defense policies.
In a scenario where Always Effective is selected, the system automatically applies baseline learning results to service defense policies after the learning cycle ends, regardless of the learning results.
In a scenario where Effective When the Suggestion Value Is Larger Than the Current Value is selected, the system automatically applies baseline learning results to defense policies once the learning cycle ends if the recommended value is larger than the current value.
Result
Before the first learning cycle ends, baseline learning result from the start time to the current time is displayed. After the first learning period elapses, baseline traffic learning result of the last learning cycle is displayed.
- Click a specific state in the Baseline Learning column.
- In the Baseline Learning area, click Detailed. The Baseline Learning Result page is displayed.
- Click
in the Detail column to view the historical traffic curve for
baseline learning in the last year and change Current Threshold.
After Take effect automatically and Always Effective are selected in a baseline learning task, the system automatically applies the recommended values to defense policies after the baseline learning period ends.
NOTE: The baseline learning result takes effect only after the corresponding defense item is enabled in defense policies.
Follow-up Procedure
When the confirmation mode of baseline learning is automatic, service traffic learning result is automatically applied to the defense policy of the Zone and deployed on devices.
When the automatic confirmation mode is not selected for baseline learning, service traffic learning result needs to be confirmed manually. For details, see Applying Baseline Learning Results.