Configuring a Baseline Learning Task

You can configure baseline learning to obtain the baseline values of the services of the Zone by learning cycle and generate learning results based on the learning task.

Prerequisites

The basic policies of the Zone have been configured and deployed on the associated devices. For details, see Configuring a Defense Mode.
Devices associated with the Zone have been bound to collectors. For details, see Associating the Collector with Devices.

Context

Current Threshold indicates the current threshold of a policy; Baseline indicates the traffic volume learned using baseline learning; Suggestion indicates the recommended threshold calculated based on the current threshold and baseline. The recommended threshold changes to the current threshold once being delivered to the device. The recommended threshold is calculated as follows:

When the defense threshold is configured: recommended threshold = current threshold x current threshold weight + (baseline value x tolerance value) x (1 - current threshold weight). When the defense threshold is not configured: recommended threshold = baseline value x tolerance value. For details about the tolerance values, see Table 1.

**Table 1** Tolerance values
Condition	Tolerance Value
Baseline packet rate < 5000 pps or baseline bandwidth < 5 Mbit/s	200%
5000 pps ≤ baseline packet rate < 30,000 pps, 5 Mbit/s ≤ baseline bandwidth < 20 Mbit/s, 0 ≤ baseline value of concurrent connections for the destination IP address < 5000, 0 ≤ baseline value of new connections for the destination IP address < 1000, 0 ≤ baseline value of concurrent connections for the source IP address < 200, or 0 ≤ baseline value of new connections for the source IP address < 200	160%
5000 ≤ baseline value of concurrent connections for the destination IP address < 30,000, 200 ≤ baseline value of new connections for the source IP address < 300, or 200 ≤ baseline value of new connections for the source IP address < 300	140%
30,000 pps ≤ baseline packet rate < 12,000,000 pps, 20 Mbit/s ≤ baseline bandwidth < 10240 Mbit/s, 30,000 ≤ baseline value of concurrent connections for the destination IP address < 12,000,000, 1000 ≤ baseline value of new connections for the destination IP address < 12,000,000, 300 ≤ baseline value of concurrent connections for the source IP address < 12,000,000, 300 ≤ baseline value of new connections for the source IP address < 12,000,000, or baseline threshold for the number of SYN packets > 10	120%

False positive occurs if the threshold is too small. Table 2 lists some conditions and the corresponding recommended values.

**Table 2** Recommended values
Condition	Recommended Value
Baseline packet rate < 5000 pps	5000 pps
Baseline bandwidth < 5 Mbit/s	5 Mbit/s
Baseline value of concurrent connections for the destination IP address < 5000	5000
Baseline value of new connections for the destination IP address < 1000	1000
Baseline value of concurrent connections for the source IP address < 200	200
Baseline value of new connections for the source IP address < 200	200
Baseline threshold for the number of SYN packets < 10	10

If the current baseline learning type is set to SYN-Ratio Proportion Threshold, the recommended values are listed in Table 3.

**Table 3** Recommended values
Condition	Recommended Value
Baseline value of the SYN-Ratio threshold < 40%	50%
40% ≤ Baseline value of the SYN-Ratio threshold < 90%	Baseline value + 10%
90% ≤ Baseline value of the SYN-Ratio threshold < 100%	100%

To resolve the problem of overlapped Suggestion values obtained using the boundary values of different scopes, the ATIC adopts the following methods: If Baseline value x Tolerance value of the current scope is smaller than Maximum baseline value of the previous scope x Tolerance value of the previous scope, the ATIC uses the result of Maximum baseline value of the previous scope x Tolerance value of the previous scope to calculate a Suggestion value.
The detecting device performs baseline learning only when no exception or attack occurs. If an exception or attack occurs, the detecting device stops baseline learning to prevent the learning of incorrect baseline data.
When you initially use the system, you are advised to set a larger policy threshold to prevent false positives so that baseline learning can be properly conducted.
The cleaning device learns the baseline based on the cleaned forwarding traffic.
In scenarios with surging service traffic caused by events, such as sales activities, manually adjust the configuration threshold. Do not rely on baseline learning for policy adjustment when traffic experiences a significant change.
The baseline statistics on the number of new connections and concurrent connections based on source IP addresses do not distinguish the destination IP addresses. Therefore, the learned baseline value is greater than the statistics based on a single destination IP address.

Procedure

Choose Defense > Policy Settings > Zone.
Click a specific state in the Baseline Learning column.

Create a baseline learning task. For parameter descriptions, see Table 4.

**Table 4** Creating a baseline learning task
Parameter	Description
Name	Indicates the name of a baseline learning task.
Learning Cycle (Days)	Indicates the learning cycle of a baseline learning task. After a task starts, the learning result is updated every 5 minutes. The learning result is applied to the defense policy only after such a learning cycle ends.
Current Threshold Weight	Indicates the proportion of the current value to all recommended values in this calculation.
Start Time	Indicates the start time of a baseline learning task, which falls into NowTime and DefineTime. NowTime: The baseline learning task immediately starts after it is created. DefineTime: The baseline learning task starts as defined.
End Time	Indicates the end time of a baseline learning task, which falls into ManualStop and DefineTime. ManualStop: The baseline learning task is manually terminated. NOTE: If you select ManualStop, the end time of the task is empty. DefineTime: The baseline learning task terminates as defined. NOTE: If End Time is later than Learning Cycle, after a learning period ends, the device automatically enters the next learning period till End Time.
Take effect automatically	In a scenario where Take effect automatically and Always Effective are selected, the system automatically applies baseline learning results to service defense policies after the learning cycle ends, regardless of the learning results. In a scenario where Take effect automatically and Effective When the Suggestion Value Is Larger Than the Current Value are selected, the system automatically applies baseline learning results to defense policies once the learning cycle ends if the recommended value is larger than the current value. In a scenario where Take effect automatically is not selected, baseline learning results do not take effect automatically, and manual intervention is required.

Click Startup to enable the baseline learning task of the Zone.
After baseline learning is enabled, click Stop to stop baseline learning.

Set baseline learning in batches.

When the baseline learning periods of multiple Zones are set to be the same, select all Zones that need to have baseline learning enabled and click to set baseline learning in batches. For the parameter description, see Table 5.

**Table 5** Setting baseline learning in batches
Parameter	Description
The total number of selected Zone	Indicates the number of all Zones that need to have baseline learning enabled.
The total number of enabled baseline learning task	Indicates the number of Zones that already have baseline learning enabled.
Start Time	Indicates the start time of a baseline learning task.
End Time	Indicates the end time of a baseline learning task.
Learning Cycle (Days)	Indicates the learning cycle of a baseline learning task. After a task starts, the learning result is updated every 5 minutes. The learning result is applied to the defense policy only after such a learning cycle ends.
Current Threshold Weight	Indicates the proportion of the current value to all recommended values in this calculation.
Take effect automatically	In a scenario where Take effect automatically and Always Effective are selected, the system automatically applies baseline learning results to service defense policies after the learning cycle ends, regardless of the learning results. In a scenario where Take effect automatically and Effective When the Suggestion Value Is Larger Than the Current Value are selected, the system automatically applies baseline learning results to defense policies once the learning cycle ends if the recommended value is larger than the current value. In a scenario where Take effect automatically is not selected, baseline learning results do not take effect automatically, and manual intervention is required.
Stop enabled baseline learning task	Terminates enabled baseline learning tasks.
Manual apply suggestion	Applies baseline learning results to defense policies. In a scenario where Always Effective is selected, the system automatically applies baseline learning results to service defense policies after the learning cycle ends, regardless of the learning results. In a scenario where Effective When the Suggestion Value Is Larger Than the Current Value is selected, the system automatically applies baseline learning results to defense policies once the learning cycle ends if the recommended value is larger than the current value.

Result

Before the first learning cycle ends, baseline learning result from the start time to the current time is displayed. After the first learning period elapses, baseline traffic learning result of the last learning cycle is displayed.
1. Click a specific state in the Baseline Learning column.
2. In the Baseline Learning area, click Detailed. The Baseline Learning Result page is displayed.
3. Click in the Detail column to view the historical traffic curve for baseline learning in the last year and change Current Threshold.
After Take effect automatically and Always Effective are selected in a baseline learning task, the system automatically applies the recommended values to defense policies after the baseline learning period ends.

The baseline learning result takes effect only after the corresponding defense item is enabled in defense policies.

Follow-up Procedure

When the confirmation mode of baseline learning is automatic, service traffic learning result is automatically applied to the defense policy of the Zone and deployed on the AntiDDoS or AntiDDoS1820-N.
When the automatic confirmation mode is not selected for baseline learning, service traffic learning result needs to be confirmed manually. For details, see Applying Baseline Learning Results.