Below, the implemented approaches are divided into two groups: those based on sFlow samples and those based on Snort/nDPI generated flows.
Using sFlow samples
- Malicious activities detection
  - SMTP talker
  - Atypical TCP port used
  - Atypical alien TCP port used
  - Atypical number of pairs in the period
  - Atypical amount of data transferred
  - Alien accessing too many hosts
  - P2P communication
  - UDP amplifier (DDoS)
  - Abused SMTP server
  - Media streaming client
  - DNS tunnel
  - ICMP tunnel
  - Horizontal port scan
  - Vertical port scan
  - Server under DDoS attack
  - C&C botnet communication
  - More coming…
- Network visibility
  - Server grouping
  - Network automatic inventory
  - More coming…
Using Snort/nDPI generated flows
- DNS k-means clustering
- HTTP k-means clustering
- More coming…