For each host in the protected network, Hogzilla IDS keeps information about TCP ports accessed by these hosts.
If for two Hogzilla cycles (6h+6h) a host in this network access an atypical TCP port at an Internet host, it generates an alert. There are some exceptions to reduce false positives.