This screen displays the computed baseline thresholds for triggering Anomalous Behavior alarms.
The Anomalous Behavior Alarms (ABA) feature is available only on AirDefense Enterprise servers and does not require any specific license. This feature is enabled when you enable Performance Profile. ABA is calculated for sanctioned clients and BSS only. All other data is ignored.
The AirDefense server flags traffic behavior that deviates significantly from observed normal behavior. The server learns specific attributes of traffic monitored over a configurable period of time. It uses this information to flag any traffic that deviates significantly from its learned traffic behavior.
Background Learning Phase
Live Data Threshold Comparison Phase
These phases are common to all alarms based on the anomaly detection paradigm. Each alarm type could have different learning parameters and custom threshold computation methods.
In the Background Learning Phase, the AirDefense server monitors the forensic data in the data store for a configured duration of time. It then computes a baseline behavior against which an event will be tested. The training window slides, so live data being added to the forensic store is included in later learning. ABA learning happens at regular intervals during the day to compute thresholds for all anomalous alarms. The default learning interval for each alarm is 14 days. Thresholds are computed and stored in 5-minute windows. These learning interval configuration values cannot be modified. The thresholds are computed on the scope where Performance Profile is enabled. The scope can be Site Level, Floor Level, or System Level.
In the Live Data Threshold Comparison Phase, live data from the sensors is compared with the computed thresholds for the enabled scope. If the live data is above the computed threshold, the corresponding alarm is triggered. For example, if the total AP Management Frames seen in a location during a 5-minute interval of live data exceeds the threshold computed for the total AP Management Frames in the same 5-minute interval over the last 14 days, then the AP Management Frame Anomalous Behavior Frames alarm is raised.
ABA computation starts at 00:00 hours. The computed threshold values are not persistent across server reboots and restarts. If a server is restarted or rebooted, threshold computation commences at the next 00:00 hours. No computed threshold values are available from the time the server was rebooted or restarted until the nearest 00:00 hours.
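The two phases and the restart gap described above can be modelled as follows. This is an added example, not AirDefense code: the class and function names are hypothetical, the sample totals and timestamps are constructed, and the threshold statistic (mean plus three standard deviations) is an assumption, because this page does not state how a threshold is derived from the 14 days of data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

WINDOW_MIN = 5    # thresholds are stored per 5-minute window (from the page)
LEARN_DAYS = 14   # default learning interval (from the page)
K_SIGMA = 3.0     # assumption: the page does not give the threshold formula

def slot_of(ts):
    """Index of the 5-minute window within the day (0..287)."""
    return (ts.hour * 60 + ts.minute) // WINDOW_MIN

class AbaBaseline:
    """Hypothetical model of one alarm type in one scope."""
    def __init__(self, restarted_at):
        # slot -> one total per day; maxlen makes the training window slide
        self.history = defaultdict(lambda: deque(maxlen=LEARN_DAYS))
        self.thresholds = {}
        # Thresholds do not survive a restart; none exist until the next 00:00.
        midnight = restarted_at.replace(hour=0, minute=0, second=0, microsecond=0)
        self.ready_at = midnight + timedelta(days=1)

    def learn(self, ts, total):
        self.history[slot_of(ts)].append(total)

    def compute(self):
        # Assumed statistic: mean + K_SIGMA * population standard deviation
        self.thresholds = {s: mean(v) + K_SIGMA * pstdev(v)
                           for s, v in self.history.items()}

    def check(self, ts, live_total):
        """True/False = alarm decision; None = no threshold to compare against."""
        threshold = self.thresholds.get(slot_of(ts))
        if ts < self.ready_at or threshold is None:
            return None
        return live_total > threshold

def demo():
    b = AbaBaseline(datetime(2024, 1, 15, 13, 20))   # constructed restart time
    for d in range(LEARN_DAYS):                      # constructed 21:00 history
        b.learn(datetime(2024, 1, 1, 21, 0) + timedelta(days=d), 1000 + 10 * (d % 3))
    b.compute()
    return (b.check(datetime(2024, 1, 15, 21, 0), 5000),   # before 00:00: blind
            b.check(datetime(2024, 1, 16, 21, 0), 1005),   # within baseline
            b.check(datetime(2024, 1, 16, 21, 0), 5000))   # above threshold

if __name__ == "__main__":
    print(demo())
```

The `None` result is the case to watch operationally: between a restart and the next 00:00 there is no threshold, so a spike in that period raises no anomalous behavior alarm.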
The following Anomalous Behavior Alarms are supported:
MU Management Frame Anomalous Behavior Frames
MU Data Frame Anomalous Behavior Frames
MU Control Frame Anomalous Behavior Frames
AP Management Frame Anomalous Behavior Frames
AP Data Frame Anomalous Behavior Frames
AP Control Frame Anomalous Behavior Frames
MU Management Frame Anomalous Behavior Bytes
MU Data Frame Anomalous Behavior Bytes
MU Control Frame Anomalous Behavior Bytes
AP Management Frame Anomalous Behavior Bytes
AP Data Frame Anomalous Behavior Bytes
AP Control Frame Anomalous Behavior Bytes
AP Anomalous Number of Connected MUs