Network security has always been the top priority of network administrators all over the world. The effect of a virus attack on a corporate network is huge and, in most cases, irreversible, but how do you detect it? Here we discuss Security Analytics and Anomaly Detection using NetFlow Analyzer.

NetFlow Analyzer’s Advanced Security Analytics Module (ASAM) gives an in-depth view of the security events happening in the network. ASAM is a flow-based security analytics and anomaly detection tool that helps detect zero-day network intrusions. It uses state-of-the-art Continuous Stream Mining Engine™ technology and classifies intrusions so that network security threats can be tackled in real time.

ASAM offers actionable intelligence to detect a broad spectrum of internal and external security threats, along with a continuous overall assessment of network security. It classifies security threats into three categories:

1. Suspect Flows

2. Bad Src – Dst

3. DoS attack

If any field in a flow other than the Source and Destination looks suspicious, the flow is called a suspect flow. Suspect flows can be categorized into various problems, of which ASAM classifies the following as prominent security threats:

1. IP Malformed packets

2. Invalid ToS flows

3. Malformed TCP packets

IP Malformed packets:

The Internet Protocol (IP) is the principal communication protocol used for relaying datagrams (packets) across an inter-network using the Internet Protocol Suite. Responsible for routing packets across network boundaries, IP is the primary protocol that establishes the Internet.

IP is the primary protocol in the Internet Layer of the Internet Protocol Suite and delivers datagrams from the source host to the destination host based on their addresses. For this purpose, IP defines addressing methods and a structure for datagram encapsulation. All IP packets are structured the same way: an IP header followed by a variable-length data field.


An IP flow whose bytes-per-packet value is less than or equal to 20 octets (bytes) is flagged as IP Malformed packets. The 20 bytes are the sum of the IP header and the payload; since 20 bytes is already the minimum size of an IP header on its own, such packets carry no payload at all.

Invalid ToS flows :

ToS values range from 0 to 255, but only a few of them are valid ToS values. The table below lists the valid ToS values:


If a flow carries any ToS value other than the valid ones listed, it is flagged as Invalid ToS.

Malformed TCP packets :

TCP provides reliable, ordered delivery of a stream of bytes between hosts, and major Internet applications rely on it. A TCP segment consists of a segment header and a data section; the data section follows the header, and its contents are the payload data carried for the application. A flow whose TCP packet size is less than or equal to 40 bytes is flagged as Malformed TCP packets. The 40 bytes are the sum of the IP header and the payload; with a minimum 20-byte IP header and a minimum 20-byte TCP header, such packets have no room for application data.
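The three suspect-flow checks described above (IP Malformed, Invalid ToS and Malformed TCP), put together as a small classifier over flow records. This is an added example, not code from NetFlow Analyzer or ASAM; the flow records are constructed, and the set of valid ToS values is a placeholder assumption because the page’s table is not reproduced here.

```python
from dataclasses import dataclass
# Thresholds from the text: bytes per packet (IP header plus payload) at or
# below 20 marks "IP Malformed packets"; a TCP flow at or below 40 marks
# "Malformed TCP packets".
IP_MIN_BYTES_PER_PACKET = 20
TCP_MIN_BYTES_PER_PACKET = 40
PROTO_TCP = 6

# Assumption: the page's table of valid ToS values is not reproduced here; this
# placeholder set holds the eight IP precedence values plus a few DSCP markings.
VALID_TOS = {0, 32, 64, 96, 128, 160, 192, 224, 40, 48, 56, 184}

@dataclass
class Flow:
    src: str
    dst: str
    proto: int      # IP protocol number (6 = TCP, 17 = UDP)
    tos: int        # ToS byte as exported in the flow record
    packets: int
    octets: int     # total bytes in the flow, IP header included

def bytes_per_packet(flow: Flow) -> float:
    """Average packet size in the flow, IP header included."""
    if flow.packets <= 0:
        raise ValueError("flow must contain at least one packet")
    return flow.octets / flow.packets

def classify_suspect_flow(flow: Flow, valid_tos=VALID_TOS) -> list:
    """Return every suspect-flow category the flow matches (empty = clean)."""
    reasons = []
    bpp = bytes_per_packet(flow)
    if bpp <= IP_MIN_BYTES_PER_PACKET:
        reasons.append("IP Malformed packets")
    if flow.proto == PROTO_TCP and bpp <= TCP_MIN_BYTES_PER_PACKET:
        reasons.append("Malformed TCP packets")
    if flow.tos not in valid_tos:
        reasons.append("Invalid ToS flows")
    return reasons

# Constructed sample flow records, not captured traffic.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.9", 6, 0, 100, 150000),  # 1500 B/pkt: normal TCP
    Flow("10.0.0.7", "10.0.0.9", 6, 0, 500, 20000),   # 40 B/pkt: header-only TCP
    Flow("10.0.0.8", "10.0.0.9", 17, 0, 300, 6000),   # 20 B/pkt: malformed IP
    Flow("10.0.0.2", "10.0.0.9", 17, 3, 50, 40000),   # ToS 3 is not in the valid set
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst}", classify_suspect_flow(f) or ["clean"])
```

A TCP flow at or below 20 bytes per packet matches both the IP and the TCP check, so the classifier returns every matching category rather than picking one.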

Thanks and Regards

Praveen Kumar
