Oh, that sounds like a fantastic idea! Thank you!
Those were very simple examples, but reality is more complex and it wouldn’t be possible to do it by hand with a few if statements. This network is pretty complex, I don’t know it very well because it’s not my own, and it’s actually not the only one I’ll have to deal with, so I need a flexible solution. I agree they are spatial anomalies, though.
Here’s another example I can think of: there’s server X, which is an Active Directory, which receives a bunch of connections every morning, when everyone logs in. From there on it may receive some random connections from people rebooting their systems or coming late to work. If someone tried to log in repeatedly, trying different passwords, that would generate a lot of traffic, which would be an anomaly at any time except when everyone else is logging in. It could be like that, or connections could be randomly distributed over the day, I really don’t know, and that’s why I need the TM.
Here’s a snippet with modified IPs:
timestamp,src_ip,dst_ip,src_port,dst_port
2018-03-01T11:00:00Z,10.1.1.61,10.1.2.23,51237,53
2018-03-01T11:00:00Z,10.1.1.61,10.1.2.23,51237,53
2018-03-01T11:00:00Z,10.2.3.179,10.1.2.17,1243,53
2018-03-01T11:00:00Z,10.2.3.179,10.1.2.17,1243,53
2018-03-01T11:00:00Z,10.3.1.68,10.1.2.23,5681,53
2018-03-01T11:00:00Z,10.3.1.68,10.1.2.23,5681,53
2018-03-01T11:00:00Z,10.4.4.26,192.168.0.1,58066,53
2018-03-01T11:00:00Z,10.4.4.26,192.168.0.1,58066,53
2018-03-01T11:00:00Z,10.10.10.80,10.2.3.31,1893,8080
At the moment I’m ignoring source and destination ports, to make things simpler. I’ll miss some real anomalies (can’t tell an ssh connection from a DNS request), but it’s fine for the moment.
That’d be the best solution IMO, but we’re talking about around a thousand machines on this network. From my point of view, each server could run its own model and report anomalies to a central system, but my hands are tied here, and I have to run everything on a single machine.
Thank you for your help, guys.
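To make the "Active Directory at login time" scenario concrete, here is an added example in Python that is not part of the post above and not the poster's code. It reads flow records in the same CSV layout as the snippet (ports parsed but ignored, as the poster does), counts connections per destination per hour, and scores each hour of one day against a baseline built for the same hour of day on the other days. The constructed data, the AD server address `10.1.2.5`, the host names and the one-hour bucket are all assumptions; the hour-of-day baseline is a deliberately simple stand-in for the temporal context the poster wants a TM to learn, chosen to show why a burst of 30 connections is normal at 09:00 and anomalous at 14:00.

```python
"""Flow-log anomaly scoring with an hour-of-day baseline (added example, constructed data)."""
import csv
import io
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta
from statistics import mean, pstdev

AD_SERVER = "10.1.2.5"  # constructed address standing in for the post's "server X"


def build_sample_csv():
    """Constructed flow log in the poster's column layout: four regular days, then a
    fifth day where one host opens 30 connections to the AD server at 14:00."""
    rows = ["timestamp,src_ip,dst_ip,src_port,dst_port"]
    for day in range(1, 6):
        base = datetime(2018, 3, day)
        # morning login wave: 30 workstations reach the AD server around 09:00
        for i in range(30):
            t = base + timedelta(hours=9, minutes=i % 10)
            rows.append(f"{t:%Y-%m-%dT%H:%M:%SZ},10.1.1.{i + 10},{AD_SERVER},{50000 + i},389")
        # two stray logins per hour for the rest of the day (reboots, latecomers)
        for hour in range(10, 18):
            for i in range(2):
                t = base + timedelta(hours=hour, minutes=15 + 20 * i)
                rows.append(f"{t:%Y-%m-%dT%H:%M:%SZ},10.1.1.{40 + i},{AD_SERVER},{51000 + i},389")
        # unrelated DNS traffic to another host, like the port-53 rows in the snippet
        for i in range(10):
            t = base + timedelta(hours=9, minutes=i)
            rows.append(f"{t:%Y-%m-%dT%H:%M:%SZ},10.1.1.61,10.1.2.23,{51237 + i},53")
    # day 5, 14:00: a single source opens 30 connections within five minutes
    burst_base = datetime(2018, 3, 5, 14)
    for i in range(30):
        t = burst_base + timedelta(seconds=10 * i)
        rows.append(f"{t:%Y-%m-%dT%H:%M:%SZ},10.4.4.26,{AD_SERVER},{52000 + i},389")
    return "\n".join(rows) + "\n"


def parse_flows(text):
    """Yield (timestamp, src_ip, dst_ip); ports are read but ignored, as in the post."""
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, row["src_ip"], row["dst_ip"]


def hourly_counts(flows, dst_ip):
    """Connections per (date, hour) towards one destination."""
    counts = Counter()
    for ts, _src, dst in flows:
        if dst == dst_ip:
            counts[(ts.date(), ts.hour)] += 1
    return counts


def hour_of_day_baseline(counts, training_dates):
    """Mean and population std of the hourly count, per hour of day, over the
    training days. Hours with no traffic on a training day count as zero."""
    per_hour = defaultdict(list)
    for d in training_dates:
        for hour in range(24):
            per_hour[hour].append(counts.get((d, hour), 0))
    return {h: (mean(v), pstdev(v)) for h, v in per_hour.items()}


def score_day(counts, baseline, day, std_floor=1.0):
    """Z-score each hour of `day` against the baseline for that hour of day.
    std_floor stops a perfectly regular training set from dividing by zero."""
    scores = {}
    for hour in range(24):
        mu, sigma = baseline[hour]
        scores[hour] = (counts.get((day, hour), 0) - mu) / max(sigma, std_floor)
    return scores


def flag_anomalies(text, dst_ip, day_iso, threshold=3.0):
    """Return {hour: (count, z)} for hours of `day_iso` (YYYY-MM-DD) whose
    connection count to dst_ip is more than `threshold` std above the baseline
    learned from every other day in the log."""
    day = date.fromisoformat(day_iso)
    counts = hourly_counts(parse_flows(text), dst_ip)
    training = sorted({d for d, _ in counts} - {day})
    baseline = hour_of_day_baseline(counts, training)
    scores = score_day(counts, baseline, day)
    return {h: (counts.get((day, h), 0), round(z, 1))
            for h, z in scores.items() if z > threshold}


if __name__ == "__main__":
    # the 09:00 wave of 30 connections is not flagged; the 14:00 burst is
    print(flag_anomalies(build_sample_csv(), AD_SERVER, "2018-03-05"))
```

The hour-of-day baseline is the smallest model that captures the poster's point: the same count of 30 connections to the AD server scores 0 at 09:00, where the training days all show the login wave, and scores far above the threshold at 14:00, where the training days show only two connections. A per-source count over the same buckets would catch the case where the burst hides inside the morning wave; that dimension is left out here to keep the example to the post's "ignore ports, count connections" setting.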