Introduction to Risk Object
The risk object function inspects the sessions of a detected object from multiple angles. Based on the detection results, the historical statistics, and the threat information, the system analyzes the object's health status and forecasts risks that may occur in the future. The following are descriptions of the concepts used by the risk object function.
- Detected object: The object that is configured with the risk object function. Three types of detected object are supported: subnet, host/server, and service.
- Parameter: The basic statistical factor of a session, for example, the received bytes of inbound sessions per second. The statistical values of the parameters are used by the system to judge whether the detected object is abnormal or not.
- Baseline: The baseline is the benchmark for the parameters. Value of the baseline is calculated by the system according to the historical data.
- Abnormal parameter: When the parameter value is higher than the high threshold or is lower than the low threshold, the parameter is judged as abnormal. You can configure the high and low thresholds according to your own network situation, or you can use the thresholds calculated automatically by the system.
- Abnormal behavior: When one detected object has multiple abnormal parameters, the system analyzes the relationship among the abnormal parameters to determine whether an abnormal behavior has formed. If there is an abnormal behavior, the system sends an alarm message.
- Sensitivity level: If the high and low thresholds are not configured by the customer, the smaller the sensitivity level, the harder it is for the system to detect abnormalities (when the sensitivity level changes, the threshold values change accordingly to fit the sensitivity level).
- Score: The score shows the detected object's health status in the latest 24 hours. 80 to 100 indicates the detected object is healthy, 50 to 80 means the detected object is subhealthy, and a score lower than 50 means the detected object is unhealthy. It is a comprehensive score based on the detected object's threat status (for host/server) and traffic abnormality status (abnormal parameter values, abnormal behaviors).
- Traffic anomaly analysis signature database: The traffic anomaly analysis signature database includes the abnormality information of the traffic, which consists of a description of the abnormalities, the reason for the abnormalities, and the suggestions. The information in the database helps you analyze and resolve the abnormal problems. By default, StoneOS updates the database at a certain time every day, and you can modify the updating settings according to your own requirements. StoneOS supports automatic update and manual update.
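The following is an added illustrative model of the baseline, threshold, abnormal-parameter, abnormal-behavior and score concepts described above. It is not StoneOS code and does not reproduce the StoneOS algorithm: the baseline (mean of historical samples), the way sensitivity widens or narrows the automatic thresholds, the table of related parameters, and the score weights are all assumptions chosen here to show how the pieces fit together. The session statistics are constructed sample data.

```python
"""Illustrative baseline/threshold model for a risk object's parameters.

Assumed model (not the StoneOS algorithm):
  - baseline        = mean of the historical samples for a parameter
  - auto thresholds = baseline +/- k * stddev, with k = 6 - sensitivity,
                      so a higher sensitivity level (1..5) gives tighter bounds
  - abnormal param  = current value above the high or below the low threshold
  - abnormal behaviour = two related parameters abnormal at the same time
  - score           = 100 minus assumed penalties, mapped to the health bands
                      the documentation states (>=80 healthy, >=50 subhealthy).
"""
from statistics import mean, pstdev

# Assumed relationships between parameters that together form a behaviour.
RELATED_PARAMETERS = {
    ("inbound_bytes_per_sec", "inbound_sessions_per_sec"): "inbound traffic surge",
}

# Assumed score penalties (illustrative weights only).
PENALTY_ABNORMAL_PARAMETER = 15
PENALTY_ABNORMAL_BEHAVIOR = 10
PENALTY_THREAT_HIT = 20


def baseline(history):
    """Benchmark value for a parameter, derived from historical data."""
    return mean(history)


def auto_thresholds(history, sensitivity):
    """Low/high thresholds the system would derive itself for a sensitivity level 1..5."""
    if not 1 <= sensitivity <= 5:
        raise ValueError("sensitivity level must be between 1 and 5")
    k = 6 - sensitivity                      # smaller sensitivity -> wider band
    base, spread = baseline(history), pstdev(history)
    return base - k * spread, base + k * spread


def is_abnormal(value, low, high):
    """A parameter is abnormal when it leaves the [low, high] band."""
    return value > high or value < low


def abnormal_parameters(current, history, sensitivity, manual_thresholds=None):
    """Map each abnormal parameter to (value, low, high).

    Manually configured thresholds take precedence over automatic ones.
    """
    manual_thresholds = manual_thresholds or {}
    found = {}
    for name, value in current.items():
        if name in manual_thresholds:
            low, high = manual_thresholds[name]
        else:
            low, high = auto_thresholds(history[name], sensitivity)
        if is_abnormal(value, low, high):
            found[name] = (value, low, high)
    return found


def abnormal_behaviors(abnormal):
    """Names of behaviours whose related parameters are all abnormal together."""
    return [label for (a, b), label in RELATED_PARAMETERS.items()
            if a in abnormal and b in abnormal]


def health_status(score):
    """Health bands as stated in the documentation."""
    if score >= 80:
        return "healthy"
    if score >= 50:
        return "subhealthy"
    return "unhealthy"


def assess(current, history, sensitivity, manual_thresholds=None, threat_hits=0):
    """Full assessment of one detected object for the latest window."""
    abnormal = abnormal_parameters(current, history, sensitivity, manual_thresholds)
    behaviors = abnormal_behaviors(abnormal)
    score = max(0, 100
                - PENALTY_ABNORMAL_PARAMETER * len(abnormal)
                - PENALTY_ABNORMAL_BEHAVIOR * len(behaviors)
                - PENALTY_THREAT_HIT * threat_hits)
    return {"abnormal": abnormal, "behaviors": behaviors,
            "score": score, "status": health_status(score)}


# Constructed sample data: eight historical samples per parameter and one
# current sample in which inbound traffic has jumped far above its baseline.
SAMPLE_HISTORY = {
    "inbound_bytes_per_sec":    [1000, 1100, 950, 1050, 1000, 1020, 980, 1030],
    "inbound_sessions_per_sec": [10, 12, 11, 9, 10, 11, 12, 10],
    "outbound_bytes_per_sec":   [500, 520, 480, 510, 500, 490, 505, 495],
}
SAMPLE_CURRENT = {
    "inbound_bytes_per_sec": 5000,
    "inbound_sessions_per_sec": 60,
    "outbound_bytes_per_sec": 505,
}

if __name__ == "__main__":
    result = assess(SAMPLE_CURRENT, SAMPLE_HISTORY, sensitivity=3)
    for name, (value, low, high) in result["abnormal"].items():
        print(f"abnormal {name}: {value} outside [{low:.1f}, {high:.1f}]")
    print("behaviors:", result["behaviors"])
    print("score:", result["score"], result["status"])
```

Running the script with the constructed sample flags both inbound parameters, groups them into the "inbound traffic surge" behaviour, and yields a subhealthy score; adding a threat hit for a host/server pushes the same object into the unhealthy band, and a manual threshold pair for a parameter suppresses the automatic judgement for it.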