Information Content Functions

Detect anomalies in the amount of information contained in strings within a bucket. This can be used as a more sophisticated method to identify data exfiltration or command-and-control (C2C) activity when analyzing the size of the data in bytes alone is not sufficient.

Use high_info_content if you wish to monitor unusually high amounts of information. Use low_info_content if you wish to look at drops in information content.

  • info_content, high_info_content, low_info_content

info_content

  • fieldName: required
  • byFieldName: optional
  • overFieldName: optional

Example 1

{ "function" : "info_content", "fieldName" : "subdomain", "overFieldName" : "highest_registered_domain" }
  • Models the information present in the subdomain string
  • Detects anomalies where the information content is unusual compared to other highest_registered_domain values

An anomaly could indicate an abuse of the DNS protocol, such as malicious command and control activity. Both high and low values are considered anomalous. For many use cases, high_info_content is the more appropriate choice.

Example 2

{ "function" : "high_info_content", "fieldName" : "query", "overFieldName" : "src_ip" }
  • Models the information content held in the DNS query string
  • Detects src_ip values where the information content is unusually high compared to other src_ip values

Similar to the first example, but only reports anomalies where the amount of information content is higher than expected. This configuration identifies activity typical of DGA malware.

Example 3

{ "function" : "low_info_content", "fieldName" : "message", "byFieldName" : "logfilename" }
  • Models the information content present in the message string for each logfilename
  • Detects anomalies where the information content is low compared to that logfilename's own past

This will detect unusually low amounts of information in a collection of rolling log files. Low information may indicate that a process has entered an infinite loop or logging features may have been disabled.
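The following is an added illustration of the three detector shapes above (Examples 1 and 2 compare one entity against the other entities in the bucket via overFieldName; Example 3 compares an entity against its own history via byFieldName). It is example code written for this page, not the product's implementation. Two assumptions are made and labelled in the code: "information content" is approximated by the total Shannon entropy of the string (bits per character times length), since the page does not state the real estimator, and "unusual" is approximated by a standard score beyond a fixed threshold rather than the product's probability model. All DNS records and log messages are constructed sample data.

```python
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev


def info_content(s: str) -> float:
    """Approximate information content of a string in bits.

    Assumption for this example: Shannon entropy per character multiplied by the
    length. The page does not specify the estimator the real info_content
    function uses, so this is a stand-in, not the product's algorithm.
    """
    if not s:
        return 0.0
    n = len(s)
    return -n * sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def zscore(value: float, population) -> float:
    """Standard score of value against a population (0.0 when the population is constant)."""
    mu, sigma = mean(population), pstdev(population)
    return (value - mu) / sigma if sigma else 0.0


def is_anomalous(z: float, direction: str, threshold: float) -> bool:
    """direction mirrors the three functions: 'high', 'low' or 'both' (plain info_content)."""
    if direction == "high":
        return z > threshold
    if direction == "low":
        return z < -threshold
    return abs(z) > threshold


def detect_over(records, field, over_field, direction="both", threshold=2.0):
    """Example 1/2 shape: compare each over_field value with the other over_field values.

    Returns {over_value: z} for the values flagged in the requested direction.
    """
    per_group = defaultdict(list)
    for r in records:
        per_group[r[over_field]].append(info_content(r[field]))
    group_mean = {g: mean(v) for g, v in per_group.items()}
    flagged = {}
    for g, m in group_mean.items():
        z = zscore(m, list(group_mean.values()))
        if is_anomalous(z, direction, threshold):
            flagged[g] = round(z, 2)
    return flagged


def detect_by(history_buckets, current_bucket, field, direction="low", threshold=2.0):
    """Example 3 shape: compare one by_field entity's current bucket with its own past buckets.

    Each bucket is a list of records; a bucket's value is the mean info content of
    `field`. Returns (flagged, z).
    """
    def bucket_value(bucket):
        return mean(info_content(r[field]) for r in bucket)

    history = [bucket_value(b) for b in history_buckets]
    z = zscore(bucket_value(current_bucket), history)
    return is_anomalous(z, direction, threshold), round(z, 2)


# Constructed sample DNS records: nine hosts resolve the same ordinary names, one
# host resolves long high-entropy labels of the kind a DGA produces.
ORDINARY = ["www.example.com", "mail.example.com", "cdn.example.com"]
DGA_LIKE = ["xq7zk29fp3lw.example.net", "b8v4tr0mq5ch.example.net", "k2ns6wy1jd9e.example.net"]
DNS_RECORDS = [
    {"src_ip": f"10.0.0.{i}", "query": q} for i in range(1, 10) for q in ORDINARY
] + [{"src_ip": "10.0.0.99", "query": q} for q in DGA_LIKE]

# Constructed sample log buckets for one logfilename: four past buckets of varied
# messages, then a bucket in which a process just repeats a single short line.
LOG_HISTORY = [
    [{"message": f"2024-05-0{d} 10:00:01 INFO user {u} logged in from 10.1.2.{d}"},
     {"message": f"2024-05-0{d} 10:00:07 INFO order {n} placed by {u}"},
     {"message": f"2024-05-0{d} 10:00:09 WARN slow query took {n % 900} ms"}]
    for d, u, n in [(1, "alice", 48213), (2, "bob", 51907), (3, "carol", 60342), (4, "dave", 73155)]
]
LOG_LOOPING = [{"message": "retrying"}] * 3

if __name__ == "__main__":
    # high_info_content over src_ip flags only the DGA-like host.
    print("high_info_content over src_ip:", detect_over(DNS_RECORDS, "query", "src_ip", "high"))
    # low_info_content by logfilename flags the bucket of repeated short lines.
    print("low_info_content by logfilename:", detect_by(LOG_HISTORY, LOG_LOOPING, "message"))
```

The "over" detector ranks each src_ip against the population of src_ips in the same bucket, which is why nine ordinary hosts make the tenth stand out; the "by" detector keeps a per-entity history, so the same short-message bucket would only be flagged for a logfilename whose past buckets were richer. Note that a population or history with zero spread yields a score of 0.0 here; the real product handles that case with its own model rather than this guard.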