Information Content Functions

Detects anomalies in the amount of information contained in strings within a bucket. This is a more sophisticated way to identify data exfiltration or command and control (C2) activity than analyzing the size in bytes of the data alone: encoded payloads smuggled into DNS labels or query strings carry far more information per byte than ordinary hostnames do, even when the total byte count is unremarkable.

info_content(field1) [by <field2>] [over <field3>]
high_info_content(field1) [by <field2>] [over <field3>]
low_info_content(field1) [by <field2>] [over <field3>]

Note: Further configuration options are available, which are described in the Detector Configuration section:

function(field1) [by <field2>] [over <field3>] [partitionfield=<field4>] [summarycountfield=<field5>] [categorizationfield=<field6>] [excludefrequent=true] [usenull=true]

info_content

info_content(subdomain) over highest_registered_domain
  • Models the information present in the subdomain string
  • Detects anomalies where the information content is unusual compared to the other highest_registered_domains

An anomaly could indicate abuse of the DNS protocol, such as malicious command and control activity. Both unusually high and unusually low values are reported as anomalous, so in many use cases high_info_content is the more appropriate choice.

high_info_content

high_info_content(query) over src_ip
  • Models the information content held in the DNS query string
  • Detects source IPs where the information content is unusually high compared to other source IPs

Similar to the first example, but it only reports anomalies where the amount of information content is higher than expected. This configuration identifies activity typical of DGA malware, whose generated domain names look random and therefore carry much more information than human-chosen hostnames.

low_info_content

low_info_content(message) by logfilename
  • Models the information content present in the message string for each logfilename
  • Detects anomalies where the information content is low compared to that logfilename's own past

This detects unusually low amounts of information in a collection of rolling log files. Low information content may indicate that a process has entered an infinite loop and is writing the same message repeatedly, or that logging has been disabled.
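The following is an added example, not code from the original page or from the product it documents, that reproduces the high_info_content(query) over src_ip and low_info_content(message) by logfilename configurations above on constructed data. It uses the zlib-compressed size of a bucket's strings as the information measure; that is an assumption standing in for the product's own measure, which the page does not describe. The "over" detector compares each key with the other keys in the same bucket, and the "by" detector compares each key with its own earlier buckets; the 3-sigma threshold and the floor on the spread are likewise assumptions.

```python
"""Toy information-content detector with 'over' and 'by' semantics.
The measure (zlib size), the threshold and the sample data are assumptions."""
import zlib
from collections import defaultdict
from statistics import mean, pstdev


def info_content(strings):
    """Information content of a bucket's strings: byte size after zlib compression.
    Repetitive, low-entropy text shrinks a lot; random-looking text (DGA labels,
    base32 blobs in DNS tunnels) hardly shrinks at all.  Assumed measure."""
    return len(zlib.compress("\n".join(strings).encode("utf-8"), 9))


def score_buckets(records):
    """records: iterable of (bucket, key, value).  Returns {bucket: {key: score}}."""
    groups = defaultdict(lambda: defaultdict(list))
    for bucket, key, value in records:
        groups[bucket][key].append(value)
    return {b: {k: info_content(v) for k, v in keys.items()} for b, keys in groups.items()}


def _sigma(sample, mu):
    # Floor the spread so a near-identical baseline cannot turn tiny deviations into huge z-scores.
    return max(pstdev(sample), 0.05 * mu, 1.0)


def _flag(side, z, threshold):
    if side in ("both", "high") and z >= threshold:
        return "high"
    if side in ("both", "low") and z <= -threshold:
        return "low"
    return None


def detect_over(records, side="both", threshold=3.0):
    """'over' semantics: each key's score is compared with the other keys in the
    same bucket (leave-one-out baseline)."""
    anomalies = []
    for bucket, scores in sorted(score_buckets(records).items()):
        for key, score in scores.items():
            others = [v for k, v in scores.items() if k != key]
            if len(others) < 2:
                continue
            mu = mean(others)
            kind = _flag(side, (score - mu) / _sigma(others, mu), threshold)
            if kind:
                anomalies.append((bucket, key, kind, score, round(mu, 1)))
    return anomalies


def detect_by(records, side="both", threshold=3.0, min_history=3):
    """'by' semantics: each key's score is compared with its own earlier buckets."""
    per_bucket = score_buckets(records)
    history = defaultdict(list)
    anomalies = []
    for bucket in sorted(per_bucket):
        for key, score in per_bucket[bucket].items():
            past = history[key]
            if len(past) >= min_history:
                mu = mean(past)
                kind = _flag(side, (score - mu) / _sigma(past, mu), threshold)
                if kind:
                    anomalies.append((bucket, key, kind, score, round(mu, 1)))
            past.append(score)
    return anomalies


# Constructed DNS queries for one bucket: four ordinary hosts and one host (10.0.0.5)
# whose queries carry base32-looking labels, as a DNS tunnel or DGA client would produce.
DNS_QUERIES = [
    (1, "10.0.0.1", "www.example.com"), (1, "10.0.0.1", "mail.example.com"), (1, "10.0.0.1", "cdn.example.net"),
    (1, "10.0.0.2", "login.example.com"), (1, "10.0.0.2", "api.example.com"), (1, "10.0.0.2", "ntp.pool.org"),
    (1, "10.0.0.3", "www.example.org"), (1, "10.0.0.3", "update.vendor.com"), (1, "10.0.0.3", "time.example.net"),
    (1, "10.0.0.4", "www.example.com"), (1, "10.0.0.4", "crl.vendor.com"), (1, "10.0.0.4", "ocsp.vendor.com"),
    (1, "10.0.0.5", "mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.t.example.com"),
    (1, "10.0.0.5", "nbswy3dpfqqho33snrscaylsmuqhs33vebtgk2lnnvsq.t.example.com"),
    (1, "10.0.0.5", "orsxg5brga2tamzvgy3tqojqkrugkidrovuwg2zamjzg.t.example.com"),
]


def _app_log(bucket):
    """Constructed normal app.log traffic for one bucket: varied messages."""
    return [
        (bucket, "app.log", f"request id={1000 * bucket + 1} user=alice path=/api/orders status=200 took=12ms"),
        (bucket, "app.log", f"request id={1000 * bucket + 2} user=bob path=/api/cart status=404 took=3ms"),
        (bucket, "app.log", f"cache miss key=session:{bucket}a7f3 backend=redis-02"),
        (bucket, "app.log", f"worker {bucket} flushed 17 rows to db-primary in 41ms"),
    ]


# Buckets 1-4 are normal; in bucket 5 app.log only repeats one line (a process stuck in a loop).
LOG_MESSAGES = (
    [rec for b in range(1, 5) for rec in _app_log(b)]
    + [(5, "app.log", "worker 5 retrying connection to db-primary (attempt 1)")] * 4
    + [(b, "auth.log", m) for b in range(1, 6) for m in ("session opened for user alice", "session closed for user alice")]
)

if __name__ == "__main__":
    print("high_info_content(query) over src_ip:", detect_over(DNS_QUERIES, side="high"))
    print("low_info_content(message) by logfilename:", detect_by(LOG_MESSAGES, side="low"))
```

Running the block flags only 10.0.0.5 on the high side of the DNS data and only bucket 5 of app.log on the low side of the log data; the ordinary hosts and the constant auth.log stay quiet even though their byte counts are not far from the anomalous ones, which is the point of measuring information content rather than size.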
