Guide: Risk Score Overview
Keywords: EdgeOS, Kognitive Cloud
Overview
This guide explains how risk scoring is applied to network traffic within the Kognitive DPI (Deep Packet Inspection) solution and Kognitive Cloud reporting. It describes how each traffic flow is analyzed by the DPI engine, how risk types and associated numerical risk scores are assigned based on threat characteristics, and how the average risk score for a device is reported for visibility and analysis. By following this guide, you will understand what a risk score represents, how higher scores indicate riskier traffic patterns, and how to interpret and use risk scores in the Activity reports to identify and investigate potential security concerns.
Kognitive Deep Packet Inspection solution utilizes nDPI with Netify optimization; with nDPI providing an application risk type and score for each flow analyzed. There are 50+ risk types identified with more coming, and each risk type has a set risk ‘level’ score, with the risk score being a numerical value that represents how ‘risky’ is a flow: the higher the score, the more “risky” the flow. Using this technique, one can spot flows that are more suspicious and may require device/network attention.
Kognitive DPI system calculates the top 5% flow risk average for each device in the network, and reports this in the Service Portal Activity Report. From here, one can click each devices risk score value and the “risk type” are presented that are within that top 5% risks. If one requires more detail, a report can be generated including the flow data and thus all flow risks can be analyzed.
Activity
Flow Risk Scores and Types
The flow risk score and types are set by the nDPI development organization and is a relatively new concept that is evolving.
The current ‘Risk Type” values are listed here.
Netify ID | Risk | Severity | Score |
1 | XSS Attack | Severe | 250 |
2 | SQL Injection | Severe | 250 |
3 | RCE Injection | Severe | 250 |
4 | Binary App Transfer | Severe | 250 |
5 | Known Proto on Non Std Port | Medium | 50 |
6 | Self-signed Cert | High | 100 |
7 | Obsolete TLS (v1.1 or older) | High | 100 |
8 | Weak TLS Cipher | High | 100 |
9 | TLS Cert Expired | High | 100 |
10 | TLS Cert Mismatch | High | 100 |
11 | HTTP Suspicious User-Agent | High | 100 |
12 | HTTP Numeric IP Address | Low | 10 |
13 | HTTP Suspicious URL | High | 100 |
14 | HTTP Suspicious Header | High | 100 |
15 | TLS (probably) Not Carrying HTTPS | Low | 10 |
16 | Suspicious DGA Domain name | High | 100 |
17 | Malformed Packet | Low | 10 |
18 | SSH Obsolete Cli Vers/Cipher | High | 100 |
19 | SSH Obsolete Ser Vers/Cipher | Medium | 50 |
20 | SMB Insecure Vers | High | 100 |
21 | TLS Suspicious ESNI Usage | Medium | 50 |
22 | Unsafe Protocol | Low | 10 |
23 | Suspicious DNS Traffic | High | 100 |
24 | Missing SNI TLS Extn | Medium | 50 |
25 | HTTP Suspicious Content | High | 100 |
26 | Risky ASN | Medium | 50 |
27 | Risky Domain Name | Medium | 50 |
28 | Malicious JA3 Fingerp. | Medium | 50 |
29 | Malicious SSL Cert/SHA1 Fingerp | Medium | 50 |
30 | Desktop/File Sharing | Low | 10 |
31 | Uncommon TLS ALPN | Medium | 50 |
32 | TLS Cert Validity Too Long | Medium | 50 |
33 | TLS Suspicious Extn | High | 100 |
34 | TLS Fatal Alert | Low | 10 |
35 | Suspicious Entropy | Medium | 50 |
36 | Clear-Text Credentials | High | 100 |
37 | Large DNS Packet (512+ bytes) | Medium | 50 |
38 | Fragmented DNS Message | Medium | 50 |
39 | Text With Non-Printable Chars | High | 100 |
40 | Possible Exploit | Severe | 250 |
41 | TLS Cert About To Expire | Medium | 50 |
42 | IDN Domain Name | Low | 10 |
43 | Error Code | Low | 10 |
44 | Crawler/Bot | Low | 10 |
45 | Anonymous Subscriber | Medium | 50 |
46 | Unidirectional Traffic | Low | 10 |
Flow Risk Score – Risk Threat Range
The nDPI defines the integrated threat or risk score in a range of 0 to 250.
NDPI Score Risk | Score |
LOW | 10 |
MEDIUM | 50 |
HIGH | 100 |
SEVERE | 150 |
CRITICAL | 200 |
EMERGENCY | 250 |