Glossary

Activity

An activity is the generic term to describe any of the more specific types of communication -- Enriched Secflows, Destinations, Behaviors, and Events -- seen in the system.

Attack Vector

An Attack Vector is activity known to be used to start attacks. While seeing something labeled as an Attack Vector does not definitively mean that it did act as the Attack Vector in a particular sample, these activities are the most likely places where an attack may have begun.

Behavior

A Behavior refers to an Enriched Secflow that has been enriched with additional metadata, such as what the behavior is, what it means, and its relevance. This is useful for describing certain kinds of behavior known to be associated with this Enriched Secflow.

Screenshot of a Behavior

Common Activity

Common Activity refers to activity in a sample that is commonly seen globally. While it can provide useful context as to what kinds of activity occurred in a potential attack, on its own it is not an indicator of malicious behavior.

Destination

A Destination (note the capital D) refers to a destination FQDN (such as mail.google.com) that has been enriched with additional metadata, such as title, description, and relevance. This is useful for providing users with some basic information about the purpose of a destination when more specific information about its particular flow categories is not known.

Screenshot of a Destination

Duration

Duration refers to the amount of time (in seconds) that a particular activity lasted within a sample.

Screenshot of Duration

Enriched Secflow

This is a Secflow record that has been labeled with the appropriate flow category. These flow categories are proprietary and are only available for data that has been processed by NetworkSage.

Screenshot of Enriched Secflows

Event

An Event refers to a metadata-enriched group of two to five Behaviors that have occurred in order and whose relative start times are separated by no more than a specified time period. This is useful for describing more complex activity -- such as user behavior -- that spans more than one Behavior.
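As an added illustration of the Event definition above (this is example code, not NetworkSage's own), the function below walks Behaviors in order of Relative Start Time and collects runs whose consecutive start times are no more than `max_gap` seconds apart, capped at five Behaviors per Event. The `Behavior` record, the `max_gap` parameter (standing in for the page's unspecified "specified time period"), measuring the gap between consecutive Behaviors rather than first-to-last, and starting a fresh Event when a run exceeds five are all assumptions of this example.

```python
"""Group Behaviors into Events by relative start time (added example, not NetworkSage code)."""
from dataclasses import dataclass

MAX_BEHAVIORS_PER_EVENT = 5   # "two to five Behaviors" per the glossary
MIN_BEHAVIORS_PER_EVENT = 2


@dataclass(frozen=True)
class Behavior:
    """Constructed minimal record: a labeled flow plus when it began in the sample."""
    name: str
    relative_start: float  # seconds after the beginning of the sample


def group_events(behaviors, max_gap: float):
    """Return a list of Events, each a list of 2..5 Behaviors in start-time order.

    Assumptions: the gap test is applied between consecutive Behaviors, and a run
    longer than five simply starts a new Event. Lone Behaviors are not Events.
    """
    ordered = sorted(behaviors, key=lambda b: b.relative_start)
    events, current = [], []
    for b in ordered:
        too_late = current and b.relative_start - current[-1].relative_start > max_gap
        full = len(current) == MAX_BEHAVIORS_PER_EVENT
        if too_late or full:
            if len(current) >= MIN_BEHAVIORS_PER_EVENT:
                events.append(current)
            current = []
        current.append(b)
    if len(current) >= MIN_BEHAVIORS_PER_EVENT:
        events.append(current)
    return events


# Constructed sample: a page load at the start of the sample, an upload 40 s
# later, and an isolated keep-alive near the end that joins no Event.
SAMPLE_BEHAVIORS = [
    Behavior("dnsQuery", 0.0),
    Behavior("tlsNegotiationOnly", 0.3),
    Behavior("someContentDownloaded", 1.1),
    Behavior("largeUpload", 40.0),
    Behavior("keepAlive", 41.5),
    Behavior("keepAlive", 100.0),
]

if __name__ == "__main__":
    for event in group_events(SAMPLE_BEHAVIORS, max_gap=5.0):
        print([f"{b.name}@{b.relative_start}s" for b in event])
```

With a 5-second gap the sample yields two Events: the three-Behavior page load and the upload followed by its keep-alive; the Behavior at 100 s is dropped because an Event needs at least two members.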

Screenshot of an Event

Flow Category

A Flow Category is a label that is automatically applied to a Secflow based on its directionality, magnitude of data sent, "fullness" of packets, and duration. The following labels may be encountered in NetworkSage:

| Flow Category | Description | Interestingness |
| --- | --- | --- |
| minorContentDownloadedQuickly | In no more than 1 second, the server has sent at least 2x as much data back to the client as the client has sent to it. Moreover, the server sends a constant stream of nearly-full packets, usually meaning that it is one piece of content being requested. However, the server sent less than 10 KB of total data. | Medium. This often occurs when background icons and scripts are loading for a website. If the site is common, it's likely uninteresting. |
| someContentDownloadedQuickly | In no more than 1 second, the server has sent at least 2x as much data back to the client as the client has sent to it. Moreover, the server sends a constant stream of nearly-full packets, usually meaning that it is one piece of content being requested. The total amount of data downloaded falls somewhere between 10 KB and 1 MB. | High. This often indicates some larger content (such as a script or an image file) is loaded. |
| majorContentDownloadedQuickly | In no more than 1 second, the server has sent at least 2x as much data back to the client as the client has sent to it. Moreover, the server sends a constant stream of nearly-full packets, usually meaning that it is one piece of content being requested. The total amount of data downloaded is at least 1 MB. | High. This often indicates some significant content (such as a PDF or ZIP file) is loaded. |
| minorResourcesDownloadedQuickly | In no more than 1 second, the server has sent at least 2x as much data back to the client as the client has sent to it. However, since the packets are less "full," this usually means that more than one resource is being downloaded. In this case, the server sent less than 10 KB of total data. | Medium. This often indicates the download of multiple small resources for a loading website. If the site is common, it's likely uninteresting. |
| someResourcesDownloadedQuickly | In no more than 1 second, the server has sent at least 2x as much data back to the client as the client has sent to it. However, since the packets are less "full," this usually means that more than one resource is being downloaded. In this case, the server sent between 10 KB and 1 MB of total data. | High. This often indicates the download of multiple small or medium-sized resources for a loading website. |
| majorResourcesDownloadedQuickly | In no more than 1 second, the server has sent at least 2x as much data back to the client as the client has sent to it. However, since the packets are less "full," this usually means that more than one resource is being downloaded. In this case, the server sent at least 1 MB of data. | High. This often corresponds to multiple medium or large resources being requested. |
| minorContentDownloaded | In a period of time between 1 and 10 seconds, the server has sent at least 2x as much data back to the client as the client has sent to it. Moreover, the server sends a constant stream of nearly-full packets, usually meaning that it is one piece of content being requested. However, the server sent less than 10 KB of total data. | Low. This commonly occurs when background icons and scripts are loading for a website. This length of time can indicate that either a website was only open for a short period of time, or the server had to do some meaningful processing before sending its data. |
| someContentDownloaded | In a period of time between 1 and 10 seconds, the server has sent at least 2x as much data back to the client as the client has sent to it. Moreover, the server sends a constant stream of nearly-full packets, usually meaning that it is one piece of content being requested. The total amount of data downloaded falls somewhere between 10 KB and 1 MB. | High. This often indicates some larger content (such as a script or an image file) is loaded. Because of the period of time open, either a site was open briefly before closing, or the site is doing some meaningful processing before sending some data back to the user. |
| majorContentDownloaded | In a period of time between 1 and 10 seconds, the server has sent at least 2x as much data back to the client as the client has sent to it. Moreover, the server sends a constant stream of nearly-full packets, usually meaning that it is one piece of content being requested. The total amount of data downloaded is at least 1 MB. | High. This often indicates some significant content (such as a site's UI, or a PDF or ZIP file) is loaded. This length of time can indicate that either a website was only open for a short period of time, or the server had to do some meaningful processing before sending its data. |
| minorResourcesDownloaded | In a period of time between 1 and 10 seconds, the server has sent at least 2x as much data back to the client as the client has sent to it. However, since the packets are less "full," this usually means that more than one resource is being downloaded. In this case, the server sent less than 10 KB of total data. | Low. This can indicate the download of multiple small resources for a loading website. This length of time can indicate that either a website was only open for a short period of time, or the server had to do some meaningful processing before sending its data. |
| someResourcesDownloaded | In a period of time between 1 and 10 seconds, the server has sent at least 2x as much data back to the client as the client has sent to it. However, since the packets are less "full," this usually means that more than one resource is being downloaded. In this case, the server sent between 10 KB and 1 MB of total data. | High. This can indicate the download of multiple small or medium-sized resources for a loading website. This length of time can indicate that either a website was only open for a short period of time, or the server had to do some meaningful processing before sending its data. |
| majorResourcesDownloaded | In a period of time between 1 and 10 seconds, the server has sent at least 2x as much data back to the client as the client has sent to it. However, since the packets are less "full," this usually means that more than one resource is being downloaded. In this case, the server sent at least 1 MB of data. | High. This often corresponds to multiple medium or large resources being requested. This length of time can indicate that either a website was only open for a short period of time (which could be more suspicious given the amount of data loaded), or the server had to do some meaningful processing before sending its data. |
| minorDataDownloadedViaLongSession | Over the course of 10 or more seconds, the server has sent at least 2x as much data back to the client as the client has sent to it. In this case, the server sent less than 10 KB of total data. | Low. The combination of duration and download magnitude often (though not always!) indicates that the session is associated with a website that a user is actively browsing, and that it is used for downloading small amounts of data (such as ads, emails, icons, metrics) for the site over time. |
| someDataDownloadedViaLongSession | Over the course of 10 or more seconds, the server has sent at least 2x as much data back to the client as the client has sent to it. In this case, the server sent between 10 KB and 1 MB of data. | High. The combination of duration and download magnitude often (though not always!) indicates that the session is associated with a website that a user is actively browsing, and that it is used to load one or more meaningful aspects of a site (such as parts of the UI, login portals, input fields, etc.). |
| majorDataDownloadedViaLongSession | Over the course of 10 or more seconds, the server has sent at least 2x as much data back to the client as the client has sent to it. In this case, the server sent at least 1 MB of total data. | High. The combination of duration and download magnitude often (though not always!) indicates that the session is associated with a website that a user is actively browsing, and that a significant amount of data is being downloaded (such as large file[s], sites with a lot of content, and so on). |
| singleResourceLoaded | The flow of packets to/from the client and server is relatively balanced, no clear upload or download behavior exists, neither side has sent more than 10 KB of data, and the session is no longer than 10 seconds. | Medium. This occurs most often when a single resource or very small file is loaded. |
| asNeededChannel | The client or server is sending data in a long-lived session in a very "gappy" fashion. | Medium. This is often seen in long-lived connections with short bursts of behavior, though it also captures low-and-slow tunneling behavior. |
| smallUpload | At least twice as much data was observed being sent from the client to the server, but the client still sent no more than 1 MB of data. | Medium. |
| largeUpload | At least 3x as much data was observed being sent from the client to the server, and the client sent more than 1 MB of data. | High. This can correspond to exfiltration activity, for example. |
| unclassified | The behavior observed in this session does not match any currently known patterns. If you would like to suggest a new category, please contact us! | High. Unclassified activity is usually worthwhile to understand, especially when there are multiple communications to a site in rapid succession. |
| continuousClientChannel | The client is sending data to the server, but the server is only acknowledging receipt. The session is also longer than 10 seconds. | Medium. This could potentially identify C2 communications, among other uncommonly-seen activity. |
| continuousServerChannel | The server is sending data to the client, but the client is only acknowledging receipt. The session is also longer than 10 seconds. | Medium. |
| unidirectional | Packets were sent to the server, but no packets were received. This is less specific than a failedConnection flow. | Medium. It could identify a malicious application attempting to communicate with a downed (or not-yet-up) site. |
| keepAlive | Only a couple of packets (without any meaningful payload data) were observed to and/or from the server for at least 2 seconds. | Low. This is often used to keep a connection alive for an extended time. A common scenario is when a user has many browser tabs open. |
| tlsNegotiationOnly | Very few packets (with potentially just enough data to transfer a certificate) were seen within a sub-second duration. | Low. This most often indicates that a TLS session was established but not used. |
| failedConnection | Only small packets suspected not to contain any payload were sent to the server. No packets were received. | Low, though it may be useful for diagnostics or for identifying sites that have been taken down. |
| closedSession | No data was transmitted, few packets were exchanged, and the session lasted less than 2 seconds. | Low. This usually corresponds to a session being closed (i.e. via TCP FIN or RST). |
| dnsQuery | A DNS query was observed on port 53. | Low, unless the DNS server being used is unexpected for your environment. |
| dotsQuery | Traffic to the server on TCP port 853 (which is associated with DNS over TLS) was observed. | Low, unless you do not expect to see DNS over TLS in your environment. |
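To make the thresholds in the table concrete, the following is an added example that turns the published descriptions into explicit, testable rules over a minimal flow record. It is not NetworkSage's classifier (the flow categories are proprietary and the real labeling logic is not on this page): the `Secflow` field names, the 0.9 payload-to-MSS ratio used to decide whether packets are "nearly full", and the cut-off of six packets for "a couple"/"few" are assumptions of this example. Categories that need inter-packet timing (asNeededChannel) or certificate-size heuristics (tlsNegotiationOnly) are not modeled and fall through to unclassified; the example also makes visible a gap the table leaves open, where an upload of more than 1 MB at between 2x and 3x the server's volume matches neither upload row.

```python
"""Rule-based reading of the Flow Category table (added example, not NetworkSage code).

Thresholds (1 s / 10 s, 10 KB / 1 MB, 2x / 3x) are taken from the table; field
names, the packet-fullness ratio and the "few packets" cut-off are assumptions.
"""
from dataclasses import dataclass

KB, MB = 1_000, 1_000_000
MSS = 1460               # typical TCP payload per full packet (assumption)
FULL_PACKET_RATIO = 0.9  # assumption: mean payload/MSS >= this => "nearly-full"
FEW_PACKETS = 6          # assumption: "a couple" / "few" packets


@dataclass(frozen=True)
class Secflow:
    """Minimal per-flow counters these rules need (constructed for the example)."""
    proto: str                 # "tcp" or "udp"
    dst_port: int
    duration: float            # seconds
    client_bytes: int          # payload bytes client -> server
    server_bytes: int          # payload bytes server -> client
    client_pkts: int           # all packets client -> server, empty ACKs included
    server_pkts: int           # all packets server -> client
    server_data_pkts: int = 0  # server packets that carried payload


def _size_tier(n: int) -> str:
    return "minor" if n < 10 * KB else "some" if n < MB else "major"


def _server_packets_full(f: Secflow) -> bool:
    """'Content' = one object streamed in nearly-full packets; otherwise 'Resources'."""
    return f.server_data_pkts > 0 and (
        f.server_bytes / f.server_data_pkts / MSS >= FULL_PACKET_RATIO)


def classify(f: Secflow) -> str:
    # Port-defined categories first: the table defines them by port alone.
    if f.dst_port == 53:
        return "dnsQuery"
    if f.proto == "tcp" and f.dst_port == 853:
        return "dotsQuery"
    # Nothing came back: empty probes vs. payload sent into the void.
    if f.server_pkts == 0:
        return "failedConnection" if f.client_bytes == 0 else "unidirectional"
    # Packets both ways but no payload in either direction.
    if f.client_bytes == 0 and f.server_bytes == 0:
        if f.duration < 2 and f.client_pkts + f.server_pkts <= FEW_PACKETS:
            return "closedSession"
        return "keepAlive" if f.duration >= 2 else "unclassified"
    # One side talks for more than 10 s while the other only acknowledges.
    if f.duration > 10 and f.server_bytes == 0:
        return "continuousClientChannel"
    if f.duration > 10 and f.client_bytes == 0:
        return "continuousServerChannel"
    # Download-dominated: server sent at least 2x what the client sent.
    if f.server_bytes >= 2 * f.client_bytes:
        tier = _size_tier(f.server_bytes)
        if f.duration >= 10:
            return f"{tier}DataDownloadedViaLongSession"
        kind = "Content" if _server_packets_full(f) else "Resources"
        return f"{tier}{kind}Downloaded" + ("Quickly" if f.duration <= 1 else "")
    # Upload-dominated. The table leaves >1 MB at 2x..3x unmatched, so it is unclassified.
    if f.client_bytes >= 3 * f.server_bytes and f.client_bytes > MB:
        return "largeUpload"
    if f.client_bytes >= 2 * f.server_bytes and f.client_bytes <= MB:
        return "smallUpload"
    # Balanced, small and short.
    if max(f.client_bytes, f.server_bytes) <= 10 * KB and f.duration <= 10:
        return "singleResourceLoaded"
    return "unclassified"


# Interestingness column of the table, for triage ordering.
HIGH = {"someContentDownloadedQuickly", "majorContentDownloadedQuickly",
        "someResourcesDownloadedQuickly", "majorResourcesDownloadedQuickly",
        "someContentDownloaded", "majorContentDownloaded", "someResourcesDownloaded",
        "majorResourcesDownloaded", "someDataDownloadedViaLongSession",
        "majorDataDownloadedViaLongSession", "largeUpload", "unclassified"}
MEDIUM = {"minorContentDownloadedQuickly", "minorResourcesDownloadedQuickly",
          "singleResourceLoaded", "asNeededChannel", "smallUpload", "unidirectional",
          "continuousClientChannel", "continuousServerChannel"}


def interestingness(category: str) -> str:
    return "High" if category in HIGH else "Medium" if category in MEDIUM else "Low"


# Constructed sample flows (not captured data) covering the main branches.
SAMPLE_FLOWS = [
    Secflow("tcp", 443, 0.4, 600, 4_200, 6, 5, server_data_pkts=3),
    Secflow("tcp", 443, 3.2, 2_000, 250_000, 40, 200, server_data_pkts=180),
    Secflow("tcp", 443, 45.0, 20_000, 1_500_000, 900, 1_200, server_data_pkts=1_100),
    Secflow("tcp", 443, 8.0, 3_000_000, 40_000, 2_500, 1_200, server_data_pkts=30),
    Secflow("tcp", 4444, 600.0, 50_000, 0, 100, 90),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        cat = classify(flow)
        print(f"{flow.dst_port:>5} {flow.duration:>7.2f}s  {cat:<36} {interestingness(cat)}")
```

The ordering of the checks matters: port-based rules and "nothing received" rules run before the byte-ratio rules so that a failed connection or a DNS lookup is never mislabeled as a tiny download, and the continuous-channel rules run before the upload rule so that a client that streams for minutes to a server that only acknowledges is not reduced to smallUpload.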

Impact

An Impact is activity known to have a negative impact on the organization or user who has uploaded a sample. This is useful for identifying what things may need to be addressed based on an attack.

Malicious Activity

Malicious Activity refers to activity in a sample that is associated with known malicious destinations, i.e. destinations that are publicly known to be bad.

Relative Start Time

The Relative Start Time refers to how long (in seconds) after the beginning of a sample a given activity begins. It can be used to understand when activities are spaced far apart or grouped together.

Screenshot of Relative Start Time

Relevance

Relevance refers to what kind of role some activity generally plays on the Internet. Relevance will influence where activity appears in NetworkSage, as well as how prominently it is displayed. The three possible values are found below.

| Category | Description |
| --- | --- |
| knownBad | Activities labeled as knownBad are known to be malicious to the NetworkSage community. They should be treated with high priority. |
| knownUninteresting | Activities labeled as knownUninteresting are known to be uninteresting to the NetworkSage community. Details about the activity will often be included in the activity's metadata. |
| seenNearBad | Activities labeled as seenNearBad have been known to appear near bad activity, though they themselves are not malicious. This often captures activity to file-sharing sites, authentication portals, and other interesting activity. |

Relevance values can be set by users who are Content Creators when saving metadata about an activity, as seen below.

Screenshot of Relevance values

Sample

A sample is a group of one or more activities that has been uploaded to NetworkSage. Samples can be either public or private (for paid users).

Secflow

A Secflow is a record that contains all of the fields NetworkSage needs to identify and label some network traffic. In order to support a new input format, these are the fields that must be provided. Note that Secflows differ from Enriched Secflows in that the former do not have the proprietary flow category applied to each record.

Suspicious Activity

Suspicious Activity refers to activity in a sample that is uncommonly seen globally, has not been observed for very long, and is not known to be involved in the other types of activity. Understanding Suspicious Activity -- and how it relates to the other activities in the sample -- should be the highest priority.