Encryption & Payload Entropy
Per-flow Shannon entropy (bits/byte) computed over sampled payload. High entropy (≥ 7.5) indicates encrypted, compressed, or random data. Low entropy + many printable bytes indicates plaintext. The full byte distribution and a windowed entropy curve are available in the payload_entropy parquet for forensic drill-down.
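As an added illustration of how the per-flow figure and the windowed curve are produced (example code written for this page, not the collector's own implementation): the entropy is the standard Shannon estimate over the byte histogram of the sampled payload, and the classification rule follows the thresholds stated above. The `PRINTABLE` set, the 6.0 bits/byte "low" cut-off, the 0.9 printable ratio, the 256-byte window and the sample payloads are all assumptions constructed here.

```python
import hashlib
import math
from collections import Counter

# Printable ASCII plus tab/LF/CR; used for the plaintext heuristic (assumption)
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def windowed_entropy(data: bytes, window: int = 256, step: int = 128) -> list:
    """Entropy curve over sliding windows. A jump in the curve shows where a
    plaintext header gives way to an encrypted or compressed body. A 256-byte
    window cannot reach 8.0 even on random data (256 samples cannot fill all
    256 symbols evenly), so compare windows with each other, not with 8.0."""
    if len(data) <= window:
        return [shannon_entropy(data)]
    return [shannon_entropy(data[i:i + window])
            for i in range(0, len(data) - window + 1, step)]


def classify_payload(data: bytes, high: float = 7.5, low: float = 6.0,
                     printable_min: float = 0.9) -> str:
    """Rule from the report: >= 7.5 bits/byte -> encrypted/compressed/random;
    low entropy with mostly printable bytes -> plaintext; otherwise undecided.
    The 6.0 and 0.9 cut-offs are assumptions, not values from the report."""
    h = shannon_entropy(data)
    if h >= high:
        return "encrypted_or_compressed"
    if h < low and printable_ratio(data) >= printable_min:
        return "plaintext"
    return "indeterminate"


# Constructed sample payloads (not captured traffic)
SAMPLE_PLAINTEXT = (b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"
                    b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n") * 16
# Deterministic stand-in for ciphertext: 8,192 bytes of SHA-256 output
SAMPLE_ENCRYPTED = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                            for i in range(256))
# Plaintext header followed by an opaque body
SAMPLE_MIXED = SAMPLE_PLAINTEXT[:512] + SAMPLE_ENCRYPTED[:2048]


if __name__ == "__main__":
    for name, payload in [("plaintext", SAMPLE_PLAINTEXT),
                          ("encrypted", SAMPLE_ENCRYPTED),
                          ("mixed", SAMPLE_MIXED)]:
        print(f"{name:10s} entropy={shannon_entropy(payload):.2f} "
              f"printable={printable_ratio(payload):.2f} "
              f"class={classify_payload(payload)}")
    print("mixed curve:", [round(x, 2) for x in windowed_entropy(SAMPLE_MIXED)])
```

The windowed curve is the part worth keeping for drill-down: a flow whose curve starts low and jumps to the ceiling is a plaintext header in front of an opaque body (a TLS record layer, a gzip stream, a compressed archive inside an HTTP POST), while a flow that is flat at the ceiling from byte 0 carries no recognizable header at all.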
Top Encrypted / Compressed Flows
Flows whose payload entropy is at or near the maximum 8.0 bits/byte. TLS, SSH, gzip, encrypted tunnels, and ransomware payloads all sit here. Cross-reference with `app_proto` from the flow event to disambiguate.
| Source | Destination | Port | Proto | Entropy → | Entropy ← | Sampled → | Sampled ← | PCR |
|---|---|---|---|---|---|---|---|---|
| 10.0.12.201 | 52.96.166.130 | 443 | TCP | 7.96 | 7.92 | 8,192 | 1,240 | 0.87 |
| 10.0.12.45 | 198.51.100.47 | 443 | TCP | 7.95 | 7.94 | 8,192 | 2,180 | 0.79 |
| 10.0.3.118 | 203.0.113.214 | 443 | TCP | 7.93 | 7.94 | 8,192 | 8,192 | 0.50 |
| 10.0.7.42 | 203.0.113.18 | 443 | TCP | 7.92 | 7.91 | 8,192 | 6,240 | 0.57 |
| 10.0.5.21 | 203.0.113.42 | 443 | TCP | 7.91 | 7.93 | 2,400 | 8,192 | 0.23 |
Exfiltration Candidates
High-entropy outbound payload (entropy ≥ 7.8), dominated by client→server bytes (PCR ≥ 0.85), with at least 1 KiB of sampled bytes so the estimate is statistically meaningful. Likely an encrypted upload — verify against `app_proto` and `dest_country` to spot anomalous destinations.
| Source | Destination | Port | Entropy → | PCR | Sampled → |
|---|---|---|---|---|---|
| 10.0.12.201 | 52.96.166.130 | 443 | 7.96 | 0.87 | 8,192 |
| 10.0.12.45 | 198.51.100.47 | 443 | 7.95 | 0.92 | 8,192 |
| 10.0.8.50 | 203.0.113.99 | 443 | 7.91 | 0.94 | 8,192 |
| 10.0.12.201 | 8.8.8.8 | 53 | 7.84 | 0.96 | 2,840 |
| 10.0.3.118 | 203.0.113.220 | 443 | 7.89 | 0.88 | 4,180 |
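The filter above, as an added worked example (written for this page, not the report generator's own code). The PCR definition is inferred from the tables: client→server sampled bytes divided by total sampled bytes, which reproduces 8,192 / (8,192 + 1,240) ≈ 0.87 for the first row of the encrypted-flows table; 0.5 is a symmetric exchange and values near 1.0 are pure upload. The `FlowSample` record and the sample rows are constructed here, including the server→client byte counts, which the exfiltration table does not show.

```python
from dataclasses import dataclass


@dataclass
class FlowSample:
    src: str
    dst: str
    port: int
    entropy_out: float   # client->server payload entropy (bits/byte)
    sampled_out: int     # client->server bytes in the sample
    sampled_in: int      # server->client bytes in the sample


def pcr(bytes_out: int, bytes_in: int) -> float:
    """Producer/consumer ratio as used in the tables above (inferred):
    client->server share of sampled bytes. 0.5 = symmetric, 1.0 = pure upload."""
    total = bytes_out + bytes_in
    return bytes_out / total if total else 0.0


def exfil_candidates(flows, min_entropy: float = 7.8, min_pcr: float = 0.85,
                     min_sample: int = 1024):
    """Apply the three conditions from the report: high outbound entropy,
    upload-dominated byte ratio, and enough sampled bytes to trust the estimate."""
    hits = []
    for f in flows:
        ratio = pcr(f.sampled_out, f.sampled_in)
        if (f.entropy_out >= min_entropy and ratio >= min_pcr
                and f.sampled_out >= min_sample):
            hits.append((f.src, f.dst, f.port, round(ratio, 2)))
    return hits


# Constructed rows (the server->client counts are assumptions)
SAMPLE_FLOWS = [
    FlowSample("10.0.12.201", "52.96.166.130", 443, 7.96, 8192, 1240),  # upload
    FlowSample("10.0.3.118", "203.0.113.214", 443, 7.93, 8192, 8192),   # symmetric
    FlowSample("10.0.12.201", "8.8.8.8", 53, 7.84, 2840, 120),          # DNS upload
    FlowSample("10.0.9.9", "203.0.113.1", 443, 7.95, 600, 20),          # too few bytes
    FlowSample("10.0.5.5", "203.0.113.2", 443, 6.20, 8192, 100),        # not high entropy
]


if __name__ == "__main__":
    for src, dst, port, ratio in exfil_candidates(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port}  pcr={ratio}")
```

The sample-size floor matters more than it looks: a few hundred bytes of any compressed format will score above 7.8, so without the 1 KiB minimum the list fills with short gzip-encoded API responses and the genuine uploads disappear into the noise.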
SPLT — Packet Length & Time Sequence
Per-flow Sequence of Packet Lengths and Times. The `splt` column is a compact ASCII fingerprint — uppercase letters A–K = client→server, lowercase a–k = server→client; each letter is the log2 size bucket of that packet's payload. The exact lengths and µs inter-arrival times live in `splt_lengths` and `splt_iats_us`. Use `WHERE splt LIKE 'pattern'` for fast shape clustering.
| Source | Destination | Port | Proto | Entropy | PCR | SPLT | N |
|---|---|---|---|---|---|---|---|
| 10.0.3.118 | 203.0.113.214 | 443 | TCP | 7.93 | 0.50 | HhHhKHkKkKkKkKkKkKkKkKkKkKkK | 28 |
| 10.0.12.45 | 198.51.100.47 | 443 | TCP | 7.95 | 0.79 | HhHhKHKKKKKkkkkkkkkk | 20 |
| 10.0.7.42 | 203.0.113.18 | 443 | TCP | 7.92 | 0.57 | HhHhKKKkkkkkkkkk | 16 |
| 10.0.12.201 | 52.96.166.130 | 443 | TCP | 7.96 | 0.87 | HhHhKKKKKKKKKkkkk | 17 |
| 10.0.5.21 | 203.0.113.42 | 443 | TCP | 7.91 | 0.23 | HhKkkkkkkkkkkk | 14 |
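An added example of how a packet sequence becomes the `splt` fingerprint and how a `LIKE` pattern clusters shapes (example code for this page, not the collector's implementation). Two details are assumptions because the text does not state them: the bucket is floor(log2(payload length)) clamped to 0..10 so that A covers 1-byte payloads and K covers everything from 1,024 bytes up, and packets with no payload (pure ACKs) are skipped rather than encoded. The handshake-like packet list and the flow list are constructed.

```python
import math
import re
from collections import defaultdict

LETTERS = "ABCDEFGHIJK"   # bucket 0..10 -> A..K (uppercase = client->server)


def size_bucket(payload_len: int) -> int:
    """floor(log2(len)) clamped to 0..10 (assumption: 1,024+ bytes all map to K)."""
    return min(int(math.log2(payload_len)), 10)


def splt_fingerprint(packets, max_packets: int = 32) -> str:
    """packets: iterable of (direction, payload_len) with direction 'c2s' or
    's2c'. Zero-payload packets are skipped (assumption); at most max_packets
    letters are emitted so the column stays compact."""
    out = []
    for direction, plen in packets:
        if plen <= 0:
            continue
        letter = LETTERS[size_bucket(plen)]
        out.append(letter if direction == "c2s" else letter.lower())
        if len(out) >= max_packets:
            break
    return "".join(out)


def like_to_regex(pattern: str):
    """SQL LIKE semantics over the fingerprint: % = any run of letters, _ = one letter."""
    parts = [".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$")


def cluster_shapes(flows):
    """flows: (src, dst, splt). Returns {shape: (flows, distinct sources, distinct dests)},
    the same aggregate a GROUP BY splt would produce."""
    agg = defaultdict(lambda: [0, set(), set()])
    for src, dst, shape in flows:
        entry = agg[shape]
        entry[0] += 1
        entry[1].add(src)
        entry[2].add(dst)
    return {s: (n, len(srcs), len(dsts)) for s, (n, srcs, dsts) in agg.items()}


# Constructed packet list resembling a TLS handshake: hello/hello, key exchange,
# then a large client record and a large server record.
SAMPLE_HANDSHAKE = [("c2s", 200), ("s2c", 0), ("s2c", 180), ("c2s", 150),
                    ("s2c", 130), ("c2s", 1400), ("c2s", 140), ("s2c", 1200)]

# Constructed flow table for clustering
SAMPLE_FLOWS = [
    ("10.0.1.1", "203.0.113.5", "HhHh"),
    ("10.0.1.2", "203.0.113.6", "HhHh"),
    ("10.0.1.1", "203.0.113.7", "HhHhHhHh"),
    ("10.0.1.1", "203.0.113.7", "HhHhHhHh"),
]


if __name__ == "__main__":
    print("fingerprint:", splt_fingerprint(SAMPLE_HANDSHAKE))
    pattern = like_to_regex("HhHh%")
    print("matches HhHh%:", [s for _, _, s in SAMPLE_FLOWS if pattern.match(s)])
    for shape, (n, srcs, dsts) in cluster_shapes(SAMPLE_FLOWS).items():
        print(f"{shape:12s} flows={n} sources={srcs} dests={dsts}")
```

Matching on the prefix (`HhHh%`) groups everything that opens with the same handshake shape regardless of what follows; matching on a suffix or an exact string isolates one application's record pattern.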
Suspected Beacons
High-entropy flows whose inter-arrival times are extremely regular: coefficient of variation (σ / mean) below 0.10 over the IATs, excluding the first packet's IAT, which is always 0. This is the classic encrypted C2 heartbeat signature (Cobalt Strike, Empire, Sliver, custom beacons). Cross-reference `dest_ip` with reputation feeds to triage.
| Source | Destination | Port | Proto | Entropy | Pkts | Avg IAT (ms) | σ IAT (ms) | CV | SPLT |
|---|---|---|---|---|---|---|---|---|---|
| 10.0.12.45 | 198.51.100.47 | 443 | TCP | 7.95 | 14 | 60,000.0 | 2,400.0 | 0.040 | HhHhHhHhHhHhHh |
| 10.0.8.50 | 203.0.113.99 | 443 | TCP | 7.91 | 10 | 30,000.0 | 900.0 | 0.030 | HhHhHhHhHh |
| 10.0.12.45 | 203.0.113.18 | 8443 | TCP | 7.94 | 12 | 120,000.0 | 7,200.0 | 0.060 | HhHhHhHhHhHh |
| 192.168.1.44 | 203.0.113.50 | 443 | TCP | 7.88 | 8 | 900,000.0 | 81,000.0 | 0.090 | HhHhHhHh |
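The beacon test, as an added example written for this page rather than the report's own code. It derives IATs from packet timestamps, drops the first (always 0), and flags a flow when the entropy threshold and the CV bound both hold. Population standard deviation, the minimum of eight packets and the 7.8 entropy floor are assumptions; the jittered 60-second timestamp series and the interactive-session series are constructed, not captured.

```python
import itertools
import statistics


def inter_arrivals_ms(timestamps_ms):
    """IATs in milliseconds. The first packet has no predecessor, so its
    (always 0) IAT never enters the statistics."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def beacon_score(timestamps_ms, min_intervals: int = 3):
    """Mean, sigma and CV of the IATs; None when there are too few intervals
    for the CV to mean anything (assumption: at least 3)."""
    iats = inter_arrivals_ms(timestamps_ms)
    if len(iats) < min_intervals:
        return None
    mean = statistics.fmean(iats)
    sd = statistics.pstdev(iats)          # population sigma (assumption)
    return {"pkts": len(timestamps_ms), "avg_iat_ms": mean, "sd_iat_ms": sd,
            "cv": sd / mean if mean else float("inf")}


def is_suspected_beacon(entropy: float, timestamps_ms, min_entropy: float = 7.8,
                        max_cv: float = 0.10, min_pkts: int = 8) -> bool:
    """High-entropy payload plus near-constant spacing between packets."""
    score = beacon_score(timestamps_ms)
    return (score is not None and entropy >= min_entropy
            and score["pkts"] >= min_pkts and score["cv"] < max_cv)


def timestamps_from_iats(iats_ms, start_ms: int = 0):
    """Rebuild absolute timestamps from a list of inter-arrival times."""
    return list(itertools.accumulate(iats_ms, initial=start_ms))


# Constructed: 14 packets roughly 60 s apart with a few seconds of jitter
BEACON_JITTER_MS = [0, 1500, -2000, 3000, -1200, 800, -2500,
                    2100, -600, 1800, -1500, 900, -2700]
SAMPLE_BEACON = timestamps_from_iats([60_000 + j for j in BEACON_JITTER_MS])

# Constructed: an interactive session, bursts separated by long idle gaps
SAMPLE_INTERACTIVE = timestamps_from_iats(
    [120, 4500, 30, 90_000, 600, 15, 3000, 250, 12_000])


if __name__ == "__main__":
    for name, ts in [("beacon", SAMPLE_BEACON), ("interactive", SAMPLE_INTERACTIVE)]:
        s = beacon_score(ts)
        print(f"{name:12s} pkts={s['pkts']} avg={s['avg_iat_ms']:.1f}ms "
              f"sigma={s['sd_iat_ms']:.1f}ms cv={s['cv']:.3f} "
              f"beacon={is_suspected_beacon(7.95, ts)}")
```

Two caveats a triage analyst should keep in mind. Beacons with randomized sleep (a jitter setting of 30% or more) push the CV above 0.10 and fall out of this table, so a low hit count is not evidence of absence. And regular timing alone is not malicious: monitoring agents, NTP and keep-alives are just as periodic, which is why the entropy condition and the destination reputation check are part of the rule.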
Common SPLT Shapes
Most-common packet-sequence shapes on the network. Establishes a baseline of normal traffic. Shapes seen across many sources/dests tend to be common protocols; a shape concentrated on a single source-dest pair stands out.
| Shape | Flows | Sources | Dests | Avg Entropy | Avg PCR |
|---|---|---|---|---|---|
| HhHh | 48,472 | 842 | 2,184 | 7.91 | 0.52 |
| HhHhKHkk | 28,140 | 720 | 1,482 | 7.93 | 0.61 |
| Aa | 18,482 | 312 | 142 | 4.21 | 0.50 |
| HhHhKHkKkKkKkK | 8,420 | 84 | 42 | 7.95 | 0.50 |
| HhHhHhHh | 1,840 | 12 | 8 | 7.92 | 0.51 |
| HhHhKHKKKKKkkkkk | 142 | 4 | 3 | 7.95 | 0.81 |
Entropy Anomalies by Protocol
Flows whose payload entropy deviates more than 2.5σ from the mean for their application protocol. Catches DNS tunneling (high-entropy DNS), encoded payloads over HTTP, plaintext on TLS ports, and encrypted blobs over a normally text-based protocol. Requires the flow event's `app_proto` enrichment, joined on `flow_id`.
| Source | Destination | Port | App | Entropy | Proto Mean | Proto σ | Z-score |
|---|---|---|---|---|---|---|---|
| 10.0.12.201 | 8.8.8.8 | 53 | dns | 7.84 | 4.21 | 0.42 | 8.6 |
| 10.0.8.50 | 1.1.1.2 | 53 | dns | 7.91 | 4.21 | 0.42 | 8.8 |
| 10.0.7.42 | 203.0.113.18 | 80 | http | 7.92 | 5.18 | 0.61 | 4.5 |
| 10.0.5.21 | 203.0.113.42 | 443 | tls | 3.42 | 7.91 | 0.18 | -25.0 |
| 10.0.3.118 | 203.0.113.220 | 443 | tls | 4.84 | 7.91 | 0.18 | -17.1 |
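The per-protocol z-score, as an added example for this page (not the report generator's code). It builds the per-protocol mean and σ from a set of (protocol, entropy) observations and then scores each flow against its own protocol's baseline; the 2.5σ threshold is the page's, the minimum of 30 flows per protocol before a baseline is trusted is an assumption, and the baseline figures used in the sample run are the Proto Mean / Proto σ values from the table above.

```python
import statistics
from collections import defaultdict


def protocol_baselines(observations, min_flows: int = 30):
    """observations: (app_proto, entropy). Returns {proto: (mean, sigma)} for
    protocols with at least min_flows samples (assumption: 30); a baseline
    built from fewer flows is too noisy to score against."""
    by_proto = defaultdict(list)
    for proto, entropy in observations:
        by_proto[proto].append(entropy)
    return {p: (statistics.fmean(v), statistics.pstdev(v))
            for p, v in by_proto.items() if len(v) >= min_flows}


def z_score(entropy: float, mean: float, sigma: float) -> float:
    """Standard score; a protocol with zero spread cannot be scored."""
    return (entropy - mean) / sigma if sigma > 0 else 0.0


def entropy_anomalies(flows, baselines, threshold: float = 2.5):
    """flows: (src, dst, port, app_proto, entropy). Flags |z| > threshold;
    flows whose protocol has no baseline are skipped, not flagged."""
    hits = []
    for src, dst, port, app, entropy in flows:
        if app not in baselines:
            continue
        mean, sigma = baselines[app]
        z = z_score(entropy, mean, sigma)
        if abs(z) > threshold:
            hits.append((src, dst, port, app, round(z, 1)))
    return hits


# Baselines taken from the Proto Mean / Proto sigma columns of the table above
TABLE_BASELINES = {"dns": (4.21, 0.42), "http": (5.18, 0.61), "tls": (7.91, 0.18)}

# Constructed flows: the five table rows plus one ordinary TLS flow
SAMPLE_FLOWS = [
    ("10.0.12.201", "8.8.8.8", 53, "dns", 7.84),
    ("10.0.8.50", "1.1.1.2", 53, "dns", 7.91),
    ("10.0.7.42", "203.0.113.18", 80, "http", 7.92),
    ("10.0.5.21", "203.0.113.42", 443, "tls", 3.42),
    ("10.0.3.118", "203.0.113.220", 443, "tls", 4.84),
    ("10.0.1.1", "203.0.113.9", 443, "tls", 7.90),     # normal TLS, not flagged
    ("10.0.1.2", "203.0.113.9", 22, "ssh", 7.95),      # no baseline, skipped
]

# Constructed DNS observations to show the baseline side
SAMPLE_DNS_OBSERVATIONS = [("dns", e) for e in [4.0, 4.2, 4.4, 4.1, 4.3] * 8]


if __name__ == "__main__":
    print("baseline from sample:", protocol_baselines(SAMPLE_DNS_OBSERVATIONS))
    for row in entropy_anomalies(SAMPLE_FLOWS, TABLE_BASELINES):
        print(row)
```

The sign of the score carries the diagnosis: a large positive z on `dns` or `http` means something opaque is riding a protocol that should be mostly text (tunneling or an encoded payload), while a large negative z on `tls` means the port is carrying plaintext that a TLS-only egress policy would never expect.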