Is the Anomaly Detection only based on the packages?
The anomaly detection is based on quantities and metadata of packages of all common protocols as well as on their header information. More than 4 million characteristics are considered in the header information, reduced to the 2,000 most important characteristics.
The purpose of Anomaly Detection is to examine the behavior of network traffic and the automated detection of deviations (without having to look at personal content). Since each function has its own technical limitations, the Anomaly Detection is supplemented by the modules "Network Compliance" and "Advanced Threat Detection".