
Behavioral scoring

Every source/destination pair in your upload gets a score. This page explains what the score represents, how the engine arrives at it, and how to read the breakdown in the investigation panel.

Pairs, not packets

A pair is one source IP talking to one destination IP. The engine collapses every packet, flow, or log record between that pair into a single behavioral profile for the scoring period. That's deliberate: C2 beacons reveal themselves in longitudinal patterns, not in any individual packet.

What the score means

The score is a number from 0 to 100 representing how much the pair's behavior resembles command-and-control traffic. It is not a probability and it is not a confidence. Treat it as a triage priority: high scores deserve an analyst's attention, low scores can usually be skipped.

In the investigation panel, the score is displayed alongside a severity level that combines the behavioral score with modifiers from fingerprinting and threat intel. See Severity modifiers for how the severity is derived.

What goes into the score

Several independent axes of evidence contribute, each measuring a different aspect of the pair's behavior:

  • Timing regularity. Are the intervals between connections consistent? Real C2 beacons tend to phone home on a schedule, even with jitter injected to hide the pattern.
  • Payload symmetry. What's the ratio of bytes sent to bytes received? A beacon tends to send small heartbeats and occasionally receive larger command bursts; normal user traffic is rarely that clean.
  • Duration stability. Are the connections roughly the same length each time? Human-driven traffic varies a lot; automated check-ins do not.
  • Session characteristics. Low session counts, single-port communication, and other structural markers that are uncharacteristic of normal user patterns.

Each axis is scored independently. The total score combines them, weighted to reward convergence: a pair that is suspicious on one axis alone will score moderately; a pair that's suspicious on three or four will score high.

Transparency

Every scored pair carries an Explain why breakdown that lists which axes contributed, how much each one contributed, and what pushed it up or down. If the engine flags a pair, you see the reasoning.

Scoring is transparent but not tunable from the UI in the current release. The weights are set in the engine and are the same for every customer. Feedback from confirm/dismiss actions tunes suppression, not scoring weights.

What the score doesn't tell you

A high score means the behavior looks beacon-like. It does not tell you whether the destination is malicious. That comes from threat intel and from your own verdict after investigating. Corporate software checking for updates on a schedule will score high on the timing regularity axis, but typically on that axis alone. The rest of the evidence is what lets you tell the difference.
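The following is an added illustration of the pipeline this page describes; it is not the Strixl engine and does not use its weights, which the page says are fixed in the engine and not published. It collapses constructed flow records (timestamp, source, destination, port, bytes out, bytes in, duration) into one profile per source/destination pair, scores the four axes listed above, combines them so that convergence across axes is rewarded, and renders an Explain why-style breakdown. The three constructed pairs are a jittered beacon, interactive browsing, and a scheduled updater that is perfectly regular in timing but nothing else, the case the last section warns about. The axis formulas, the weights, the 0.6 "strong axis" threshold and the 60/40 point split are all assumptions chosen for clarity.

```python
"""Per-pair behavioral scorer in the style this page describes.

Added illustration, not the Strixl engine: axis formulas, weights, the 0.6
strong-axis threshold and the 60/40 point split are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Assumed weights; the page says the real weights are fixed in the engine and not published.
WEIGHTS = {"timing": 0.30, "payload": 0.25, "duration": 0.25, "structural": 0.20}
STRONG = 0.6               # an axis at or above this counts toward convergence
BASE_POINTS = 60.0         # points available to the weighted per-axis contributions
CONVERGENCE_POINTS = 40.0  # points available to the convergence term


def constructed_flows():
    """Constructed flow records (not captured traffic):
    (timestamp_s, src_ip, dst_ip, dst_port, bytes_out, bytes_in, duration_s)."""
    flows, t = [], 0
    # Pair A, beacon-like: ~60 s period with jitter, fixed heartbeat, larger task every 4th check-in.
    for i, jitter in enumerate([0, 3, -2, 4, -3, 1, 2, -4, 3, -1, 0, 2]):
        t += 60 + jitter
        flows.append((t, "10.0.0.5", "203.0.113.9", 443, 210, 2048 if i % 4 == 3 else 180, 0.9))
    # Pair B, interactive browsing: bursty timing, variable sizes and durations, one port.
    for t, out, inn, dur in [(5, 900, 42000, 3.1), (9, 1300, 180000, 8.7), (12, 400, 3000, 0.4),
                             (140, 2600, 95000, 5.2), (145, 700, 61000, 2.8), (610, 1100, 7000, 1.1),
                             (615, 3900, 410000, 14.0), (2100, 800, 20000, 2.0)]:
        flows.append((t, "10.0.0.7", "198.51.100.20", 443, out, inn, dur))
    # Pair C, scheduled updater: exactly hourly, but payloads and durations vary and two ports are used.
    sizes = [(400, 2000, 2.0), (1200, 5_000_000, 41.0), (650, 2100, 1.5), (2100, 2200, 2.3),
             (900, 12_000_000, 95.0), (380, 1900, 1.2), (1500, 2000, 2.1), (760, 900_000, 12.0)]
    for i, (out, inn, dur) in enumerate(sizes):
        port = 80 if i % 3 == 0 else 443
        flows.append((3600 * (i + 1), "10.0.0.9", "192.0.2.44", port, out, inn, dur))
    return flows


def regularity(values):
    """1.0 when every value is identical, falling to 0 as the spread reaches the mean
    (one minus the coefficient of variation, clamped to [0, 1])."""
    m = mean(values)
    if m == 0:
        return 0.0
    return max(0.0, 1.0 - min(pstdev(values) / m, 1.0))


def score_axes(flows):
    """Score each evidence axis for one pair on a 0..1 scale."""
    flows = sorted(flows)                                   # by timestamp
    gaps = [b[0] - a[0] for a, b in zip(flows, flows[1:])]
    outs, ins = [f[4] for f in flows], [f[5] for f in flows]
    durs, ports = [f[6] for f in flows], {f[3] for f in flows}
    return {
        # Timing regularity: consistent inter-connection intervals (needs a few gaps to judge).
        "timing": regularity(gaps) if len(gaps) >= 3 else 0.0,
        # Payload symmetry: uniform small uploads, with more pulled down than pushed up.
        "payload": regularity(outs) * (1.0 if sum(ins) >= sum(outs) else 0.5),
        # Duration stability: connections of roughly the same length each time.
        "duration": regularity(durs),
        # Session characteristics: a single destination port is the structural marker used here.
        "structural": 1.0 if len(ports) == 1 else 0.2,
    }


def score_pair(flows):
    """Combine the axes: weighted contributions plus a bonus that grows with how many axes converge."""
    axes = score_axes(flows)
    contributions = {n: round(BASE_POINTS * WEIGHTS[n] * v, 1) for n, v in axes.items()}
    strong = [n for n, v in axes.items() if v >= STRONG]
    bonus = round(CONVERGENCE_POINTS * len(strong) / len(axes), 1)
    return {"score": round(sum(contributions.values()) + bonus, 1), "axes": axes,
            "contributions": contributions, "strong_axes": strong, "convergence_bonus": bonus}


def score_upload(flows):
    """Collapse every record between a source/destination pair into one profile, then score it."""
    pairs = defaultdict(list)
    for f in flows:
        pairs[(f[1], f[2])].append(f)
    return {pair: score_pair(fs) for pair, fs in pairs.items()}


def explain(pair, result):
    """Render an Explain why-style breakdown: which axes contributed and by how much."""
    lines = [f"{pair[0]} -> {pair[1]}: score {result['score']}"]
    for name, value in result["axes"].items():
        mark = "+" if name in result["strong_axes"] else "-"
        lines.append(f"  {mark} {name:<10} axis={value:.2f}  contributed {result['contributions'][name]:.1f}")
    lines.append(f"  convergence: {len(result['strong_axes'])} of {len(result['axes'])} axes strong, "
                 f"+{result['convergence_bonus']:.1f}")
    return "\n".join(lines)


if __name__ == "__main__":
    ranked = sorted(score_upload(constructed_flows()).items(), key=lambda kv: -kv[1]["score"])
    for pair, result in ranked:
        print(explain(pair, result))
```

Run it and the updater lands in the middle of the range: timing is its only strong axis, so it collects the timing contribution plus a single convergence credit, while the beacon collects all four contributions and the full bonus. A coefficient of variation is a crude estimator, and a production scorer would want something more robust to a single outlier, but the shape of the breakdown is what matters when reading the investigation panel: which axes were strong, and how much each one added.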