Have you looked at the NSP DoS Prevention Techniques guide?
For point 3, this is probably just Alert Throttling; look at these KB articles, which explain how it works.
Understanding Network Security Platform alert suppression (throttling) and implementation
How to list source and destination IP for alerts suppressed by alert throttling
Hope this helps
Point 3 is cleared. However, I still don't find the answers for points 1 and 2 in that document. If possible, could you tell me about these anomalies in the photo above?
I didn't realize this was an issue with an NTBA appliance; I'm not very familiar with them.
If you can't find any details in the NTBA documentation, it's probably best to call support and ask them to explain it.