Found the following after discussing the Snooper model for predicting "a run on this port was made on $Date" and I suspect it MAY, possibly, be worth considering for alert thingbobs in NOCtool:
Grr.
Sorry. I was on the LISA program committee for this paper, and I thought it unnecessary to reproduce a paper that had already been done in 1993:
http://www.usenix.org/publications/library/proceedings/cinci93/hoogen.html
Here's some work I did:
http://www.biostat.wisc.edu/~annis/mom3.old/stats/index.html
The Hoogenboom and Lepreau paper uses Holt-Winters time series analysis, which is *much* easier to produce models for (fast to calculate, can be updated on the fly). At this point it seems like it should be a bare-minimum requirement for any monitoring tool. :)
-- wm
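To illustrate the "fast to calculate, can be updated on the fly" point, here is an additive Holt-Winters detector with constant-time per-sample updates. It is an added example, not code from this post or from either linked paper. The smoothing constants, the deviation band used for flagging, and the constructed hourly connection counts are all assumptions made for illustration.

```python
class HoltWintersDetector:
    """Additive Holt-Winters with O(1) per-sample updates and a deviation band."""

    def __init__(self, period, alpha=0.3, beta=0.05, gamma=0.2, width=3.0, min_dev=1.0):
        self.m = period
        self.alpha, self.beta, self.gamma = alpha, beta, gamma  # illustrative values
        self.width, self.min_dev = width, min_dev               # band width and its floor
        self.seed = []   # first full period, used to initialise level and seasonals
        self.t = 0       # samples processed after seeding

    def update(self, x):
        """Feed one sample; return (forecast, is_anomaly). Forecast is None while seeding."""
        if len(self.seed) < self.m:
            self.seed.append(x)
            if len(self.seed) == self.m:
                self.level = sum(self.seed) / self.m
                self.trend = 0.0
                self.season = [v - self.level for v in self.seed]
                self.dev = [0.0] * self.m
            return None, False
        i = self.t % self.m          # position within the seasonal cycle
        self.t += 1
        forecast = self.level + self.trend + self.season[i]
        err = abs(x - forecast)
        anomaly = err > self.width * max(self.dev[i], self.min_dev)
        # Constant-time update of level, trend, seasonal term and deviation.
        prev = self.level
        self.level = self.alpha * (x - self.season[i]) + (1 - self.alpha) * (prev + self.trend)
        self.trend = self.beta * (self.level - prev) + (1 - self.beta) * self.trend
        self.season[i] = self.gamma * (x - self.level) + (1 - self.gamma) * self.season[i]
        self.dev[i] = self.gamma * err + (1 - self.gamma) * self.dev[i]
        return forecast, anomaly


def flagged_indices(series, period):
    """Return the indices of samples that fall outside the deviation band."""
    det = HoltWintersDetector(period)
    return [n for n, x in enumerate(series) if det.update(x)[1]]


# Constructed data: connections per hour to one port, a 6-sample cycle repeated
# five times, with a burst injected in the fourth cycle.
CYCLE = [10, 12, 30, 45, 28, 11]
SERIES = CYCLE * 5
SERIES[20] += 80

if __name__ == "__main__":
    print(flagged_indices(SERIES, len(CYCLE)))
```

The sample immediately after the burst is flagged too, because the burst has already been absorbed into the level and trend by the time the next forecast is made.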