Found the following after discussing the Snooper model for predicting "a run on this port was made on $Date" and I suspect it MAY, possibly, be worth considering for alert thingbobs in NOCtool:
http://www.usenix.org/events/lisa2000/full_papers/brutlag/brutlag_html/index...
//Ingvar
> Found the following after discussing the Snooper model for predicting "a run on this port was made on $Date" and I suspect it MAY, possibly, be worth considering for alert thingbobs in NOCtool:
Grr.
Sorry. I was on the LISA program committee for this paper, and I thought it unnecessary to reproduce a paper that had already been done in 1993:
http://www.usenix.org/publications/library/proceedings/cinci93/hoogen.html
Here's some work I did:
http://www.biostat.wisc.edu/~annis/mom3.old/stats/index.html
The Hoogenboom and Lepreau paper uses Holt-Winters time series analysis, which is *much* easier to produce models for (fast to calculate, can be updated on the fly). At this point it seems like it should be a bare-minimum requirement for any monitoring tool. :)
-- wm
I forget - cfengine also has some similar tools:
http://www.iu.hio.no/~mark/papers/dsom2002.pdf
This work is handled in the cfenvd,
http://www.cfengine.org/confdir/cfenvd.html
-- wm
William Annis writes:
> > Found the following after discussing the Snooper model for predicting "a run on this port was made on $Date" and I suspect it MAY, possibly, be worth considering for alert thingbobs in NOCtool:
> Grr. Sorry. I was on the LISA program committee for this paper, and I thought it unnecessary to reproduce a paper that had already been done in 1993:
> http://www.usenix.org/publications/library/proceedings/cinci93/hoogen.html
> Here's some work I did:
> http://www.biostat.wisc.edu/~annis/mom3.old/stats/index.html
> The Hoogenboom and Lepreau paper uses Holt-Winters time series analysis, which is *much* easier to produce models for (fast to calculate, can be updated on the fly). At this point it seems like it should be a bare-minimum requirement for any monitoring tool. :)
Cool, I'll have a read through that too. Strangely enough, I was pointed at the paper when I was discussing a plain exponential-decay average, since that's what I used for the 2007-02-01 -- 2008-02-28 Snooper report (essentially "analysis of traffic directed at non-responding IP addresses", see http://www.hexapodia.net/snooper/report-20070201-20080229.pdf for more details if interested) and wondered if there was anything better around.
In the Snooper analysis case, it's all done well after the fact, but there's such a mass of different data that I can't readily look at it myself but have to let a computer look. "Computational efficiency" isn't too much of a concern, though: if it takes a day to chomp through a year's worth of data (to try to find "massively increased activity"), that still drowns in the "search the net for vulnerabilities published around that time".
I just find the intersection of applicable tools to different areas of interest fascinating.
//Ingvar
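As an added example, not code from this thread or from any of the tools it links, here is the kind of Holt-Winters detector wm describes (cheap to compute, updated on the fly) applied to the "massively increased activity" question from the Snooper report: it forecasts each day's hit count on one port and flags observations that fall outside a confidence band built from the smoothed deviation, in the style of the Brutlag LISA 2000 paper. The daily counts, the smoothing constants and the choice to skip model updates on flagged points are assumptions made here.

```python
from typing import List, Tuple


class HoltWintersDetector:
    """Additive Holt-Winters forecast with a Brutlag-style confidence band; warmed
    up from two seasons of history, then updated one observation at a time."""

    def __init__(self, history: List[float], period: int, alpha: float = 0.3,
                 beta: float = 0.1, gamma: float = 0.3, delta: float = 3.0,
                 min_dev: float = 1.0) -> None:
        if len(history) < 2 * period:
            raise ValueError("need at least two seasons of history")
        self.m, self.alpha, self.beta, self.gamma = period, alpha, beta, gamma
        self.delta, self.min_dev, self.t = delta, min_dev, 0
        first, second = history[:period], history[period:2 * period]
        self.level = sum(first) / period
        self.trend = (sum(second) - sum(first)) / (period * period)
        self.seasonal = [x - self.level for x in first]
        self.deviation = [0.0] * period
        for y in history:  # replay the history to warm the state up
            self.observe(y, warmup=True)

    def observe(self, y: float, warmup: bool = False) -> Tuple[float, bool]:
        """Feed one observation; return (forecast, anomalous)."""
        i = self.t % self.m
        forecast = self.level + self.trend + self.seasonal[i]
        err = y - forecast
        # min_dev keeps the band open when the history is suspiciously regular.
        band = self.delta * max(self.deviation[i], self.min_dev)
        anomalous = not warmup and abs(err) > band
        # Brutlag's smoothed absolute deviation, kept per seasonal slot.
        self.deviation[i] = self.gamma * abs(err) + (1 - self.gamma) * self.deviation[i]
        if not anomalous:
            # Standard additive Holt-Winters updates, skipped for flagged points (a
            # choice made here, not Brutlag's) so one spike does not drag the baseline up.
            new_level = (self.alpha * (y - self.seasonal[i])
                         + (1 - self.alpha) * (self.level + self.trend))
            self.trend = self.beta * (new_level - self.level) + (1 - self.beta) * self.trend
            self.seasonal[i] = self.gamma * (y - new_level) + (1 - self.gamma) * self.seasonal[i]
            self.level = new_level
        self.t += 1
        return forecast, anomalous


# Constructed sample: daily hit counts on one probed port, weekday/weekend shape.
WEEK = [40.0, 42.0, 41.0, 43.0, 40.0, 12.0, 10.0]
HISTORY = WEEK * 2                                           # two weeks to initialise
LIVE = WEEK + [40.0, 442.0, 41.0, 43.0, 40.0, 12.0, 10.0]  # spike at LIVE[8]


def spike_days(history: List[float], live: List[float], period: int = 7) -> List[int]:
    """Indices into `live` whose count falls outside the confidence band."""
    det = HoltWintersDetector(history, period)
    return [d for d, y in enumerate(live) if det.observe(y)[1]]
```

Because the spike is not folded into the level, the following normal days stay unflagged, while the widened deviation for that weekday slot means a repeat of the same size next week would need to be larger still to alert.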