[noctool-devel] Oooh! Shiny! [ predictive models of future behaviour ]
Ingvar
ingvar at hexapodia.net
Thu Jan 29 20:31:54 UTC 2009
William Annis writes:
> >Found the following after discussing the Snooper model for predicting "a run
> >on this port was made on $Date" and I suspect it MAY, possibly, be worth
> >considering for alert thingbobs in NOCtool:
>
> Grr.
>
> Sorry. I was on the LISA program committee for this paper,
> and I thought it unnecessary to reproduce a paper that had already
> been done in 1993:
>
> http://www.usenix.org/publications/library/proceedings/cinci93/hoogen.html
>
> Here's some work I did:
>
> http://www.biostat.wisc.edu/~annis/mom3.old/stats/index.html
>
> The Hoogenboom and Lepreau paper uses Holt-Winters time series
> analysis, which is *much* easier to produce models for (fast to
> calculate, can be updated on the fly). At this point it seems like it
> should be a bare-minimum requirement for any monitoring tool. :)
Cool, I'll have a read through that too. Strangely enough, I was pointed at
the paper when I was discussing a plain exponential-decay average, since
that's what I used for the 2007-02-01 -- 2008-02-28 Snooper report
(essentially "analysis of traffic directed at non-responding IP addresses",
see http://www.hexapodia.net/snooper/report-20070201-20080229.pdf for more
details if interested) and wondered if there was anything better around.
In the Snooper analysis case, it's all done well after the fact, but there's
such a mass of different data that I can't readily look at it myself and have
to let a computer look. "Computational efficiency" isn't too much of a
concern, though: if it takes a day to chomp through a year's worth of data (to
try to find "massively increased activity"), that still drowns in the "search
the net for vulnerabilities published around that time".
I just find the intersection of applicable tools to different areas of
interest fascinating.
//Ingvar
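The two approaches the thread compares, side by side on the same series, as an added example (not code from NOCtool or from the Snooper report): a plain exponential-decay average with a smoothed error band, and additive Holt-Winters with a weekly seasonal term, updated one observation at a time. The deviation is tracked per seasonal slot, which is the form Brutlag's Holt-Winters aberrant-behaviour detection in RRDtool uses. The daily hit counts are constructed (five busy days, a quiet weekend, one Saturday at four times its usual level), and the smoothing constants, the `k` multiplier and the `min_band` floor are illustrative assumptions, not values from the paper or the report.

```python
"""Surge detection on daily hit counts for one port: plain exponential-decay
average versus additive Holt-Winters with a weekly seasonal term.

Added example, not NOCtool or Snooper code.  Counts are constructed and the
smoothing constants (alpha, beta, gamma), k and min_band are illustrative.
"""
from typing import List, Optional, Tuple


class ExpDecayAverage:
    """Exponentially weighted average of the series plus an exponentially
    weighted absolute residual, giving a one-step forecast and an error band."""

    def __init__(self, alpha: float = 0.2) -> None:
        self.alpha = alpha
        self.level: Optional[float] = None
        self.dev = 0.0

    def forecast(self) -> Optional[Tuple[float, float]]:
        """(predicted count, deviation), or None before the first sample."""
        if self.level is None:
            return None
        return self.level, self.dev

    def update(self, x: float) -> None:
        if self.level is None:          # first sample primes the average
            self.level = float(x)
            return
        a = self.alpha
        self.dev = a * abs(x - self.level) + (1 - a) * self.dev
        self.level = a * x + (1 - a) * self.level


class HoltWinters:
    """Additive Holt-Winters: level + trend + seasonal slot, updated on the fly.
    The first full period initialises level and seasonal; the deviation is kept
    per seasonal slot so weekend and weekday get their own error band."""

    def __init__(self, period: int, alpha: float = 0.2, beta: float = 0.05,
                 gamma: float = 0.3) -> None:
        self.period = period
        self.alpha, self.beta, self.gamma = alpha, beta, gamma
        self.warmup: List[float] = []
        self.level: Optional[float] = None
        self.trend = 0.0
        self.seasonal: List[float] = []
        self.dev: List[float] = []
        self.t = 0                      # index of the next observation

    def forecast(self) -> Optional[Tuple[float, float]]:
        if self.level is None:
            return None
        i = self.t % self.period
        return self.level + self.trend + self.seasonal[i], self.dev[i]

    def update(self, x: float) -> None:
        i = self.t % self.period
        self.t += 1
        if self.level is None:          # still collecting the first period
            self.warmup.append(float(x))
            if len(self.warmup) == self.period:
                mean = sum(self.warmup) / self.period
                self.level = mean
                self.seasonal = [v - mean for v in self.warmup]
                self.dev = [0.0] * self.period
            return
        a, b, g = self.alpha, self.beta, self.gamma
        pred = self.level + self.trend + self.seasonal[i]
        self.dev[i] = g * abs(x - pred) + (1 - g) * self.dev[i]
        new_level = a * (x - self.seasonal[i]) + (1 - a) * (self.level + self.trend)
        self.trend = b * (new_level - self.level) + (1 - b) * self.trend
        self.seasonal[i] = g * (x - new_level) + (1 - g) * self.seasonal[i]
        self.level = new_level


def detect_surges(counts: List[float], model, k: float = 3.0,
                  min_band: float = 5.0) -> List[int]:
    """Indices whose count exceeds forecast + max(k * deviation, min_band).
    min_band keeps a perfectly regular warm-up from producing a zero-width band."""
    flagged = []
    for i, x in enumerate(counts):
        fc = model.forecast()
        if fc is not None:
            pred, dev = fc
            if x > pred + max(k * dev, min_band):
                flagged.append(i)
        model.update(x)
    return flagged


# Constructed input: six weeks of daily hits on one port, Mon..Sun.
WEEK = [100, 100, 100, 100, 100, 30, 30]
COUNTS: List[float] = WEEK * 6
ANOMALY_DAY = 33                        # a Saturday (33 % 7 == 5)
COUNTS[ANOMALY_DAY] = 120               # four times the usual weekend level


def ewma_flags() -> List[int]:
    return detect_surges(COUNTS, ExpDecayAverage(alpha=0.2))


def holt_winters_flags() -> List[int]:
    return detect_surges(COUNTS, HoltWinters(period=7))


if __name__ == "__main__":
    print("exp-decay average flags:", ewma_flags())
    print("Holt-Winters flags:     ", holt_winters_flags())
```

The exponential-decay average never fires here: its error band is inflated by the weekday/weekend swing itself (the residual on a Monday is around 30, so the band is around 70 to 100 hits), and a weekend day at 120 sits comfortably inside it. Holt-Winters has the weekly cycle in its seasonal slots, forecasts 30 for that Saturday with a near-zero band, and flags it. The same floor and multiplier are used for both models, so the difference is the model, not the threshold.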