Details
- Improvement
- Status: Resolved
- Major
- Resolution: Implemented
Description
Netflow word creation in the main branch uses computationally expensive and mathematically dubious quantile binning of byte and packet counts => replace with exponential binning (simple ceiling of the logarithm of the integer values).
It also uses quantile binning for time of day, when a simple bin on hours is more intuitive and computationally cheaper => bin time of day based on the hour.
Finally, protocol information is not being used in word creation despite its frequent role in many attacks => add protocol to netflow word creation.
Preliminary experiments with synthetically generated attacks run through netflow captures show significant model performance improvements with these changes.
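The three changes requested above, sketched as an added example that is not code from the issue or the project. The log base (2), the mapping of non-positive counts to bin 0, the `PROTO_HOUR_BYTEBIN_PACKETBIN` word layout, and the sample flows are all assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime


def exp_bin(n: int) -> int:
    """Exponential bin: ceil(log2(n)) for n >= 1.

    Uses integer arithmetic, so large counters are not subject to float
    rounding. Base 2 and bin 0 for non-positive counts are assumptions.
    """
    if n <= 1:
        return 0
    return (n - 1).bit_length()


def flow_word(proto: str, start: datetime, n_bytes: int, n_packets: int) -> str:
    """Build one word from protocol, hour of day, and the exponential bins
    of the byte and packet counts. Field order and the '_' separator are
    illustrative, not the project's actual word layout."""
    return "_".join([proto.upper(), str(start.hour),
                     str(exp_bin(n_bytes)), str(exp_bin(n_packets))])


# Constructed sample flows: (protocol, start time, bytes, packets)
SAMPLE_FLOWS = [
    ("tcp", datetime(2017, 3, 1, 9, 15, 2), 1500, 3),
    ("tcp", datetime(2017, 3, 1, 9, 48, 40), 1900, 4),
    ("udp", datetime(2017, 3, 1, 9, 20, 11), 1500, 3),
    ("tcp", datetime(2017, 3, 1, 3, 5, 0), 40_000_000, 30_000),
    ("icmp", datetime(2017, 3, 1, 3, 5, 1), 0, 0),
]


def word_counts(flows):
    """Word frequencies over a set of flows. Unlike quantile binning, no
    prior pass over the data is needed to compute cut points."""
    return Counter(flow_word(*f) for f in flows)


if __name__ == "__main__":
    for word, count in sorted(word_counts(SAMPLE_FLOWS).items()):
        print(f"{word}\t{count}")
```

The two similar morning TCP flows collapse into one word, the UDP flow with identical counts stays distinct because protocol is part of the word, and the large transfer at 03:00 lands in its own high-order bins.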