Fig. 1. Shannon entropy, cluster density 0.80
nodes are not in a cluster, and the entropy is smaller for networks in which
roughly half the nodes are in a cluster. What is to be noted, however, and is also
to be expected, is that the variation between high and low decreases, for a fixed
pair of densities, as the network size increases. This bodes ill for the scalability
of this approach to detecting network anomalies.
In Figure 2 we present the difference between Shannon and Renyi entropies
of the second kind for cluster density 0.80. We present the view from a slightly
different angle and with a slightly different view so as to expose the shape of the
surface.
Multiple-Cluster Matrices, the initial experiment: For our second experiment,
we have constructed a single matrix of 10000 nodes with a background
density of 0.05. To this we have then added five clusters of 500 nodes each (that
is, 5% of the total matrix size for each cluster), four clusters of 300 nodes (3%),
three clusters of 200 nodes (2%), and seven clusters of 100 nodes (1%), all with
a density of 0.80. This represents a total of 50% of the matrix contained in clus-
ters, and this we take to be the matrix in “normal” state. To this we then add
one final cluster of 500 nodes to simulate a new hot spot in the network.
The plot of the entropy differences is shown in Figure 3. An initial tentative
conclusion from this experiment is that these entropy measures may not be
sufficiently sensitive to be used to predict behavior. Although we do observe a
drop in the mutual entropy when the hot spot is introduced, the change is not
obviously so great as to be convincing that such a change could be detected in
an operational situation.
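The multiple-cluster experiment above can be reproduced at one tenth of the scale with the following added example, which is not the authors' code. It assumes that clusters are disjoint blocks of consecutive nodes, that the entropies are taken over each node's share of the nonzero entries, that "Renyi entropy of the second kind" means order 2, and that "mutual entropy" means the mutual information between row and column index.

```python
import math
import random
# Added example, not the authors' code. Assumed: disjoint clusters, entropies
# over each node's share of the nonzero entries, Renyi order 2, 1/10 scale.
N = 1000
BACKGROUND, CLUSTER = 0.05, 0.80
BASE_SIZES = [50] * 5 + [30] * 4 + [20] * 3 + [10] * 7   # 50% of the nodes
HOT_SPOT = 50                                             # the added cluster

def labels(sizes, n=N):
    """Assign consecutive, disjoint node ranges to clusters; -1 = background."""
    lab, start = [-1] * n, 0
    for cid, size in enumerate(sizes):
        lab[start:start + size] = [cid] * size
        start += size
    return lab

def degree_sums(lab, seed):
    """Sample the 0/1 matrix cell by cell, keeping only row and column sums."""
    rng = random.Random(seed)
    rows, cols = [0] * len(lab), [0] * len(lab)
    for i, li in enumerate(lab):
        for j, lj in enumerate(lab):
            p = CLUSTER if li >= 0 and li == lj else BACKGROUND
            if rng.random() < p:
                rows[i] += 1
                cols[j] += 1
    return rows, cols

def shannon(counts):
    """Shannon entropy in bits of the distribution counts / sum(counts)."""
    total = sum(counts)
    return -sum(c / total * math.log2(c / total) for c in counts if c)

def renyi2(counts):
    """Renyi entropy of order 2 in bits of the same distribution."""
    total = sum(counts)
    return -math.log2(sum((c / total) ** 2 for c in counts))

def measures(sizes, seed=1):
    rows, cols = degree_sums(labels(sizes), seed)
    h, h2 = shannon(rows), renyi2(rows)
    # The joint distribution is uniform over nonzero cells: H(X,Y) = log2(total).
    mutual = h + shannon(cols) - math.log2(sum(rows))
    return {"shannon": h, "renyi2": h2, "diff": h - h2, "mutual": mutual}

if __name__ == "__main__":
    for name, sizes in (("normal", BASE_SIZES), ("hot spot", BASE_SIZES + [HOT_SPOT])):
        print(name, {k: round(v, 4) for k, v in measures(sizes).items()})
```

Running it over several seeds shows how the change caused by the hot spot compares with the sampling noise between seeds, which is the sensitivity question the text raises.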