Fig. 5. Difference of entropies, experiments j through n
ments q through o, top to bottom. In Figure 5 the sequence top to bottom is of
experiments n through j.
Our analysis of this very preliminary data suggests that it may well be difficult
to distinguish the presence of a new cluster, even one as large as 10% of the entire
network, on the basis of entropy values. This conclusion is based on the fact that,
although there is a decided bend in the graphs when the last cluster is added,
the ranges of values that we observe with the last cluster fall well within the
ranges we would expect with a different sequence of normal clusters. In order to
use the “kink” of the last cluster as a predictor of anomalous behavior, it would
probably be necessary for the network in steady state to have an extremely fixed
structure. We suspect that computer networks might well be more dynamic than
would be necessary to use these small changes in entropy as predictors.
4 Conclusions and Future Work
We believe we can draw three conclusions from the experiments presented here.
- We believe that the entropy functions suggested in Gudkov et al. are robust
under statistical variations in random number generation.
- We observe noticeable qualitative changes in the entropy functions due to
the addition of clusters in the connectivity matrix on the order of 5% to 50%
of the entire matrix.
- We are unsure as to the predictive capability of these entropy functions for
detection of anomalies. Although a change in the entropy functions can be
observed when a cluster of size 10% of the matrix is added, that change