is well within the range of what would be “normal” changes depending on
the prior addition of clusters of similar sizes. We remark that to be effective
in detecting anomalies, a system would have to respond to changes in time
windows certainly not much larger than five minutes, if even that large.
Normal changes might be observed from diurnal work habits, lunch breaks,
morning broadcast of messages, and the like, and it is unclear whether or
not such changes would mask, in something like a five-minute window, the
effect of an anomaly.
To resolve the question left open in the third bullet above, we are refining
our simulation software. We are generating background and anomaly data based
on statistical characteristics actually observed in real traffic so that we might
better understand the range of changes in the background that would mask the
effects of an anomaly.
Acknowledgements
We are grateful to Joe Johnson and Vladimir Gudkov for assistance in making
sure that our computations were a correct implementation of the functions
suggested.