Add answers for ex3 part 2

ex3/README.md

@@ -0,0 +1,39 @@
+# Exercise 3
+
+## Analyzing Darkspace Evolution
+
+>>>
+Check results from [rep-14] again. Are they correlated? Think for a second
+about the possible meaning of the analyzed time series being correlated. What
+could be the reason why the drop in the number of unique IP sources after Jan
+16 does not cause a proportional drop in the other signals?
+>>>
+
+The results are mostly either strongly or somewhat correlated. Looking at the
+different correlations, it could be that the drop happened because someone was
+scanning the network or performing some kind of attack on a lot of different
+hosts. This hypothesis is supported by the high correlation of unique
+destination IPs with the amount of packets and the amount of bytes sent. It
+follows that, since the unique source IPs dropped, one IP address had a lot of
+outflow of traffic to a lot of unique destination IPs.
+
+>>>
+Check results from [rep-15] again. Do the results make sense for you? Would you
+expect a different ratio in a normal network (no darkspace)?
+>>>
+
+In a normal network I would expect the ratio to be much closer to one, albeit
+still higher than one. Thinking about my traffic at home, most requests have a
+response associated with them and thus the ratio should be much closer to one.
+This ratio is easily offset by doing a horizontal scan on the network for
+example.
+
+>>>
+You used the median in [rep-15], but you could have used the mean. Does it make
+any difference? What's better in your opinion? When to use mean and when
+median? Can you figure out pros and cons for both measures of central tendency?
+>>>
+
+The median definitely makes more sense in this case since it has a strong
+rejection of outliers. The traffic data is very diverse and spread out, meaning
+that the mean would look very different from the median.