# Exercise 4

## 2. Metadata and Univariate Analysis

Discovered TCP flags and their percentages (rounded):

| TCP Flag | % |
|----------|-----:|
| S | 77.8 |
| A | 9.8 |
| RA | 5.3 |

#### Check carefully the top TCP-flag values discovered and their percentages. Does it make sense for you? Why? Make sure that you understand flag values, their use and meaning.

TODO

#### Does the TTL plot show mountain-like shapes? (see plot team13_ex4_2.jpeg). If so, can you figure out why?

Since the initial TTL can be set differently by different implementations, it is normal that the observed TTLs differ. The TTL is decremented at every hop (each station between source and target).

## 3. Bivariate Analysis

#### Think about it...

Check both flows required in [rep-23]. Can you identify what kind of traffic it is in each case? Do you think that any of them might be malicious?

Important! Carefully consider the AGM vector again. Think about the kind of flow values/profiles that you would get in the following scenarios (remember that the AGM vector can be configured to profile destinations as well as sources):

- Horizontal scan.
- Vertical scan.
- Brute force attack.
- DDoS attack.
- Backscatter.
- Normal server.
- Vulnerable, flooded server.

You should be able to see that some of the previous traffic scenarios are quite easy to spot by using the AGM vector, but not all of them.

TODO
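As an added illustration of the univariate questions above (not part of the team's report or of the exercise material), the script below computes the TCP-flag share table and groups observed TTLs into "mountains" by their inferred initial value; the sample records and the list of common initial TTLs are assumptions for the example.

```python
from collections import Counter

# Constructed sample of (tcp_flags, observed_ttl) pairs; not real capture data.
SAMPLE = [("S", 50), ("S", 52), ("S", 118), ("S", 116), ("S", 245), ("A", 60),
          ("A", 58), ("RA", 120), ("S", 119), ("S", 49)]

# Assumed common initial TTL values chosen by different IP stacks
# (e.g. 64 for Linux/macOS, 128 for Windows, 255 for many routers).
INITIAL_TTLS = (32, 64, 128, 255)

def flag_percentages(records, ndigits=1):
    """Share of each TCP-flag combination, rounded like the table in the report."""
    counts = Counter(flags for flags, _ in records)
    total = sum(counts.values())
    return {f: round(100 * c / total, ndigits) for f, c in counts.most_common()}

def guess_initial_ttl(ttl):
    """Smallest common initial TTL that is >= the observed value."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init
    raise ValueError(f"TTL {ttl} out of range")

def hop_distance(ttl):
    """Hops traversed = initial TTL minus observed TTL (one decrement per hop)."""
    return guess_initial_ttl(ttl) - ttl

def ttl_mountains(records):
    """Histogram of observed TTLs per inferred initial TTL.

    Each group is one 'mountain': its peak sits a few hops below the initial
    value and its slope spreads towards lower TTLs for more distant sources.
    """
    mountains = {}
    for _, ttl in records:
        init = guess_initial_ttl(ttl)
        mountains.setdefault(init, Counter())[ttl] += 1
    return mountains

if __name__ == "__main__":
    print(flag_percentages(SAMPLE))
    for init, hist in sorted(ttl_mountains(SAMPLE).items()):
        print(f"initial TTL {init}: {sorted(hist.items())}")
```

A SYN-dominated flag table combined with many distinct TTL groups is the kind of pattern the scan scenarios in section 3 would produce, so the two views are worth reading together.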