40 lines
1.7 KiB
Markdown
40 lines
1.7 KiB
Markdown
# Exercise 3
|
|
|
|
## Analyzing Darkspace Evolution
|
|
|
|
>>>
|
|
Check results from [rep-14] again. Are they correlated? Think for a second
|
|
about the possible meaning of the analyzed time series being correlated. What
|
|
could be the reason why the drop in the number of unique IP sources after Jan
|
|
16 does not cause a proportional drop in the other signals?
|
|
>>>
|
|
|
|
The results are mostly either strongly or somewhat correlated. Looking at the
|
|
different correlations, it could be that the drop happened because someone was
|
|
scanning the network or performing some kind of attack on a lot of different
|
|
hosts. This hypothesis is supported by the high correlation of unique
|
|
destination IPs with the amount of packets and the amount of bytes sent. It
|
|
follows that, since the unique source IPs dropped, one IP address had a lot of
|
|
outflow of traffic to a lot of unique destination IPs.
|
|
|
|
>>>
|
|
Check results from [rep-15] again. Do the results make sense for you? Would you
|
|
expect a different ratio in a normal network (no darkspace)?
|
|
>>>
|
|
|
|
In a normal network I would expect the ratio to be much closer to one, albeit
|
|
still higher than one. Thinking about my traffic at home, most requests have a
|
|
response associated with them and thus the ratio should be much closer to one.
|
|
This ratio is easily offset by doing a horizontal scan on the network for
|
|
example.
|
|
|
|
>>>
|
|
You used the median in [rep-15], but you could have used the mean. Does it make
|
|
any difference? What's better in your opinion? When to use mean and when
|
|
median? Can you figure out pros and cons for both measures of central tendency?
|
|
>>>
|
|
|
|
The median definitely makes more sense in this case since it has a strong
|
|
rejection of outliers. The traffic data is very diverse and spread out, meaning
|
|
that the mean would look very different from the median.
|