RE: Aberrant behaviour -- any experience?

Subject: RE: Aberrant behaviour -- any experience?
From: Jake Brutlag (jakeb@microsoft.com)
Date: Tue May 21 2002 - 17:47:47 CDT

• Next message: Lim, Jason: "RE: flow from GSR12000"
• Previous message: Stanislav Sinyagin: "RE: Aberrant behaviour -- any experience?"
• Maybe in reply to: Stanislav Sinyagin: "Aberrant behaviour -- any experience?"
• Maybe reply: Jake Brutlag: "RE: Aberrant behaviour -- any experience?"

> Of course, there are other proactive tools to notify the 
> operator, but wasn't this all Aberrant detection designed to give the 
> operator a signal when something goes wrong?

I guess it depends how real-time you need your alerts to be. In our
deployments, our network engineers use this algorithm in conjuction with
more convetional fixed thresholds (i.e. traffic > x). This algorithm is
used detect more subtle changes in behavior and they find the 30-45 time
frame acceptable for that application.

You may be to able to use tuning to improve the effectiveness of the
algorithm for closer to real-time alerts. I suspect this involves
increasing the adaption parameters as I indicated and probably
increasing the width of the confidence bands.

Jake

Jake Brutlag
Network Analyst
TV Services -- Network Operations
Microsoft MSN 

--
Help        mailto:majordomo@net.doit.wisc.edu and say "help" in message body
Unsubscribe mailto:majordomo@net.doit.wisc.edu and say
"unsubscribe flowscan" in message body
Archive     http://net.doit.wisc.edu/~plonka/list/flowscan/archive/

• Next message: Lim, Jason: "RE: flow from GSR12000"
• Previous message: Stanislav Sinyagin: "RE: Aberrant behaviour -- any experience?"
• Maybe in reply to: Stanislav Sinyagin: "Aberrant behaviour -- any experience?"
• Maybe reply: Jake Brutlag: "RE: Aberrant behaviour -- any experience?"

This archive was generated by hypermail 2b25 : Tue May 21 2002 - 17:48:55 CDT