From: Marc Plaggemeier (mpndh.net)
Date: Wed Mar 07 2001 - 06:40:28 CST

Hello,

perhaps someone could help me.

I have read the paper about TIM (adaptive real-time anomaly detection using
inductively generated sequential patterns) from Henry S. Teng and Kaihu Chen.

The authors have the following idea:
They create a profile by learning sequences. An example:

A-B-C-S-T-S-T-A-B-C-A-B-C

is a given sequence. The rules look like this:

R1: A-B -> (C, 100%)      // that means after the sequence A,B event C is
                          // following with 100% prob.
R2: C -> (S, 50%; A, 50%)
R3: S -> (T, 100%)
R4: T -> (A, 50%; S, 50%)

That's ok. And now my question.
Is it possible that the events (A, B, ...) are independent when the system only
scans from event to event? In the above example I can also say:
B -> (C, 100%), or? So why are they using the sequence A-B and not only B?

So, is it possible that the sequence A-B -> (C, 100%) only depends on the
event B? That's a Markov model, or? (Markov only works when the events are
independent, or am I wrong?)

Perhaps someone has some good ideas.
Where is my mistake?

Greetings
Marc
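The rule derivation the post describes, worked through as an added example (my code, not the poster's and not the TIM paper's implementation): it learns order-k successor rules from an event sequence, prints them in the post's `A-B -> (C, 100%)` notation, and then scores a new sequence against them so that transitions with no supporting rule stand out as deviations. Training on the post's own sequence reproduces R1 to R4 for both context lengths 1 and 2. A second, constructed sequence `A-B-C-D-B-E` (not from the post) shows the case the question is about: there the successor of B depends on the event before B, so the one-event rule is `B -> (C, 50%; E, 50%)` while the two-event rules are `A-B -> (C, 100%)` and `D-B -> (E, 100%)`. The probe sequence, the 25% deviation threshold and the function names are my assumptions.

```python
"""Order-k sequential rule learning in the style of TIM, as a constructed example."""
from collections import Counter, defaultdict

# Constructed training sequence: the one quoted in the post, split into events.
SAMPLE = "A-B-C-S-T-S-T-A-B-C-A-B-C".split("-")

# Constructed contrast sequence (not from the post or the paper): here the
# successor of B depends on what came before B, so a one-event context
# cannot predict it and a two-event context can.
CONTRAST = "A-B-C-D-B-E".split("-")


def learn_rules(events, context_len):
    """Build rules LHS -> {successor: probability} from one event sequence.

    LHS is the tuple of the `context_len` events preceding each position;
    the probability is the relative frequency of each successor after that LHS.
    """
    counts = defaultdict(Counter)
    for i in range(context_len, len(events)):
        lhs = tuple(events[i - context_len:i])
        counts[lhs][events[i]] += 1
    return {
        lhs: {succ: n / sum(c.values()) for succ, n in c.items()}
        for lhs, c in counts.items()
    }


def format_rules(rules):
    """Render rules as 'A-B -> (C, 100%)' lines, like the post's notation."""
    lines = []
    for lhs, succs in sorted(rules.items()):
        rhs = "; ".join(f"{s}, {p:.0%}" for s, p in sorted(succs.items()))
        lines.append(f"{'-'.join(lhs)} -> ({rhs})")
    return lines


def score_sequence(rules, events, context_len):
    """Probability the learned rules assign to each transition of a new sequence.

    An LHS never seen in training, or a successor never seen after that LHS,
    gets probability 0.0: that transition has no supporting rule.
    """
    scored = []
    for i in range(context_len, len(events)):
        lhs = tuple(events[i - context_len:i])
        prob = rules.get(lhs, {}).get(events[i], 0.0)
        scored.append((lhs, events[i], prob))
    return scored


def count_deviations(rules, events, context_len, threshold=0.25):
    """Number of transitions whose rule probability falls below the threshold."""
    return sum(1 for _, _, p in score_sequence(rules, events, context_len) if p < threshold)


if __name__ == "__main__":
    for k in (1, 2):
        print(f"--- context length {k}, training on SAMPLE ---")
        print("\n".join(format_rules(learn_rules(SAMPLE, k))))
    for k in (1, 2):
        print(f"--- context length {k}, training on CONTRAST ---")
        print("\n".join(format_rules(learn_rules(CONTRAST, k))))
    rules2 = learn_rules(SAMPLE, 2)
    probe = "A-B-C-A-B-X".split("-")  # constructed: X never appears in training
    for lhs, ev, p in score_sequence(rules2, probe, 2):
        print(f"{'-'.join(lhs)} -> {ev}: {p:.0%}")
    print("deviations:", count_deviations(rules2, probe, 2))
```

Running it prints the order-1 and order-2 rule sets for both sequences and then the per-transition probabilities of the probe; only `A-B -> X` falls below the threshold, because X never followed `A-B` (or anything else) during training.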