Identifying attacks
Flow-based analysis (categorical)
- Keyed on victim IP address and protocol
- Flow duration defined by explicit parameters (min. threshold, timeout)
Event-based analysis (intensity)
- Attack event: backscatter packets from IP address in 1 minute window
- No notion of attack duration or “kind”
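As an added worked example (not code from the original slides), the two classification schemes above implemented side by side over a constructed set of backscatter records. Each record is (timestamp in seconds, victim IP, protocol); the victim is the host whose replies land in the monitored address space. The flow-based function keys on (victim, protocol) and uses a gap timeout and a minimum packet count, both with assumed placeholder values since the page gives none; the event-based function only buckets packets into one-minute windows and records which victims appear, with no duration or kind.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample backscatter records: (timestamp_seconds, victim_ip, protocol).
# Addresses are documentation ranges, not real victims.
SAMPLE_PACKETS = [
    (0,   "198.51.100.7", "TCP"),
    (10,  "198.51.100.7", "TCP"),
    (20,  "198.51.100.7", "TCP"),
    (30,  "198.51.100.7", "TCP"),
    (700, "198.51.100.7", "TCP"),   # long gap: starts a second flow
    (710, "198.51.100.7", "TCP"),   # only 2 packets, below the minimum
    (5,   "203.0.113.9",  "ICMP"),  # sparse: 2 packets over two minutes
    (65,  "203.0.113.9",  "ICMP"),
]


@dataclass
class Flow:
    victim: str
    proto: str
    start: int
    end: int
    packets: int

    @property
    def duration(self) -> int:
        return self.end - self.start


def flow_based(packets, timeout=300, min_packets=3):
    """Categorical view: key on (victim IP, protocol). A flow continues while
    the gap to the next packet is <= `timeout` seconds; flows with fewer than
    `min_packets` packets are dropped. The parameter values are assumptions."""
    by_key = defaultdict(list)
    for ts, ip, proto in sorted(packets):
        by_key[(ip, proto)].append(ts)

    flows = []
    for (ip, proto), times in by_key.items():
        cur = Flow(ip, proto, times[0], times[0], 1)
        for ts in times[1:]:
            if ts - cur.end > timeout:
                if cur.packets >= min_packets:
                    flows.append(cur)
                cur = Flow(ip, proto, ts, ts, 1)
            else:
                cur.end = ts
                cur.packets += 1
        if cur.packets >= min_packets:
            flows.append(cur)
    return flows


def event_based(packets, window=60):
    """Intensity view: an attack event is (victim IP, one-minute window) for
    every victim with at least one backscatter packet in that window.
    Returns {window_index: {victim_ip: packet_count}}; protocol and duration
    are deliberately not tracked."""
    events = defaultdict(lambda: defaultdict(int))
    for ts, ip, _proto in packets:
        events[ts // window][ip] += 1
    return {w: dict(v) for w, v in events.items()}


if __name__ == "__main__":
    for f in flow_based(SAMPLE_PACKETS):
        print(f"flow {f.victim}/{f.proto}: {f.packets} pkts over {f.duration}s")
    for w, victims in sorted(event_based(SAMPLE_PACKETS).items()):
        print(f"minute {w}: {victims}")
```

On this input the flow-based view reports a single TCP flow against 198.51.100.7 (the later two-packet burst and the sparse ICMP traffic fall under the minimum), while the event-based view reports four (victim, minute) events, including both victims in minute 0. That difference is the point of the slide: the flow view attaches duration and protocol to each attack and is sensitive to the threshold and timeout chosen, whereas the event view counts intensity per minute and cannot say how long any attack lasted.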