Victor Duchovni:
> On Mon, Jan 17, 2011 at 10:12:54PM -0500, Wietse Venema wrote:
>
> > > alpha smoothing should do the trick, in this case we can start with
> > >
> > > t_0 = 0,
> > >
> > > and set
> > >
> > > t_{n+1} = 0.95*t_{n} + 0.05*delta
> >
> > There are many ways to arrive at a moving average. Where do these
> > magic numbers come from?
>
> The 0.05, 0.95 magic numbers give you an average over a few tens of sample
> points, that is not overly sensitive to a single spike, and purge stale
> state reasonably quickly. TCP alpha smoothing uses 0.1 IIRC, I found
> this to be a bit too fast.
Taking 100ms as the threshold, this would limit postscreen to 10 database
operations/second. A moving average over 20 samples would cover a few seconds
of traffic. This would be sufficient to get rid of the false alarms that are
now logged as isolated events.

	Wietse
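The smoothing step discussed in the thread above, worked through as an added example. This is illustrative code written for this page, not Postfix's postscreen implementation. It applies t_{n+1} = (1-alpha)*t_n + alpha*delta from t_0 = 0 to a constructed trace of lookup times (a 10ms baseline with a single 1000ms stall, both made-up values), compares alpha = 0.05 against the 0.1 Victor mentions from TCP, and checks the peak of the smoothed value against Wietse's 100ms threshold. The functions ewma_memory() and trips_threshold() are names chosen here, not anything in Postfix.

```c
/* Added example, not Postfix code: exponential ("alpha") smoothing of
 * database lookup latencies, as discussed in the thread. All sample values
 * below are constructed for illustration. */
#include <stdio.h>

/* One smoothing step: t_{n+1} = (1 - alpha) * t_n + alpha * delta. */
double ewma_update(double t, double delta, double alpha)
{
    return (1.0 - alpha) * t + alpha * delta;
}

/* Smooth n samples of a constant latency starting from t_0 = 0; shows how
 * quickly the average converges on the true value. */
double smoothed_constant(double value, int n, double alpha)
{
    double t = 0.0;
    for (int i = 0; i < n; i++)
        t = ewma_update(t, value, alpha);
    return t;
}

/* Number of later samples after which one old sample's weight, (1-alpha)^k,
 * has fallen below `frac` of its original weight. With frac = 0.5 this is the
 * half-life of stale state: ~14 samples for alpha 0.05, ~7 for alpha 0.1. */
int ewma_memory(double alpha, double frac)
{
    double w = 1.0;
    int k = 0;
    while (w >= frac) {
        w *= 1.0 - alpha;
        k++;
    }
    return k;
}

/* Constructed trace (not real measurements): 50 lookups at 10ms, one 1000ms
 * stall, then 50 more lookups at 10ms. */
#define NSAMPLES 101
static void build_trace(double *out)
{
    for (int i = 0; i < NSAMPLES; i++)
        out[i] = (i == 50) ? 1000.0 : 10.0;
}

/* Peak of the smoothed latency seen while running the smoother over a trace. */
double peak_smoothed(const double *samples, int n, double alpha)
{
    double t = 0.0, peak = 0.0;
    for (int i = 0; i < n; i++) {
        t = ewma_update(t, samples[i], alpha);
        if (t > peak)
            peak = t;
    }
    return peak;
}

/* Does an isolated 1000ms stall push the smoothed value over threshold_ms?
 * Returns 1 if the threshold is crossed, 0 otherwise. */
int trips_threshold(double alpha, double threshold_ms)
{
    double trace[NSAMPLES];
    build_trace(trace);
    return peak_smoothed(trace, NSAMPLES, alpha) > threshold_ms ? 1 : 0;
}

int main(void)
{
    const double alphas[] = { 0.05, 0.1 };
    double trace[NSAMPLES];

    build_trace(trace);
    for (int i = 0; i < 2; i++) {
        double a = alphas[i];
        printf("alpha=%.2f: half-life %d samples, peak after 1s stall %.1fms, "
               "trips 100ms threshold: %s\n",
               a, ewma_memory(a, 0.5), peak_smoothed(trace, NSAMPLES, a),
               trips_threshold(a, 100.0) ? "yes" : "no");
    }
    return 0;
}
```

With alpha = 0.05 the single stall only lifts the smoothed value to about 59ms, so the 100ms threshold is not crossed and the event stays an isolated spike; with alpha = 0.1 the same stall lifts it to about 109ms and would trigger. The half-life numbers are what "an average over a few tens of sample points" means in practice: a sample's influence is halved after roughly 14 further samples at alpha 0.05, and after roughly 7 at alpha 0.1.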