Test Set question

Does anyone know what the ratio of "attack traffic" to "normal traffic"
is in a "representative" network? It's a pretty open-ended question, but
I need to construct a (decent) data set for an internal evaluation I'm
doing. I'd like to make sure (to the extent possible) that the attack
data isn't unfairly represented in the set.


Dave Sames

I think that really depends on way too many things (size of net, host
population, IP range, background traffic, firewalling, organizational
policies, the aim of your eval, etc) to be answerable in general. Try
asking on SecurityFocus' focus-ids list instead?

Good luck,