Does anyone know what the ratio of "attack traffic" to "normal traffic"
is in a "representative" network? It's a pretty open-ended question, but
I need to construct a (decent) data set for an internal evaluation I'm
doing. I'd like to make sure (to the extent possible) that the attack
data isn't unfairly represented in the set.