Wots this?
Traffic captures from the ECSC 2023 A/D, grouped by service and similarity.
The capture numbers, what do they mean?
The captures in each group are ranked by how similar they are to the center of the group, i.e. the higher the number, the more the capture differs from the rest of the group.
Here, only the top 10 and bottom 10 captures are shown for each group.
What's group -1?
Group -1 contains all captures that didn't fit into any other group, i.e. the anomalies.
How does sorting work?
By attribute
Correlation
The captures from each group are bucketed into some interval (e.g. 5 minutes) and counted.
The resulting time series shows how many captures there were for this group per interval (e.g. five minutes).
The correlation between each time series and the time series of the group that is currently selected is then calculated and used for sorting.
As a result, the groups that behaved similarly over time to the currently selected group will be at the top.
Size
Groups are sorted by how many captures they contain.
Similarity
Groups are sorted by how similar they are to the currently selected group, calculated with the distance of the embeddings.
By similarity to
Sorts the groups by how similar they are to a given search term, calculated with the distance of the embeddings.
What do the colors of the groups mean?
They indicate the correlation over time between the selected group and the colored group.
Red means a positive correlation while blue means a negative correlation.
See "How does sorting work?" ⇒ "By attribute" ⇒ "Correlation" for more information.
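
The correlation sort and the group colors described above, as an added example that is not this tool's own code. It assumes Pearson correlation (the page only says "correlation"), a hypothetical "none" color for a correlation of exactly zero, and constructed timestamps and group ids.

```python
from collections import Counter
from math import sqrt

BUCKET = 300  # interval width in seconds (the page's five-minute example)

def bucket_counts(timestamps, start, end, width=BUCKET):
    """Captures per interval over [start, end); empty intervals count as 0."""
    n = (end - start + width - 1) // width
    hits = Counter((t - start) // width for t in timestamps if start <= t < end)
    return [hits.get(i, 0) for i in range(n)]

def pearson(xs, ys):
    """Pearson r; a constant series has no defined r, so 0.0 is returned (assumption)."""
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / sqrt(vx * vy) if vx and vy else 0.0

def rank_by_correlation(groups, selected, start, end):
    """[(group_id, r, colour)] for every other group, highest correlation first."""
    series = {g: bucket_counts(ts, start, end) for g, ts in groups.items()}
    rows = []
    for g, s in series.items():
        if g == selected:
            continue
        r = pearson(series[selected], s)
        # Red = positive, blue = negative (from the page); "none" for r == 0 is assumed.
        colour = "red" if r > 0 else "blue" if r < 0 else "none"
        rows.append((g, r, colour))
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed capture timestamps (seconds from start), 30 minutes = 6 intervals.
GROUPS = {
    0: [10, 20, 310, 320, 330, 1210, 1220, 1510],      # selected group
    1: [15, 25, 35, 45, 315, 325, 335, 345, 355, 365,  # same rhythm, twice the volume
        1215, 1225, 1235, 1245, 1515, 1525],
    2: [610, 620, 630, 910, 920, 930, 940],            # active only while group 0 is idle
    3: [5, 305, 605, 905, 1205, 1505],                 # steady rate, one per interval
}

if __name__ == "__main__":
    for gid, r, colour in rank_by_correlation(GROUPS, 0, 0, 1800):
        print(f"group {gid:>2}  r={r:+.2f}  {colour}")
```

Group 1 ranks first even though it has twice as many captures, because correlation compares the shape of the two time series rather than their size.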