Streaming Analytics, Geometric Series, and Intrusion Detection

Streaming analytics in general, and streaming analytics for intrusion detection in particular, seem to be experiencing a relative surge in popularity. Perhaps this is because of the increasing availability and use of platforms like Apache Storm and Spark Streaming.

But streaming analytics for analyzing endpoints and users for intrusive behavior has been around for about a quarter century, probably most heavily promoted by SRI with their extensive publications on their NIDES intrusion detection system.

However, I had an issue with part of NIDES' analytics. As a user of systems I also developed, the NIDES exponential decay approach did not make sense to me, because the streaming analytics variable did not jibe with my intuitive sense of what was going on.

With a little analysis of their publications, I realized SRI did not include a denominator in their calculations. From the computer model point of view, this didn't matter much. As I wrote in my notes:

Note: a computer can "deal with" (e.g., profile) A_n just fine. However, when presenting the number to the user, it makes sense to divide it by the appropriate denominator.
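To make the denominator issue concrete, here is an added example (not from the notebook pages or from SRI's NIDES code). It assumes the usual recursive form of an exponentially decayed sum, A_n = x_n + r * A_(n-1) with decay factor r, and shows that the raw A_n drifts upward even on a perfectly steady stream, while dividing by the geometric-series denominator sum_{k=0..n} r^k = (1 - r^(n+1)) / (1 - r) yields a weighted average a user can read directly and compare against a threshold. The event counts are constructed for illustration.

```python
"""Exponentially decayed streaming statistic, raw versus normalized.

Added illustration of the geometric-series denominator; the recursion and
the closed form below are the standard textbook ones, assumed here rather
than taken from NIDES.
"""


def geometric_denominator(decay, n):
    """Closed form of sum_{k=0}^{n} decay**k, the total weight after n+1 samples."""
    if decay == 1.0:          # degenerate case: plain running total, n+1 equal weights
        return n + 1
    return (1 - decay ** (n + 1)) / (1 - decay)


def decayed_stream(samples, decay):
    """Process a stream of samples and return a list of (raw_sum, normalized).

    raw_sum    : A_n = x_n + decay * A_(n-1), the quantity a profiler can store.
    normalized : A_n divided by the running sum of weights, i.e. a weighted
                 average in the same units as the samples (what a user expects).
    """
    raw = 0.0
    weight = 0.0              # running sum of weights; equals geometric_denominator(decay, n)
    out = []
    for x in samples:
        raw = x + decay * raw
        weight = 1.0 + decay * weight
        out.append((raw, raw / weight))
    return out


def main():
    decay = 0.9
    # Constructed example: failed logins per minute for one user. A steady
    # baseline of 2/min followed by a short burst, then back to baseline.
    failed_logins = [2] * 10 + [40, 55, 30] + [2] * 10
    print("minute  raw_A_n  normalized")
    for n, (raw, norm) in enumerate(decayed_stream(failed_logins, decay)):
        print(f"{n:6d}  {raw:7.2f}  {norm:10.2f}")
    # The raw column keeps climbing during the steady baseline (toward 2/(1-0.9) = 20),
    # which is why it does not match intuition; the normalized column sits at 2.00
    # until the burst, then decays back toward 2.00 afterwards.


if __name__ == "__main__":
    main()
```

The normalized column is the one to show an analyst or to threshold on: on a constant stream it equals the constant, and after a burst it decays back toward the baseline at a rate set by the decay factor, whereas the raw sum's scale depends on how many samples have been seen so far.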

Below are pages from my notebook from March 9, 1998 where I describe the issue and my resolution. I also found some use from my old calculus book. 😄

(note: I found a "typo" noted here)

Notebook: March 9, 1998 (part 1)

Notebook: March 9, 1998 (part 2)

Notebook: March 9, 1998 (part 3)