"... In PAGE 7: ....2.1. Evaluation of Bursty Attacks. Our experiments were first performed on the attack bursts, and the obtained burst detection rates (bdr) for all four anomaly detection schemes are reported in Table5 . We consider a burst to be detected if the corresponding burst detection rate is greater than 50%.... In PAGE 7: ... We consider a burst to be detected if the corresponding burst detection rate is greater than 50%. Since we have a total of 19 bursty attacks, overall detection rate in Table5 was computed using this rule. Experimental results from Table 5 show that the two most successful outlier detection schemes were nearest neighbor (NN) and LOF, where the NN approach was able to detect 14 attack bursts and the LOF approach was able to detect 13 attack bursts.... In PAGE 7: ... Since we have a total of 19 bursty attacks, overall detection rate in Table 5 was computed using this rule. Experimental results from Table5 show that the two most successful outlier detection schemes were nearest neighbor (NN) and LOF, where the NN approach was able to detect 14 attack bursts and the LOF approach was able to detect 13 attack bursts. The Mahalanobis-based approach was consistently inferior to the NN approach and was able to detect only 11 multiple- connection attacks.... In PAGE 9: ... However, there are also scenarios when these two schemes have different detecting behavior. For example, the burst shaded gray in Table5 corresponds to the attack that was not detected with the LOF approach using the standard detection rate metric, but it was detected with the NN approach. Figure 7 illustrates the detecting of burst 2 from week 2 using NN and LOF.... In PAGE 10: ... For example, the burst 4 from week 2 involves 1000 connections, but within the attack time interval there are also 171 normal connections (Figure 8). Table5 shows that for this attack the LOF approach was able to detect 752 connections associated with the attack, while the NN approach detected only 62 of them. In such situations the presence of normal connections usually causes the low peaks in score values for connections from attack bursts, thus reducing the burst detection rate and increasing the surface area (Figure 8).... ..."

"... In PAGE 7: ....2.1. Evaluation of Bursty Attacks. Our experiments were first performed on the attack bursts, and the obtained burst detection rates (bdr) for all four anomaly detection schemes are reported in Table5 . We consider a burst to be detected if the corresponding burst detection rate is greater than 50%.... In PAGE 7: ... We consider a burst to be detected if the corresponding burst detection rate is greater than 50%. Since we have a total of 19 bursty attacks, overall detection rate in Table5 was computed using this rule. Ex- perimental results from Table 5 show that the two most successful outlier detection schemes were nearest neighbor (NN) and LOF approaches, where the NN approach was able to detect 14 attack bursts and the LOF approach was able to detect 13 attack bursts.... In PAGE 7: ... Since we have a total of 19 bursty attacks, overall detection rate in Table 5 was computed using this rule. Ex- perimental results from Table5 show that the two most successful outlier detection schemes were nearest neighbor (NN) and LOF approaches, where the NN approach was able to detect 14 attack bursts and the LOF approach was able to detect 13 attack bursts. The unsupervised SVMs were only slightly worse than the previous two approaches, showing a great promise in detecting network intrusions.... In PAGE 9: ... However, there are also scenarios when these two schemes have different detecting behavior. For example, the burst shaded gray in Table5 (burst 2, week 2) corre- sponds to the attack that, when using the standard detec- tion rate metric, was not detected with the LOF approach, but it was detected with the NN approach. Figure 7 illus- trates the detecting of this burst using NN and LOF.... In PAGE 9: ... For example, the burst 4 from week 2 involves 1000 connections, but within the attack time interval there are also 171 normal connections (Figure 8). Table5 shows that the LOF ap- proach was able to detect 752 connections associated with this attack, while the NN approach detected only 62 of them. In such situations the presence of normal connec- tions usually causes the low peaks in score values for connections from attack bursts, thus reducing the burst detection rate and increasing the surface area (Figure 8).... ..."

"... In PAGE 7: ....2.1. Evaluation of Bursty Attacks. Our experiments were first performed on the attack bursts, and the obtained burst detection rates (bdr) for all four anomaly detection schemes are reported in Table5 . We consider a burst to be detected if the corresponding burst detection rate is greater than 50%.... In PAGE 7: ... We consider a burst to be detected if the corresponding burst detection rate is greater than 50%. Since we have a total of 19 bursty attacks, overall detection rate in Table5 was computed using this rule. Ex- perimental results from Table 5 show that the two most successful outlier detection schemes were nearest neighbor (NN) and LOF approaches, where the NN approach was able to detect 14 attack bursts and the LOF approach was able to detect 13 attack bursts.... In PAGE 7: ... Since we have a total of 19 bursty attacks, overall detection rate in Table 5 was computed using this rule. Ex- perimental results from Table5 show that the two most successful outlier detection schemes were nearest neighbor (NN) and LOF approaches, where the NN approach was able to detect 14 attack bursts and the LOF approach was able to detect 13 attack bursts. The unsupervised SVMs were only slightly worse than the previous two approaches, showing a great promise in detecting network intrusions.... In PAGE 9: ... However, there are also scenarios when these two schemes have different detecting behavior. For example, the burst shaded gray in Table5 (burst 2, week 2) corre- sponds to the attack that, when using the standard detec- tion rate metric, was not detected with the LOF approach, but it was detected with the NN approach. Figure 7 illus- trates the detecting of this burst using NN and LOF.... In PAGE 9: ... For example, the burst 4 from week 2 involves 1000 connections, but within the attack time interval there are also 171 normal connections (Figure 8). Table5 shows that the LOF ap- proach was able to detect 752 connections associated with this attack, while the NN approach detected only 62 of them. In such situations the presence of normal connec- tions usually causes the low peaks in score values for connections from attack bursts, thus reducing the burst detection rate and increasing the surface area (Figure 8).... ..."

"... In PAGE 6: ... The other three EGRET-detected BATSE-triggered bursts were not strong enough to be independently detected. For comparison, these bursts and their character- istics are listed in Table5 . Several independent detections were made, the most signi cant occur- ring on 1994 April 27.... ..."

"... In PAGE 9: ... Considered as a binary (21,15) code, it is easy to verify that this code reaches the Reiger Bound: it can correct all binary burst erasures of length up to 6 or detect all binary burst errors of length up to 6. Example 3 Modified (7,5,3) Reed-Solomon code The code shown in Table5 is the dual of the code shown in Table 4, thus it is an (7,5,3) MDS code in GF(a55 a103 ) with its binary burst erasure correction and burst error detection capability maximized: it can correct any binary burst erasures or detect burst errors of length up to 6.... In PAGE 9: ...Table 5: A modified array representation of a (7,5,3) Reed-Solomon code over GF(a55a106a103 ), which can correct binary burst erasures or detect binary burst errors of length up to 6. The 6 binary symbols in the first and the last columns in Table5 are parity check symbols and the other symbols are original information symbols, where a189 a190 a190 a190 a190 a190 a190 a190 a190 a190 a190 a190 a190 a190 a190 a191 a190 a190 a190 a190 a190 a190 a190 a190 a190 a190 a190 a190 a190 a190 a192 a50a114a126a21a26a120a125 a103 a33a92a43a89a126a110a33 a130 a126a2a33 a130 a103 a33a92a25a46a126a134a33a92a25 a107 a33a92a188a106a126a2a33a92a188 a107 a50 a107 a26a120a125a46a126a2a33a92a125 a107 a33a118a43 a103 a33 a130 a107 a33a92a25 a107 a33a92a25 a103 a33a92a188a106a126 a50 a103 a26a120a125 a107 a33a92a125 a103 a33a118a43a89a126a110a33a118a43 a107 a33 a130 a126a134a33 a130 a107 a33a118a25 a103 a33a118a188 a103 a42a77a126a21a26a22a125a46a126a134a33a92a43 a107 a33 a130 a126a110a33a118a25 a103 a33a118a188 a107 a42 a107 a26a22a125 a107 a33a92a43a89a126a2a33 a130 a103 a33a118a25a83a126a134a33a118a25 a103 a33a118a188a106a126a110a33a118a188 a103 a42 a103 a26a22a125 a103 a33a92a43 a103 a33 a130 a107 a33 a130 a103 a33a92a25 a107 a33a92a188 a107 a33a92a188 a103 a91 Finally, we briefly discuss decoding complexity of such modified MDS codes. When such a mod- ified (a28a38a37a39a32 ) MDS code over GF(a50 a10 ) are used to correct a burst erasure of length a43 in GF(a50 ) (where... In PAGE 11: ...Table5 is an (7,5) MDS code correcting a76a21a26a166a35 error over GF(a55 a103 ), thus trivially as a (21,15) binary code over GF(2), it can correct burst errors of length up to 1. The upper bound on the length of all binary burst errors it can correct is 3 by the Reiger Bound, but 2 by the Fire Bound.... ..."