the normal database
Using a window size of 6, running sendmail through its paces produced a database of only 1500 entries and was stable!
This is only 5x10-5% of all possible entries
The small size of the database is critical:
- Big database = variability in “normal” = difficulty in detecting anomalies
- Big database = no realtime monitoring