problems with my idea
Still not a useful way for finding things like stolen passwords
The variations in protocol implementations on the Net may mean that normal behavior will not exhibit self-similarity
Might miss things that could be more reliably detected by a pattern-matcher -- but why not run Bro and SIS at the same time (contrived acronym: Segment Initiated Security)
Probably a significant effort to build and characterize the system and I don’t have the time to do it :-)