Uninformed: Informative Information for the Uninformed

Vol 5» 2006.Sep

MediumCompare Metric

SimpleCompare does not account for highly-unique duration values. MediumCompare was created as an alternative to deal more intelligently with such duration values. Intuitively, if two prints both use duration values that are globally unique (i.e. illegal values generated by prism2-based implementations) then this should count more than matching very common values such as 0.

Like SimpleCompare, the MediumCompare metric compares an input pcap with every print in the database except that for each print in the database, it also considers global duration uniqueness by examining the rest of the database. It computes one of two weights, either duration uniqueness, or packet type duration uniqueness, depending on the data set as follows.

When computing duration uniqueness the metric counts the total number of unique (implementation, duration value) pairs in the entire database. This does not take into account how often an individual duration value appears in packets for a given implementation. Rather, it counts how often a duration value is used across all implementations. If two implementations both use duration value 314, but one uses it 1% of the time, and the other uses it 80% of the time, both of these implementations will contribute the same amount to duration uniqueness.

{duration\_uniqueness(d)}= {\text{\char93  of unique (implementati...
...r{\text{\char93  of unique (implementation, duration
= d) tuples}}}
\end{math}% WIDTH=475 HEIGHT=26

Similarly packet type duration uniqueness is computed by counting the total number of unique (implementation, packet type duration) values across the entire database.

{duration\_uniqueness(p, d)}= {\text{\char93  of unique (implement...
...f unique
(implementation, packet\_type = p, duration = d) tuples}}}
\end{math}% WIDTH=588 HEIGHT=26

Once these two values have been computed MediumCompare is very similar to SimpleCompare.

Figure 4.3: MediumCompare duration-value only analysis

sum = 0;
for every duration-value d $\in (L \cap R)$% WIDTH=71 HEIGHT=32  
sum += duration_uniqueness(d) \begin{math}*\end{math}% WIDTH=6 HEIGHT=8 $1.0 - \vert L.duration\_ratio(d) - R.duration\_ratio(d) \vert$% WIDTH=350 HEIGHT=32 
return sum;

Figure 4.4: MediumCompare (packet_type, duration) analysis

sum = 0;
for every packet_type p, duration-value d $\in (L \cap R)$% WIDTH=71 HEIGHT=32  
sum += duration_uniqueness(p,d) \begin{math}*\end{math}% WIDTH=6 HEIGHT=8  $1.0 - \vert L.duration\_ratio(p,d) - R.duration\_ratio(p,d) \vert$% WIDTH=380 HEIGHT=32 
return sum;