Constellation

Project quad chart (PowerPoint).

Anomaly detection is the core technology of intrusion detection. Constellation's premise is that no anomaly detector will detect all anomalies at the same level of confidence. At present, no one knows with high confidence how well a given anomaly-detection algorithm performs over the range of anomalies that may be present in a dataset. Constellation's primary objective is to map the detection boundaries of anomaly detectors, showing the extent to which one can be confident that detectors are effective throughout the dataspace. Knowing that a detector misses anomalies in some portions of the dataspace is itself useful: one can then have confidence in the regions where detection is good, and either deploy other detectors in the sub-par regions or exclude those regions from the operating space of the system that may be under attack.
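One way to picture such a detection-boundary map, as an added example that is not Constellation's own code: it sweeps anomaly size against detector window size and records where the detector alarms. The detector (a simple fixed-window sequence detector), the training streams, the injected anomaly, and all function names are assumptions constructed for illustration.

```python
def ngrams(seq, n):
    """All contiguous windows of length n in seq."""
    return {tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)}

def train(streams, window):
    """Normal profile: every window of the given length seen in training."""
    profile = set()
    for s in streams:
        profile |= ngrams(s, window)
    return profile

def detects(profile, stream, window):
    """Alarm if any window of the test stream is absent from the profile."""
    return any(w not in profile for w in ngrams(stream, window))

def make_case(anomaly_size, pad):
    """Constructed data: two normal streams plus a test stream holding a
    foreign sequence of exactly anomaly_size symbols. Every shorter piece
    of that sequence does occur somewhere in the normal streams."""
    mid = ["m"] * (anomaly_size - 2)
    p = ["p"] * pad
    normal_1 = p + ["a"] + mid + ["c"] + p
    normal_2 = p + ["x"] + mid + ["d"] + p
    test = p + ["a"] + mid + ["d"] + p   # "a"+mid+"d" never occurs in training
    return [normal_1, normal_2], test

def coverage_map(anomaly_sizes, windows):
    """Return {(anomaly_size, window): detected} over the whole grid."""
    pad = max(windows)   # enough normal context on both sides of the anomaly
    result = {}
    for a in anomaly_sizes:
        normal, test = make_case(a, pad)
        for w in windows:
            result[(a, w)] = detects(train(normal, w), test, w)
    return result

def render(cov, anomaly_sizes, windows):
    """Text grid: rows are anomaly sizes, columns are detector windows."""
    lines = ["AS\\DW " + " ".join(f"{w:2d}" for w in windows)]
    for a in anomaly_sizes:
        cells = " ".join(" *" if cov[(a, w)] else " ." for w in windows)
        lines.append(f"{a:5d} " + cells)
    return "\n".join(lines)

if __name__ == "__main__":
    sizes, wins = list(range(2, 9)), list(range(1, 11))
    print(render(coverage_map(sizes, wins), sizes, wins))
```

In the printed grid, `*` marks detection and `.` marks a miss; for this constructed detector the blind region is every cell where the window is shorter than the anomaly, which is the kind of region one would cover with a different detector.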