Global connection count graph
Using data retrieved from the Measurement Lab platform, outbound connections from countries are counted and compared with expected connections to determine a likely connection state for a country
The following graph shows incoming connections to the Measurement Lab platform from a selection of countries.
Click and drag here to zoom
Goals and methodology
Goals
- Measuring regional network connection states allowing monitoring of disconnection events.
- Quickly identifying disconnection events to augment the information sets required by on the ground actors and improve the quality of consequent decisions.
- Access to an historical overview of disconnection events improving the quality of behavioral pattern analysis.
Caveats
- Currently only one platform is polled for connection data : measurement lab. “One source is no source‘ should be applied until a second data source is polled.
- The size of the current data-set is relatively small, as accuracy increases with the size of the data-set the current iteration of the platform should be treated as having a suspect measure of accuracy.
- Even when an “event” is identified, no definitive statement can be made regarding the cause of the event. Malicious intent will probably look identical to human error or natural disasters.
Assumptions
- By counting inbound connections to, preferably, large distributed systems, it should be possible to detect the connection state of the region connecting to the large distributed system.
- Processing these counts to generate an intermediate data-set containing averaged “count chunks” should make in possible to then define thresholds outside of which ”events’ should be visible.
Methodology
- Collecting connections to a platform (mlab).
- Grouping the connections by region+datetime
- Calculating averages in a range : (hour0 on day0 in week0) + (hour0 on day day0) in week1 during 10 weeks will create an average against which (hour0 on day0 in week1) will be checked.
- Defining a upper and lower “connection threshold” beyond which an “event” is extrapolated.
- Applying a “weight” to the datasource, where the size of the datasource and the social spread of the usergroup generating the connection are used to adjust the relative relevancy of the connection bundles.