On Mon, Jan 19, 2015 at 11:47 AM, Philipp Winter phw@nymity.ch wrote:
On Thu, Jan 15, 2015 at 06:11:25PM -0500, grarpamp wrote:
FYI, between here there was thread tor-talk 'many new relays' of possible event around end 2009-06 to begining 2009-07. Along with usual posts of people about potential things to detect.
Interesting, thanks for pointing this out. This event is visible in the diagram but not as a sudden spike but more as a temporary increase in the base rate: http://www.nymity.ch/new_fingerprints/2009_new_fingerprints.png
Cool, nice to see this graphed, really obvious something happened.
This event also shows why a simple threshold-based detection mechanism is insufficient: Sybils can be added slowly over several hours or days in order to stay under the threshold.
Re detection methods, consider some examination of exceeded bounds within first and second derivatives of various data you are collection, RRD, etc.