H: what's the suspicious outside ips --> abnormal things in network flow and a look into intrusion data

[c-zhong]

H1: there is a change in the number of connections between outside ip with subnet 2/3 H2: there is a change in the number of connections between outside ip with subnet 1 H3: there is a change in the number of connections from subnet1 to subnet2. H4: large payload between outside ip with subnet 1/2/3