In the current implementation, when computing the most targeted service, the first most frequent service is taken, so that the result is deterministic (see PR #10).
On the other hand, there are "unknown" services, which are used when SAGE cannot infer the service based on IANA port-mapping.
A potential improvement to the tie-breaker might be to explicitly not choose "unknown" as the most targeted service in case of a tie, or to add a small margin (for example, if http has a count of 3 and unknown has a count of 4, then http can still be used). This way a security analyst might get better insights from the AGs since a specific service might reveal more information than an "unknown" service.
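The margin-based tie-breaker sketched above, written as an added example (not SAGE's own code); the label `"unknown"` and the `margin` parameter are assumptions, and the sample alert list is constructed:

```python
from collections import Counter
from typing import Iterable, Optional

# Label assumed for alerts whose service could not be inferred from IANA port mapping.
UNKNOWN = "unknown"


def most_targeted_service(services: Iterable[str], margin: int = 1) -> Optional[str]:
    """Return the most frequent service, but prefer a named service over "unknown"
    when the named one trails by at most `margin` alerts.

    Ties keep first-seen order, so the result is deterministic like the current
    "first most frequent" rule. margin=0 only overrides "unknown" on an exact tie.
    """
    counts = Counter(services)
    if not counts:
        return None
    # most_common() is a stable sort, so equal counts stay in first-seen order.
    ranked = counts.most_common()
    top_service, top_count = ranked[0]
    if top_service != UNKNOWN:
        return top_service
    # "unknown" leads: take the best named service if it is within the margin.
    for service, count in ranked[1:]:
        if service == UNKNOWN:
            continue
        if top_count - count <= margin:
            return service
        break  # ranked is descending, so later services trail even further
    return top_service


# Constructed sample: 4 alerts on "unknown", 3 on http (the case from the issue).
SAMPLE_ALERTS = [UNKNOWN] * 4 + ["http"] * 3

if __name__ == "__main__":
    print(most_targeted_service(SAMPLE_ALERTS))  # http, since 4 - 3 <= margin 1
```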