= Entity Dictionary =

A description of the attributes of all the entities in the [wiki:ERDiagram ER diagram].

== INTERVALS ==
 * ''interval'': the timestamp representation of the ''start'' time of the interval; an interval is a five-minute aggregation of flows
 * ''epoch'': a representation of the ''start'' time as an epoch, which is useful for plotting time series
 * ''filename'': the original filename of the [http://www.qosient.com/argus/ Argus] flow-level data
 * ''flows_out_internet'': the approximate number of flows that were outbound to the Internet
 * ''flows_in_internet'': the approximate number of flows that were inbound from the Internet
 * ''flows_intranet'': the approximate number of flows that were neither bound to nor from the Internet (few)

== FLOWS ==
 * ''interval'': the five-minute aggregate interval that the flow belongs to
 * ''flow_id'': an identification number for each flow, ''unique within the interval''
 * ''start_time'': flow start time (precision in seconds)
 * ''finish_time'': flow finish time (precision in seconds)
 * ''protocol'': the protocol used (udp, tcp, ...)
 * ''src_ip'': source IP address of the flow
 * ''dst_ip'': destination IP address of the flow
 * ''src_port'': the port bound to the source
 * ''dst_port'': the port bound to the destination
 * ''src_packets'': the number of packets generated by the source
 * ''dst_packets'': the number of packets generated by the destination
 * ''src_bytes'': the number of bytes generated by the source
 * ''dst_bytes'': the number of bytes generated by the destination
 * ''state'': the state of the connection when it was considered finished (RST, FIN, ...)
 * ''dir_unknown'': a flag set if the directionality of the flow is unknown; src/dst are then to be interpreted as left/right

== METRICS ==
 * ''metric'': integer representation of the traffic metric, used for referencing
 * ''name'': human-readable text of the metric name (addr_src, fsd, ...)
== INTERVAL_STATS ==
 * ''interval'': the interval the statistics belong to
 * ''metric'': the metric the statistics were generated from
 * ''entropy'': the normalized entropy
 * ''sdev_score'': the standard deviation score
 * ''wavelet_score'': the wavelet deviation score

== INTERVAL_ALARMS ==
 * ''interval'': the interval the alarm belongs to
 * ''metric'': the metric used while generating the alarm
 * ''alarm_type'': the type of alarm, typically a method with a deviation score (i.e. sdev_score>3)

== ALARMS ==
 * ''alarm_type'': an integer representation of the alarm classification
 * ''name'': human-readable text form of the alarm type (wavelet3, sdev2, ...)

== LABELED_FLOWS ==
 * ''label_id'': reference to the label which describes the attack
 * ''interval'': the interval the label belongs to
 * ''flow_id'': the flow within the interval that is being labeled

== LABELS ==
 * ''label_id'': a unique identifier for the label
 * ''description'': human-readable description of the label, describing the attack in detail

== ANOMALIES ==
 * ''type'': an integer representation of the anomaly type, for reference
 * ''description'': human-readable description of the type of anomaly, such as "flood" or "horizontal scan"
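The following is an added example, not code from the original wiki page or its project, showing how FLOWS records can be rolled up into INTERVAL_STATS (normalized entropy and sdev_score for one metric) and then into INTERVAL_ALARMS. The definitions are assumptions: normalized entropy is taken as the Shannon entropy of the per-interval value distribution divided by log2 of the number of distinct values, sdev_score as a z-score of an interval's entropy against the entropies of the preceding intervals, and an alarm is raised when the magnitude of that score exceeds 3 (the page's own sdev_score>3 example); the metric is addressed by its FLOWS column name rather than the METRICS integer, and all flow records are constructed sample data.

```python
"""Added example: FLOWS -> INTERVAL_STATS -> INTERVAL_ALARMS for one metric.
Entropy, sdev_score and the alarm rule are assumed definitions (see lead-in)."""
from collections import Counter, defaultdict
import math

INTERVAL_SECONDS = 300  # five-minute aggregation, as described on the page


def interval_of(start_epoch):
    """Map a flow start time (epoch seconds) to the start epoch of its interval."""
    return start_epoch - start_epoch % INTERVAL_SECONDS


def normalized_entropy(values):
    """Shannon entropy of the value distribution scaled to [0, 1] by log2 of the
    number of distinct values (assumed definition); 0.0 when all values agree."""
    counts = Counter(values)
    n = len(values)
    if len(counts) <= 1:
        return 0.0
    h = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return h / math.log2(len(counts))


def interval_stats(flows, metric):
    """Group flows by interval and compute the normalized entropy of `metric`
    (a FLOWS column name such as "src_ip") for each interval."""
    by_interval = defaultdict(list)
    for flow in flows:
        by_interval[interval_of(flow["start_time"])].append(flow[metric])
    return {iv: normalized_entropy(vals) for iv, vals in sorted(by_interval.items())}


def sdev_scores(stats):
    """Assumed sdev_score: z-score of each interval's entropy against the entropies
    of all preceding intervals. The first two intervals score 0.0 (no history)."""
    scores, history = {}, []
    for iv, h in stats.items():
        if len(history) >= 2:
            mean = sum(history) / len(history)
            sd = math.sqrt(sum((x - mean) ** 2 for x in history) / len(history))
            if sd > 0:
                scores[iv] = (h - mean) / sd
            else:  # flat history: any change at all is an unbounded deviation
                scores[iv] = 0.0 if h == mean else math.copysign(math.inf, h - mean)
        else:
            scores[iv] = 0.0
        history.append(h)
    return scores


def interval_alarms(scores, metric, threshold=3.0):
    """INTERVAL_ALARMS-style records for intervals whose |sdev_score| exceeds
    the threshold; a flood collapses source entropy, so the deviation is negative."""
    return [{"interval": iv, "metric": metric, "alarm_type": "sdev_score>3"}
            for iv, s in scores.items() if abs(s) > threshold]


def make_flows(interval_start, src_counts):
    """Construct FLOWS-style records for one interval; src_counts maps a src_ip
    to the number of flows it generated (constructed sample data)."""
    flows = []
    for src_ip, count in src_counts.items():
        for _ in range(count):
            flow_id = len(flows)  # unique within the interval, as on the page
            flows.append({"interval": interval_start, "flow_id": flow_id,
                          "start_time": interval_start + flow_id % INTERVAL_SECONDS,
                          "protocol": "tcp", "src_ip": src_ip,
                          "dst_ip": "10.0.1.10", "dst_port": 80})
    return flows


# Constructed baseline: eight internal sources with near-uniform activity,
# then one interval with a 200-flow single-source flood (documentation range).
BASELINE_UNIFORM = {f"10.0.0.{i}": 5 for i in range(1, 9)}
BASELINE_SKEWED = {**BASELINE_UNIFORM, "10.0.0.1": 6, "10.0.0.8": 4}
FLOOD = {**BASELINE_UNIFORM, "203.0.113.9": 200}
SAMPLE_FLOWS = (make_flows(0, BASELINE_UNIFORM) + make_flows(300, BASELINE_SKEWED)
                + make_flows(600, BASELINE_UNIFORM) + make_flows(900, BASELINE_SKEWED)
                + make_flows(1200, FLOOD))


def run_pipeline(flows, metric="src_ip", threshold=3.0):
    """Return (INTERVAL_STATS entropies, sdev_scores, INTERVAL_ALARMS) for one metric."""
    stats = interval_stats(flows, metric)
    scores = sdev_scores(stats)
    return stats, scores, interval_alarms(scores, metric, threshold)


if __name__ == "__main__":
    stats, scores, alarms = run_pipeline(SAMPLE_FLOWS)
    for iv in stats:
        print(f"interval={iv:5d} entropy={stats[iv]:.4f} sdev_score={scores[iv]:+.2f}")
    print("alarms:", alarms)
```

With the constructed flows, the four baseline intervals keep their sdev_score well inside the threshold, while the flood interval's src_ip entropy collapses from about 1.0 to below 0.5 and produces the single alarm. A per-interval z-score against a short history is fragile (a stable baseline makes the standard deviation tiny), which is one reason the page also records a wavelet deviation score.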