/*********************** Classifies based on statistics *****************/
------------------------------------------------------------------------
/* Classifies flows */
------------------------------------------
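function classify_flow(flow_stats fs)
------------------------------------------
{
  /* Classifies one flow as ATTACK, SUSPICIOUS or NORMAL from its
     statistics record fs.
     fs is read and updated in place: fs.min, fs.avg_time, fs.track,
     fs.stats, fs.tcprto, fs.icmprto, fs.classification, fs.compliant
     and fs.rate_limit may all change. Nothing is returned; the result
     is left in fs.classification.
     NOTE(review): fs is written as a by-value parameter; the updates
     only persist if an implementation passes it by reference - confirm. */

  /* First assume that there is no attack */
  int isAttack = NO_ATTACK
  /* This part we added for increasing rate and pulsing attacks
     you might wanna skip to END NEW */
  /* BEGIN NEW */
  /* Find amount of bytes that are not part of good connections */
  float diff = fs.sent_bytes - fs.good_bytes;
  /* If this is less than minimum for this flow, update the minimum */
  if (diff < fs.min)
    fs.min = diff
  increment fs.avg_time
  /* Check if buffer has been filled and remember
     minimum difference within the window */
  if (fs.avg_time == AVG_TIME)
  {
    fs.track = fs.min;
    /* NOTE(review): the reset value is not shown; presumably it must be
       above any possible diff, otherwise the comparison above never
       records a new minimum - confirm. */
    reset fs.min
    fs.avg_time = 0;
  }
  /* Do the sampling for pulsing attacks */
  if (random() < SAMPLING_PROB)
    insert diff in fs.stats 	/* note: fs.stats is circular array */
  /* Detect the increasing rate or pulsing attack.
     fs.track > 0 means every observation in the last completed window
     had more sent bytes than good bytes; minimum(fs.stats) > 0 means the
     same for every sampled value currently held in the circular array.
     NOTE(review): the initial contents of fs.track and fs.stats are not
     shown; if they start at 0 this check stays quiet until the first
     window completes and the array fills - confirm. */
  if (fs.track > 0 or minimum(fs.stats) > 0)
    isAttack = OTHER_ATTACK
  /* END NEW */
  /* Now do the old checking */
  /* Check different parts of protocol for compliance */
  /* Calculate current ratios; with nothing received the ratio is the
     sent count itself, which avoids dividing by zero.
     NOTE(review): if the counters are integers the division truncates;
     an implementation should divide in floating point - confirm. */
  if (fs.TCP_received_from > 0)
    tcprto = fs.TCP_sent_to/fs.TCP_received_from
  else
    tcprto = fs.TCP_sent_to
  if (fs.ICMP_received_from > 0)
    icmprto = fs.ICMP_sent_to/fs.ICMP_received_from
  else
    icmprto = fs.ICMP_sent_to
  /* Update statistics in smoothed manner: weight ALPHA on the stored
     value, (1-ALPHA) on the current ratio */
  fs.tcprto = fs.tcprto * ALPHA + (1-ALPHA) * tcprto
  fs.icmprto = fs.icmprto * ALPHA + (1-ALPHA) * icmprto
  /* Detect various attacks. A result found here replaces OTHER_ATTACK
     in isAttack; either value leads to ATTACK below. */
  if (fs.tcprto > MAX_TCP_RTO)
    isAttack = TCP_ATTACK
  else if (fs.icmprto > MAX_ICMP_RTO)
    isAttack = ICMP_ATTACK
  else
  {
    /* Detect only spoofing and aggressive UDP attacks */
    /* Note: spoofing could be detected in other protocols too, but
       currently we don't do that */
    /* This check detects many UDP connections with small number of packets
       per connection.
       The division is evaluated only when fs.UDP_conns > MAX_UDP_CONNS,
       so the divisor is non-zero provided MAX_UDP_CONNS >= 0 and `and`
       short-circuits - confirm both in an implementation. */
    if (fs.UDP_conns > MAX_UDP_CONNS and
        fs.UDP_sent_to/fs.UDP_conns < MIN_PACKS_PER_UDP_CONN)
      isAttack = UDP_ATTACK
  }
  /* Update compliant counter and flow classification */
  if (isAttack != NO_ATTACK) /* Attack is detected */
  {
    fs.classification = ATTACK
    /* Any detection restarts the compliance count from zero */
    fs.compliant = 0
  }
  else /* Attack is not detected */
  {
    if (fs.rate_limit does not exist)
      fs.classification = NORMAL
    else if (fs.compliant >= COMPLIANT_PERIOD and
             fs.dropped_bytes == 0 and
             fs.classification == SUSPICIOUS)
    {
      /* Rate-limited flow has stayed attack-free for COMPLIANT_PERIOD
         calls and nothing of it is being dropped: trust it again */
      fs.classification = NORMAL
      /* The limit is removed only once it has reached MAX_RATE */
      if (fs.rate_limit == MAX_RATE)
        delete fs.rate_limit
    }
    else
    {
      /* A rate limit still exists and the recovery condition is not met.
         NOTE(review): a flow already marked NORMAL that still has a rate
         limit also lands here and becomes SUSPICIOUS again on the next
         call - confirm this is intended. */
      fs.classification = SUSPICIOUS
      fs.compliant ++
    }
  } /* end if attack is not detected */
}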
------------------------------------------------------------------------
/* Classify connection by looking at specific protocol behavior */
------------------------------------------
function classify_connection(conn_stats cs)
------------------------------------------
{
  /* Classifies one connection as TRANSIENT, GOOD or BAD from its
     sent/received packet ratio.
     cs is read and updated in place: cs.rto, cs.new_connection and
     cs.classification may change. Nothing is returned.
     Connections that are neither TCP nor ICMP get no verdict here: once
     past the transient stage their cs.classification is left unchanged. */

  /* Current packet ratio; with nothing received it is the sent count */
  if (cs.received_from != 0)
    current_ratio = cs.sent_to/cs.received_from
  else
    current_ratio = cs.sent_to

  /* Fold the current ratio into the smoothed one */
  cs.rto = (1-ALPHA)*current_ratio + ALPHA*cs.rto

  /* A new connection with very few packets sent is not judged yet */
  if (cs.new_connection == 1 and cs.sent_to < 3)
  {
    cs.classification = TRANSIENT
    return
  }

  /* From here on the connection is no longer treated as new */
  cs.new_connection = 0

  /* Pick the ratio limit that applies to this protocol */
  if (cs.protocol == TCP)
    limit = MAX_TCP_RTO
  else if (cs.protocol == ICMP)
    limit = MAX_ICMP_RTO
  else
  {
    /* Here we need to add some checks for UDP connections,
       currently we don't have them */
    return
  }

  if (cs.rto <= limit)
    cs.classification = GOOD
  else
    cs.classification = BAD
}


