Devise a rule based on failed login episodes that would indi

Devise a rule based on failed log-in episodes that would indicate that we are experiencing a network attack. The rule should have a false alarm rate of only 1%.

We use failed log-in attempts on our non-classified server as an intensity indicator of the likelihood of attacks on the secure systems. The time between failed log-in episodes (one episode might include several attempts by the same user until he is locked out) is well modeled by the exponential distribution with a mean of forty minutes.

Solution