I am a researcher working on developing a new on-the-fly telemetry system that potentially takes a flow chart as input to describe a particular detection task (rather than just features or information elements as in IPFIX). For an example of what I mean by "flow chart" see the figure here: https://ieeexplore.ieee.org/mediastore_new/IEEE/content/media/8048782/8048856/8048939/8048939-fig-4-source-hires.gif.
Might anyone have pointers to a source of more such flow charts?
The other issue I'm worried about is that it might take a couple of rounds before an event is detected (since the system has to step through the flow chart and possibly look at different traffic features in the process). What is a typical duration of the types of events people might want to catch with a telemetry system like this? Do these kinds of events generate the same type of traffic throughout their durations, or do traffic features change as the event progresses?