tudelft-cda-lab/SAGE

A better tie-breaker for the most targeted service

Closed this issue · 0 comments

In the current implementation, when computing the most targeted service, the first most frequent service is taken, so that the result is deterministic (see PR #10).


On the other hand, there are "unknown" services, which are used when SAGE cannot infer the service based on IANA port-mapping.

A potential improvement to the tie-breaker might be to explicitly not choose "unknown" as the most targeted service in case of a tie, or to add a small margin (for example, if http has a count of 3 and unknown has a count of 4, then http can still be used). This way, a security analyst might get better insights from the AGs, since a specific service might reveal more information than an "unknown" service.
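As an added illustration of the proposed tie-breaker (example code written for this page, not SAGE's own implementation), the function below ranks services by frequency, keeps the first-seen service on an exact tie so the result stays deterministic, and only lets "unknown" win when no named service is within a small margin of its count. The `margin=1` default, the tiny port-to-service table and the sample port lists are assumptions constructed for the example; SAGE's real IANA mapping and its "unknown" label are taken from the issue text.

```python
from collections import Counter

UNKNOWN = "unknown"  # label used when no port-to-service mapping applies (per the issue)

# Constructed stand-in for an IANA port mapping; SAGE's real table is larger.
PORT_TO_SERVICE = {22: "ssh", 80: "http", 443: "https", 445: "smb", 3389: "rdp"}


def service_for_port(port):
    """Map a destination port to a service name, falling back to "unknown"."""
    return PORT_TO_SERVICE.get(port, UNKNOWN)


def most_targeted_service(ports, margin=1):
    """Return the most targeted service for an iterable of destination ports.

    Counter.most_common() sorts by count descending and preserves first-seen
    order among equal counts, so a plain tie between named services is broken
    deterministically by order of appearance. If "unknown" ranks first, the
    best named service still wins as long as its count is at least
    top_count - margin; margin=0 means "unknown" only loses an exact tie.
    """
    counts = Counter(service_for_port(p) for p in ports)
    if not counts:
        return None
    ranked = counts.most_common()
    top, top_count = ranked[0]
    if top != UNKNOWN:
        return top
    # "unknown" is on top: ranked[1] (if any) is the best named service,
    # and since ranked is sorted no later entry can be closer.
    if len(ranked) > 1:
        runner_up, runner_count = ranked[1]
        if runner_count >= top_count - margin:
            return runner_up
    return top


if __name__ == "__main__":
    # Constructed samples: http x3 vs. unknown x4 (the issue's own example).
    sample = [80, 80, 80, 9999, 9999, 9999, 9999]
    print(most_targeted_service(sample))            # http
    print(most_targeted_service(sample, margin=0))  # unknown
    # unknown x6 vs. ssh x2: "unknown" is clearly dominant and is kept.
    print(most_targeted_service([9999] * 6 + [22] * 2))  # unknown
    # ssh and http tie at 2 each; ssh was seen first, so it is chosen.
    print(most_targeted_service([22, 80, 80, 22]))  # ssh
```

The margin deliberately applies only when "unknown" is on top; a tie between two named services is still resolved by first appearance, matching the deterministic behaviour the issue describes, so the change is confined to the case where the analyst would otherwise see an uninformative label.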