Abstract: SUMMARY. In this paper, we study the effects of anomalies on the distribution of the TCP flow interarrival time process. We show empirically that despite the variety of data networks in size, number of users, applications, and load, the interarrival times of normal flows comply with the Weibull distribution, whereas specific irregularities (anomalies) cause deviations from the distribution. We first estimate the scale and shape parameters and then check the discrepancy of the data from a Weibull distribution with t…
“…By examining this feature and other statistical forms of IAT such as the mean, minimum, maximum and standard deviation of IAT of a network flow, benign traffic can be modelled to conform to the Weibull distribution. By modelling benign traffic to the Weibull distribution, anomalous traffic can therefore be identified as it will cause irregularities and deviations in the distribution [29]. This correlation is identifiable across packets, flows and sessions for both TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) transport protocols in internet traffic [30].…”
Section: Inter-arrival Time and Feature Selection (mentioning)
Protecting the networks of tomorrow is set to be a challenging domain due to increasing cyber security threats and widening attack surfaces created by the Internet of Things (IoT), increased network heterogeneity, increased use of virtualisation technologies and distributed architectures. This paper proposes SDS (Software Defined Security) as a means to provide an automated, flexible and scalable network defence system. SDS will harness current advances in machine learning to design a CNN (Convolutional Neural Network) using NAS (Neural Architecture Search) to detect anomalous network traffic. SDS can be applied to an intrusion detection system to create a more proactive and end-to-end defence for a 5G network. To test this assumption, normal and anomalous network flows from a simulated environment have been collected and analyzed with a CNN. The results from this method are promising as the model has identified benign traffic with a 100% accuracy rate and anomalous traffic with a 96.4% detection rate. This demonstrates the effectiveness of network flow analysis for a variety of common malicious attacks and also provides a viable option for detection of encrypted malicious network traffic.
“…While the statistical models of selected metrics do not have to be based on any assumed distributions (as argued by Denning [52]), many researchers noticed some metrics taken from non-malicious network traffic follow some known distributions closely but those from malicious deviate significantly [19]-[28]. Those distributions studied include Zipf's law, the Pareto distribution, the Weibull distribution and also Benford's law.…”
Section: B Ids (mentioning)
confidence: 99%
“…Arshadi and Jahangir also studied the source of Benford's law and attributed it to the fact that normal TCP flows' inter-arrival time closely follows the Weibull distribution, which can derive Benford's law. In [28], Arshadi and Jahangir also studied using the Weibull distribution with the inter-arrival time for IDS purposes, and provided some results on the actual performance of such an IDS.…”
Section: B Ids (mentioning)
confidence: 99%
“…A lot of network-based IDSs have employed statistical approaches to detecting signs of attacks, and some natural statistical laws such as Zipf's law, Benford's law, the Pareto distribution and the Weibull distribution [15]-[18] have been explored to generate statistical features for IDS purposes [19]-[28]. The term "natural" refers to the fact that many natural processes often follow them while artificially created ones tend to not.…”
Statistical characteristics of network traffic have attracted a significant amount of research for automated network intrusion detection, some of which looked at applications of natural statistical laws such as Zipf's law, Benford's law and the Pareto distribution. In this paper, we present the application of Benford's law to a new network flow metric "flow size difference", which has not been studied before by other researchers, to build an unsupervised flow-based intrusion detection system (IDS). The method was inspired by our observation on a large number of TCP flow datasets where normal flows tend to follow Benford's law closely but malicious flows tend to deviate significantly from it. The proposed IDS is unsupervised, so it can be easily deployed without any training. It has two simple operational parameters with a clear semantic meaning, allowing the IDS operator to set and adapt their values intuitively to adjust the overall performance of the IDS. We tested the proposed IDS on two (one closed and one public) datasets, and proved its efficiency in terms of AUC (area under the ROC curve). Our work showed the "flow size difference" has a great potential to improve the performance of any flow-based network IDSs.
“…Lee proposed in a spatial traffic model, which generates large‐scale spatial traffic variations by a sum of sinusoids that captures the characteristics of log‐normally distributed and spatially correlated cellular traffic. Arshadi proposed in a window‐based anomaly detection method as a possible application of their findings in which they first estimated the Weibull parameters of interarrival times in each window and then checked the discrepancy of the data with a Weibull distribution with the estimated parameters and set an alarm whenever the difference is significant. A study of the capacity of IEEE 802.16 wireless networks in mesh mode by using M/G/1/L queuing model that represented each network node by incorporating the features of the standard in order to calculate the average delay and throughput in the node was presented in .…”
SUMMARY. For the emerging applications such as Google Talk, Facebook, Skype and QQ, to mention a few, which run on smartphones, background traffic has become one of the significant issues in system design and optimization. Because of the complicated user behavior and interaction, the assumptions underlying the Poisson process model cannot be met; the Poisson distribution cannot approximate the distribution of background traffic arrivals accurately. In this paper, we propose a model, which can better fit the background traffic arrivals of smartphones than the Poisson distribution. The proposed model is a linear transformation of the Poisson distribution and is specified by three parameters, .a; b; /, which can be estimated from the measured sample's mean, variance, and third central moment. Simulation results have corroborated the fitness of the proposed model in both single and mixed applications scenarios. In addition, we have also observed that the normalized parameters, .a; b 0 ; 0 /, of each application are independent of the user number and completely characterized by the type of application. Hence, with the given trace cumulative distribution functions of all applications, the proposed modified Poisson distribution can be used as a tool for modeling and analyzing background traffic arrivals with arbitrary user numbers and mixed applications.