An empirical study on TCP flow interarrival time distribution for normal and anomalous traffic

Arshadi, Laleh; Jahangir, Amir Hossein

doi:10.1002/dac.2881

Cited by 12 publications

(9 citation statements)

References 53 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…By examining this feature and other statistical forms of IAT such as the mean, minimum, maximum and standard deviation of IAT of a network flow, benign traffic can be modelled to conform to the Weibull distribution. By modelling benign traffic to the Weibull distribution, anomalous traffic can therefore be identified as it will cause irregularities and deviations in the distribution [29]. This correlation is identifiable across packets, flows and sessions for both TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) transport protocols in internet traffic [30].…”

Section: Inter-arrival Time and Feature Selectionmentioning

confidence: 99%

Machine Learning based Anomaly Detection for 5G Networks

Lam¹,

Abbas²

2020

Preprint

View full text Add to dashboard Cite

Protecting the networks of tomorrow is set to be a challenging domain due to increasing cyber security threats and widening attack surfaces created by the Internet of Things (IoT), increased network heterogeneity, increased use of virtualisation technologies and distributed architectures. This paper proposes SDS (Software Defined Security) as a means to provide an automated, flexible and scalable network defence system. SDS will harness current advances in machine learning to design a CNN (Convolutional Neural Network) using NAS (Neural Architecture Search) to detect anomalous network traffic. SDS can be applied to an intrusion detection system to create a more proactive and end-to-end defence for a 5G network. To test this assumption, normal and anomalous network flows from a simulated environment have been collected and analyzed with a CNN. The results from this method are promising as the model has identified benign traffic with a 100% accuracy rate and anomalous traffic with a 96.4% detection rate. This demonstrates the effectiveness of network flow analysis for a variety of common malicious attacks and also provides a viable option for detection of encrypted malicious network traffic.

show abstract

Section: Inter-arrival Time and Feature Selectionmentioning

confidence: 99%

Machine Learning based Anomaly Detection for 5G Networks

Lam¹,

Abbas²

2020

Preprint

View full text Add to dashboard Cite

show abstract

“…While the statistical models of selected metrics do not have to be based on any assumed distributions (as argued by Denning [52]), many researchers noticed some metrics taken from non-malicious network traffic follow some known distributions closely but those from malicious deviate significantly [19]- [28]. Those distributions studied include Zipf's law, the Pareto distribution, the Weibull distribution and also Benford's law.…”

Section: B Idsmentioning

confidence: 99%

“…Arshadi and Jahangir also studied the source of Benford's law and attributed it to the fact that normal TCP flows' inter-arrival time closely follows the Weibull distribution, which can derive Benford's law. In [28], Arshadi and Jahangir also studied using the Weibull distribution with the inter-arrival time for IDS purposes, and provided some results on the actual performance of such an IDS.…”

Section: B Idsmentioning

confidence: 99%

“…A lot of network-based IDSs have employed statistical approaches to detecting signs of attacks, and some natural statistical laws such as Zipf's law, Benford's law, the Pareto distribution and the Weibull distribution [15]- [18] have been explored to generate statistical features for IDS purposes [19]- [28]. The term "natural" refers to the fact that many natural processes often follow them while artificially created ones tend to not.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

"Flow Size Difference" Can Make a Difference: Detecting Malicious TCP Network Flows Based on Benford's Law

Iorliam,

Tirunagari,

et al. 2016

Preprint

View full text Add to dashboard Cite

Statistical characteristics of network traffic have attracted a significant amount of research for automated network intrusion detection, some of which looked at applications of natural statistical laws such as Zipf's law, Benford's law and the Pareto distribution. In this paper, we present the application of Benford's law to a new network flow metric "flow size difference", which have not been studied before by other researchers, to build an unsupervised flow-based intrusion detection system (IDS). The method was inspired by our observation on a large number of TCP flow datasets where normal flows tend to follow Benford's law closely but malicious flows tend to deviate significantly from it. The proposed IDS is unsupervised, so it can be easily deployed without any training. It has two simple operational parameters with a clear semantic meaning, allowing the IDS operator to set and adapt their values intuitively to adjust the overall performance of the IDS. We tested the proposed IDS on two (one closed and one public) datasets, and proved its efficiency in terms of AUC (area under the ROC curve). Our work showed the "flow size difference" has a great potential to improve the performance of any flow-based network IDSs.

show abstract

“…Lee proposed in a spatial traffic model, which generates large‐scale spatial traffic variations by a sum of sinusoids that captures the characteristics of log‐normally distributed and spatially correlated cellular traffic. Arshadi proposed in a window‐based anomaly detection method as a possible application of their findings in which they first estimated the Weibull parameters of interarrival times in each window and then checked the discrepancy of the data with a Weibull distribution with the estimated parameters and set an alarm whenever the difference is significant. A study of the capacity of IEEE 802.16 wireless networks in mesh mode by using M/G/1/L queuing model that represented each network node by incorporating the features of the standard in order to calculate the average delay and throughput in the node was presented in .…”

Section: Introductionmentioning

confidence: 99%

A modified poisson distribution for smartphone background traffic in cellular networks

Zhang

Zhao

Guan

et al. 2016

Int J Communication

View full text Add to dashboard Cite

SUMMARYFor the emerging applications such as Google Talk, Facebook, Skype and QQ, to mention a few, which run on smartphones, background traffic has become one of the significant issues in system design and optimization. Because of the complicated user behavior and interaction, the assumptions underlying the Poisson process model cannot be met; the Poisson distribution cannot approximate the distribution of background traffic arrivals accurately. In this paper, we propose a model, which can better fit the background traffic arrivals of smartphones than the Poisson distribution. The proposed model is a linear transformation of the Poisson distribution and is specified by three parameters, .a; b; /, which can be estimated from the measured sample's mean, variance, and third central moment. Simulation results have corroborated the fitness of the proposed model in both single and mixed applications scenarios. In addition, we have also observed that the normalized parameters, .a; b 0 ; 0 /, of each application is independent of the user number and completely characterized by the type of application. Hence, with the given trace cumulative distribution functions of all applications, the proposed modified Poisson distribution can be used as a tool for modeling and analyzing background traffic arrivals with arbitrary user numbers and mixed applications.

show abstract

An empirical study on TCP flow interarrival time distribution for normal and anomalous traffic

Cited by 12 publications

References 53 publications

Machine Learning based Anomaly Detection for 5G Networks

Machine Learning based Anomaly Detection for 5G Networks

"Flow Size Difference" Can Make a Difference: Detecting Malicious TCP Network Flows Based on Benford's Law

A modified poisson distribution for smartphone background traffic in cellular networks

Contact Info

Product

Resources

About