An Investigation of Power Law Probability Distributions for Network Anomaly Detection
It has been previously determined that SYN packet inter arrival times are conformant with Benford’s law, which predicts the frequency of the leading digits in naturally occurring collections of numbers, and suggested that conformity or non-conformity to Benford’s law could be used to detect network...
| Main Authors: | , , , , |
|---|---|
| Format: | Conference Paper |
| Published: |
IEEE
2017
|
| Online Access: | http://ieeexplore.ieee.org/ http://hdl.handle.net/20.500.11937/65570 |
| _version_ | 1848761158317637632 |
|---|---|
| author | Prandl, S. Lazarescu, M. Pham, DucSon Soh, Sie Teng Kak, S. |
| author_facet | Prandl, S. Lazarescu, M. Pham, DucSon Soh, Sie Teng Kak, S. |
| author_sort | Prandl, S. |
| building | Curtin Institutional Repository |
| collection | Online Access |
| description | It has been previously determined that SYN packet inter arrival times are conformant with Benford’s law, which predicts the frequency of the leading digits in naturally occurring collections of numbers, and suggested that conformity or non-conformity to Benford’s law could be used to detect network anomalies. This paper expands upon that suggestion by making three contributions. First, we verify that conformity to Benford’s law of inter arrival times is also true for certain types of both TCP and UDP packets. Second, we discover that packet length could also be another alternative to inter arrival times, with the advantage that it follows both Benford’s and Zipf’s laws, implying its reliability in detecting network traffic anomaly. Finally, we explore the potential application of power laws in the specific detection of denial-of-service (DoS) attacks using both inter arrival times and packet length. Extensive experiments on the MAWI benchmark dataset and two additional datasets support our claims and demonstrate that whilst Benfordian analysis of inter arrival times can identify DoS attacks, the combination of Benfordian and Zipfian analysis of packet length gives more reliable detection. |
| first_indexed | 2025-11-14T10:27:13Z |
| format | Conference Paper |
| id | curtin-20.500.11937-65570 |
| institution | Curtin University Malaysia |
| institution_category | Local University |
| last_indexed | 2025-11-14T10:27:13Z |
| publishDate | 2017 |
| publisher | IEEE |
| recordtype | eprints |
| repository_type | Digital Repository |
| spelling | curtin-20.500.11937-655702018-02-19T08:06:17Z An Investigation of Power Law Probability Distributions for Network Anomaly Detection Prandl, S. Lazarescu, M. Pham, DucSon Soh, Sie Teng Kak, S. It has been previously determined that SYN packet inter arrival times are conformant with Benford’s law, which predicts the frequency of the leading digits in naturally occurring collections of numbers, and suggested that conformity or non-conformity to Benford’s law could be used to detect network anomalies. This paper expands upon that suggestion by making three contributions. First, we verify that conformity to Benford’s law of inter arrival times is also true for certain types of both TCP and UDP packets. Second, we discover that packet length could also be another alternative to inter arrival times, with the advantage that it follows both Benford’s and Zipf’s laws, implying its reliability in detecting network traffic anomaly. Finally, we explore the potential application of power laws in the specific detection of denial-of-service (DoS) attacks using both inter arrival times and packet length. Extensive experiments on the MAWI benchmark dataset and two additional datasets support our claims and demonstrate that whilst Benfordian analysis of inter arrival times can identify DoS attacks, the combination of Benfordian and Zipfian analysis of packet length gives more reliable detection. 2017 Conference Paper http://hdl.handle.net/20.500.11937/65570 10.1109/SPW.2017.20 http://ieeexplore.ieee.org/ IEEE restricted |
| spellingShingle | Prandl, S. Lazarescu, M. Pham, DucSon Soh, Sie Teng Kak, S. An Investigation of Power Law Probability Distributions for Network Anomaly Detection |
| title | An Investigation of Power Law Probability Distributions for Network Anomaly Detection |
| title_full | An Investigation of Power Law Probability Distributions for Network Anomaly Detection |
| title_fullStr | An Investigation of Power Law Probability Distributions for Network Anomaly Detection |
| title_full_unstemmed | An Investigation of Power Law Probability Distributions for Network Anomaly Detection |
| title_short | An Investigation of Power Law Probability Distributions for Network Anomaly Detection |
| title_sort | investigation of power law probability distributions for network anomaly detection |
| url | http://ieeexplore.ieee.org/ http://hdl.handle.net/20.500.11937/65570 |