Article


Article Code : 1396102514371950285
DOI : 10.7508/jist.2018.02.003

Article Title : Modeling the Inter-arrival Time of Packets in Network Traffic and Anomaly Detection Using the Zipf’s Law

Journal Number : 22 Spring 2018


List of Authors

    Full Name                  | Email                     | Grade               | Degree | Corresponding Author
  1 Ali Naghash-Asadi          | aliasadi@comp.iust.ac.ir  | Graduate            | M.Sc   |
  2 Mohammad Abdollahi Azgomi  | azgomi@iust.ac.ir         | Associate Professor | PhD    |

Abstract

In this paper, a new method based on Zipf's law for modeling features of network traffic is proposed. Zipf's law is an empirical law that relates the frequency of each category in a data set to its rank. Some data sets follow Zipf's law as they are, but we show that any data set can be converted into one that follows Zipf's law by changing the definition of its categories. We use this law to model the inter-arrival time of packets in normal network traffic and then show that the resulting model can be used to simulate packet inter-arrival times. The advantage of this law is that it achieves high similarity to the original data while storing less information. Furthermore, Zipf's law can model features of network traffic that do not fit standard mathematical distributions. Its simple approach provides accuracy with fewer restrictions than existing methods. Zipf's law can also be used as a criterion for anomaly detection: for this purpose, TCP_Flood and UDP_Flood attacks are added to the packet inter-arrival times and are detected with a high detection rate. We show that Zipf's law yields an accurate model of a feature, classifying its values into categories and assigning each category a rank, and that this model can be used both to simulate the feature's values and to detect anomalies. Evaluation results of the proposed method on the MAWI and NUST traffic collections are presented in this paper.
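The abstract describes three uses of one rank-frequency model: redefine the categories of a feature so that its rank-frequency profile follows Zipf's law, simulate new feature values from that model, and flag a traffic window whose profile departs from the model. The following Python program is an added illustration of that idea and is not the authors' code; its category construction (contiguous bands of the inter-arrival-time axis, each sized from the sorted baseline to hold a fraction proportional to rank^-s), the choice of k = 8 ranks and s = 1, the L1 anomaly score, the threshold of 0.5, and the exponentially distributed "normal" and "flood" inter-arrival times are all assumptions made for the example, not values taken from the paper or the MAWI/NUST traces.

```python
"""Zipf rank-frequency model of packet inter-arrival times: build, simulate, detect.

Added illustration with constructed data; not the paper's method or traces.
"""
import bisect
import random


def zipf_weights(k, s=1.0):
    """Probability of rank r (1..k) under Zipf's law: p(r) proportional to r**-s."""
    raw = [r ** -s for r in range(1, k + 1)]
    z = sum(raw)
    return [w / z for w in raw]


def build_model(baseline, k=8, s=1.0):
    """Define k categories on the time axis so the baseline follows Zipf's law.

    Category r is a contiguous band of inter-arrival times, cut from the sorted
    baseline so that it holds a fraction p(r) of the packets (assumed construction).
    The model is just the k-1 band edges plus the exponent s: that is all that is
    needed later to simulate traffic or to score a window.
    """
    xs = sorted(baseline)
    n = len(xs)
    edges, cum = [], 0.0
    for w in zipf_weights(k, s)[:-1]:
        cum += w
        idx = min(max(int(round(cum * n)), 1), n - 1)  # first sample of the next band
        edges.append(xs[idx])
    return {"edges": edges, "k": k, "s": s, "lo": xs[0], "hi": xs[-1]}


def category(model, t):
    """0-based rank of the band that inter-arrival time t falls in."""
    return bisect.bisect_right(model["edges"], t)


def profile(model, window):
    """Relative frequency of each rank in a window of inter-arrival times."""
    counts = [0] * model["k"]
    for t in window:
        counts[category(model, t)] += 1
    return [c / len(window) for c in counts]


def simulate(model, n, rng):
    """Generate n inter-arrival times: draw a rank by Zipf's law, then a time in its band."""
    bounds = [model["lo"]] + model["edges"] + [model["hi"]]
    weights = zipf_weights(model["k"], model["s"])
    ranks = rng.choices(range(model["k"]), weights=weights, k=n)
    return [rng.uniform(bounds[r], bounds[r + 1]) for r in ranks]


def anomaly_score(model, window):
    """L1 distance between the window's rank profile and the Zipf prediction.

    0 means the window follows the model exactly; 2 means the two are disjoint.
    """
    expected = zipf_weights(model["k"], model["s"])
    return sum(abs(p - q) for p, q in zip(profile(model, window), expected))


def is_anomalous(model, window, threshold=0.5):
    """Assumed decision rule: a window is anomalous when its score exceeds threshold."""
    return anomaly_score(model, window) > threshold


# --- constructed demo data (exponential gaps; not the paper's traces) ---
def normal_traffic(n, seed, mean_gap=0.02):
    rng = random.Random(seed)
    return [rng.expovariate(1.0 / mean_gap) for _ in range(n)]


def flood_traffic(n, seed, mean_gap=2e-5):
    """A flood: packets arrive roughly a thousand times faster than normal."""
    rng = random.Random(seed)
    return [rng.expovariate(1.0 / mean_gap) for _ in range(n)]


def demo():
    model = build_model(normal_traffic(4000, seed=1))
    normal_window = normal_traffic(500, seed=2)
    attack_window = normal_window + flood_traffic(2000, seed=3)  # flood added to normal traffic
    simulated = simulate(model, 500, random.Random(4))
    return {
        "normal": anomaly_score(model, normal_window),
        "simulated": anomaly_score(model, simulated),
        "attack": anomaly_score(model, attack_window),
    }


if __name__ == "__main__":
    for name, score in demo().items():
        print(f"{name:9s} score={score:.3f}")
```

Because the bands are cut to Zipf proportions, the baseline's own profile matches the model almost exactly, a fresh normal window and a simulated window land within sampling noise of it, and the flood collapses most of the mass into the band of smallest inter-arrival times, which drives the score well past the threshold. Real traces will need the number of ranks, the exponent and the threshold tuned on held-out normal traffic.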