Modeling the Inter-arrival Time of Packets in Network Traffic and Anomaly Detection Using the Zipf’s Law
Subject Areas : Network ManagementAli Naghash Asadi 1 , Mohammad Abdollahi Azgomi 2 *
1 - Iran University of Science and Technology
2 - Iran University of Science and Technology
Keywords: Network traffic modeling , Inter-arrival time , Anomaly detection , DoS attack , The Zipf’s law,
Abstract :
In this paper, a new method based on the Zipf’s law for modeling the features of the network traffic is proposed. The Zipf's law is an empirical law that provides the relationship between the frequency and rank of each category in the data set. Some data sets may follow from the Zipf’s law, but we show that each data set can be converted to the data set following from the Zipf’s law by changing the definition of categories. We use this law to model the inter-arrival time of packets in the normal network traffic and then we show that this model can be used to simulate the inter-arrival time of packets. The advantage of this law is that it can provide high similarity using less information. Furthermore, the Zipf’s law can model different features of the network traffic that may not follow from the mathematical distributions. The simple approach of this law can provide accuracy and lower limitations in comparison to existing methods. The Zipf's law can be also used as a criterion for anomaly detection. For this purpose, the TCP_Flood and UDP_Flood attacks are added to the inter-arrival time of packets and they are detected with high detection rate. We show that the Zipf’s law can create an accurate model of the feature to classify the feature values and obtain the rank of its categories, and this model can be used to simulate the feature values and detect anomalies. The evaluation results of the proposed method on MAWI and NUST traffic collections are presented in this paper.
[1] G. Zipf, "Human behavior and the principle of least effort," The Economical Journal, vol. 60, no. 3, pp. 808-810, 1950.
[2] A. I. Saichev, Y. Malevergne and D. Sornette, Theory of Zipf's Law and Beyond, Springer-Verlag Berlin Heidelberg, 2010.
[3] S. Arshad, S. Hu and B. N. Ashraf, "Zipf's law and city size distribution: A survey of the literature and future research agenda," Statistical Mechanics and its Applications, vol. 492, no. 15, pp. 75-92, 2018.
[4] S. Arshad, S. Hu and B. N. Ashraf, "Zipf’s law, the coherence of the urban system and city size distribution: Evidence from Pakistan," Physica A (2018), https://doi.org/10.1016/j.physa.2018.08.065.
[5] D. Wang, H. Cheng, P. Wang and G. Jian, "Zipf's Law in Passwords," IEEE Transactions on Information Forensics and Security, vol. 12, no. 11, pp. 2776-2791, 2017.
[6] A. Liu, V. Lau and G. Caire, "Capacity scaling of wireless device-to-device caching networks under the physical model," in IEEE International Symposium on Information Theory, Germany, 2017.
[7] A. Iorliam, A. T. Ho, N. Poh, S. Tirunagari and P. Bours, "Data forensic techniques using Benford's law and Zipf's law for keystroke dynamics," in International Workshop on Biometrics and Forensics, Norway, 2015.
[8] M. Jauhari, A. Saxena and J. Gautom, "Zipf’s Law and Number of hits on the World Wide Web," Annals of Library and Information Studies, vol. 54, no. 2, pp. 81-84, 2007.
[9] L. Adamic and B. Huberman, "Zipf’s Law and the Internet," in Glottometrics, 2007. [10] B. R. Chang and H. F. Tsai, "Improving network traffic analysis by foreseeing data packet- flow with hybrid fuzzy-based model prediction," Expert Systems with Applications, vol. 36, no. 3, pp. 6960-6965, 2009.
[11] J. Sommers and P. Barford, "Self-Configuring Network Traffic Generation," in the 4th ACM SIGCOMM conference on Internet measurement, Italy, 2004.
[12] A. Botta, A. Dainotti and A. Pescape, "A tool for the generation of realistic network workload for emerging networking scenarios," Computer Networks, vol. 56, no. 1, pp. 3531-3547, 2012.
[13] "TCPReplay," [Online]. Available: http://tcpreplay.synfin.net/wiki. [Accessed 23 08 2018].
[14] "Network, devices & services testing-Spirent," [Online]. Available: http://www.spirent.com/. [Accessed 23 08 2018].
[15] W. M. Shbair, A. R. Bashandy and S. I. Shaheen, "A New Security Mechanism to Perform Traffic," in International Conference on Computational Science and Engineering, 2004.
[16] F. Sally and P. Vern, "Difficulties in simulating the internet," IEEE/ACM Transactions on Networking, vol. 9, no. 4, pp. 392-403, 2001.
[17] V. Paxon, "Strategies for sound internet measurement," in the 4th ACM SIGCOMM conference on Internet measurement, Italy, 2004.
[18] V. Chandola, A. Banerjee and V. Kumar, "Anomaly detection: a survey," ACM Computing Surveys, vol. 41, no. 3, pp. 1-58, 2009.
[19] A. Patcha and J. M. Park, "An overview of anomaly detection techniques: existing solutions and latest technological trends," Computer Networks, vol. 51, no. 12, pp. 3448-3470, 2009.
[20] P. Barford, J. Kline, D. Plonka and A. Ron, "A signal analysis of network traffic anomalies," in the 2nd ACM SIGCOMM Workshop on Internet measurement, France, 2002.
[21] S. Luo and G. A. Marin, "Generating Realistic Network Traffic for Security Experiments," in IEEE SoutheastCon, USA, 2004.
[22] E. Garsva, N. Paulauskas, G. Grazulevicius and L. Gulbinovic, "Packet Inter-arrival Time Distribution in Academic Computer Network," ELEKTRONIKA IR ELEKTROTECHNIKA, vol. 20, no. 3, pp. 87-90, 2014.
[23] M. Fras, J. Mohorko and Z. Cucej, "Packet Size Process Modeling of Measured Self-similar Network Traffic with Defragmentation Method," in 15th International Conference on Systems, Signals and Image Processing, Slovakia, 2008.
[24] W. E. Leland, M. S. Taqqu, W. Willinger and D. V. Wilson, "the self-similar nature of Ethernet traffic (extended version)," IEEE/ACM Transactions on Networking, vol. 2, no. 1, pp. 1-15, 1994.
[25] X. An and L. Qu, "A Study Based on Self-Similar Network Traffic Model," in Sixth International Conference on Intelligent Systems Design and Engineering Applications, China, 2015.
[26] A. Pashko and V. Tretynyk, "Methods of the statistical simulation of the self-similar traffic," Advances in Intelligent Systems and Computing, vol. 754, no. 1, pp. 54-64, 2018.
[27] V. I. Strelkovskaya, T. I. Grygoryeva and I. N. Solovskaya, "Self-similar traffic in G/M/1 queue defined by the Weibull distribution," Radioelectronics and Communications Systems, vol. 61, no. 3, pp. 128-134, 2018.
[28] M. A. Arfeen, K. Pawlikowski, D. McNickle and A. Willig, "The Role of the Weibull Distribution in Internet Traffic Modeling," in 25th International Conference on Teletraffic Congress, China, 2013.
[29] L. Arshadi and A. H. Jahangir, "An empirical study on TCP flow interarrival time distribution for normal and anomalous traffic," International Journal of Communication Systems, vol. 30, no. 1, pp. 1-19, 2017.
[30] T. K. Bandhopadhya, M. Saxena and A. Tiwari, "Jitter’s Alpha-Stable Distribution Behavior," Computer Technology and Electronics Engineering, vol. 3, no. 1, pp. 13-16, 2013.
[31] G. J. Fernandes, J. P. Rodrigues, L. F. Carvalho, J. F. Al-Muhtadi and M. J. Proença, "A comprehensive survey on network anomaly detection," Telecommunication Systems (2018), https://doi.org/10.1007/s11235-018-0475-8. [32] "IDS Distribution," [Online]. Available: http://cs.fit.edu/~mmahoney/dist/. [Accessed 23 08 2018].
[33] L. Arshadi and A. H. Jahangir, "Benford's law behavior of Internet traffic," Journal of Network and Computer Applications, vol. 40, no. 1, pp. 194-205, 2014.
[34] A. N. Asadi, "An approach for detecting anomalies by assessing the inter-arrival time of UDP packets and flows using Benford’s law," in 2nd International Conference on Knowledge-Based Engineering and Innovation, Tehran, 2015.
[35] Y. Gu, A. McCallum and D. Towsley, "Detecting Anomalies in Network Traffic Using Maximum Entropy Estimation," in the 5th ACM SIGCOMM conference on Internet measurement, USA, 2005.
[36] S. Honda, T. Nakashima and S. Oshima, "Entropy Based Analysis of Anomaly Access of IP Packets," in 3rd International Conference on Innovative Computing Information and Control, China, 2008.
[37] L. I. Han, "Research of K-MEANS Algorithm based on Information Entropy in Anomaly Detection," in Fourth International Conference on Multimedia Information Networking and Security, China, 2012.
[38] S. K. Gautam and H. Om, "Anomaly detection system using entropy based technique," in First International Conference on Next Generation Computing Technologies, India, 2015.
[39] A. A. Waskita, H. Suhartanto and L. T. Handoko, "A performance study of anomaly detection using entropy method," in International Conference on Computer, Control, Informatics and its Applications, Indonesia, 2016.
[40] D. Hong, D. Zhao and Y. Zhang, "The Entropy and PCA Based Anomaly Prediction in Data Streams," Procedia Computer Science, vol. 96, no. 1, pp. 139-146, 2016.
[41] "NUST," [Online]. Available: http://wisnet.seecs.nust.edu.pk/downloads.php. [Accessed 13 06 2013].
[42] "MAWI Working Group Traffic Archive," [Online]. Available: http://mawi.wide.ad.jp/mawi/. [Accessed 13 10 2016].
[43] A. E. Kossovsky, Benford's Law: Theory, the General Law of Relative Quantities, and Forensic Fraud Detection Applications, NewYork: WorldScientific, 2014.
[44] C. E. Shannon, "A mathematical theory of communication," Bell System Technical Journal, vol. 27, no. 4, pp. 623-656, 1948.