2014
DOI: 10.1002/dac.2881
|View full text |Cite
|
Sign up to set email alerts
|

An empirical study on TCP flow interarrival time distribution for normal and anomalous traffic

Abstract: SUMMARYIn this paper, we study the effects of anomalies on the distribution of TCP flow interarrival time process. We show empirically that despite the variety of data networks in size, number of users, applications, and load, the interarrival times of normal flows comply with the Weibull distribution, whereas specific irregularities (anomalies) causes deviations from the distribution. We first estimate the scale and shape parameters and then check the discrepancy of the data from a Weibull distribution with t… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
2
2
1

Citation Types

0
9
0

Year Published

2016
2016
2021
2021

Publication Types

Select...
3
2
2

Relationship

0
7

Authors

Journals

citations
Cited by 12 publications
(9 citation statements)
references
References 53 publications
0
9
0
Order By: Relevance
“…By examining this feature and other statistical forms of IAT such as the mean, minimum, maximum and standard deviation of IAT of a network flow, benign traffic can be modelled to conform to the Weibull distribution. By modelling benign traffic to the Weibull distribution, anomalous traffic can therefore be identified as it will cause irregularities and deviations in the distribution [29]. This correlation is identifiable across packets, flows and sessions for both TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) transport protocols in internet traffic [30].…”
Section: Inter-arrival Time and Feature Selectionmentioning
confidence: 99%
“…By examining this feature and other statistical forms of IAT such as the mean, minimum, maximum and standard deviation of IAT of a network flow, benign traffic can be modelled to conform to the Weibull distribution. By modelling benign traffic to the Weibull distribution, anomalous traffic can therefore be identified as it will cause irregularities and deviations in the distribution [29]. This correlation is identifiable across packets, flows and sessions for both TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) transport protocols in internet traffic [30].…”
Section: Inter-arrival Time and Feature Selectionmentioning
confidence: 99%
“…While the statistical models of selected metrics do not have to be based on any assumed distributions (as argued by Denning [52]), many researchers noticed some metrics taken from non-malicious network traffic follow some known distributions closely but those from malicious deviate significantly [19]- [28]. Those distributions studied include Zipf's law, the Pareto distribution, the Weibull distribution and also Benford's law.…”
Section: B Idsmentioning
confidence: 99%
“…Arshadi and Jahangir also studied the source of Benford's law and attributed it to the fact that normal TCP flows' inter-arrival time closely follows the Weibull distribution, which can derive Benford's law. In [28], Arshadi and Jahangir also studied using the Weibull distribution with the inter-arrival time for IDS purposes, and provided some results on the actual performance of such an IDS.…”
Section: B Idsmentioning
confidence: 99%
See 1 more Smart Citation
“…Lee proposed in a spatial traffic model, which generates large‐scale spatial traffic variations by a sum of sinusoids that captures the characteristics of log‐normally distributed and spatially correlated cellular traffic. Arshadi proposed in a window‐based anomaly detection method as a possible application of their findings in which they first estimated the Weibull parameters of interarrival times in each window and then checked the discrepancy of the data with a Weibull distribution with the estimated parameters and set an alarm whenever the difference is significant. A study of the capacity of IEEE 802.16 wireless networks in mesh mode by using M/G/1/L queuing model that represented each network node by incorporating the features of the standard in order to calculate the average delay and throughput in the node was presented in .…”
Section: Introductionmentioning
confidence: 99%