
Iorliam, A, Tirunagari, S, Ho, ATS, Li, S, Waller, A and Poh, N (2017)

"Flow Size Difference" Can Make a Difference: Detecting Malicious TCP Network Flows Based on Benford's Law

arXiv:1609.04214v2 [cs.CR], last accessed February 6, 2017.

ISSN/ISBN: Not available at this time. DOI: Not available at this time.



Abstract: Statistical characteristics of network traffic have attracted a significant amount of research for automated network intrusion detection, some of which looked at applications of natural statistical laws such as Zipf's law, Benford's law and the Pareto distribution. In this paper, we present the application of Benford's law to a new network flow metric "flow size difference", which has not been studied before by other researchers, to build an unsupervised flow-based intrusion detection system (IDS). The method was inspired by our observation on a large number of TCP flow datasets where normal flows tend to follow Benford's law closely but malicious flows tend to deviate significantly from it. The proposed IDS is unsupervised, so it can be easily deployed without any training. It has two simple operational parameters with a clear semantic meaning, allowing the IDS operator to set and adapt their values intuitively to adjust the overall performance of the IDS. We tested the proposed IDS on two (one closed and one public) datasets, and proved its efficiency in terms of AUC (area under the ROC curve). Our work showed the "flow size difference" has a great potential to improve the performance of any flow-based network IDSs.
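The detection idea in the abstract, as an added illustration (this is not code from the paper or its authors): take the leading digit of each flow size difference in a window of flows, compare the observed digit frequencies with Benford's expected log10(1 + 1/d), and raise an alert when the deviation exceeds an operator threshold. Several details are assumptions of this example rather than the paper's definitions: "flow size difference" is taken as the absolute byte-count difference between consecutive TCP flows, conformity is measured by mean absolute deviation, and the two operator parameters are a window size and a deviation threshold. The flow sizes are constructed inline; they are not captured traffic.

```python
import math
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Benford's law: expected relative frequency of each leading digit 1..9.
BENFORD: Dict[int, float] = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def leading_digit(value: int) -> int:
    """Most significant decimal digit of |value| (0 only when value == 0)."""
    value = abs(int(value))
    while value >= 10:
        value //= 10
    return value


def flow_size_differences(sizes: Iterable[int]) -> List[int]:
    """ASSUMPTION: 'flow size difference' = |size(flow i+1) - size(flow i)| in bytes."""
    sizes = list(sizes)
    return [abs(b - a) for a, b in zip(sizes, sizes[1:])]


def first_digit_distribution(values: Iterable[int]) -> Dict[int, float]:
    """Observed leading-digit frequencies; zero differences carry no digit and are skipped."""
    counts = Counter(leading_digit(v) for v in values if v != 0)
    total = sum(counts.values())
    return {d: (counts.get(d, 0) / total if total else 0.0) for d in range(1, 10)}


def benford_deviation(observed: Dict[int, float]) -> float:
    """Mean absolute deviation between observed and Benford digit frequencies (assumed metric).
    0 = perfect conformity. A window of identical flow sizes yields only zero differences,
    an empty distribution, and a score of 1/9 ~= 0.111, which is treated as anomalous."""
    return sum(abs(observed[d] - BENFORD[d]) for d in range(1, 10)) / 9


def flag_windows(sizes: List[int], window: int, threshold: float) -> List[Tuple[int, float, bool]]:
    """Score consecutive non-overlapping windows of flow size differences.
    `window` and `threshold` stand in for the two operator parameters (assumption)."""
    diffs = flow_size_differences(sizes)
    results = []
    for start in range(0, len(diffs) - window + 1, window):
        dev = benford_deviation(first_digit_distribution(diffs[start:start + window]))
        results.append((start, round(dev, 4), dev > threshold))
    return results


def sizes_from_differences(base: int, diffs: List[int]) -> List[int]:
    """Build a constructed flow-size series whose consecutive absolute differences are `diffs`."""
    sizes = [base]
    for i, d in enumerate(diffs):
        sizes.append(sizes[-1] + d if i % 2 == 0 else sizes[-1] - d)
    return sizes


# --- constructed sample data (not real traffic) ---
# Benign window: 100 differences whose leading digits follow Benford's proportions.
_BENFORD_COUNTS = [30, 18, 12, 10, 8, 7, 6, 5, 4]
BENIGN_DIFFS = [d * 10 ** (1 + i % 3) + (i % 7)
                for d, n in zip(range(1, 10), _BENFORD_COUNTS) for i in range(n)]
# Suspicious window: 100 flows alternating between two fixed sizes, so every difference is 500.
MALICIOUS_DIFFS = [500] * 100
SAMPLE_SIZES = sizes_from_differences(50_000, BENIGN_DIFFS + MALICIOUS_DIFFS)

if __name__ == "__main__":
    for start, dev, flagged in flag_windows(SAMPLE_SIZES, window=100, threshold=0.05):
        print(f"window at {start:3d}: deviation={dev:.4f} {'ALERT' if flagged else 'ok'}")
```

With a threshold of 0.05 the Benford-shaped window scores about 0.003 and passes, while the fixed-difference window scores about 0.205 and is flagged; lowering the threshold trades false positives for sensitivity, and a larger window smooths the digit frequencies at the cost of slower detection, which is the kind of intuitive tuning the abstract attributes to its two parameters.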


Bibtex:
@article{DBLP:journals/corr/IorliamTHLWP16,
  author    = {Aamo Iorliam and Santosh Tirunagari and Anthony Tung Shuen Ho and Shujun Li and Adrian Waller and Norman Poh},
  title     = {"Flow Size Difference" Can Make a Difference: Detecting Malicious {TCP} Network Flows Based on Benford's Law},
  journal   = {CoRR},
  volume    = {abs/1609.04214},
  year      = {2017},
  url       = {http://arxiv.org/abs/1609.04214},
  timestamp = {Mon, 03 Oct 2016 17:51:10 +0200},
  biburl    = {http://dblp.uni-trier.de/rec/bib/journals/corr/IorliamTHLWP16},
  bibsource = {dblp computer science bibliography, http://dblp.org}
}


Reference Type: Preprint

Subject Area(s): Computer Science, Statistics