On the TCP Flow Inter-arrival Times Dsitribution

2011 UKSim 5th European Symposium on Computer Modeling and Simulation Pub Date : 2011-11-16 DOI:10.1109/EMS.2011.34

L. Arshadi, A. Jahangir

{"title":"On the TCP Flow Inter-arrival Times Dsitribution","authors":"L. Arshadi, A. Jahangir","doi":"10.1109/EMS.2011.34","DOIUrl":null,"url":null,"abstract":"IP packets are known to have long range dependence and show self-similar properties. However, TCP flows-a set of related IP packets that form a TCP connection-which are considered to be generated by a large population of users and consequently mutually independent, seem to be best modeled by either Poisson processes with exponential inter-arrival times or some distributions with heavy tails such as Weibull distribution. In this paper, we show that despite the number of active nodes in a network, the inter-arrival times of TCP flows in the \"normal traffic\" conform to the Weibull distribution and any irregularity in the traffic causes deviations in the distribution of the inter-arrival times and so can be detected. This leads to a straightforward method for anomaly detection by which we are able to identify the anomalous part(s) of the traffic. We first apply the median-rank method to estimate the Weibull distribution parameters of the traffic and then check the conformity of the data against a Weibull distribution with the estimated parameters and determine whether the traffic is normal or not based on the chi-square test.","PeriodicalId":131364,"journal":{"name":"2011 UKSim 5th European Symposium on Computer Modeling and Simulation","volume":"26 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2011-11-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"10","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2011 UKSim 5th European Symposium on Computer Modeling and Simulation","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/EMS.2011.34","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 10

Abstract

IP packets are known to have long range dependence and show self-similar properties. However, TCP flows-a set of related IP packets that form a TCP connection-which are considered to be generated by a large population of users and consequently mutually independent, seem to be best modeled by either Poisson processes with exponential inter-arrival times or some distributions with heavy tails such as Weibull distribution. In this paper, we show that despite the number of active nodes in a network, the inter-arrival times of TCP flows in the "normal traffic" conform to the Weibull distribution and any irregularity in the traffic causes deviations in the distribution of the inter-arrival times and so can be detected. This leads to a straightforward method for anomaly detection by which we are able to identify the anomalous part(s) of the traffic. We first apply the median-rank method to estimate the Weibull distribution parameters of the traffic and then check the conformity of the data against a Weibull distribution with the estimated parameters and determine whether the traffic is normal or not based on the chi-square test.

查看原文本刊更多论文

关于TCP流到达时间分配

众所周知，IP数据包具有长距离依赖性并显示自相似属性。然而，TCP流——一组形成TCP连接的相关IP数据包——被认为是由大量用户生成的，因此是相互独立的，似乎最好是通过具有指数级到达间隔时间的泊松过程或一些具有重尾的分布(如威布尔分布)来建模。在本文中，我们证明了无论网络中有多少活动节点，在“正常流量”中TCP流的到达间隔时间都符合威布尔分布，流量中的任何不规则都会导致到达间隔时间分布的偏差，因此可以被检测到。这导致了一种直接的异常检测方法，通过该方法我们能够识别流量的异常部分。我们首先使用中位秩法估计流量的威布尔分布参数，然后根据威布尔分布检查数据与估计参数的符合性，并根据卡方检验确定流量是否为正态。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2011 UKSim 5th European Symposium on Computer Modeling and Simulation

自引率

0.00%

发文量