Statistical Analysis of Time Series for Portscan and DDoS Detection
Study of Factors Influencing Z-score Based Sliding Windows Algorithm
Abstract
In the course of this study, statistical methods for time series analysis (specifically, the Z-score and the modified Z-score) were investigated for the detection of PortScan and DDoS attacks. Six time series were constructed based on the following traffic features: the average number of packets transmitted from sources to destinations, the data transfer rate from source to destination, the response data transfer rate, the connection duration between the source and the destination, the entropy calculated based on the destination ports of each source IP, and the number of unique destination ports accessed by each source IP. To evaluate the aforementioned statistical methods, the metrics of accuracy, precision, recall, and F1-score were used. The numerical results show that the modified Z-score yields fewer false positives than the standard Z-score in detecting the studied network threats, which influences the evaluation of these metrics. The F1-scores achieved by the modified Z-score for detecting DDoS attacks range between 93% and 98%, depending on the traffic feature used. However, the F1-score for detecting PortScan attacks does not exceed 58% at best. A detailed analysis showed that all detected PortScan instances correspond to fast port scanning, as this type of scanning causes a spike in traffic. This effect is reflected in the local violation of the stationarity of the time series. These conclusions were confirmed by ADF and KPSS statistical tests, which were conducted to test different hypotheses regarding the stationarity of the series.
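The sliding-window comparison of the Z-score and the modified Z-score that the abstract describes, as an added example that is not the paper's code or data. The series (unique destination ports per source IP per interval), the window size of 8 preceding values, the thresholds 3.0 and 3.5, and the mean-absolute-deviation fallback for a zero MAD are assumptions made here.

```python
import math
import statistics

# Constructed sample series (not from the paper): unique destination ports
# contacted by one source IP per 10-second interval. Index 8 is a benign
# bump (a client opening a few extra connections); index 16 is a fast port
# scan, which spikes the count the way the abstract describes.
UNIQUE_DST_PORTS = [3, 4, 3, 4, 3, 4, 3, 4,  # 0-7   steady baseline
                    6,                        # 8     benign bump
                    3, 4, 3, 4, 3, 4, 3,      # 9-15  baseline
                    180,                      # 16    fast port scan
                    4, 3, 4]                  # 17-19 baseline resumes

def zscore(window, x):
    """Standard Z-score of x against the preceding window (mean / std dev)."""
    mean = statistics.fmean(window)
    std = statistics.pstdev(window)
    if std == 0:  # flat baseline: any deviation at all is infinite
        return 0.0 if x == mean else math.inf
    return (x - mean) / std

def modified_zscore(window, x):
    """Iglewicz-Hoaglin modified Z-score (median / MAD); one earlier outlier
    in the window cannot inflate the scale the way it inflates a std dev."""
    med = statistics.median(window)
    abs_dev = [abs(v - med) for v in window]
    mad = statistics.median(abs_dev)
    if mad == 0:  # assumed fallback when MAD degenerates: mean absolute deviation
        mean_ad = statistics.fmean(abs_dev)
        if mean_ad == 0:
            return 0.0 if x == med else math.inf
        return (x - med) / (1.253314 * mean_ad)
    return 0.6745 * (x - med) / mad

def sliding_detect(series, score_fn, threshold, window=8):
    """Score each point against the `window` values before it and return the
    indices whose |score| exceeds the threshold (candidate attack intervals)."""
    flagged = []
    for i in range(window, len(series)):
        if abs(score_fn(series[i - window:i], series[i])) > threshold:
            flagged.append(i)
    return flagged

def compare(series=UNIQUE_DST_PORTS):
    """Run both detectors with their conventional thresholds (3.0 and 3.5)."""
    return {"zscore": sliding_detect(series, zscore, 3.0),
            "modified_zscore": sliding_detect(series, modified_zscore, 3.5)}

if __name__ == "__main__":
    print(compare())  # {'zscore': [8, 16], 'modified_zscore': [16]}
```

On this series the standard Z-score flags the benign bump at index 8 as well as the scan at index 16, while the modified Z-score flags only the scan, which is the false-positive difference the abstract reports. Thresholds would be tuned per traffic feature in practice.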

This work is licensed under a Creative Commons Attribution 4.0 International License.