Statistical Analysis of Time Series for Portscan and DDoS Detection

Abstract

In the course of this study, statistical methods for time series analysis-specifically, the Z-score and the modified Z-score-were investigated for the detection of PortScan and DDoS attacks. Six time series were constructed based on the following traffic features: the average number of packets transmitted from sources to destinations, the data transfer rate from source to destination, the response data transfer rate, the connection duration between the source and the destination, the entropy calculated based on the destination ports of each source IP, and the number of unique destination ports accessed by each source IP. To evaluate the aforementioned statistical methods, the metrics of accuracy, precision, recall, and F1-score were used. The numerical results show that the modified Z-score yields fewer false positives compared to the standard Z-score in detecting the studied network threats, which influences the evaluation of these metrics. The F1-scores achieved by the modified Z-score for detecting DDoS attacks range between 93% and 98%, depending on the traffic feature used. However, the F1-score for detecting PortScan attacks does not exceed 58% at best. A detailed analysis showed that all detected PortScan instances correspond to fast port scanning, as this type of scanning causes a spike in traffic. This effect is reflected in the local violation of the stationarity of the time series. These conclusions were confirmed by ADF and KPSS statistical tests, which were conducted to test different hypotheses regarding the stationarity of the series.