Statistical Analysis of Time Series for Portscan and DDoS Detection

Study of Factors Influencing Z-score Based Sliding Windows Algorithm

  • Djeguede Adeyemi Marc Aurele Emmanuel, Peoples’ Friendship University of Russia named after Patrice Lumumba

Abstract

In the course of this study, statistical methods for time series analysis, specifically the Z-score and the modified Z-score, were investigated for the detection of PortScan and DDoS attacks. Six time series were constructed based on the following traffic features: the average number of packets transmitted from sources to destinations, the data transfer rate from source to destination, the response data transfer rate, the connection duration between the source and the destination, the entropy calculated based on the destination ports of each source IP, and the number of unique destination ports accessed by each source IP. To evaluate the aforementioned statistical methods, the metrics of accuracy, precision, recall, and F1-score were used. The numerical results show that the modified Z-score yields fewer false positives compared to the standard Z-score in detecting the studied network threats, which influences the evaluation of these metrics. The F1-scores achieved by the modified Z-score for detecting DDoS attacks range between 93% and 98%, depending on the traffic feature used. However, the F1-score for detecting PortScan attacks does not exceed 58% at best. A detailed analysis showed that all detected PortScan instances correspond to fast port scanning, as this type of scanning causes a spike in traffic. This effect is reflected in the local violation of the stationarity of the time series. These conclusions were confirmed by ADF and KPSS statistical tests, which were conducted to test different hypotheses regarding the stationarity of the series.
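
A sliding-window detector for the two scores named in the abstract, applied to the "unique destination ports per source IP" feature. It is an added illustration, not code from the paper: the window length, the thresholds (3.0 and 3.5), the zero-spread handling and the sample series are assumptions, and the series is constructed.

```python
import statistics

def zscore(window, x):
    """Standard Z-score of x against the window's mean and standard deviation."""
    sd = statistics.pstdev(window)
    # Zero spread leaves the score undefined; treated as 0 here (assumption).
    return 0.0 if sd == 0 else (x - statistics.fmean(window)) / sd

def modified_zscore(window, x):
    """Modified Z-score: 0.6745 * (x - median) / MAD, robust to outliers in the window."""
    med = statistics.median(window)
    mad = statistics.median(abs(v - med) for v in window)
    return 0.0 if mad == 0 else 0.6745 * (x - med) / mad

def detect(series, score, window=10, threshold=3.0):
    """Indices whose score against the preceding `window` points exceeds `threshold`."""
    return [i for i in range(window, len(series))
            if abs(score(series[i - window:i], series[i])) > threshold]

# Constructed sample: unique destination ports contacted by one source IP per time bin.
QUIET_A = [4, 5, 3, 6, 4, 5, 4, 3, 5, 6, 4, 5, 3, 4, 6, 5, 4, 5, 3, 4]  # bins 0-19
FAST_SCAN = [250]                          # bin 20: one burst across many ports
QUIET_B = [5, 4, 6, 3, 5, 4, 5, 6, 4, 3]   # bins 21-30
SLOW_SCAN = [6, 7, 6, 7, 6]                # bins 31-35: a few extra ports per bin
SERIES = QUIET_A + FAST_SCAN + QUIET_B + SLOW_SCAN

def run():
    """Alert bins for each score over the constructed series."""
    return {
        "zscore": detect(SERIES, zscore, threshold=3.0),
        "modified_zscore": detect(SERIES, modified_zscore, threshold=3.5),
    }

if __name__ == "__main__":
    for name, alerts in run().items():
        print(f"{name}: alert bins {alerts}")
```

On this series both scores alert only on bin 20, the fast scan; the slow scan in bins 31 to 35 stays inside the baseline spread and raises no alert, which is the spike dependence the abstract describes.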

Author Biography

Djeguede Adeyemi Marc Aurele Emmanuel, Peoples’ Friendship University of Russia named after Patrice Lumumba

Postgraduate Student of the Department of Mathematical Modeling and Artificial Intelligence, Faculty of Science

Published
2025-07-21
How to Cite
MARC AURELE EMMANUEL, Djeguede Adeyemi. Statistical Analysis of Time Series for Portscan and DDoS Detection. Modern Information Technologies and IT-Education, [S.l.], v. 21, n. 2, july 2025. ISSN 2411-1473. Available at: <http://sitito.cs.msu.ru/index.php/SITITO/article/view/1198>. Date accessed: 21 oct. 2025.
Section
Theoretical and Practical Aspects of Cybersecurity