Statistical Analysis of Time Series for Port Scan and DDoS Detection
DOI: https://doi.org/10.17072/1993-0550-2026-1-72-91
Keywords: time series analysis, anomaly detection, Port Scan, DDoS, Z-score
Abstract
This paper examines statistical methods of time series analysis, specifically the Z-score and the modified Z-score, for detecting Port Scan and Distributed Denial of Service (DDoS) attacks. Six time series were constructed from the following traffic characteristics: the average number of packets transmitted from sources to destinations, the data transfer rate, the response data transfer rate, the duration of the connection between source and destination, the entropy of the destination ports associated with each source IP, and the number of unique destination ports per source IP. The two methods were evaluated using reliability, accuracy, response time and F1-score. The numerical results show that, for the network threats in question, the modified Z-score produces fewer false positives than the standard Z-score, and this is reflected in the performance metrics. The F1-scores achieved with the modified Z-score for DDoS detection ranged from 93% to 98%, depending on the traffic characteristic analysed. For Port Scan detection, by contrast, the F1-score did not exceed 58% even under the best conditions. A detailed analysis showed that every Port Scan instance detected was a fast port scan: this scanning mode causes a sharp increase in network traffic, which manifests as a local violation of the stationarity of the time series. These findings were confirmed by Augmented Dickey-Fuller (ADF) and Kwiatkowski-Phillips-Schmidt-Shin (KPSS) tests of hypotheses about the stationarity of the time series.
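The abstract names the detectors and the per-source traffic characteristics but not how they are computed. The following is an added illustration, not the paper's code: it builds three of the six series (mean packets per flow, destination-port entropy and unique destination ports per source IP) from constructed flow records, then runs both detectors over each series. The window size, the thresholds (3.0 for the Z-score, 3.5 for the modified Z-score, the Iglewicz-Hoaglin default), and the fallback used when the median absolute deviation is zero are assumptions, not values taken from the paper; the flows, IP addresses and port numbers are constructed sample data.

```python
"""Z-score and modified Z-score anomaly detection over per-source traffic
time series built from flow records.

Added illustrative example, not the paper's code.  Assumptions (not from the
paper): flows are pre-aggregated into fixed windows; detection thresholds are
3.0 for the Z-score and 3.5 for the modified Z-score (the Iglewicz-Hoaglin
default); when the MAD is zero, the mean absolute deviation scaled by
1.253314 is used instead so a flat baseline does not silence the detector.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import math
import statistics


@dataclass(frozen=True)
class Flow:
    window: int      # index of the fixed-length time window
    src: str         # source IP
    dst: str         # destination IP
    dport: int       # destination port
    packets: int     # packets sent from src to dst in this flow


def port_entropy(ports):
    """Shannon entropy (bits) of the destination-port distribution."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())


def build_series(flows, src):
    """Three of the paper's six characteristics, per window, for one source IP:
    mean packets per flow, destination-port entropy, unique destination ports."""
    by_window = defaultdict(list)
    for f in flows:
        if f.src == src:
            by_window[f.window].append(f)
    windows = sorted(by_window)
    series = {"packets": [], "entropy": [], "unique_ports": []}
    for w in windows:
        ports = [f.dport for f in by_window[w]]
        series["packets"].append(statistics.fmean(f.packets for f in by_window[w]))
        series["entropy"].append(port_entropy(ports))
        series["unique_ports"].append(len(set(ports)))
    return windows, series


def zscore_flags(x, threshold=3.0):
    """Indices where |(x - mean) / stdev| exceeds the threshold."""
    mu, sd = statistics.fmean(x), statistics.pstdev(x)
    if sd == 0:
        return []
    return [i for i, v in enumerate(x) if abs((v - mu) / sd) > threshold]


def modified_zscore_flags(x, threshold=3.5):
    """Indices where |0.6745 * (x - median) / MAD| exceeds the threshold.
    Median and MAD are not pulled toward an outlier the way mean and stdev are."""
    med = statistics.median(x)
    mad = statistics.median(abs(v - med) for v in x)
    if mad > 0:
        scores = [0.6745 * (v - med) / mad for v in x]
    else:
        # Assumed fallback for a flat series (MAD == 0): scale by the mean
        # absolute deviation instead; without it every window would score 0.
        mean_ad = statistics.fmean(abs(v - med) for v in x)
        if mean_ad == 0:
            return []
        scores = [(v - med) / (1.253314 * mean_ad) for v in x]
    return [i for i, s in enumerate(scores) if abs(s) > threshold]


def constructed_flows():
    """Constructed sample: 12 windows of web traffic from 10.0.0.5 to 10.0.0.1,
    with a fast port scan of 10.0.0.2 (32 ports, one packet each) in window 9."""
    baseline = [(10, 12), (11, 13), (9, 12), (10, 14), (12, 12), (10, 11),
                (11, 12), (10, 13), (9, 11), None, (10, 12), (11, 13)]
    flows = []
    for w, pkts in enumerate(baseline):
        if pkts is None:
            flows += [Flow(w, "10.0.0.5", "10.0.0.2", p, 1) for p in range(1, 33)]
        else:
            flows.append(Flow(w, "10.0.0.5", "10.0.0.1", 80, pkts[0]))
            flows.append(Flow(w, "10.0.0.5", "10.0.0.1", 443, pkts[1]))
    return flows


def detect(flows, src="10.0.0.5"):
    """Run both detectors over every series; returns {feature: (z_flags, modz_flags)}."""
    windows, series = build_series(flows, src)
    return {name: (zscore_flags(x), modified_zscore_flags(x)) for name, x in series.items()}


if __name__ == "__main__":
    for name, (z, mz) in detect(constructed_flows()).items():
        print(f"{name:13s} Z-score flags {z}  modified Z-score flags {mz}")
```

On this constructed data both detectors flag window 9 on all three series, which is the easy case the abstract describes: a fast scan moves entropy from 1 bit to 5 bits and unique ports from 2 to 32 in a single window. The entropy series also exercises the MAD == 0 branch, since every baseline window has identical entropy; a production detector would see the same situation on any quiet host, so that fallback is worth testing rather than leaving the modified Z-score undefined there.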
Copyright (c) 2026 Адейеми Марк Ауреле Эммануэль Джегюеде

This work is licensed under a Creative Commons Attribution 4.0 International (CC BY 4.0) licence; articles are published in the journal on the terms of that licence.
