Statistical Modelling of Computer Network Traffic Event Times
Matthew Price-Williams, Nick Heard

TL;DR
This paper develops statistical models for network connection event times, capturing normal patterns like seasonality and bursts, to detect anomalies that may indicate malicious activity in computer networks.
Contribution
It introduces four new models for self-exciting point processes tailored to network traffic, with comparative analysis using real-world data.
Findings
Models effectively capture normal network behavior.
Comparison shows varying performance of models.
Potential for real-time anomaly detection.
Abstract
This paper introduces a statistical model for the arrival times of connection events in a computer network. Edges between nodes in a network can be interpreted and modelled as point processes where events in the process indicate information being sent along that edge. A model of normal behaviour can be constructed for each edge in the network by identifying key network user features such as seasonality and self-exciting behaviour, where events typically arise in bursts at particular times of day. When monitoring the network in real time, unusual patterns of activity could indicate the presence of a malicious actor. Four different models for self-exciting behaviour are introduced and compared using data collected from the Imperial College and Los Alamos National Laboratory computer networks.
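The abstract's idea of scoring one edge against a seasonal, self-exciting model of normal behaviour can be sketched as follows. This is an added example, not code from the paper or its authors: it uses a generic exponential-kernel Hawkes process, which is not necessarily one of the paper's four models. The day/night baseline, all parameter values, the 0.01 threshold and the sample timestamps are assumptions constructed for illustration.

```python
import math

# Assumed parameters for one edge (illustrative, not fitted or from the paper).
DAY_RATE, NIGHT_RATE = 1 / 600.0, 1 / 7200.0  # baseline events per second
ALPHA, BETA = 0.5, 1 / 30.0  # expected offspring per event, decay per second

def baseline(t):
    """Seasonal baseline: busier between 08:00 and 18:00 (t in seconds)."""
    hour = (t % 86400) / 3600
    return DAY_RATE if 8 <= hour < 18 else NIGHT_RATE

def baseline_integral(a, b):
    """Integrate the piecewise-constant baseline over [a, b]."""
    total, t = 0.0, a
    while t < b:
        nxt = min(b, (math.floor(t / 3600) + 1) * 3600)  # next hour boundary
        total += baseline(t) * (nxt - t)
        t = nxt
    return total

def gap_pvalues(times):
    """Lower-tail p-value of each inter-arrival gap under the model.

    Intensity: baseline(t) + sum_i ALPHA*BETA*exp(-BETA*(t - t_i)).
    If the model holds, the integrated intensity over each gap is Exp(1),
    so a tiny p-value means the event arrived far sooner than seasonality
    and ordinary bursts explain.
    """
    pvals, s = [], 1.0  # s = sum of decayed kernel weights at the last event
    for prev, cur in zip(times, times[1:]):
        decay = math.exp(-BETA * (cur - prev))
        compensator = baseline_integral(prev, cur) + ALPHA * s * (1 - decay)
        pvals.append(1 - math.exp(-compensator))
        s = s * decay + 1.0
    return pvals

def flag_events(times, threshold=0.01):
    """Indices of events whose preceding gap is improbably short."""
    return [k + 1 for k, p in enumerate(gap_pvalues(times)) if p < threshold]

# Constructed sample: seconds since midnight for one edge, starting 09:00.
# Human-paced bursts, then three events 50 ms apart.
SAMPLE = [32400, 32420, 32435, 32500, 33200, 33215,
          33215.05, 33215.10, 33215.15, 33900]

if __name__ == "__main__":
    for k, p in enumerate(gap_pvalues(SAMPLE), start=1):
        print(f"event {k} at t={SAMPLE[k]}: p={p:.4f}")
    print("flagged:", flag_events(SAMPLE))
```

The human-paced bursts are absorbed by the self-exciting term, while the 50 ms run is flagged because neither the baseline nor the excitation accounts for gaps that short.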
Taxonomy
Topics: Complex Network Analysis Techniques · Anomaly Detection Techniques and Applications · Network Security and Intrusion Detection
