"Flow Size Difference" Can Make a Difference: Detecting Malicious TCP Network Flows Based on Benford's Law

Statistical characteristics of network traffic have attracted a significant amount of research for automated network intrusion detection, some of which looked at applications of natural statistical laws such as Zipf’s law, Benford’s law and the Pareto distribution. In this paper, we present the application of Benford’s law to a new network flow metric “flow size difference”, which have not been studied by other researchers, to build an unsupervised flow-based intrusion detection system (IDS). The method was inspired by our observation on a large number of TCP flow datasets where normal flows tend to follow Benford’s law closely but malicious flows tend to deviate significantly from it. The proposed IDS is unsupervised so no training is needed thus can be easily deployed. It has two simple parameters with a clear semantic meaning, allowing the human operator to set and adapt their values intuitively to adjust the overall performance of the IDS. We tested the proposed IDS on one closed and two public datasets and proved its efficiency in terms of AUC (area under the ROC curve). Being a simple and fast standalone IDS itself, the proposed method can also be easily combined with other network IDSs e.g. added as an additional component into another existing IDS to enhance its performance.