PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond

Distributed denial of service attacks (DDoS) are a constant problem of network operators today. Thanks to low cost of entry, high effectiveness, and the difficulty present in filtering out such attacks from inbound network traffic, DDoS attacks are relatively common and difficult to mitigate against. Recent discoveries regarding the conformity of network traffic to certain power law distributions, namely Benfords and Zipfs laws, has allowed us to develop a new method of denial of service detection based entirely on packet header inspection. Power law distributions are fascinating artefacts of natural processes, applications of which can be found in anywhere from word counts in books through to numbers used in bank statements. Our research can detect DDoS attacks by using such distributions to detect strongly unnatural network traffic scenarios with only minimal metadata. This however, is not the whole story. Power law potential in IDS is largely un-researched, and could be applied for more general anomaly based IDS purposes. It can even be used to filter for denial of service packets in live streams of data. What makes Power Laws both fascinating and interesting is that they have an inbuilt resistance to attempts to tamper or subvert the data analysis. Given the low computational cost associated with Power law processing and the foolproof security inherent to the methods, Power law distributions make perfect tools for cyber defense, especially in the areas of DoS and intrusion detection. In this talk we will introduce and discuss the significance and power of power law distributions, how they relate to computers, and how this can be used to develop new anomaly detection systems.