Benford's law behavior of Internet traffic

In this paper, we analyze the Internet traffic from a different point of view based on Benford's law, an empirical law that describes the distribution of leading digits in a collection of numbers met in naturally occurring phenomena. We claim that Benford's law holds for the inter-arrival times of TCP flows in case of normal traffic. Consequently, any type of anomalies affecting TCP flows, including intentional intrusions or unintended faults and network failures in general, can be detected by investigating the first-digit distributions of the inter-arrival times of TCP SYN packets. In this paper we apply our findings to the detection of intentional attacks, and leave other types of anomalies for future works. We support our claim with related researches that indicate the TCP flow inter-arrival times can be modeled by Weibull distribution with shape parameter less than 1, and show the relation between Weibull distributed data and Benford's law. Finally, we validate our findings on real traffic and achieve encouraging results. (C) 2013 Elsevier Ltd. All rights reserved.