20. 3. 2024.

Detecting Anomalies in Network Traffic: A Tool Integrating Newcomb-Benford's and Kolmogorov-Smirnov's Test for DDoS Detection

Denial of Service (DoS) attacks, particularly the distributed variant known as DDoS, are easy to initiate but pose a significant challenge in terms of mitigation, especially in the distributed case. These attacks involve a vast number of packets, often generated by specialized programs and scripts crafted for specific attack types such as SYN flood, ICMP Smurf, and similar. Malicious DoS packets share similar attributes, such as packet length, interval time, destination port, TCP flags, and the number of connections to the same host or service. To rapidly identify anomalous packets amidst legitimate traffic, we propose a system that incorporates the Newcomb-Benford power law and the Kolmogorov-Smirnov test. This approach enables the detection of matching leading digits in attributes such as packet size, which indicates the use of automated scripts for malicious purposes, and in the count of connections to the same host or service.
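A sketch of the check the abstract describes, as an added example that is not the authors' tool: the leading-digit distribution of one traffic attribute in a window is compared with the Newcomb-Benford distribution using the Kolmogorov-Smirnov statistic. The sample inter-arrival times are constructed, and the window handling, function names and the 5% critical value 1.36/sqrt(n) are assumptions.

```python
import math

# Newcomb-Benford: P(d) = log10(1 + 1/d), so the CDF at digit d is log10(d + 1).
BENFORD_CDF = [math.log10(d + 1) for d in range(1, 10)]

def ks_vs_benford(values):
    """Return (D, n): KS distance between the leading-digit CDF of the
    positive integers in `values` and the Benford CDF, and the sample size."""
    counts = [0] * 9
    for v in values:
        if v > 0:                        # zero has no leading digit; skip it
            counts[int(str(v)[0]) - 1] += 1
    n = sum(counts)
    if n == 0:
        raise ValueError("window contains no positive values")
    d_stat, cum = 0.0, 0
    for i in range(9):
        cum += counts[i]
        d_stat = max(d_stat, abs(cum / n - BENFORD_CDF[i]))
    return d_stat, n

def is_anomalous(values, c_alpha=1.36):
    """Flag the window when D exceeds c_alpha / sqrt(n).
    c_alpha = 1.36 is the large-sample 5% KS critical coefficient (assumption:
    the page does not state which significance level its tool uses)."""
    d_stat, n = ks_vs_benford(values)
    return d_stat > c_alpha / math.sqrt(n)

# Constructed sample: inter-arrival times (microseconds) spread log-uniformly
# over four decades, which is what Benford-conforming traffic looks like.
BENIGN = [round(10 ** (2 + 4 * i / 2000)) for i in range(2000)]
# Constructed sample: a scripted flood sending at a near-constant interval.
FLOOD = [500 + (i % 7) for i in range(2000)]

if __name__ == "__main__":
    for name, window in (("benign", BENIGN), ("flood", FLOOD),
                         ("mixed", BENIGN + FLOOD)):
        d_stat, n = ks_vs_benford(window)
        print(f"{name:6s} n={n} D={d_stat:.4f} anomalous={is_anomalous(window)}")
```

The same function applies unchanged to the other attributes the abstract lists, such as packet length or per-host connection counts, as long as the legitimate baseline for that attribute is itself close to Benford.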
