Self‐similar characteristics of network intrusion attempts and the implications for predictability

Abstract One way of proactively detecting multistage attacks such as Distributed Denial of Service (DDoS), worms and coordinated spamming is to profile hosts that engage in scanning activity and predict their future actions, which is a difficult challenge. We attempt to better understand this challenge by hypothesising that network intrusion attempts exhibit self‐similar characteristics. We analyse logs from the DShield repository of globally distributed IDS alerts corresponding to the first 2 weeks of January 2005 and present three pieces of evidence in favour of this hypothesis. First, we observed that the persistence of hosts that attempt network intrusions obey a power‐law relationship such that the overwhelming majority of hosts are short‐lived whereas a small number are highly persistent. Second, the distribution of hosts in the IP address space is broadly identical regardless of different categories of lifetimes and intrusion attempts. Finally, there is a scale invariant diurnal cycle with long‐range dependence in the number of unique hosts observed per unit time. The overall implication of these findings is that any predictive model must account for identical statistical characteristics regardless of the volumetric, spatiotemporal and categorical resolution of the observations used to build and train that model. Copyright © 2010 John Wiley & Sons, Ltd.