Statistical and probabilistic analysis of interarrival and waiting times of Internet2 anomalies

  • Piotr KokoszkaEmail author
  • Hieu Nguyen
  • Haonan Wang
  • Liuqing Yang
Original Paper


Motivated by the need to introduce design improvements to the Internet network to make it robust to high traffic volume anomalies, we analyze statistical properties of the time separation between arrivals of consecutive anomalies in the Internet2 network. Using several statistical techniques, we demonstrate that for all unidirectional links in Internet2, these interarrival times have distributions whose tail probabilities decay like a power law. These heavy-tailed distributions have varying tail indexes, which in some cases imply infinite variance. We establish that the interarrival times can be modeled as independent and identically distributed random variables, and propose a model for their distribution. These findings allow us to use the tools of of renewal theory, which in turn allows us to estimate the distribution of the waiting time for the arrival of the next anomaly. We show that the waiting time is stochastically substantially longer than the time between the arrivals, and may in some cases have infinite expected value. All our findings are tabulated and displayed in the form of suitable graphs, including the relevant density estimates.


Heavy-tailed distributions Interarrival times Internet anomalies Renewal theory 



This research has been partially supported by NSF grants DMS–1737795, DMS 1923142 and CNS 1932413. We thank Professor Anura P. Jayasumana of the CSU’s Department of Electrical and Computer Engineering for sharing the Internet2 anomalies data.

Supplementary material


  1. Adler R, Feldman R, Taqqu MS (1998) A practical guide to heavy tails: statistical techniques for analyzing heavy tailed distributions. Birkhauser, BostonzbMATHGoogle Scholar
  2. Bandara VW, Pezeshki A, Jayasumana AP (2014) A spatiotemporal model for internet traffic anomalies. IET Netw 3:41–53CrossRefGoogle Scholar
  3. Bhuyan MH, Bhattacharyya DK, Kalita JK (2014) Network anomaly detection: methods, systems and tools. IEEE Commun Surv Tutor 16:303–336CrossRefGoogle Scholar
  4. Chandolla V, Benerjee A, Kumar V (2009) Anomaly detection: a survey. ACM Comput Surv 41(15):58Google Scholar
  5. Good PI (2013) Permutation, parametric, and bootstrap tests of hypotheses. Springer, BerlinzbMATHGoogle Scholar
  6. Hall P (1990) Using the bootstrap to estimate mean squared error and select smoothing parameter in nonparametric problems. J Multivar Anal 32:177–203MathSciNetCrossRefGoogle Scholar
  7. Kallitsis M, Stoev S, Bhattacharya S, Michailidis G (2016) AMON: an open source architecture for online monitoring, statistical analysis and forensics of multi-gigabit streams. IEEE J Sel Areas Commun 34:1834–1848CrossRefGoogle Scholar
  8. Kulkarni VG (2017) Modeling and analysis of stochastic systems. Chapman and Hall, AtlantazbMATHGoogle Scholar
  9. Leland WE, Taqqu MS, Willinger W, Wilson DV (1994) On the self-similar nature of ethernet traffic (extended version). IEEE/ACM Trans Netw 2:1–15CrossRefGoogle Scholar
  10. Liao H-J, Lin C-HR, Lin Y-C, Tung K-Y (2013) Intrusion detection system: a comprehensive review. J Netw Comput Appl 36:16–24CrossRefGoogle Scholar
  11. Park K, Willinger W (2000) Self-similar network traffic and performance evaluation. Wiley, HobokenCrossRefGoogle Scholar
  12. Paschalidis IC, Smaragdakis G (2009) Spatio-temporal network anomaly detection by assessing deviations of empirical measures. IEEE/ACM Trans Netw 17:685–697CrossRefGoogle Scholar
  13. Peng L, Qi Y (2017) Inference for heavy-tailed data analysis: applications in insurance and finance. Academic Press, CambridgezbMATHGoogle Scholar
  14. Resnick SI (1997) Heavy tail modeling and teletraffic data. Ann Stat 25:1805–1869MathSciNetCrossRefGoogle Scholar
  15. Resnick SI (2007) Heavy-tail phenomena: probabilistic and statistical modeling. Springer, BerlinzbMATHGoogle Scholar
  16. Shumway RH, Stoffer DS (2017) Time series analysis and its applications with R examples. Springer, BerlinCrossRefGoogle Scholar
  17. Tsai C-F, Hsu Y-F, Lin C-Y, Lin W-Y (2009) Intrusion detection by machine learning: a review. Expert Syst Appl 39:11994–12000CrossRefGoogle Scholar
  18. Vaughan J, Stoev S, Michailidis G (2013) Network-wide statistical modeling, prediction and monitoring of computer traffic. Technometrics 55:79–93MathSciNetCrossRefGoogle Scholar
  19. Xie M, Han S, Tian B, Parvin S (2011) Anomaly detection in wireless sensor networks: a survey. J Netw Comput Appl 34:1302–1325CrossRefGoogle Scholar
  20. Zarpelao BB, Miani RS, Kawakani CT, de Alvarenga SC (2017) A survey of intrusion detection in internet of things. J Netw Comput Appl 84:25–37CrossRefGoogle Scholar

Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2019

Authors and Affiliations

  • Piotr Kokoszka
    • 1
    Email author
  • Hieu Nguyen
    • 1
  • Haonan Wang
    • 1
  • Liuqing Yang
    • 2
  1. 1.Department of StatisticsColorado State UniversityFort CollinsUSA
  2. 2.Electrical and Computer EngineeringColorado State UniversityFort CollinsUSA

Personalised recommendations