{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,2,21]],"date-time":"2025-02-21T07:45:09Z","timestamp":1740123909171,"version":"3.37.3"},"reference-count":40,"publisher":"Springer Science and Business Media LLC","issue":"5","license":[{"start":{"date-parts":[[2020,4,24]],"date-time":"2020-04-24T00:00:00Z","timestamp":1587686400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2020,4,24]],"date-time":"2020-04-24T00:00:00Z","timestamp":1587686400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100000761","name":"Imperial College London","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100000761","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Stat Comput"],"published-print":{"date-parts":[[2020,9]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Periodic patterns can often be observed in real-world event time data, possibly mixed with non-periodic arrival times. For modelling purposes, it is necessary to correctly distinguish the two types of events. This task has particularly important implications in computer network security; there, separating automated polling traffic and human-generated activity in a computer network is important for building realistic statistical models for normal activity, which in turn can be used for anomaly detection. Since automated events commonly occur at a fixed periodicity, statistical tests using Fourier analysis can efficiently detect whether the arrival times present an automated component. In this article, sequences of arrival times which contain automated events are further examined, to separate polling and non-periodic activity. 
This is first achieved using a simple mixture model on the unit circle based on the angular positions of each event time on the <jats:italic>p<\/jats:italic>-clock, where <jats:italic>p<\/jats:italic> represents the main periodicity associated with the automated activity; this model is then extended by combining a second source of information, the time of day of each event. Efficient implementations exploiting conjugate Bayesian models are discussed, and performance is assessed on real network flow data collected at Imperial College London.<\/jats:p>","DOI":"10.1007\/s11222-020-09943-9","type":"journal-article","created":{"date-parts":[[2020,4,24]],"date-time":"2020-04-24T05:15:27Z","timestamp":1587705327000},"page":"1241-1254","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":5,"title":["Classification of periodic arrivals in event time data for filtering computer network traffic"],"prefix":"10.1007","volume":"30","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-4571-6681","authenticated-orcid":false,"given":"Francesco","family":"Sanna Passino","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8767-0810","authenticated-orcid":false,"given":"Nicholas A.","family":"Heard","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2020,4,24]]},"reference":[{"key":"9943_CR1","volume-title":"The Statistical Analysis of Time-Series","author":"TW Anderson","year":"1971","unstructured":"Anderson, T.W.: The Statistical Analysis of Time-Series. Wiley, New York (1971)"},{"issue":"4","key":"9943_CR2","doi-asserted-by":"publisher","first-page":"435","DOI":"10.1016\/j.jare.2013.11.005","volume":"5","author":"B AsSadhan","year":"2014","unstructured":"AsSadhan, B., Moura, J.M.F.: An efficient method to detect periodic behavior in botnet traffic by analyzing control plane traffic. J. Adv. Res. 5(4), 435\u2013448 (2014)","journal-title":"J. Adv. 
Res."},{"key":"9943_CR3","doi-asserted-by":"crossref","unstructured":"Barbosa, R.R.R., Sadre, R., Pras, A.: Towards periodicity based anomaly detection in SCADA networks. In: Proceedings of 2012 IEEE 17th International Conference on Emerging Technologies Factory Automation (ETFA 2012), pp. 1\u20134 (2012)","DOI":"10.1109\/ETFA.2012.6489745"},{"key":"9943_CR4","doi-asserted-by":"crossref","unstructured":"Bartlett, G., Heidemann, J., Papadopoulos, C.: Low-rate, flow-level periodicity detection. In: 2011 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), pp. 804\u2013809 (2011)","DOI":"10.1109\/INFCOMW.2011.5928922"},{"key":"9943_CR5","volume-title":"Bayesian Theory. Wiley Series in Probability and Statistics","author":"JM Bernardo","year":"1994","unstructured":"Bernardo, J.M., Smith, A.F.M.: Bayesian Theory. Wiley Series in Probability and Statistics. Wiley, New York (1994)"},{"key":"9943_CR6","unstructured":"Bilge, L., Balzarotti, D., Robertson, W., Kirda, E., Kruegel, C.: DISCLOSURE: detecting botnet command and control servers through large-scale netflow analysis. In: ACSAC 2012, 28th Annual Computer Security Applications Conference, December 3\u20137, 2012, Orlando, Florida, USA (2012)"},{"issue":"4","key":"9943_CR7","doi-asserted-by":"publisher","first-page":"1326","DOI":"10.1109\/JSYST.2014.2348567","volume":"10","author":"LM Chen","year":"2016","unstructured":"Chen, L.M., Hsiao, S.W., Chen, M.C., Liao, W.: Slow-paced persistent network attacks analysis and detection using spectrum analysis. IEEE Syst. J. 10(4), 1326\u20131337 (2016)","journal-title":"IEEE Syst. J."},{"issue":"2","key":"9943_CR8","doi-asserted-by":"publisher","first-page":"666","DOI":"10.1086\/305564","volume":"498","author":"A Cicuttin","year":"1998","unstructured":"Cicuttin, A., Colavita, A.A., Cerdeira, A., Mutihac, R., Turrini, S.: A simple method for detecting periodic signals in sparse astronomical event data. Astrophys. J. 
498(2), 666\u2013670 (1998)","journal-title":"Astrophys. J."},{"issue":"7","key":"9943_CR9","doi-asserted-by":"publisher","first-page":"1164","DOI":"10.1093\/bioinformatics\/bti093","volume":"21","author":"U de Lichtenberg","year":"2005","unstructured":"de Lichtenberg, U., Jensen, L.J., Fausb\u00f8ll, A., Jensen, T.S., Bork, P., Brunak, S.: Comparison of computational methods for the identification of cell cycle-regulated genes. Bioinformatics 21(7), 1164\u20131171 (2005)","journal-title":"Bioinformatics"},{"issue":"1","key":"9943_CR10","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1111\/j.2517-6161.1977.tb01600.x","volume":"39","author":"AP Dempster","year":"1977","unstructured":"Dempster, A.P., Laird, N.M., Rubin, D.B.: Maximum likelihood from incomplete data via the EM algorithm. J. R. Stat. Soc. B 39(1), 1\u201338 (1977)","journal-title":"J. R. Stat. Soc. B"},{"issue":"3","key":"9943_CR11","doi-asserted-by":"publisher","first-page":"425","DOI":"10.1093\/biomet\/81.3.425","volume":"81","author":"DL Donoho","year":"1994","unstructured":"Donoho, D.L., Johnstone, I.M.: Ideal spatial adaptation by wavelet shrinkage. Biometrika 81(3), 425\u2013455 (1994)","journal-title":"Biometrika"},{"issue":"430","key":"9943_CR12","doi-asserted-by":"publisher","first-page":"577","DOI":"10.1080\/01621459.1995.10476550","volume":"90","author":"MD Escobar","year":"1995","unstructured":"Escobar, M.D., West, M.: Bayesian density estimation and inference using mixtures. J. Am. Stat. Assoc. 90(430), 577\u2013588 (1995)","journal-title":"J. Am. Stat. Assoc."},{"key":"9943_CR13","doi-asserted-by":"crossref","unstructured":"Eslahi, M., Rohmad, M.S., Nilsaz, H., Naseri, M.V., Tahir, N.M., Hashim, H.: Periodicity classification of HTTP traffic to detect HTTP botnets. In: 2015 IEEE Symposium on Computer Applications Industrial Electronics (ISCAIE), pp. 
119\u2013123 (2015)","DOI":"10.1109\/ISCAIE.2015.7298339"},{"issue":"796","key":"9943_CR14","first-page":"54","volume":"125","author":"RA Fisher","year":"1929","unstructured":"Fisher, R.A.: Tests of significance in harmonic analysis. Proc. R. Soc. Lond. Ser. A Contain. Pap. Math. Phys. Charact. 125(796), 54\u201359 (1929)","journal-title":"Proc. R. Soc. Lond. Ser. A Contain. Pap. Math. Phys. Charact."},{"issue":"4","key":"9943_CR15","doi-asserted-by":"publisher","first-page":"711","DOI":"10.1093\/biomet\/82.4.711","volume":"82","author":"PJ Green","year":"1995","unstructured":"Green, P.J.: Reversible Jump Markov Chain Monte Carlo computation and Bayesian model determination. Biometrika 82(4), 711\u2013732 (1995)","journal-title":"Biometrika"},{"key":"9943_CR16","unstructured":"Gu, G., Zhang, J., Lee, W.: BotSniffer: Detecting botnet command and control channels in network traffic. In: Proceedings of the 15th Annual Network and Distributed System Security Symposium (2008)"},{"issue":"3","key":"9943_CR17","doi-asserted-by":"publisher","first-page":"279","DOI":"10.1016\/j.comnet.2008.10.001","volume":"53","author":"X He","year":"2009","unstructured":"He, X., Papadopoulos, C., Heidemann, J., Mitra, U., Riaz, U.: Remote detection of bottleneck links using spectral and statistical methods. Comput. Netw. 53(3), 279\u2013298 (2009)","journal-title":"Comput. Netw."},{"key":"9943_CR18","doi-asserted-by":"crossref","unstructured":"Heard, N.A., Rubin-Delanchy, P.T.G., Lawson, D.J.: Filtering automated polling traffic in computer network flow data. In: Proceedings\u20142014 IEEE Joint Intelligence and Security Informatics Conference, JISIC 2014, pp. 268\u2013271 (2014)","DOI":"10.1109\/JISIC.2014.52"},{"key":"9943_CR19","first-page":"151","volume-title":"Monitoring a Device in a Communication Network, Chapter 6","author":"N Heard","year":"2014","unstructured":"Heard, N., Turcotte, M.: Monitoring a Device in a Communication Network, Chapter 6, pp. 151\u2013188. 
Imperial College Press, London (2014)"},{"issue":"442","key":"9943_CR20","doi-asserted-by":"publisher","first-page":"585","DOI":"10.1080\/01621459.1998.10473712","volume":"93","author":"DM Higdon","year":"1998","unstructured":"Higdon, D.M.: Auxiliary variable methods for Markov Chain Monte Carlo with applications. J. Am. Stat. Assoc. 93(442), 585\u2013595 (1998)","journal-title":"J. Am. Stat. Assoc."},{"issue":"4","key":"9943_CR21","doi-asserted-by":"publisher","first-page":"2037","DOI":"10.1109\/COMST.2014.2321898","volume":"16","author":"R Hofstede","year":"2014","unstructured":"Hofstede, R., \u010celeda, P., Trammell, B., Drago, I., Sadre, R., Sperotto, A., Pras, A.: Flow monitoring explained: from packet capture to data analysis with NetFlow and IPFIX. IEEE Commun. Surv. Tutor. 16(4), 2037\u20132064 (2014)","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"9943_CR22","doi-asserted-by":"publisher","first-page":"695","DOI":"10.1007\/978-3-642-45062-4_98","volume-title":"Pattern Recognition and Machine Intelligence","author":"N Hubballi","year":"2013","unstructured":"Hubballi, N., Goyal, D.: FlowSummary: summarizing network flows for communication periodicity detection. In: Maji, P., Ghosh, A., Murty, M.N., Ghosh, K., Pal, S.K. (eds.) Pattern Recognition and Machine Intelligence, pp. 695\u2013700. Springer, Berlin (2013)"},{"key":"9943_CR23","unstructured":"Huynh, N.A., Ng, W.K., Ulmer, A., Kohlhammer, J.: Uncovering periodic network signals of cyber attacks. In: 2016 IEEE Symposium on Visualization for Cyber Security (VizSec), pp. 1\u20138 (2016)"},{"key":"9943_CR24","doi-asserted-by":"crossref","unstructured":"Jaynes, E.T.: Maximum entropy and Bayesian spectral analysis and estimation problems. In: Bayesian Spectrum and Chirp Analysis, pp. 1\u201337. 
Dordrecht (1987)","DOI":"10.1007\/978-94-009-3961-5_1"},{"issue":"1","key":"9943_CR25","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1111\/j.2517-6161.1957.tb00240.x","volume":"19","author":"GM Jenkins","year":"1957","unstructured":"Jenkins, G.M., Priestley, M.B.: The spectral analysis of time-series. J. R. Stat. Soc. Ser. B (Methodol.) 19(1), 1\u201312 (1957)","journal-title":"J. R. Stat. Soc. Ser. B (Methodol.)"},{"issue":"2","key":"9943_CR26","doi-asserted-by":"publisher","first-page":"182","DOI":"10.1093\/bioinformatics\/bts672","volume":"29","author":"M Kocak","year":"2013","unstructured":"Kocak, M., George, E.O., Pyne, S., Pounds, S.: An empirical Bayes approach for analysis of diverse periodic trends in time-course gene expression data. Bioinformatics 29(2), 182\u2013188 (2013)","journal-title":"Bioinformatics"},{"issue":"3","key":"9943_CR27","doi-asserted-by":"publisher","first-page":"526","DOI":"10.1198\/106186007X238855","volume":"16","author":"JW Lau","year":"2007","unstructured":"Lau, J.W., Green, P.J.: Bayesian model-based clustering procedures. J. Comput. Graph. Stat. 16(3), 526\u2013558 (2007)","journal-title":"J. Comput. Graph. Stat."},{"key":"9943_CR28","doi-asserted-by":"crossref","unstructured":"Li, Z., Ding, B., Han, J., Kays, R., Nye, P.: Mining periodic behaviors for moving objects. In: Proceedings of the 16th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. KDD \u201910, ACM, New York, NY, USA, pp. 1099\u20131108 (2010)","DOI":"10.1145\/1835804.1835942"},{"issue":"427","key":"9943_CR29","doi-asserted-by":"crossref","first-page":"958","DOI":"10.1080\/01621459.1994.10476829","volume":"89","author":"J Liu","year":"1994","unstructured":"Liu, J.: The collapsed Gibbs sampler in Bayesian computations with applications to a gene regulation problem. J. Am. Stat. Assoc. 89(427), 958\u2013966 (1994)","journal-title":"J. Am. Stat. 
Assoc."},{"key":"9943_CR30","doi-asserted-by":"crossref","unstructured":"McPherson, S., Ortega, A.: Detecting low-rate periodic events in internet traffic using renewal theory. In: 2011 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), pp. 4336\u20134339 (2011)","DOI":"10.1109\/ICASSP.2011.5947313"},{"issue":"2","key":"9943_CR31","doi-asserted-by":"crossref","first-page":"249","DOI":"10.1080\/10618600.2000.10474879","volume":"9","author":"RM Neal","year":"2000","unstructured":"Neal, R.M.: Markov Chain sampling methods for Dirichlet process mixture models. J. Comput. Graph. Stat. 9(2), 249\u2013265 (2000)","journal-title":"J. Comput. Graph. Stat."},{"key":"9943_CR32","doi-asserted-by":"publisher","DOI":"10.1017\/CBO9780511622762","volume-title":"Spectral Analysis for Physical Applications","author":"DB Percival","year":"1993","unstructured":"Percival, D.B., Walden, A.T.: Spectral Analysis for Physical Applications. Cambridge University Press, Cambridge (1993)"},{"key":"9943_CR33","doi-asserted-by":"publisher","first-page":"209","DOI":"10.1007\/s11222-019-09875-z","volume":"30","author":"M Price-Williams","year":"2020","unstructured":"Price-Williams, M., Heard, N.A.: Nonparametric self-exciting models for computer network traffic. Stat. Comput. 30, 209\u2013220 (2020)","journal-title":"Stat. Comput."},{"key":"9943_CR34","doi-asserted-by":"crossref","unstructured":"Price-Williams, M., Heard, N.A., Turcotte, M.J.M.: Detecting periodic subsequences in cyber security data. In: 2017 European Intelligence and Security Informatics Conference (EISIC), pp. 
84\u201390 (2017)","DOI":"10.1109\/EISIC.2017.40"},{"key":"9943_CR35","doi-asserted-by":"publisher","first-page":"127","DOI":"10.1007\/978-3-642-31912-9_9","volume-title":"Information Security and Cryptology\u2014ICISC 2011","author":"Y Qiao","year":"2012","unstructured":"Qiao, Y., Yang, Y., He, J., Liu, B., Zeng, Y.: Detecting parasite P2P botnet in eMule-like networks through quasi-periodicity recognition. In: Kim, H. (ed.) Information Security and Cryptology\u2014ICISC 2011, pp. 127\u2013139. Springer, Berlin (2012)"},{"issue":"9","key":"9943_CR36","doi-asserted-by":"publisher","first-page":"682","DOI":"10.1631\/jzus.C1300053","volume":"14","author":"Y Qiao","year":"2013","unstructured":"Qiao, Y., Yang, Y.X., He, J., Tang, C., Zeng, Y.Z.: Detecting P2P bots by mining the regional periodicity. J. Zhejiang Univ. Sci. C 14(9), 682\u2013700 (2013)","journal-title":"J. Zhejiang Univ. Sci. C"},{"issue":"4","key":"9943_CR37","doi-asserted-by":"publisher","first-page":"731","DOI":"10.1111\/1467-9868.00095","volume":"59","author":"S Richardson","year":"1997","unstructured":"Richardson, S., Green, P.J.: On Bayesian analysis of mixtures with an unknown number of components. J. R. Stat. Soc. B 59(4), 731\u2013792 (1997)","journal-title":"J. R. Stat. Soc. B"},{"issue":"370","key":"9943_CR38","doi-asserted-by":"publisher","first-page":"345","DOI":"10.1080\/01621459.1980.10477474","volume":"75","author":"AF Siegel","year":"1980","unstructured":"Siegel, A.F.: Testing for periodicity in a time series. J. Am. Stat. Assoc. 75(370), 345\u2013348 (1980)","journal-title":"J. Am. Stat. Assoc."},{"key":"9943_CR39","first-page":"1","volume-title":"Unified Host and Network Data Set, Chapter 1","author":"MJM Turcotte","year":"2018","unstructured":"Turcotte, M.J.M., Kent, A.D., Hash, C.: Unified Host and Network Data Set, Chapter 1, pp. 1\u201322. 
World Scientific, Singapore (2018)"},{"key":"9943_CR40","unstructured":"West, M., M\u00fcller, P., Escobar, M.D.: Hierarchical priors and mixture models, with applications in regression and density estimation. Aspects of Uncertainty: A Tribute to D. V. Lindley, pp. 363\u2013386 (1994)"}],"container-title":["Statistics and Computing"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11222-020-09943-9.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s11222-020-09943-9\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11222-020-09943-9.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,8,4]],"date-time":"2024-08-04T16:28:38Z","timestamp":1722788918000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s11222-020-09943-9"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,4,24]]},"references-count":40,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2020,9]]}},"alternative-id":["9943"],"URL":"https:\/\/doi.org\/10.1007\/s11222-020-09943-9","relation":{},"ISSN":["0960-3174","1573-1375"],"issn-type":[{"type":"print","value":"0960-3174"},{"type":"electronic","value":"1573-1375"}],"subject":[],"published":{"date-parts":[[2020,4,24]]},"assertion":[{"value":"22 May 2019","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"8 April 2020","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"24 April 2020","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}]}}