{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,6]],"date-time":"2026-05-06T16:05:25Z","timestamp":1778083525520,"version":"3.51.4"},"reference-count":54,"publisher":"MDPI AG","issue":"15","license":[{"start":{"date-parts":[[2024,7,23]],"date-time":"2024-07-23T00:00:00Z","timestamp":1721692800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Mathematics"],"abstract":"<jats:p>The increasing proliferation of cyber-attacks threatening the security of computer networks has driven the development of more effective methods for identifying malicious network flows. The inclusion of statistical laws, such as Benford\u2019s Law, and distance functions, applied to the first digits of network flow metadata, such as IP addresses or packet sizes, facilitates the detection of abnormal patterns in the digits. These techniques also allow for quantifying discrepancies between expected and suspicious flows, significantly enhancing the accuracy and speed of threat detection. This paper introduces a novel method for identifying and analyzing anomalies within computer networks. It integrates Benford\u2019s Law into the analysis process and incorporates a range of distance functions, namely the Mean Absolute Deviation (MAD), the Kolmogorov\u2013Smirnov test (KS), and the Kullback\u2013Leibler divergence (KL), which serve as dispersion measures for quantifying the extent of anomalies detected in network flows. Benford\u2019s Law is recognized for its effectiveness in identifying anomalous patterns, especially in detecting irregularities in the first digit of the data. In addition, Bayes\u2019 Theorem was implemented in conjunction with the distance functions to enhance the detection of malicious traffic flows. 
Bayes\u2019 Theorem provides a probabilistic perspective on whether a traffic flow is malicious or benign. This approach is characterized by its flexibility in incorporating new evidence, allowing the model to adapt to emerging malicious behavior patterns as they arise. Meanwhile, the distance functions offer a quantitative assessment, measuring specific differences between traffic flows, such as frequency, packet size, time between packets, and other relevant metadata. Integrating these techniques has increased the model\u2019s sensitivity in detecting malicious flows, reducing the number of false positives and negatives, and enhancing the resolution and effectiveness of traffic analysis. Furthermore, these techniques expedite decisions regarding the nature of traffic flows based on a solid statistical foundation and provide a better understanding of the characteristics that define these flows, contributing to the comprehension of attack vectors and aiding in preventing future intrusions. The effectiveness and applicability of this joint method have been demonstrated through experiments with the CICIDS2017 public dataset, which was explicitly designed to simulate real scenarios and provide valuable information to security professionals when analyzing computer networks. The proposed methodology opens up new perspectives in investigating and detecting anomalies and intrusions in computer networks, which are often attributed to cyber-attacks. 
This development culminates in creating a promising model that stands out for its effectiveness and speed, accurately identifying possible intrusions with an F1 of nearly 80%, a recall of 99.42%, and an accuracy of 65.84%.<\/jats:p>","DOI":"10.3390\/math12152299","type":"journal-article","created":{"date-parts":[[2024,7,23]],"date-time":"2024-07-23T11:40:36Z","timestamp":1721734836000},"page":"2299","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":11,"title":["Unveiling Malicious Network Flows Using Benford\u2019s Law"],"prefix":"10.3390","volume":"12","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-6026-4687","authenticated-orcid":false,"given":"Pedro","family":"Fernandes","sequence":"first","affiliation":[{"name":"Department of Information Technology, Technological University of the Shannon, Moylish Campus, Moylish Park, V94 EC5T Limerick, Ireland"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3207-8668","authenticated-orcid":false,"given":"S\u00e9amus \u00d3","family":"Ciardhu\u00e1in","sequence":"additional","affiliation":[{"name":"Department of Information Technology, Technological University of the Shannon, Moylish Campus, Moylish Park, V94 EC5T Limerick, Ireland"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3448-6726","authenticated-orcid":false,"given":"M\u00e1rio","family":"Antunes","sequence":"additional","affiliation":[{"name":"School of Technology and Management, Polytechnic University of Leiria, 2411-901 Leiria, Portugal"},{"name":"INESC TEC, CRACS, 4200-465 Porto, Portugal"}]}],"member":"1968","published-online":{"date-parts":[[2024,7,23]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Yurtseven, I., and Bagriyanik, S. (2020, January 7\u20139). A Review of Penetration Testing and Vulnerability Assessment in Cloud Environment. 
Proceedings of the 2020 Turkish National Software Engineering Symposium (UYMS), \u0130stanbul, Turkey.","DOI":"10.1109\/UYMS50627.2020.9247071"},{"key":"ref_2","unstructured":"Norton (2022). 115 Cybersecurity Statistics + Trends to Know in 2024, Norton. Technical report."},{"key":"ref_3","unstructured":"RFC (2024, May 27). RFC 2722: Traffic Flow Measurement: Architecture. Technical Report. Available online: https:\/\/datatracker.ietf.org\/doc\/rfc2722\/."},{"key":"ref_4","unstructured":"RFC (2004). RFC 3697: Specification of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers, Internet Engineering Task Force (IETF). Technical Report."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"2741","DOI":"10.1109\/TSG.2020.3042897","article-title":"Detection of Cyber-Attacks of Power Systems Through Benford\u2019s Law","volume":"12","author":"Milano","year":"2021","journal-title":"IEEE Trans. Smart Grid"},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"69822","DOI":"10.1109\/ACCESS.2022.3187116","article-title":"Detecting Zero-Day Intrusion Attacks Using Semi-Supervised Machine Learning Approaches","volume":"10","author":"Mbona","year":"2022","journal-title":"IEEE Access"},{"key":"ref_7","unstructured":"Erickson, J. (2007). Hacking, No Starch Press."},{"key":"ref_8","unstructured":"Stallings, W. (2016). Network Security Essentials Applications and Standards, Pearson."},{"key":"ref_9","unstructured":"Jaswal, N. (2019). Hands-On Network Forensics, Packt Publishing Limited."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Khraisat, A., Gondal, I., Vamplew, P., and Kamruzzaman, J. (2019). Survey of intrusion detection systems: Techniques, datasets and challenges. 
Cybersecurity, 2.","DOI":"10.1186\/s42400-019-0038-7"},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"102258","DOI":"10.1016\/j.cose.2021.102258","article-title":"Cybercrime threat intelligence: A systematic multi-vocal literature review","volume":"105","author":"Cascavilla","year":"2021","journal-title":"Comput. Secur."},{"key":"ref_12","unstructured":"Carrier, B. (2005). File System Forensic Analysis, Addison-Wesley."},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Casey, E. (2009). Handbook of Digital Forensics and Investigation, Elsevier Science & Technology Books.","DOI":"10.1016\/B978-0-12-374267-4.00004-5"},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"382","DOI":"10.3390\/jcp4020019","article-title":"Diverse Intrusion and Malware Detection: AI-Based and Non-AI-Based Solutions","volume":"4","author":"Wang","year":"2024","journal-title":"J. Cybersecur. Priv."},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"560","DOI":"10.2991\/ijcis.d.210105.001","article-title":"Intrusion Detection Systems, Issues, Challenges, and Needs","volume":"14","author":"Aljanabi","year":"2021","journal-title":"Int. J. Comput. Intell. Syst."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Dini, P., Elhanashi, A., Begni, A., Saponara, S., Zheng, Q., and Gasmi, K. (2023). Overview on Intrusion Detection Systems Design Exploiting Machine Learning for Networking Cybersecurity. Appl. Sci., 13.","DOI":"10.3390\/app13137507"},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"194","DOI":"10.1016\/j.jnca.2013.09.007","article-title":"Benford\u2019s law behavior of Internet traffic","volume":"40","author":"Arshadi","year":"2014","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Sun, L., Anthony, T.S., Xia, H.Z., Chen, J., Huang, X., and Zhang, Y. (2017, January 12\u201315). Detection and classification of malicious patterns in network traffic using Benford\u2019s law. 
Proceedings of the 2017 Asia-Pacific Signal and Information Processing Association Annual Summit and Conference (APSIPA ASC), Kuala Lumpur, Malaysia.","DOI":"10.1109\/APSIPA.2017.8282154"},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Sethi, K., Kumar, R., Prajapati, N., and Bera, P. (2020, January 7\u201311). A Lightweight Intrusion Detection System using Benford\u2019s Law and Network Flow Size Difference. Proceedings of the 2020 International Conference on COMmunication Systems & NETworkS (COMSNETS), Bengaluru, India.","DOI":"10.1109\/COMSNETS48256.2020.9027422"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Nigrini, M.J. (2012). Benford\u2019s Law: Applications for Forensic Accounting, Auditing, and Fraud Detection, John Wiley & Sons.","DOI":"10.1002\/9781119203094"},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"110740","DOI":"10.1016\/j.chaos.2021.110740","article-title":"Data validity and statistical conformity with Benford\u2019s Law","volume":"144","author":"Cerqueti","year":"2021","journal-title":"Chaos Solitons Fractals"},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"2191","DOI":"10.1109\/TSP.2003.814797","article-title":"Anomaly detection in IP networks","volume":"51","author":"Thottan","year":"2003","journal-title":"IEEE Trans. Signal Process."},{"key":"ref_23","unstructured":"Wang, Y. (2008). Statistical Techniques for Network Security, Information Science Reference."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"19","DOI":"10.1016\/j.jnca.2015.11.016","article-title":"A survey of network anomaly detection techniques","volume":"60","author":"Ahmed","year":"2016","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Hero, A., Kar, S., Moura, J., Neil, J., Poor, H.V., Turcotte, M., and Xi, B. (2023). Statistics and Data Science for Cybersecurity. Harv. Data Sci. 
Rev., 5.","DOI":"10.1162\/99608f92.a42024d0"},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Iorliam, A. (2019). Natural Laws (Benford\u2019s Law and Zipf\u2019s Law) for Network Traffic Analysis. Cybersecurity in Nigeria, Springer International Publishing.","DOI":"10.1007\/978-3-030-15210-9_2"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Sun, L., Ho, A., Xia, Z., Chen, J., and Zhang, M. (2019). Development of an Early Warning System for Network Intrusion Detection Using Benford\u2019s Law Features. Communications in Computer and Information Science, Springer.","DOI":"10.1007\/978-981-15-0758-8_5"},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"527","DOI":"10.18421\/TEM112-05","article-title":"Improving Learning Skills in Detection of Denial of Service Attacks with Newcombe\u2014Benford\u2019s Law using Interactive Data Extraction and Analysis","volume":"11","author":"Hajdarevic","year":"2022","journal-title":"TEM J."},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"369","DOI":"10.1016\/j.ins.2021.09.038","article-title":"Feature selection using Benford\u2019s law to support detection of malicious social media bots","volume":"582","author":"Mbona","year":"2022","journal-title":"Inf. Sci."},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"451","DOI":"10.1080\/03610926.2022.2082480","article-title":"On the Euclidean distance statistic of Benford\u2019s law","volume":"53","author":"Campanelli","year":"2022","journal-title":"Commun. Stat. Theory Methods"},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"419","DOI":"10.3390\/stats4020027","article-title":"On the Mistaken Use of the Chi-Square Test in Benford\u2019s Law","volume":"4","author":"Kossovsky","year":"2021","journal-title":"Stats"},{"key":"ref_32","first-page":"301515","article-title":"Benford\u2019s law applied to digital forensic analysis","volume":"45","author":"Fernandes","year":"2023","journal-title":"Forensic Sci. Int. Digit. 
Investig."},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"779","DOI":"10.1007\/s10260-020-00532-8","article-title":"The mathematics of Benford\u2019s law: A primer","volume":"30","author":"Berger","year":"2020","journal-title":"Stat. Methods Appl."},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Wang, L., and Ma, B.Q. A concise proof of Benford\u2019s law. Fundam. Res., 2023. in press.","DOI":"10.1016\/j.fmre.2023.01.002"},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Bunn, D.W., Gianfreda, A., and Kermer, S. (2018). A Trading-Based Evaluation of Density Forecasts in a Real-Time Electricity Market. Energies, 11.","DOI":"10.3390\/en11102658"},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Andriulli, M., Starling, J.K., and Schwartz, B. (2022, January 11\u201314). Distributional Discrimination Using Kolmogorov-Smirnov Statistics and Kullback-Leibler Divergence for Gamma, Log-Normal, and Weibull Distributions. Proceedings of the 2022 Winter Simulation Conference (WSC), Singapore.","DOI":"10.1109\/WSC57314.2022.10015286"},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"921","DOI":"10.1016\/S0895-7177(01)00109-1","article-title":"The mean and median absolute deviations","volume":"34","author":"Hung","year":"2001","journal-title":"Math. Comput. Model."},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Fernandes, P., Ciardhu\u00e1in, S.\u00d3., and Antunes, M. (2023). Uncovering Manipulated Files Using Mathematical Natural Laws. Lecture Notes in Computer Science, Springer Nature.","DOI":"10.1007\/978-3-031-49018-7_4"},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Bulinski, A., and Dimitrov, D. (2021). Statistical Estimation of the Kullback\u2013Leibler Divergence. Mathematics, 9.","DOI":"10.3390\/math9050544"},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Li, J., Fu, H., Hu, K., and Chen, W. (2023). 
Data Preprocessing and Machine Learning Modeling for Rockburst Assessment. Sustainability, 15.","DOI":"10.3390\/su151813282"},{"key":"ref_41","doi-asserted-by":"crossref","first-page":"1675","DOI":"10.1007\/s11276-009-0221-y","article-title":"Real-time detection of traffic anomalies in wireless mesh networks","volume":"16","author":"Zaidi","year":"2009","journal-title":"Wirel. Netw."},{"key":"ref_42","doi-asserted-by":"crossref","first-page":"10474","DOI":"10.1109\/JSEN.2024.3354110","article-title":"Detection of Spoofing Attacks on Global Navigation Satellite Systems Using Kolmogorov\u2013Smirnov Test-Based Signal Quality Monitoring Method","volume":"24","author":"Zhou","year":"2024","journal-title":"IEEE Sens. J."},{"key":"ref_43","doi-asserted-by":"crossref","first-page":"1435","DOI":"10.1007\/s10586-020-03203-1","article-title":"Detecting network cyber-attacks using an integrated statistical approach","volume":"24","author":"Bouyeddou","year":"2020","journal-title":"Clust Comput."},{"key":"ref_44","doi-asserted-by":"crossref","unstructured":"Bouyeddou, B., Harrou, F., Sun, Y., and Kadri, B. (2018, January 3\u20135). Detection of smurf flooding attacks using Kullback-Leibler-based scheme. Proceedings of the 2018 4th International Conference on Computer and Technology Applications (ICCTA), Istanbul, Turkey.","DOI":"10.1109\/CATA.2018.8398647"},{"key":"ref_45","doi-asserted-by":"crossref","unstructured":"Romo-Chavero, M.A., Cantoral-Ceballos, J.A., P\u00e9rez-D\u00edaz, J.A., and Martinez-Cagnazzo, C. (2024). Median Absolute Deviation for BGP Anomaly Detection. Future Internet, 16.","DOI":"10.3390\/fi16050146"},{"key":"ref_46","doi-asserted-by":"crossref","unstructured":"Ham, H., and Park, T. (2022). Combining p-values from various statistical methods for microbiome data. Front. Microbiol., 13.","DOI":"10.3389\/fmicb.2022.990870"},{"key":"ref_47","unstructured":"Borenstein, M., Hedges, L., Higgins, J., and Rothstein, H. (2011). 
Introduction to Meta-Analysis, Wiley."},{"key":"ref_48","doi-asserted-by":"crossref","unstructured":"Chen, Z. (2021). Optimal Tests for Combining p-Values. Appl. Sci., 12.","DOI":"10.3390\/app12010322"},{"key":"ref_49","doi-asserted-by":"crossref","unstructured":"Sharafaldin, I., Lashkari, A.H., and Ghorbani, A.A. (2018, January 22\u201324). Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization. Proceedings of the International Conference on Information Systems Security and Privacy, Madeira, Portugal.","DOI":"10.5220\/0006639801080116"},{"key":"ref_50","unstructured":"UNB (2024, July 01). Intrusion Detection Evaluation Dataset. Available online: https:\/\/www.unb.ca\/cic\/datasets\/ids-2017.html."},{"key":"ref_51","unstructured":"Lashkari, A.H. (2021). CICFlowMeter, GitHub."},{"key":"ref_52","doi-asserted-by":"crossref","unstructured":"Davis, J., and Goadrich, M. (2006, January 25\u201329). The relationship between Precision-Recall and ROC curves. Proceedings of the 23rd International Conference on Machine Learning\u2014ICML \u201906, Pittsburgh, PA, USA.","DOI":"10.1145\/1143844.1143874"},{"key":"ref_53","doi-asserted-by":"crossref","first-page":"321","DOI":"10.1613\/jair.953","article-title":"SMOTE: Synthetic Minority Over-sampling Technique","volume":"16","author":"Chawla","year":"2002","journal-title":"J. Artif. Intell. Res."},{"key":"ref_54","doi-asserted-by":"crossref","unstructured":"Ferreira, S., Antunes, M., and Correia, M.E. (2021). A Dataset of Photos and Videos for Digital Forensics Analysis Using Machine Learning Processing. 
Data, 6.","DOI":"10.3390\/data6080087"}],"container-title":["Mathematics"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2227-7390\/12\/15\/2299\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T15:21:29Z","timestamp":1760109689000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2227-7390\/12\/15\/2299"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,7,23]]},"references-count":54,"journal-issue":{"issue":"15","published-online":{"date-parts":[[2024,8]]}},"alternative-id":["math12152299"],"URL":"https:\/\/doi.org\/10.3390\/math12152299","relation":{},"ISSN":["2227-7390"],"issn-type":[{"value":"2227-7390","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,7,23]]}}}