![](https://hackmd.io/_uploads/rJDlmOKY3.png)
![](https://hackmd.io/_uploads/HkdSGdKtn.png)
![](https://hackmd.io/_uploads/rytWH_KKh.png)

# 1

![](https://hackmd.io/_uploads/HJVejw-ch.png)

We can conclude that the DoS transaction size is on average bigger than that of the other attacks. On average, the benign packet size is smaller than the overall average packet size of the non-benign (attack) traffic.

![](https://hackmd.io/_uploads/r1hpAwZ5h.png)

Average source-to-destination packet size is dominated by DoS attacks, followed by Worms, and then Normal traffic.

![](https://hackmd.io/_uploads/rym6YYbq2.png)

Total load on the network (source to destination) is higher while attacks are happening than during benign network communication.

![](https://hackmd.io/_uploads/rJ-C1qZch.png)

Average source packet loss on the network is highest for Exploits, followed by DoS.

Conclusion: The network attack that puts the largest strain on the network, based on packet size, is DoS; it also has the second highest average packet loss, meaning that packets are sent out but may not reach the recipient. Therefore, based on the data in the dataset, we can conclude that DoS impacts the network heavily because of its average source packet loss, its average packet size sent out, and its destination packet transaction sizes.

## Parallel Coordinate

![](https://hackmd.io/_uploads/SJqT9Dz9h.png)

Conclusion: Attacks in the Backdoor category generally have very low sload, 0 dload, sloss, dloss, sinpkt and dinpkt, but generally high values of sttl. This means that backdoor attacks in general have a stable connection, since sloss and dloss are very low, and a minimal interval between packets, since the sinpkt and dinpkt values are minimal.
The trend shows that a backdoor attack does not affect the network load heavily compared to other methods, but because of the generally high sttl values of backdoor attacks, they can be detected using this pattern.

## Weka

We normalised the value to create a more

- Dark Blue: Normal
- Red: Recon
- Light Blue: Backdoor
- Dark Green: DoS
- Pink: Exploit
- Light Green: Fuzzers
- Yellow: Worms
- Dark Pink: Shellcode

![](https://hackmd.io/_uploads/r1ZhBcM5h.png)
![](https://hackmd.io/_uploads/rklTHqzcn.png)

We can see that tcprtt (TCP round-trip time) has the majority of Normal packets at 0. The rest are scattered at values above 0, meaning that the attacks introduce an RTT delay.

# 2

![](https://hackmd.io/_uploads/SkWFC_Mqh.png)

Assuming "strongly correlated" is defined as a correlation > 0.85 or < -0.85, then the following pairs are strongly correlated:

- sbytes and spkts
- dbytes and dpkts
- sloss and spkts
- dloss and dpkts
- sbytes and sloss
- dbytes and dpkts
- tcprtt and dttl
- ackdat and dttl
- tcprtt and synack
- tcprtt and ackdat
- synack and ackdat

![](https://hackmd.io/_uploads/ryexsOf9n.png)

We can see that the top 3 highest ranked attributes have the most closely correlated features.

Highest Ranked Attributes:

1. 0.299497 7 dttl
2. 0.187483 6 sttl

To make it easy: the data is first sorted.

#### Attacks

![](https://hackmd.io/_uploads/B1mxlsf9n.png)

Null hypothesis: there is no significant correlation between sttl and dttl, or in short, dttl does not affect sttl.
Alternative hypothesis: there is a significant correlation between sttl and dttl, or in short, dttl does affect sttl.

Since the p-value < 0.05, we can reject the null hypothesis.

#### Benign

![](https://hackmd.io/_uploads/S17CWjf9h.png)

Null hypothesis: there is no significant correlation between sttl and dttl, or in short, dttl does not affect sttl.
Alternative hypothesis: there is a significant correlation between sttl and dttl, or in short, dttl does affect sttl.
Since the p-value < 0.05, we can reject the null hypothesis.

### 2-Factor ANOVA without replication on sttl and dttl

![](https://hackmd.io/_uploads/SkcIQoG52.png)

ANOVA 2-factor test screenshot

We can see that the p-value is < 0.05.

Null hypothesis: there is no significant correlation between sttl and dttl, or in short, dttl does not affect sttl.
Alternative hypothesis: there is a significant correlation between sttl and dttl, or in short, dttl does affect sttl.

The conclusion we can derive from this is that there is a significant relationship between sttl and dttl, which is the same as the previous conclusion because we are using the same data.
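As an added example (not code from the original write-up), the |r| > 0.85 cut-off from section 2 applied programmatically: a pure-Python Pearson correlation run over a handful of constructed flow records that use the page's UNSW-NB15 feature names. The six records are made-up sample values, not rows from the dataset, so the flagged pairs illustrate the method rather than reproduce the page's list.

```python
"""Flag strongly correlated feature pairs at the |r| > 0.85 threshold."""
from itertools import combinations
from math import sqrt

THRESHOLD = 0.85  # the "strongly correlated" cut-off assumed in section 2

# Constructed sample flows (hypothetical values shaped like the dataset columns).
SAMPLE = {
    "spkts":  [1, 2, 3, 4, 5, 6],
    "sbytes": [100, 200, 300, 400, 500, 600],   # scales exactly with spkts
    "sloss":  [0, 0, 1, 1, 2, 2],               # rises with spkts, stepwise
    "sttl":   [254, 31, 254, 31, 254, 31],      # alternates between two TTLs
    "dttl":   [252, 29, 252, 29, 252, 29],      # always sttl minus 2
    "tcprtt": [0.0, 0.1, 0.0, 0.4, 0.0, 0.1],   # not tied to the other columns
}


def pearson(xs, ys):
    """Pearson correlation coefficient of two equally long sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0  # constant column: r is undefined, treat as no correlation
    return sxy / sqrt(sxx * syy)


def correlation_pairs(data):
    """Return {(a, b): r} for every unordered pair of columns in data."""
    return {(a, b): pearson(data[a], data[b]) for a, b in combinations(data, 2)}


def strongly_correlated(data, threshold=THRESHOLD):
    """Pairs whose |r| exceeds the threshold, strongest first."""
    strong = {p: r for p, r in correlation_pairs(data).items() if abs(r) > threshold}
    return sorted(strong.items(), key=lambda kv: -abs(kv[1]))


if __name__ == "__main__":
    for (a, b), r in strongly_correlated(SAMPLE):
        print(f"{a:7s} ~ {b:7s} r = {r:+.3f}")
```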