Simulating Application Behavior for Network Monitoring and Security

Murugaraj Odiathevar, Kim Chung Yup

TL;DR

The paper addresses the realism gap in network simulations by modeling application-layer behavior and deriving network traffic from those patterns. It introduces a fully statistical framework that uses probability distributions to generate realistic PCAPs suitable for network monitoring, anomaly detection, and security testing. Payload sizes are modeled via a transformed Beta distribution, $a + b \cdot \text{Beta}(\alpha, \beta)$, and HTTP method usage follows a Uniform distribution; the approach can simulate multiple applications concurrently. The system is lightweight, scalable, and open-source, enabling replication and extension on commodity hardware. This framework supports rigorous testing of monitoring tools and can be adapted to diverse network environments.

Abstract

Existing network simulations often rely on simplistic models that send packets at random intervals, failing to capture the critical role of application-level behaviour. This paper presents a statistical approach that extracts and models application behaviour using probability density functions to generate realistic network simulations. By convolving learned application patterns, the framework produces dynamic, scalable traffic representations that closely mimic real-world networks. The method enables rigorous testing of network monitoring tools and anomaly detection systems by dynamically adjusting application behaviour. It is lightweight, capable of running multiple emulated applications on a single machine, and scalable for analysing large networks where real data collection is impractical. To encourage adoption and further testing, the full code is provided as open-source, allowing researchers and practitioners to replicate and extend the framework for diverse network environments.
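
The payload and method model summarized in the TL;DR, as an added Python example (not the paper's released code): it fits $a + b \cdot \text{Beta}(\alpha, \beta)$ to observed payload sizes and then draws synthetic requests with a Uniform choice of HTTP method. The method set, the use of the sample min/max for $a$ and $b$, the method-of-moments fit, and the constructed "observed" sizes are assumptions made here, not details from the paper.

```python
import random
import statistics
from collections import Counter

METHODS = ("GET", "POST", "PUT", "DELETE")  # assumed method set, not from the paper

def fit_scaled_beta(sizes):
    """Method-of-moments fit of a + b*Beta(alpha, beta) to observed payload sizes."""
    a, hi = min(sizes), max(sizes)            # assumption: support taken from the sample
    b = hi - a
    if b == 0:
        raise ValueError("all payloads have the same size; nothing to fit")
    x = [(s - a) / b for s in sizes]          # rescale onto [0, 1]
    m, v = statistics.fmean(x), statistics.pvariance(x)
    k = m * (1 - m) / v - 1                   # > 0 unless every sample sits on an endpoint
    if k <= 0:
        raise ValueError("sample too degenerate for a Beta fit")
    return a, b, m * k, (1 - m) * k

def simulate_requests(params, n, rng, methods=METHODS):
    """Draw n (method, payload_size) pairs: Uniform method, scaled-Beta size."""
    a, b, alpha, beta = params
    return [(rng.choice(methods), round(a + b * rng.betavariate(alpha, beta)))
            for _ in range(n)]

def model_mean(params):
    """Mean payload size implied by the fitted parameters."""
    a, b, alpha, beta = params
    return a + b * alpha / (alpha + beta)

if __name__ == "__main__":
    rng = random.Random(7)
    # Constructed "observed" payloads standing in for sizes extracted from a capture.
    observed = [round(200 + 1300 * rng.betavariate(2, 5)) for _ in range(5000)]
    params = fit_scaled_beta(observed)
    synthetic = simulate_requests(params, 5000, rng)
    print("fitted (a, b, alpha, beta):", params)
    print("observed mean :", statistics.fmean(observed))
    print("synthetic mean:", statistics.fmean(s for _, s in synthetic))
    print("method counts :", Counter(m for m, _ in synthetic))
```

Because the sample min/max underestimate the true support, the fitted $\alpha$ and $\beta$ differ from the generating values even though the fitted mean matches the observed mean; comparing the two size histograms is a more useful check than comparing parameters.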

Paper Structure

This paper contains 4 sections, 1 equation, 2 figures, 1 table, 1 algorithm.

Figures (2)

  • Figure 1: Distribution of methods (Example)
  • Figure 2: Distribution of Payloads (Example)