Markov model based experiment comparison

Network and cyber-security experiments are stochastic in nature, that is, experiment output is not deterministic due to dynamic network state. Comparing two correct experiment runs in these conditions is a domain that has not been completely explored yet. We propose a method to construct a first-order Markov model to capture and subsequently compare two runs of an experiment. Our model is based on transitions between different network events, and to create this first-order Markov model, we find all states from observed data and compute transition probabilities amongst them. Consequently, the model is saved in a repository. To compare two runs, we find the Euclidean Distance between this saved model and the observed model. We illustrate this concept on the DETER testbed by comparing different variations of the Kaminsky DNS cache poisoning attack experiment. Our observations show that comparison between similar experiments have negligible euclidean distances as compared to those between different experiment variations. Thus, we demonstrate that this methodology is promising and provides a principled approach for comparing two experiment runs.