To identify which attacks (i.e., the corresponding Snort alerts) are generated by someone executing a script or some other automated program, we wrote a tool[14] that calculates the time differences between alerts of the same connection. In most cases, automated tasks are highly predictable: authors of attack scripts hardly ever build randomness into their tools, and this is normally reflected in the network traffic those tools produce. Scanners in particular often leave very monotonous packet traces, which can often be identified in a traffic trace by looking at packet timestamps. Packets of the same connection arriving at constant intervals are probably related to some kind of automated behavior.
An attempt to detect automated activity was made by looking at the target machines, target ports, source machines and their packet inter-arrival times. The source ports were ignored because they change during a connection. The time resolution we chose was one second; anything below one second would have included too much noise and would not have resulted in clean deltas. For the following analysis we decided to drop the target ports as well and looked only at the connections between machines and their packet inter-arrival times.
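The following sketch shows the delta calculation described above. It is an added example, not the tool[14] written for this analysis. It assumes alerts are available as (timestamp, source, target) tuples; the sample alerts, the function names and the `min_deltas` and `dominance` thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

EPOCH = datetime(1970, 1, 1)

# Constructed sample alerts (timestamp, source, target); not data from the study.
SAMPLE_ALERTS = [
    ("2004-03-01 10:00:00.120", "192.0.2.10", "198.51.100.5"),
    ("2004-03-01 10:00:05.480", "192.0.2.10", "198.51.100.5"),
    ("2004-03-01 10:00:10.050", "192.0.2.10", "198.51.100.5"),
    ("2004-03-01 10:00:15.300", "192.0.2.10", "198.51.100.5"),
    ("2004-03-01 10:00:20.900", "192.0.2.10", "198.51.100.5"),
    ("2004-03-01 10:00:25.010", "192.0.2.10", "198.51.100.5"),
    ("2004-03-01 10:00:03.700", "203.0.113.7", "198.51.100.5"),
    ("2004-03-01 10:00:11.200", "203.0.113.7", "198.51.100.5"),
    ("2004-03-01 10:00:12.900", "203.0.113.7", "198.51.100.5"),
    ("2004-03-01 10:01:40.000", "203.0.113.7", "198.51.100.5"),
    ("2004-03-01 10:02:05.500", "203.0.113.7", "198.51.100.5"),
    ("2004-03-01 10:05:30.100", "203.0.113.7", "198.51.100.5"),
]


def inter_arrival_deltas(alerts):
    """Return {(source, target): [whole-second gaps between consecutive alerts]}."""
    by_pair = defaultdict(list)
    for ts, src, dst in alerts:
        stamp = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")
        # One-second resolution: drop the sub-second part before differencing.
        by_pair[(src, dst)].append(int((stamp - EPOCH).total_seconds()))
    deltas = {}
    for pair, times in by_pair.items():
        times.sort()
        deltas[pair] = [later - earlier for earlier, later in zip(times, times[1:])]
    return deltas


def looks_automated(deltas, min_deltas=4, dominance=0.8):
    """True when one gap value accounts for most intervals (assumed thresholds)."""
    if len(deltas) < min_deltas:
        return False
    _, count = Counter(deltas).most_common(1)[0]
    return count / len(deltas) >= dominance


def classify(alerts):
    """Map each (source, target) pair to True if its timing looks scripted."""
    return {pair: looks_automated(d) for pair, d in inter_arrival_deltas(alerts).items()}
```

Truncating to whole seconds absorbs the sub-second jitter in the first source's alerts, so its gaps collapse to a single value, while the second source's gaps stay scattered.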