# Technical Document Extraction: Network Traffic Flow Length Distribution
## 1. Image Overview
This image is a stacked bar chart representing the frequency of different network traffic categories based on their "Flow Length" in seconds. The Y-axis uses a logarithmic scale to accommodate a wide range of frequency values, from $10^0$ to $10^8$.
## 2. Component Isolation
### A. Header / Legend
* **Location:** Top-center, enclosed in a black-bordered box.
* **Categories (Color-Coded):**
    * **Theft:** Bright Pink
    * **Reconnaissance:** Light Pink / Lavender
    * **DDoS:** Blue
    * **DoS:** Red
    * **Benign:** Green
### B. Main Chart Area (Axes)
* **Y-Axis (Vertical):**
    * **Label:** Frequency
    * **Scale:** Logarithmic ($10^0, 10^2, 10^4, 10^6, 10^8$)
* **X-Axis (Horizontal):**
    * **Label:** Flow Length (Seconds)
    * **Range:** 0 to 120 seconds.
    * **Markers:** Major ticks every 5 units (0, 5, 10, 15, 20, 25, 30, 35, 40, 45, 50, 55, 60, 65, 70, 75, 80, 85, 90, 95, 100, 105, 110, 115, 120).
## 3. Data Analysis and Trends
### General Trends by Category
1. **Theft (Bright Pink):** Concentrated heavily at the shortest flow lengths (0-5 seconds) with a peak frequency near $10^3$. It appears sporadically and at very low frequencies (near $10^0$) across the rest of the flow-length range.
2. **Reconnaissance (Light Pink):** Primarily occurs in the 0-10 second range. It shows a significant presence at 0 seconds (approx. $10^6$) and tapers off rapidly.
3. **Benign (Green):** Shows a relatively consistent baseline frequency between $10^1$ and $10^2$ across the entire 0-120 second flow-length range, with a notable spike at the 115-120 second mark.
4. **DDoS (Blue):** Dominates the mid-range flow lengths. It rises sharply after 5 seconds, peaks between 10 and 25 seconds (reaching frequencies above $10^6$), and remains a major component until approximately 55 seconds. It shows isolated spikes later (e.g., at 65, 90, and 110 seconds).
5. **DoS (Red):** Becomes prominent starting around 15 seconds. It maintains high frequency (approx. $10^5$ to $10^6$) between 20 and 55 seconds, often stacked on top of DDoS traffic. It drops significantly after 60 seconds.
### Key Data Points (Estimated from Log Scale)
| Flow Length (s) | Primary Category | Approx. Total Frequency | Observations |
| :--- | :--- | :--- | :--- |
| **0** | Reconnaissance / Theft | $> 10^6$ | Highest concentration of Reconnaissance. |
| **10-15** | DDoS | $\approx 10^6$ | Sharp increase in DDoS activity. |
| **25-40** | DDoS / DoS | $\approx 10^6$ | Sustained high-volume attack traffic. |
| **50-55** | DoS / DDoS | $\approx 10^6$ | Final peak of sustained DoS/DDoS before drop-off. |
| **60-110** | Mixed / Benign | $10^1 - 10^4$ | Significant drop in overall traffic; sporadic spikes. |
| **110** | DDoS | $\approx 10^5$ | Late-stage isolated DDoS spike. |
| **120** | Benign | $\approx 10^3$ | Significant Benign traffic at the end of the window. |
## 4. Summary of Findings
The chart illustrates that different types of network events have distinct flow-length signatures. **Reconnaissance** and **Theft** are "quick" events whose flows end almost instantaneously. **DDoS** and **DoS** attacks are characterized by sustained flows lasting between 10 and 60 seconds. **Benign** traffic is the most diverse in flow length, appearing consistently across the entire measured range but at a lower frequency than the peak of attack traffic.