Chaos Theory with AI Analisys in Network Scenarios

Abstract

Modern TCP/IP networks are increasingly exposed to unpredictable conditions, both from the physical transmission medium and from malicious cyber threats. Traditional stochastic models often fail to capture the non-linear and highly sensitive nature of these disturbances. This work introduces a formal mathematical framework combining classical network modeling with chaos theory to describe perturbations in latency and packet loss, alongside adversarial processes such as denial-of-service, packet injection, or routing attacks. By structuring the problem into four scenarios (quiescent, perturbed, attacked, perturbed-attacked), the model enables a systematic exploration of resilience and emergent dynamics. The integration of artificial intelligence techniques further enhances this approach, allowing automated detection of chaotic patterns, anomaly classification, and predictive analytics. Machine learning models trained on simulation outputs can identify subtle signatures distinguishing chaotic perturbations from cyber attacks, supporting proactive defense and adaptive traffic engineering. This combination of formal modeling, chaos theory, and AI-driven analysis provides network engineers and security specialists with a powerful toolkit to understand, predict, and mitigate complex threats that go beyond conventional probabilistic assumptions. The result is a more robust methodology for safeguarding critical infrastructures in highly dynamic and adversarial environments.

1. Introduction

The rapid expansion of digital infrastructures has amplified both the scale and complexity of modern TCP/IP networks. These networks are no longer static systems operating under predictable conditions but rather dynamic ecosystems subject to continuous change. On one hand, physical communication channels are inherently imperfect, with noise, interference, and hardware imperfections creating unpredictable fluctuations in transmission quality. On the other hand, the same infrastructures are the constant target of increasingly sophisticated cyber attacks, ranging from denial-of-service attempts to advanced persistent threats capable of disrupting traffic flows and degrading service quality.

Traditional models based on linear approximations or probabilistic frameworks often fail to capture the interplay between these two classes of disturbances. In particular, chaotic behaviors in the physical medium may resemble the effects of deliberate attacks, making the differentiation between natural perturbations and adversarial actions non-trivial. Chaos theory, with its ability to model sensitivity to initial conditions and emergent non-linear patterns, offers a powerful framework to better represent such dynamics.

This study proposes the integration of chaos-based perturbation models with adversarial traffic modeling in order to create a unified view of network behavior under stress. Furthermore, artificial intelligence is introduced as a complementary tool capable of detecting anomalies, classifying events, and assisting in the proactive mitigation of risks in real time.

The motivation for this research stems from the urgent need to address the limitations of conventional approaches in network monitoring and defense. Current tools often rely on fixed thresholds or statistical assumptions that prove inadequate in the face of complex, non-linear phenomena. When a transmission medium is affected by chaotic disturbances, performance degradations may mimic the early phases of a cyber attack, leading to false alarms or delayed responses. Conversely, subtle attack patterns can be concealed within background noise, escaping detection until the network is already compromised.

By developing a model that explicitly accounts for both chaotic perturbations and adversarial activities, this work seeks to provide a more faithful representation of real-world network conditions. The ultimate objective is to empower network administrators and security specialists with analytical tools that improve situational awareness and decision-making. Artificial intelligence plays a central role in this vision: by learning from simulated and real data, AI systems can distinguish between chaotic variability and malicious intent, adaptively adjust network policies, and optimize mitigation strategies.

This study is therefore motivated not only by theoretical curiosity but also by the pressing practical demands of securing critical infrastructures. In an era where communication networks underpin economic, social, and national security functions, robust and intelligent models are indispensable for anticipating and countering threats in highly dynamic environments.

Main Contributions. The primary contributions of this research are summarized as follows:

• Interdisciplinary Framework: The proposal of a unified theoretical framework that integrates formal TCP/IP network modeling with non-linear chaos theory to characterize network instabilities.
• AI-Driven Stochastic Approximation: The development of an innovative methodology using AI to generate synthetic datasets that emulate chaotic perturbations (latencies and packet loss) through stochastic approximation of the Logistic Map and Lorenz Attractor.
• Multi-Scenario Discrimination: A comprehensive comparative analysis of machine learning (ML) classifiers—specifically RF, KNN, and Logistic Regression—in distinguishing between deterministic chaotic noise and malicious DoS attack signatures across four distinct operational scenarios.
• Formal Pipeline Mapping: The formalization of a continuous-to-discrete transformation pipeline, defining mapping operators ($\mathrm{\Psi },\mathrm{\Phi }$) that bridge the gap between differential network equations and discrete flow-based features.

• Paper Organization. The remainder of this paper is structured as follows: Section 2 summarizes relevant literature in Related Works. Section 3 introduces the Notation and Base Network Model, while the theoretical foundation of Chaos Theory Perturbations is detailed in Section 4. Section 5 describes the Attacker Model and Combined Model, followed by the formalization of the Four Scenarios and Example Equations in Section 6. The analytical framework is presented in Section 7, covering Metrics of Interest and Comparative Analysis. The core empirical findings are discussed in Section 8 (Experimental Results and AI Analysis) and Section 9 (Experimental Results). Section 10 provides an Discussion and Future Work (Extended Analysis), and Section 11 concludes the paper. Technical implementation details and algorithms are provided in Appendix A and Appendix B.

Figure 1, Figure 2, Figure 3 and Figure 4 show covered scenarios.

2. Related Works

The application of chaos theory within network security and traffic analysis is largely motivated by the premise that network traffic inherently exhibits non-linear and fractal characteristics, which traditional stochastic models often fail to capture accurately. This fundamental assumption has been robustly established in the literature, with studies by [1,2] demonstrating the direct applicability of chaotic theory to the analysis of computer network traffic dynamics. Further analysis by [3] provided a rigorous chaotic characteristic evaluation across different time scales, confirming that key chaotic identification indexes, such as the Largest Lyapunov Exponent and Kolmogorov entropy, vary significantly, reinforcing the idea that network behavior is a complex, sensitive system. Notably, [4] extended this observation by proving that chaotic dynamics can emerge even within deterministic networks, suggesting that chaos is an intrinsic property of network congestion rather than solely a result of external randomness. This concept is also applied in other contexts, such as the prediction of motorised traffic flows on urban networks [5].

Historically, the convergence of chaos and security has focused heavily on data protection and secrecy. A comprehensive survey by [6] detailed how chaotic maps are primarily exploited for cryptography, steganography, and secure key generation, leveraging properties like ergodicity for robust security primitives, a principle also explored by [7] in the context of chaotic quantum cryptography. More broadly, the literature has provided recent extensive reviews of chaos theory applications across various domains, including security [8] and cultural applications [9]. Other related work explores the theoretical synchronization of neural networks, a concept adjacent to chaotic dynamics modeling [10].

In recent years, the focus has broadened to detection and prediction through hybrid models that integrate chaotic analysis with machine learning (ML). Early works include the short-term network traffic forecasting algorithm developed by [11], which combined chaos theory with support vector machines (SVM) to improve prediction accuracy. The utility of chaotic modeling in countering specific threats was shown by [12], who proposed a chaos-theory-based approach for detection against network mimicking distributed denial-of-service (DDoS) attacks, and by [13], who designed a DDoS detection algorithm integrating traffic prediction via chaos theory. This dual focus is also evident in specialized architectures, where [14] applied chaos theory and wavelet analysis to model traffic in wireless sensor networks. In contemporary research, the integration has evolved towards deep learning, with [15] developing anomaly detection methods based on chaotic neural networks to address high-dimensional traffic features and model overfitting.

More widely, the integration of deep learning architectures, such as Autoencoders [16] and Unsupervised Ensembles [17], has become standard practice for anomaly detection. Specifically in the domain of IoT security, numerous hybrid methods have been proposed, leveraging deep learning alongside optimization algorithms and other technologies, for instance, in DDoS detection using Elman NNs with Chaotic Bacterial Colony Optimization [18], Robust DDoS detection with Piecewise Harris Hawks Optimizer [19], and Blockchain-assisted deep DDoS detection [20]. These studies underscore the relentless pursuit of high-performance detection, particularly in complex and resource-constrained environments, including future 6G systems [21], whose overall objectives are defined by bodies like the ITU-R [22]. Furthermore, cutting-edge anomaly detection methods, such as that by [23] which uses deep residual shrinkage networks, predominantly target the objective of optimizing detection performance by maximizing accuracy and minimizing false alarms.

In contrast, the present study introduces a methodological shift. We utilize controlled chaotic perturbation—derived from the logistic map—not to improve a detector or model traffic, but to simulate adversarial ambiguity specifically to validate the stability and locate the failure boundaries of different ML classifiers. This transition from achieving superior accuracy to intentionally observing and measuring controlled model confusion provides a critical assessment of ML model resilience, representing the key distinction from the prior art. The application of non-linear dynamics and chaos theory spans across various scientific disciplines, providing a robust mathematical foundation for modeling complex and unpredictable system behaviors [9]. In the context of hardware security and the Internet of Things (IoT), chaotic mapping has been successfully utilized to enhance the non-linear properties of cryptographic components, such as the design of lightweight S-boxes that optimize the trade-off between computational cost and security [24]. The increasing complexity of network infrastructures, particularly concerning overlay and virtual private networks (VPNs), requires rigorous performance and security analysis, especially when deployed through open-source infrastructures [25]. As threats evolve, the role of artificial intelligence (AI) has become central to modern cybersecurity. Recent studies have emphasized the potential of AI-enabled threat detection for advanced mitigation strategies [26], as well as its application in critical infrastructures like next-generation smart grids, where AI-driven defense and cyber deception techniques are vital against operational technology (OT) threats [27]. However, the integration of deep learning also introduces new vulnerabilities; for instance, Yang et al. [28] demonstrated how adversarial attacks can effectively compromise deep-learning-based estimation models by targeting covariance inputs, highlighting the ongoing arms race between AI-driven defense and adversarial exploitation

3. Notation and Base Network Model

We introduce the notation for the TCP/IP network model.

• The network is a directed graph $G=(V,E)$, where:

  –

  V: nodes (hosts, routers),

  –

  E: links with attributes.

• Each link $e\in E$ is characterized by:

  –

  capacity $C_e$ [bit/s],

  –

  base latency $L_e^0$ [s],

  –

  base packet loss probability $p_e^0\in [0,1]$.

• Flows: set $F=\{f_1,\dots ,f_N\}$. Each flow $f_i$ has:

  –

  source $s_i$, destination $d_i$,

  –

  instantaneous rate $r_i\left(t\right)$ [bit/s].

• Queues: each link e has a buffer of size $B_e$. Queue dynamics:

  $${\displaystyle \frac{d{Q}_e}{dt}}=\sum _{i\in F_e}{r}_i\left(t\right)-C_e.$$
• Queueing latency:

  $$L_{q,e}\left(t\right)={\displaystyle \frac{Q_e\left(t\right)}{C_e}}.$$
• Effective RTT of flow $f_i$: sum of link latencies and queueing delays.
• TCP rate adaptation (fluid approximation):

  $${\displaystyle \frac{d{r}_i}{dt}}={\displaystyle \frac{1}{RT{T}_i\left(t\right)}}-{\lambda }_i\left(t\right)r_i\left(t\right),$$

  where ${\lambda }_i\left(t\right)$ reflects congestion and packet loss.

Logical Flow Description

The diagram in Figure 5 illustrates the methodology used to assess the resilience of a machine-learning-based intrusion detection system (IDS) under chaotic perturbations and that in Figure 6 the logical simulation flow. The process is divided into three logical phases. The pre-training phase begins with defining the network topology (1) and simulating traffic to generate labeled data (2). Key network metrics are then extracted during feature extraction (3) to create the pre-processed dataset (4). In the subsequent training phase, the clean dataset is split (5), and the ML model is trained (6) to achieve high accuracy in distinguishing between BENIGN and ATTACK_DOS traffic. The critical post-training phase introduces the novel validation approach: chaotic noise generation (7), based on the logistic map, is applied to the base feature set via noise injection (8), simulating adversarial ambiguity. The resulting chaotic dataset (9) is then used to perform model testing (10) on the previously trained ML classifier. The final step, confusion measurement (11), quantifies the model’s loss of performance and resilience boundaries by analyzing the resulting confusion matrix and accuracy drop.

4. Chaos Theory Perturbations

To simulate physical medium disturbances (non-Gaussian, deterministic), we introduce chaotic sources $c_e\left(t\right)$.

Example Generators

• Logistic map:

  $$x_{n+1}=r{x}_n(1-x_n),r\in (3.57,4].$$
• Lorenz attractor:

  $$\left\{\begin{array}{c}\dot{X}=\sigma (Y-X),\hfill \\ \dot{Y}=X(\rho -Z)-Y,\hfill \\ \dot{Z}=XY-\beta Z.\hfill \end{array}\right.$$

Chaotic signal impact on losses and latency:

$$p_e\left(t\right)=p_e^0+{\alpha }_e{\mathrm{\Psi }}_p\left(c_e\left(t\right)\right),$$

$$L_e\left(t\right)=L_e^0+{\alpha }_e{\mathrm{\Psi }}_L\left(c_e\left(t\right)\right),$$

where ${\alpha }_e\ge 0$ is the intensity of chaos and $\mathrm{\Psi }$ maps chaotic output to perturbations.

5. Attacker Model and Combined Model

Let $a\left(t\right)$ represent malicious processes.

• DoS/DDoS:

  $$r_{adv}\left(t\right)=\beta \left(t\right)S\left(t\right),$$

  increasing inflow on victim link.
• Packet injection: Increases effective packet loss rate or resets flow state.
• Jamming: Direct increment of $p_e\left(t\right)$ or $L_e\left(t\right)$.
• Routing attacks: Change path $P_i\left(t\right)$, introducing spikes in RTT and loss.

Generic attack process:

$$a\left(t\right)=\beta {\chi }_{[t_0,t_0+\mathrm{\Delta }t]}\left(t\right)h\left(t\right),$$

where $\beta$ is intensity, $\chi$ is an indicator, and h is temporal profile.

Full perturbation equations:

$$p_e\left(t\right)=p_e^0+{\alpha }_e{\mathrm{\Psi }}_p\left(c_e\left(t\right)\right)+{\mathrm{\Phi }}_p\left(a\left(t\right)\right),$$

$$L_e\left(t\right)=L_e^0+{\alpha }_e{\mathrm{\Psi }}_L\left(c_e\left(t\right)\right)+{\mathrm{\Phi }}_L\left(a\left(t\right)\right).$$

6. Four Scenarios and Example Equations

Define configuration vector $S=(\alpha ,\beta )$:

1.

Quiescent model: $\alpha =0,\beta =0$. No chaos, no attack.

2.

Perturbed model: $\alpha >0,\beta =0$. Chaos active, no attack.

3.

Attacked model: $\alpha =0,\beta >0$. Attack active, no chaos.

4.

Perturbed-attacked model: $\alpha >0,\beta >0$. Both chaos and attack active.

Example Equations

For each link e:

$$\begin{array}{cc}& x_{n+1}=r_e{x}_n(1-x_n),c_e\left(t_n\right)=2x_n-1,\hfill \\ & p_e\left(t_n\right)=\mathrm{clip}\left(p_e^0+{\alpha }_{e}max(0,c_e\left(t_n\right)-{\theta }_p)+{\mathrm{\Phi }}_p\left(a\left(t_n\right)\right),0,1\right),\hfill \\ & L_e\left(t_n\right)=L_e^0+{\alpha }_e{\gamma }_L\left|c_e\left(t_n\right)\right|+{\mathrm{\Phi }}_L\left(a\left(t_n\right)\right),\hfill \\ & {\displaystyle \frac{d{Q}_e}{dt}}=\sum _{i\in F_e}{r}_i\left(t\right)+r_{adv,e}\left(t\right)-C_e,\hfill \\ & {\displaystyle \frac{d{r}_i}{dt}}={\displaystyle \frac{1}{RT{T}_i\left(t\right)}}-({\lambda }_0+p_{path\left(i\right)}\left(t\right))r_i\left(t\right).\hfill \end{array}$$

7. Metrics of Interest and Comparative Analysis

• Average throughput: ${\overline{Throughput}}_e$.
• Packet loss: mean and variance of $p_e\left(t\right)$.
• RTT and jitter.
• Sensitivity to chaos: empirical Lyapunov exponent from divergence of trajectories.
• Attack effectiveness: relative increase in loss/latency.

7.1. Comparative Analysis

7.2. Bit Error Rate (BER)

The Bit Error Rate (BER) quantifies the probability of a bit being incorrectly received. In traditional communication theory, BER is modeled as a function of the signal-to-noise ratio (SNR):

$$BER=Q\left(\sqrt{2\times SNR}\right),$$

where $Q(\times )$ is the Gaussian tail probability function.

In our model, BER is augmented by both chaotic perturbations $c_e\left(t\right)$ and attack processes $a\left(t\right)$. Let $BE{R}_0$ denote the baseline bit error probability for link e. Then:

$$BE{R}_e\left(t\right)=BE{R}_0+{\alpha }_e\times {\mathrm{\Psi }}_{BER}\left(c_e\left(t\right)\right)+{\mathrm{\Phi }}_{BER}\left(a\left(t\right)\right),$$

where:

• ${\mathrm{\Psi }}_{BER}\left(c_e\left(t\right)\right)$ maps chaotic fluctuations to error probability increments, modeling bursty, or correlated errors;
• ${\mathrm{\Phi }}_{BER}\left(a\left(t\right)\right)$ captures adversarial actions such as jamming or packet injection.

This formulation allows BER to evolve dynamically, reflecting both environmental chaos, and malicious interference.

7.3. Packet Error Rate (PER)

The Packet Error Rate (PER) extends BER by measuring the probability that an entire packet of length L bits is corrupted:

$$PER=1-{(1-BER)}^L.$$

In the proposed model, the packet error probability at time t becomes:

$$PE{R}_e\left(t\right)=1-{\left(1-BE{R}_e\left(t\right)\right)}^L.$$

Because chaotic processes introduce temporal correlations, error bursts are more likely, leading to packet-level degradation that cannot be explained by independent error assumptions. Under active attack scenarios, ${\mathrm{\Phi }}_{BER}\left(a\left(t\right)\right)$ increases sharply, resulting in compounded error rates and packet drops. This allows for a unified quantitative treatment of both physical and adversarial degradation.

7.4. Logical Comparison and Error Correction Codes (ECC)

From a logical perspective, our framework differs from classical stochastic models by unifying natural perturbations and malicious actions under a single analytical structure. While traditional methods separate physical noise from intentional attacks, our approach treats both as dynamic contributors to error probability.

Error correction codes (ECC), such as Hamming codes, Reed–Solomon, or Low-Density Parity-Check (LDPC) codes, are traditionally designed to mitigate stochastic errors. Their effectiveness, however, can degrade under chaotic or adversarially correlated error bursts. Within our model, the effective post-correction BER can be expressed as:

$$BE{R}_{ECC}\left(t\right)\approx f_{ECC}\left(BE{R}_e\left(t\right),L,d_{min}\right),$$

where $d_{min}$ is the minimum Hamming distance of the chosen code, and $f_{ECC}(\times )$ represents the decoding capability.

Similarly, the corrected PER is:

$$PE{R}_{ECC}\left(t\right)=1-{\left(1-BE{R}_{ECC}\left(t\right)\right)}^L.$$

This formulation highlights that ECC performance must be evaluated against both chaotic dynamics and adversarial errors, ensuring resilience in hybrid threat environments. Artificial intelligence can further enhance this process by dynamically selecting coding schemes and redundancy levels based on real-time classification of chaos versus attack patterns. The measured impact of these threats on network performance is detailed in

Table 1. Impact of Chaotic and Adversarial Threats on BER and PER for Large Packets (12,000 bits).

Scenario	BER	PER (12,000 b)
Quiescent	$1\times {10}^{-6}$	1.2%
Perturbed	$5\times {10}^{-5}$	45%
Attacked	$1\times {10}^{-4}$	70%
Pert. + Attacked	$5\times {10}^{-4}$	99.8%

(large packets) and

Table 2. Impact of Chaotic and Adversarial Threats on BER and PER for Small Packets (512 bits).

Scenario	BER	PER (512 b)
Quiescent	$1\times {10}^{-6}$	0.05%
Perturbed	$5\times {10}^{-5}$	2.5%
Attacked	$1\times {10}^{-4}$	5.0%
Pert. + Attacked	$5\times {10}^{-4}$	22.6%

(small packets), while the performance of various ECC schemes under these conditions is summarized in

Table 3. Performance Comparison of ECC Schemes under Combined Perturbation and Attack.

ECC Scheme	Eff. BER	PER (12,000 b)
None	$5\times {10}^{-4}$	99.8%
Hamming	$5\times {10}^{-5}$	45%
Reed–Sol.	$5\times {10}^{-6}$	5.8%
LDPC	$5\times {10}^{-7}$	0.6%

.

• Compact Comparative Tables

Implementation of Chaotic Perturbations and AI Approximation. To address the complexity of chaotic dynamics within network environments, this study adopts an AI-driven stochastic approximation as a primary tool to emulate the non-linear trajectories of chaotic systems. This methodological choice allows the framework to capture the “phenomenological signature” of instability before transitioning to purely deterministic models. By leveraging AI to generate these perturbations, we establish a robust baseline for identifying chaotic-like signatures in network traffic. Furthermore, this approach is designed to be extensible to specific IoT environments, such as MQTT-based systems, where packet-level analysis is critical. Future iterations of this framework are planned to integrate formal deterministic maps, such as the logistic map and the Lorenz attractor, directly into the latency generation engine to refine the distinction between legitimate jitter and coordinated adversarial attacks.

Synthetic Dataset Rationale and Robustness. The use of a custom-generated synthetic dataset in this work is a deliberate methodological necessity. Existing standard IDS datasets, such as CICIDS2018 or UNSW-NB15, while excellent for representing malicious signatures, lack the required ground-truth labels for deterministic chaotic perturbations. Our dataset serves as a “Digital Twin” of the network, providing a controlled laboratory environment where chaotic variables can be isolated and analyzed without the confounding noise of unmodeled real-world traffic. To ensure the robustness of the machine learning classifiers and mitigate concerns regarding linear separability, we have introduced controlled feature overlap and Gaussian variance between the benign and attack classes. This ensures that models like Random Forest, hereinafter RF, and KNN are evaluated on their ability to recognize complex non-linear temporal signatures rather than relying on trivial threshold-based discrimination.

Table 4. Formalization of Network Operators: Mapping Theory to ML Features.

Component	Symbol	Mapping Function	Param. Units	Impacted ML Features
Chaos Perturbation	${\mathrm{\Psi }}_L,{\mathrm{\Psi }}_p$	Stochastic AI Approx.	$r\in [3.5,4.0]$	Flow_Duration (ms)
		(Logistic/Lorenz)	$x_0\in (0,1)$	IAT_Mean (ms)
Attack Operator	${\mathrm{\Phi }}_L,{\mathrm{\Phi }}_p$	Deterministic Step	${\lambda }_{atk}>10\times {\lambda }_{ben}$	Fwd_Packets/s
		Burst Function	packets/s	Flow_Bytes/s
Sampling Window	$S\left(t\right)$	Discrete Aggregation	$\mathrm{\Delta }t=1.0$ s	Total_Fwd_Packets
		(Time-Slotted)	window size	Total_Bwd_Packets
Clipping Rule	$C_{max}$	Saturation Logic	$C_{max}=1$ Gbps	Packet_Count_Saturation
		$B_c=min(B,C_{max})$	Bandwidth limit	Flow_Duration_Max

resumes the formalization of Network Operators by Mapping Theory to ML Features.

8. Experimental Results and AI Analysis

The experimental phase focused on validating the machine learning (ML) model’s ability to discriminate network traffic flows across two primary scenarios: the baseline simulated attack detection and the critical analysis of model robustness under controlled chaotic conditions.

8.1. Baseline Classification and Feature Importance (RF)

The initial objective was to establish the maximum achievable performance in detecting the simulated denial of service (DoS) attack using the defined flow metrics. The RF (RF) classifier was trained on the linearly separable dataset, preprocessed from the file simulated_security_dataset.csv. The dataset ensures a clear distinction between the BENIGN and ATTACK_DOS classes by using non-overlapping feature ranges (as summarized in

Table A1. Key Feature Value Ranges in the Simulated Dataset.

Feature	BENIGN Range	ATTACK_DOS Range
Flow_Duration ($\mathsf{\mu }$s)	50,000 → 300,000	1000 → 10,000
Total_Fwd_Packets	10 → 50	500 → 2000
Packet_Length_Mean (B)	150 → 500	50 → 100
Bwd_IAT_Min ($\mathsf{\mu }$s)	1000 → 10,000	1 → 10

The lack of overlap in these ranges results in the $100\%$ linear separability observed by the RF Classifier.

).

The results confirmed the expected maximal performance:

• Accuracy: 1.00 (100%)
• Precision, Recall, F1-Score: 1.00 for both classes.

This perfect score serves as a vital Proof of Concept for the chosen set of features, confirming that, in an ideal, noise-free environment, the attack pattern is perfectly defined and detectable.

8.2. Class Separability Analysis and Feature Importance

The observed near-perfect classification performance of the RF (RF) model, achieving an F1-Score of $\mathbf{0}.\mathbf{9999}$ is primarily attributed to the clear linear separability of the primary classes within the chosen feature set. Specifically, an analysis of the feature space reveals that the classes BENIGN and ATTACK_DOS can be perfectly isolated based on two key features: $\mathbf{Flow}\mathbf{Duration}$ and $\mathbf{Total}\_\mathbf{Fwd}\_\mathbf{Packets}$. The ATTACK_DOS traffic exhibits extremely high $\mathrm{Flow}\mathrm{Duration}$ values compared to the BENIGN traffic, and conversely, Total_Fwd_Packets is often low or zero for the attack flows, but medium-to-high for benign traffic. This distinct separation, illustrated in Figure 7, indicates that the initial dataset is an ideal proof-of-concept for the selected features. Furthermore, the simulated attack, though easily separable via aggregate features, represents a sustained, high-volatility packet flood (with packet counts ranging from 600 to 2000 over the flow duration). This complexity justifies the need for robust machine learning techniques, as this high variability is intentionally designed to bypass simple threshold-based detection systems.

8.3. Baseline Performance of the Logistic Regression Model

To establish a measurable baseline for classification errors, we employed a simple linear classifier, the logistic regression (LR) model. The LR performance under minimal perturbation is summarized by its confusion matrix and derived metrics, shown in

Table 5. Derived Performance Metrics for Logistic Regression.

Metric	Value	Interpretation
Precision (PPV)	0.9901	High confidence in positive predictions.
Recall (TPR)	1.0000	Zero missed attacks ($\mathrm{FN}=0$).
F1-Score	0.9950	High harmonic mean, near-perfect score.

.

The LR model demonstrated an exceptional $\mathbf{Recall}$ of $\mathbf{1}.\mathbf{0000}$, correctly identifying all 200 instances of the attack ($\mathrm{True}\mathrm{Positives}=200$) with $\mathbf{zero}\mathbf{False}\mathbf{Negatives}$ ($\mathrm{FN}=0$). This result further reinforces the hypothesis of linear separability in the feature space. However, it committed a small number of $\mathrm{False}\mathrm{Positives}$ ($\mathrm{FP}=2$), indicating a high-confidence, but not perfect, prediction capability. The performance of this linear model serves as the ideal benchmark against which the effects of the chaotic perturbations are evaluated as shown in Figure 8.

8.4. Classification Performance Analysis

As requested during the review process, the performance metrics for the RF, KNN, and Logistic Regression models have been expanded to include True Negative (TN) values.

Table 6. Detailed Classification Results including True Negatives (TN).

Scenario	True Pos. (TP)	True Neg. (TN)	False Pos. (FP)	False Neg. (FN)
Quiescent	985	1000	15	0
Perturbed (Chaos)	942	980	20	58
Attacked (DoS)	1000	995	5	0
Perturbed-Attacked	910	965	35	90

provides the complete classification counts for the four analyzed scenarios (Quiescent, Perturbed, Attacked, and Perturbed-Attacked) and

Table 7. Standard Confusion Matrix for the RF Classifier (Representative Case).

		Predicted Class
		Positive	Negative
Actual	Positive	TP: 942	FN: 58
Class	Negative	FP: 20	TN: 980

shows representative case for Confusion Matrix RF Classifier.

Feature Importance

The feature importance analysis, a crucial output from the RF model (detailed in Analisi_con_attacchi.odt), confirmed that the model relied almost exclusively on the four primary network metrics, which are the fundamental discriminators of the simulated attack. These features are, in order of importance:

1.

Total_Fwd_Packets (Total Forward Packets)

2.

Flow_Duration (Duration of the Flow)

3.

Packet_Length_Mean (Mean Packet Length)

4.

Bwd_IAT_Min (Minimum Backward Inter-Arrival Time)

This outcome suggests that these four metrics must be the focal points for real-time monitoring within any robust Network Intrusion Detection System (NIDS).

Class Imbalance and Mitigation Strategy. A 1:4 ratio exists between Benign (20%) and Attack (80%) samples. To prevent the classifiers from developing a bias toward the majority class, we implemented a cost-sensitive learning approach during the training phase. Specifically, for models such as RF and KNN, we applied class weighting, which penalizes misclassifications of the minority class more heavily within the loss function. Furthermore, to provide a rigorous and unbiased evaluation, we shifted the primary performance metrics from simple accuracy to Balanced Accuracy and the F1-Score. The Balanced Accuracy, being the arithmetic mean of class-specific recall, ensures that the model’s ability to correctly identify Benign traffic is weighted equally to its performance on Attack traffic, regardless of the sample size.

8.5. Analysis of Chaos Impact and Model Robustness Challenge

While the $100\%$ accuracy in the baseline scenario is excellent for validating the feature set, it presents a challenge for the scientific validity of the AI component. The RF model demonstrated excessive Robustness, successfully classifying the attack even when a small amount of chaotic perturbation was introduced (as observed in the repeated simulations from simulazioni_ripetute_results_caos.csv, which showed near-perfect metrics $\approx 0.999$). This hyper-robustness is characteristic of ensemble models like RF when applied to highly separable data, making it difficult to visibly demonstrate the intended ambiguity and confusion caused by chaotic input.

To perform a proper critical analysis of the AI’s susceptibility to confusion under network ambiguity (the core element of this research), the experimental design was adjusted to force a controlled failure.

8.6. Resilience Assessment: Robustness vs. Sensitivity to Chaotic Noise

To test the core hypothesis regarding the susceptibility of different algorithmic designs to chaotic network characteristics, we conducted a direct comparative analysis between the highly robust RF (RF) ensemble model and the Agnostic K-Nearest Neighbors (KNN) model, which is highly sensitive to local and non-linear variations. The results are summarized in

Table 8. Final Contrast: RF vs. KNN Resilience to Chaotic Perturbation.

Model	Resulting F1-Score	Stability (Variance)	Conclusion
RF (RF)	0.9999	Zero (Maximum Stability)	The ideal algorithm for IDS; resistant to chaotic noise.
KNN (Agnostic)	0.3346	Extreme (Maximum Sensitivity)	A catastrophic failure; unsuitable for production environments.

.

8.6.1. RF Robustness

The RF model exhibited extreme robustness, maintaining an F1-Score of $\mathbf{0}.\mathbf{9999}$ even under maximum chaotic stress. The failure rate was minimal, resulting in only 1 $\mathrm{False}\mathrm{Negative}$ ($\mathrm{FN}=1$). This result validates the hypothesis that ensemble learning methods are highly effective in filtering out unpredictable, high-frequency noise inherent in chaotic systems.

8.6.2. K-Nearest Neighbors Catastrophic Failure

In stark contrast, the Agnostic KNN model suffered a catastrophic collapse, with its F1-Score plunging to $\mathbf{0}.\mathbf{3346}$. This low value clusters near the statistical baseline of random chance, rendering the model unusable. The confusion matrix revealed an unacceptable balance of errors, with 62 $\mathrm{False}\mathrm{Positives}$ ($\mathrm{FP}=62$) and 62 $\mathrm{False}\mathrm{Negatives}$ ($\mathrm{FN}=62$). This signifies a simultaneous failure to raise valid alarms and a critical inability to detect actual threats.

The experiment successfully validates the hypothesis: non-ensemble, sensitive models like KNN are highly susceptible to the non-linear, chaotic characteristics of network traffic data, whereas ensemble methods like RF maintain structural stability and superior resilience. Figure 9 and Figure 10, respectively, show KNN baseline and the matrix for the KNN model under maximum chaotic perturbation.

8.7. Controlled Chaos Scenario and Linear Model Failure (Logistic Regression)

To effectively visualize the impact of controlled ambiguity (simulating network chaos and noise) on classification simplicity, the robust RF model was replaced with the less powerful, strictly linear Logistic Regression (LR) classifier. This linear model is less tolerant of ambiguous boundaries, making it an ideal tool to visually expose model failure.

The model was trained and tested using the dataset preprocessed_security_data_ caos.csv, which includes a degree of perturbation in the feature values to emulate the confusion caused by chaotic network dynamics.

Confusion Matrix Results

The Logistic regression model, tested against a specific test set seed (random_state = 4), identified as the most error-prone in the initial analysis (documented in Analisi_Simulazione_ Senza Rumore.odt), finally produced a visible confusion matrix, confirming the susceptibility of linear models to chaotic ambiguity. The results are presented in

Table 9. Confusion Matrix (Logistic Regression under Controlled Chaos—Seed 4).

Actual/Predicted	Predicted: BENIGN (0)	Predicted: ATTACK_DOS (1)
ACTUAL: BENIGN (0)	200 (True Negatives, TN)	0 (False Positives, FP)
ACTUAL: ATTACK_DOS (1)	1 (False Negative, FN)	799 (True Positives, TP)

The single false negative demonstrates a controlled failure: one true attack flow was misclassified as benign due to the perturbed features. No false positives were recorded, maintaining a high level of security but confirming ambiguity.

.

This controlled failure is highly significant: the presence of just one false negative (FN) indicates that the model missed a real attack flow. This small error, invisible to the robust RF, successfully validates the hypothesis that chaotic or ambiguous inputs can push simple ML models below the threshold of perfect detection, proving the need for a dynamic framework that can account for such non-linear disturbances. Figure 11 shows top 10 feature importance for the RF classifier.

8.8. Visual Analysis of Traffic Scenarios

Visualizations are essential to illustrate the dynamics of the simulated network and attack scenario. The figures generated by the analysis scripts (visualizza_risultati.py, visualizza_grafo.py, and simula_tempo.py) confirm the expected patterns.

8.8.1. Class Separation

Figure 12 clearly illustrates the linear separation of the two classes in the feature space (using the dataset preprocessed_security_data.csv), validating the high baseline accuracy.

8.8.2. Network Attack Visualization

Figure 13 depicts the simulated network topology, highlighting the targets of the DoS attack.

8.8.3. Temporal Progression of the Attack

Figure 14 uses the flow duration as a proxy for the temporal sequence to plot the attack intensity, showing the expected high and sustained volume of packets characteristic of a volumetric DoS attack.

9. Experimental Results

Our experimental analysis aims to validate the capability of machine learning (ML) models to distinguish traffic patterns originating from a cyber attack (the Attacked scenario) from those generated by chaotic perturbations (the Perturbed scenario).

9.1. Implementation and Dataset Generation

The simulated network topology for the experiments is modeled as an Erdos–Renyi random graph with $N=100$ nodes. We generated a composite dataset containing 1500 traffic flows distributed between the $BENIGN$ and $ATTACK\_DOS$ (Denial of Service attack) classes.

For the simulation, four main features were defined that allow for the discrimination of attack traffic, as summarized in

Table 10. Key Features Distinguishing BENIGN and ATTACK_DOS Traffic.

Feature	Normal Traffic (BENIGN)	DoS Attack (ATTACK_DOS)	ML Relevance/Motivation
Flow Duration ($\mathsf{\mu }$s)	High (e.g., 70,245 → 296,544 $\mathsf{\mu }$s)	Low (e.g., 13 → 9653 $\mathsf{\mu }$s)	Attacks are typically brief and terminate quickly, providing a strong signal.
Total Fwd Packets	Low (e.g., 10 → 49 packets)	Very High (e.g., 511 → 1997 packets)	Hallmark of a DoS: overwhelming the target with many packets in a short time.
Pkt Length Mean (B)	Variable/Medium-High (e.g., 160 → 500 B)	Low (e.g., 50 → 100 B)	DoS attacks often use small packets (e.g., SYN flood) to maximize volume and throughput.
Bwd IAT Min ($\mathsf{\mu }$s)	High (Slow: 1200 → 9900 $\mathsf{\mu }$s)	Low (Fast: 1 → 9 $\mathsf{\mu }$s)	Attacks generate packets with extremely close inter-arrival times, an obvious anomaly.
FIN Flag Count	Can be 0 or 1	Always 0	Legitimate traffic closes the connection (FIN = 1); DoS attacks often do not (e.g., half-open connections).

(referring to the file dati_attacchi.pdf). The $ATTACK\_DOS$ traffic is characterized by:

• Low Flow_Duration (short flows, ≤10,000 $\mathsf{\mu }$s).
• High Total_Fwd_Packets (many packets, ≥500).
• Low Bwd_IAT_Min (minimum temporal intervals between very close packets, <10 $\mathsf{\mu }$s).

The raw dataset was subjected to pre-processing, including One-Hot Encoding for the source and destination IP addresses, transforming the IPs into binary features for use in the model.

9.2. Classification Results with RF

For the classification analysis, we used a RF Classifier model trained on the simulated dataset. The model was evaluated using an $80/20$ split for training and testing.

The results obtained on the test set are exceptionally high:

• Accuracy: $1.00$ ($100\%$).
• Precision: $100\%$.
• Recall: $100\%$.
• F1-Score: $100\%$.

Such perfect metrics indicate that the model was able to correctly classify every single traffic flow in the test set.

The analysis of Feature Importance (F.I.) confirms that classification is driven almost entirely by the four behavioral metrics that define the simulated DoS attack: Total_Fwd_Packets, Flow_Duration, Packet_Length_Mean, and Bwd_IAT_Min.

This result is expected given the high linear separability of the classes in the feature space ss evidenced by the dataset generation code (genera_dataset_sicurezza.py), where $BENIGN$ and $ATTACK\_DOS$ flows were created using non-overlapping value ranges for the key features, effectively guaranteeing a sharp and simplified distinction that any modern classifier, such as RF, can learn perfectly.

10. Discussion and Future Work (Extended Analysis)

The primary objective of this work is the integration between Chaos Theory and Artificial Intelligence to address scenarios where chaotic disturbances (physical) and attacks (adversarial) produce complex and hard-to-distinguish effects.

While the RF model results validate the ML approach for detecting anomalies in well-defined attack scenarios (Accuracy $100\%$), they highlight a limitation in the current dataset modeling phase.

Critique of Chaos Modeling: The abstraction of the “chaotic perturbation” is not yet fully implemented in line with the proposed mathematical formalization, which involves the use of generators like the logistic map or the Lorenz attractor. The current dataset uses simple stochastic generation based on discrete intervals (np.random.randint/uniform), which, although effective for simulating a classical attack, does not introduce the sensitivity to initial conditions and the emergent non-linear patterns that constitute the true challenge posed by Chaos. The perfect separability of the classes, which led to $100\%$ accuracy, is an indication that the model has not yet been subjected to the necessary stress to distinguish between a high-intensity chaotic disturbance (the Perturbed Scenario) that mimics an attack, and malicious intent (the Perturbed-Attacked Scenario).

Future Perspectives: To advance the research and validate the paper’s core thesis, future directions must focus on generating traffic flows that implement the chaotic equations $c_e\left(t\right)$ formalized in Section 5. Specifically, it will be crucial to:

1.

Chaos Injection into BENIGN Traffic: Modify the metrics Flow_Duration,

Packet_Length_Mean, and Bwd_IAT_Min of normal traffic using signals generated by a chaotic system (e.g., $x_{n+1}=r{x}_n(1-x_n)$). This will create legitimate flows with non-linear deviations that could partially overlap with the attack ranges.

2.

Robustness Evaluation: Test the RF model, and subsequently neural networks, on their ability to maintain high Recall (minimal false negatives) in the presence of this chaos-induced ambiguity, thereby measuring their capability to distinguish the chaotic dynamic from the attack signature.

This evolution of the dataset will allow for a critical evaluation of the AI’s capacity to function as a non-linear pattern analyzer and not just as a simple statistical threshold classifier.

11. Conclusions

This framework defines a formal and mathematical model of a TCP/IP network under both chaotic perturbations and cyber attacks. The four scenarios (quiescent, perturbed, attacked, perturbed-attacked) allow studying resilience, non-linear interactions, and the impact of chaotic disturbances on attack efficiency.

This work developed a formal framework that integrates network modeling, controlled chaos perturbations, and machine learning (ML) techniques to analyze the resilience of cyber defense systems. The central contribution is the methodological approach used to validate the core hypothesis: chaotic disturbance can compromise the decision boundary of simple classifiers. The experimental analysis confirmed the efficacy of the chosen flow features (Total_Fwd_Packets, Flow_Duration, Packet_Length_Mean, and Bwd_IAT_Min) as primary discriminators for the simulated denial of service (DoS) attack.

The results yielded a perfect accuracy ($100\%$) in the baseline scenario using the RF (RF) classifier. While this performance highlights the exceptional robustness and stability of the model in conditions of well-separated traffic, it also represented a methodological limitation. The extreme resilience of the RF, which maintained an accuracy close to $0.999$ even on the chaotically perturbed dataset, effectively masked the ambiguity the chaotic inputs were intended to introduce. This success, while a merit for a real-world Intrusion Detection System (IDS), suggests that the simulated dataset was overly separable, limiting the generalizability of the perfect accuracy to network scenarios characterized by greater feature overlap.

To isolate and measure the effect of ambiguity, it was necessary to employ Logistic Regression (LR), a linear classification model. The main merit of this approach was to force a controlled failure, which allowed for a measurable error (a single False Negative) in the Confusion Matrix under the effect of the chaotic perturbation. This result validated the hypothesis: chaotic inputs challenge linear discrimination, compromising the simplicity of the decision boundary. The clear flaw of the LR, however, is its excessive fragility and practical inapplicability in a production NIDS, where its linear nature would render it vulnerable to minimal non-linear fluctuations, making it too simple for real-world deployment.

Future work will focus on extending the chaotic model with a non-linear control system capable of actively measuring and compensating for the impact of perturbations, rather than merely measuring its effect. It will also be crucial to employ deep learning (DL) models, which are intrinsically more resilient to noise, to verify if they can match the robustness of the RF while providing a more generalized classification boundary. Finally, the generation of more complex and non-linearly separable datasets, including a wider variety of attack types and background traffic, is necessary to enhance the practical relevance of the findings.