I have the following situation. I'm studying how malicious host on the internet choose their victims. I must discover if a number of host are acting an in independent way or not. I'm using an hypothesis testing approach:
- The null hypothesis is that the host scan the internet in a independent fashion
- The alternative hypothesis is that they scan coordinately
Stating that the first is true (independent scan) we can calculate the distribution of the number of destination ip addresses that receive no scanning. My question is, given that distribution how can I prove that the host scan in an independent fashion? In particular, I am observing a certain number of ip addresses. From this observation I can say what is the number of addresses that have not received any scanning. Using only that number and the given distribution can I use some type of test to prove the null hypothesis?
Another idea was to divide the addresses I'm observing in a series of groups and use the chi square goodness fit test. Do you think that this approach will be formally correct?