Prediction of dynamics of suspicious network activity based on network traffic analysis

DOI: https://doi.org/10.31673/2412-9070.2021.062630

Authors

  • А. Д. Кожухівський, (Kozhukhivsʹkyy A. D.) State University of Telecommunications, Kyiv
  • О. Ю. Ільїн, (Ilʹyin O. Yu.) State University of Telecommunications, Kyiv
  • В. А. Савченко, (Savchenko V. A.) State University of Telecommunications, Kyiv
  • А. Г. Захаржевський, (Zakharzhevskyi A. H.) State University of Telecommunications, Kyiv


Abstract

The article considers the possibility of early prediction of cyberattacks based on the analysis of suspicious activity in the network, which would give information protection services additional opportunities to counter such attacks. A characteristic feature of a slow DDoS attack is that it exploits a weakness of the TCP protocol: interruptions in a connection can be caused intentionally, or unintentionally as a result of delays in the communication channel. It is well known that the detection of slow DDoS attacks differs significantly from that of volume-based attacks, since slow attacks do not increase network traffic. The general problem is to detect the start time of such an attack, since the traffic parameters do not change dramatically. An assumption is made that the slow attack depends on the user's behavior. Using machine learning methods based on the analysis of similar situations in the past, it is possible to create an integrated system that transforms large volumes of publicly available data in order to predict the behavior of attackers in the network. A method of detecting such attacks based on the study and prediction of suspicious user activity is proposed. The applicability of this method has been proven by modeling RUDY attacks on HTTP services. The forecasting accuracy is characterized as a function of the accumulated traffic and attack statistics. It is concluded that the method can be used to detect different types of slow DDoS attacks. Predicting suspicious traffic solves the problem of detecting slow DDoS attacks by means of an algorithm for finding unknown future values of a time series of traffic parameters. The proposed method combines the advantages of artificial intelligence and statistical analysis and is capable of self-learning as the attack statistics are replenished. This approach makes it possible to determine the random process exactly at the control points and to ensure the minimum mean square error of approximation in the intervals between these points.
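As an added illustration (not code from the paper, and not the authors' method, which builds on the canonical expansion of a random process), the following Python sketch shows the detection idea the abstract states: forecast the next value of a traffic parameter, treat a positive deviation from the forecast as suspicious, and keep flagged observations out of the baseline so that a slowly growing count of incomplete HTTP POST bodies (the server-side symptom of a RUDY attack) is not absorbed as normal behavior. The sample series, the window size, the threshold and the helper names are constructed assumptions; a plain least-squares linear extrapolation stands in for the paper's forecasting algorithm.

```python
"""Forecast-based detection of a slow HTTP DoS indicator (illustrative).

Added example, not the paper's method: a least-squares linear extrapolation
replaces the canonical-expansion forecast the authors build on. The series is
a constructed count, per 10 s interval, of HTTP POST connections whose request
body is still incomplete, which is what a RUDY-style attack produces server-side.
"""
from math import sqrt
from typing import List, Optional, Tuple

# Constructed sample: 10 baseline intervals, then 6 intervals in which the
# number of half-finished POST bodies keeps growing (simulated slow attack).
BASELINE = [4, 5, 4, 5, 4, 5, 4, 5, 4, 5]
ATTACK = [8, 12, 17, 23, 30, 38]
ATTACK_START = len(BASELINE)


def linear_forecast(window: List[float]) -> float:
    """Fit a least-squares line through the window and extrapolate one step."""
    n = len(window)
    x_mean = (n - 1) / 2
    y_mean = sum(window) / n
    sxx = sum((x - x_mean) ** 2 for x in range(n))
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(window))
    slope = sxy / sxx if sxx else 0.0
    # intercept + slope * n, rewritten around the window means
    return y_mean + slope * (n - x_mean)


def rmse(residuals: List[float], floor: float) -> float:
    """Root-mean-square of past residuals, never below `floor`."""
    if not residuals:
        return floor
    return max(floor, sqrt(sum(r * r for r in residuals) / len(residuals)))


def detect(series: List[float], window: int = 6, threshold: float = 3.0,
           floor: float = 1.0) -> Tuple[List[int], float]:
    """Return (alert indices, mean square error of forecasts on accepted points).

    The forecast is rebuilt from the last `window` accepted observations. An
    observation whose positive residual exceeds threshold * RMSE of earlier
    residuals is flagged and deliberately NOT fed back into the baseline, so a
    linear ramp of new half-open connections cannot be learned as normal.
    """
    accepted = list(series[:window])
    residuals: List[float] = []
    alerts: List[int] = []
    for t in range(window, len(series)):
        forecast = linear_forecast(accepted[-window:])
        resid = series[t] - forecast
        if resid > threshold * rmse(residuals, floor):
            alerts.append(t)
            continue
        accepted.append(series[t])
        residuals.append(resid)
    mse = sum(r * r for r in residuals) / len(residuals) if residuals else 0.0
    return alerts, mse


def attack_start(alerts: List[int], consecutive: int = 2) -> Optional[int]:
    """First index that opens a run of `consecutive` adjacent alerts, or None.

    Requiring a run suppresses a single noisy interval; a slow attack keeps the
    indicator elevated for many intervals in a row.
    """
    for i in range(len(alerts) - consecutive + 1):
        if alerts[i + consecutive - 1] - alerts[i] == consecutive - 1:
            return alerts[i]
    return None


if __name__ == "__main__":
    found, mse = detect(BASELINE + ATTACK)
    print("baseline forecast MSE:", round(mse, 3))
    print("alerts at intervals:", found)
    print("attack start detected at interval:", attack_start(found))
```

On the constructed series the baseline forecasts miss by 0.8 in alternating directions (MSE 0.64), and every interval of the simulated attack is flagged because the forecast is frozen on the last accepted baseline window; the first run of adjacent alerts gives the estimated start of the attack, which is the quantity the abstract identifies as the hard part of slow DDoS detection.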

Keywords: cyber security; suspicious activity; prediction of non-stationary processes; machine learning.

References
1. Dhanapal A., Nithyanandam P. The Slow HTTP Distributed Denial of Service Attack Detection in Cloud // Scalable Computing: Practice and Experience. 2019. Vol. 20, No. 2. P. 285–298. URL: https://doi.org/10.12694/scpe.v20i2.1501
2. Dhanapal A., Nithyanandam P. The Slow HTTP DDOS Attacks: Detection, Mitigation and Prevention in the Cloud Environment // Scalable Computing: Practice and Experience. 2019. Vol. 20, No. 4. P. 669–685. URL: https://doi.org/10.12694/scpe.v20i4.1569
3. Lukaseder T., Ghosh S., Kargl F. Mitigation of Flooding and Slow DDoS Attacks in a Software-Defined Network. arXiv preprint, 16 August 2018. URL: https://arxiv.org/pdf/1808.05357.pdf
4. Abusaimeh H., Atta H., Shihadeh H. Survey on Cache-Based Side-Channel Attacks in Cloud Computing // International Journal of Emerging Trends in Engineering Research. April 2020. Vol. 8, No. 4. P. 1019–1026.
5. Calvert C. L., Khoshgoftaar T. M. Impact of class distribution on the detection of slow HTTP DoS attacks using Big Data // Journal of Big Data. 2019. Vol. 6, Art. 67. URL: https://doi.org/10.1186/s40537-019-0230-3
6. Cusack B., Tian Z. Detecting and tracing slow attacks on mobile phone user service // Valli C. (Ed.). The Proceedings of the 14th Australian Digital Forensics Conference, 5–6 December 2016, Edith Cowan University, Perth, Australia. 2016. P. 4–10.
7. Дуравкін Є. В., Карлссон А., Локтіонова А. С. A method for detecting a slow attack // Системи обробки інформації. 2014. Iss. 8 (124). P. 102–106.
8. Рубан І. В., Прибильнов Д. В., Лошаков Е. С. A method for detecting a low-rate denial-of-service attack // Наука і техніка Повітряних Сил ЗС України. 2013. No. 4 (13). P. 85–88.
9. Тарасов Я. В. A study of the use of neural networks for detecting low-intensity application-layer DDoS attacks // Питання кібербезпеки. 2017. No. 5 (24). P. 23–29. URL: https://doi.org/10.21681/2311-3456-2017-5-23-29
10. Краковський Ю. М., Лузгін А. Н. Forecasting the intensity of cyberattacks on information systems of critical infrastructures. Problems of smart cities and sustainable development of territories // БЕЗПЕКА 2018. Yekaterinburg, 4–5 October 2018. 34-42. P. 180–187.
11. Лисенко С., Ткачук В. A technique and software for detecting RUDY attacks based on a traffic self-similarity detection algorithm // Вісник Хмельн. нац. ун-ту. 2019. Iss. 3. P. 273.
12. Idhammad M., Afdel K., Belouch M. Detection System of HTTP DDoS Attacks in a Cloud Environment Based on Information Theoretic Entropy and Random Forest // Security and Communication Networks. 2018. Vol. 2018, Article ID 1263123. 13 p. URL: https://doi.org/10.1155/2018/1263123
13. Network traffic forecasting based on the canonical expansion of a random process / V. Savchenko, O. Matsko, O. Vorobiov [et al.] // Eastern European Journal of Enterprise Technologies. 2018. Vol. 3, No. 2 (93). P. 33–41. URL: https://doi.org/10.15587/1729-4061.2018.131471
14. Detection of Slow DDoS Attacks based on User's Behavior Forecasting / V. Savchenko, O. Ilin, N. Hnidenko [et al.] // International Journal of Emerging Trends in Engineering Research. May 2020. Vol. 8, No. 5. P. 2019–2025.

Published

2022-09-23

Section

Articles