<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>The using of fractal measures for network state monitoring and probabilistic network attack type determination</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>O Yu Gubareva</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>O V Osipov</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>A O Pocheptsov</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>V V Pugin</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Povolzhskiy State University of Telecommunications and Informatics</institution>
          ,
          <addr-line>L. Tolstoy Street 23</addr-line>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Samara, Russia</institution>
          ,
          <addr-line>443010</addr-line>
        </aff>
      </contrib-group>
      <pub-date>
        <year>2018</year>
      </pub-date>
      <fpage>322</fpage>
      <lpage>327</lpage>
      <abstract>
        <p>In the academic paper, fractal analysis is used for network traffic analysis concerning risk assessment of the infosecurity of network nodes; it takes into consideration the system's past history and makes it possible to determine probabilistically the probable network attack types on the system of interest. A network traffic analysis technique has been developed, based on a set of fractal measures, with a focus on network state analysis and probabilistic attack type determination. Following on from the results, it is possible to create a network traffic analyzer (sniffer) for time estimate of the infosecurity state as well as further computation of previously attacked devices and network nodes.</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>Any organization, when operating, is exposed to various infosecurity risks which one way or another
affect the characteristics of particular business processes and can negatively influence financial
data as well as the organization's ability to continue its activity. Current business
requirements necessitate using well-grounded technical-and-economic methods and means in
operation that provide quantitative and qualitative determination of the infosecurity (IS) level together with
an assessment of infosecurity cost efficiency. Efficient organization of infosecurity requires a
serious, systematic and integrated approach.</p>
      <p>Building almost any infosecurity system must start from risk analysis. Before designing an infosecurity
system one should specify what threats (in other words, conditions and factors
which can become the reason for breaking system integrity, its security and privacy, and also
facilitate unauthorized access to it) exist for the given infosystem and to what extent they are
potentially critical.</p>
      <p>Telecommunications networks have numerous vulnerabilities arising both in system software
development and in misconfiguration and equipment operation. The presence of a security threat
makes it possible for intruders to put into operation various types of network attack. Nowadays
the development of software tools for infosecurity risk analysis by means of online network traffic
analysis is of great interest. Clearing up the possible aims of threats makes the basis for
safety-related system design. The threat aims show what should be protected. As a rule,
network state is analyzed with a focus on solving network administration problems, routing
device monitoring, etc. To become aware of abnormal system behavior, collection and analysis of
various statistical information about IP traffic is often used. In this paper the free software
Zabbix, distributed under the GNU GPL license, was used to access network traffic data. The
monitoring system in this case consists of a software set for measuring current traffic and a software
system for its analysis, built on computing the so-called fractal measures which will
be specified in the given paper.</p>
    </sec>
    <sec id="sec-2">
      <title>2. The research objective and solution method</title>
      <p>The research objective is the development of a network traffic analysis technique based on a set of fractal
measures and aimed at network state analysis and probabilistic attack type determination.
Resting upon the research described in this paper, the authors are planning to create a network
traffic analyzer (sniffer) currently left on a company server for its time estimate, consecutive
defining of previously attacked devices and network nodes (network vulnerabilities) and, as a
result, further IS risk assessment.</p>
      <p>
        The paper [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ] gives an overview of scientific research in the field of real-time network
traffic analysis, and specific hardware and software solutions are considered.
      </p>
      <p>
        In the work [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ] the use of the Hurst index for the analysis of the traffic subject to anomalous
intrusions in the form of DoS-attacks is considered. The studies conducted in [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ] showed that
traffic has the property of self-similarity during abnormal intrusions, which proves the possibility
of determining traffic anomalies in real time.
      </p>
      <p>To reach the set goal, the following tasks are addressed in the paper: analysis of the
processes of the infosystem in question (the infosystem of an academic institution was
taken as a basis) as an object to protect; assessment of the Hurst exponent, power-density spectrum
and network traffic fractal measures in the normal state and at the time of attack on the infosystem
resources; executing the attack on the system resources.</p>
      <p>Fractal analysis is statistical in its nature and in addition it gives the possibility to find
self-similarity markers in the traffic of interest. This fact permits, first, to become aware of the minimal
time required for making the experiment. Second, it makes it possible to rely on the opportunity
to forecast the system behavior dynamics in the nearest future. A fractal model is a set of fractal
parameters (measures) put in accordance with the current network traffic state. The dynamics of
the fractal measures over a series of measurements of one and the same
telecommunication node lets us estimate the dynamics of the traffic condition, that is, the presence
or absence of attacks on infosystem resources. Jumping ahead, we can mention that as a result of
the performed experiment it was brought to light that in case of DoS-attacks the self-similarity
level of network traffic reduces and the power-density spectrum is transformed.</p>
      <p>The experiment idea is the following: there is some telecom traffic, represented as a diagram of network load
against time (figure 1). From the mathematical analysis perspective the traffic
in question represents a univariate time series, the observations of which are channel occupancy
levels at different moments. This series can be analyzed by calculating various fractal measures
(Hurst exponent, etc.) as well as the power-density spectrum.</p>
      <p>At the first stage Hurst exponent and power-density spectrum were calculated for the normal
network condition.</p>
      <p>
        First they determine Hurst exponent for calculating network traffic self-similarity level. For
its determination they find average channel occupancy value $\langle U \rangle_N$ for $N$ tick marks [
        <xref ref-type="bibr" rid="ref3 ref4">3, 4</xref>
        ]:
$$\langle U \rangle_N = \frac{1}{N} \sum_{n=1}^{N} U(n). \qquad (1)$$
      </p>
      <p>Then they define $X(n, N)$ which is accumulated divergency of $U(n)$ from average value $\langle U \rangle_N$,
which is determined with the help of the following total (union):
$$X(n, N) = \sum_{p=1}^{n} \left\{ U(p) - \langle U \rangle_N \right\}, \qquad (2)$$
where the average value $\langle U \rangle_N$ is defined by the formula (1).</p>
      <p>
        According to standardized Hurst range [
        <xref ref-type="bibr" rid="ref3 ref4">3, 4</xref>
        ], the divergence range is determined via minimal
and maximal values of the accumulated divergence $X(n, N)$ (2):
$$R(N) = \max_{1 \le n \le N} X(n, N) - \min_{1 \le n \le N} X(n, N). \qquad (3)$$
      </p>
      <p>
        The standard divergence $S(N)$ can be computed with the following known formula via
dispersivity [
        <xref ref-type="bibr" rid="ref3 ref4">3, 4</xref>
        ]:
$$S(N) = \left\{ \frac{1}{N} \sum_{n=1}^{N} \left[ U(n) - \langle U \rangle_N \right]^2 \right\}^{1/2}. \qquad (4)$$
      </p>
      <p>
        For most timing series the observed standardized range $R/S$ is described by empiric relation
and with the help of (3) and (4) appears as [
        <xref ref-type="bibr" rid="ref3 ref4">3, 4</xref>
        ]:
$$R/S = (\alpha N)^H, \qquad (5)$$
where $H$ is the Hurst exponent; $\alpha$ is an arbitrary parameter (constant).
      </p>
      <p>The described procedure in scientific literature got the name of R/S-analysis.</p>
      <p>In figure 2 there is shown the R/S telecom traffic dependency in normal state upon N in log-log
scale. The axis of ordinate shows the value of lg(R/S), the x-axis shows lg N.</p>
      <p>The Hurst exponent value for the traffic in question in normal condition turned out to be equal to
0.68. In accordance with the theory of fractals, if the obtained Hurst exponent value H &lt; 0.5 then the
series under study has "short" memory. In other words it is antipersistent. It means that recent
events in the generating system produce much more influence on the following system behavior
than less recent events. If H &gt; 0.5 the timing series is persistent and has fractal nature. With
the value H = 0.5 the signal represents stochastic noise and does not have any useful information.
As can be seen from the above, it was proved that the traffic in question in normal state is
self-similar and has fractal nature.</p>
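      <p>The R/S procedure of equations (1)-(5), as an added example that is not code from the paper. The two input series are constructed here (an aggregate of ON/OFF sources with heavy-tailed period lengths standing in for normal traffic, and a channel pinned at capacity with uncorrelated jitter standing in for a flood); the function names and the 0.1 alert threshold are assumptions of the example.</p>
      <preformat><![CDATA[
```python
import math
import random

def rescaled_range(u):
    """R/S of one window of channel-load samples, equations (1)-(4)."""
    n = len(u)
    mean = sum(u) / n                         # (1) average load
    acc, lo, hi, sq = 0.0, math.inf, -math.inf, 0.0
    for x in u:
        acc += x - mean                       # (2) accumulated deviation X(n, N)
        lo, hi = min(lo, acc), max(hi, acc)
        sq += (x - mean) ** 2
    s = math.sqrt(sq / n)                     # (4) standard deviation S(N)
    return (hi - lo) / s if s > 0 else None   # (3) R(N) over S(N); None if flat

def hurst_rs(series, min_window=8):
    """Slope of lg(R/S) against lg N by least squares, i.e. H in equation (5)."""
    points, n = [], min_window
    while n <= len(series) // 4:
        rs = [rescaled_range(series[i:i + n])
              for i in range(0, len(series) - n + 1, n)]
        rs = [v for v in rs if v is not None]
        if rs:
            points.append((math.log10(n), math.log10(sum(rs) / len(rs))))
        n *= 2
    if len(points) < 2:
        raise ValueError("series too short for R/S analysis")
    mx = sum(x for x, _ in points) / len(points)
    my = sum(y for _, y in points) / len(points)
    return (sum((x - mx) * (y - my) for x, y in points)
            / sum((x - mx) ** 2 for x, _ in points))

def onoff_traffic(ticks, sources=32, shape=1.4, seed=1):
    """Constructed 'normal' load: ON/OFF sources with heavy-tailed period lengths."""
    rng = random.Random(seed)
    load = [0.0] * ticks
    for _ in range(sources):
        t, on = 0, rng.random() < 0.5
        while t < ticks:
            length = math.ceil(5 * rng.paretovariate(shape))
            if on:
                for i in range(t, min(ticks, t + length)):
                    load[i] += 1.0
            t, on = t + length, not on
    return load

def saturated_channel(ticks, capacity=70.0, seed=2):
    """Constructed 'flood' load: channel pinned at capacity, uncorrelated jitter."""
    rng = random.Random(seed)
    return [capacity - abs(rng.gauss(0.0, 1.0)) for _ in range(ticks)]

def hurst_drop(baseline_h, current_h, threshold=0.1):
    """True when H fell more than `threshold` (an assumed value) below baseline."""
    return baseline_h - current_h > threshold

if __name__ == "__main__":
    normal_h = hurst_rs(onoff_traffic(4096))
    flood_h = hurst_rs(saturated_channel(4096))
    print(f"normal H={normal_h:.2f}  flood H={flood_h:.2f}  "
          f"alert={hurst_drop(normal_h, flood_h)}")
```
]]></preformat>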
      <p>Further in the paper the power-density spectrum was estimated, which represents the
fast inverse Fourier transform of the autocorrelation function.</p>
      <p>The network traffic autocorrelation function is determined by the following formula:
$$R(j) = \frac{1}{N} \sum_{i=1}^{N-j} U(i)\, U(i+j), \qquad (6)$$
where $N$ is the total number of network traffic tick marks. The signal power-density spectrum is
defined by direct inverse Fourier transform of autocorrelation function (6):
$$S_k = \frac{1}{N^2} \sum_{i=1}^{N} \sum_{p=1}^{N-i} U(p)\, U(p+i) \exp\left(-j \frac{2\pi k i}{N}\right), \quad k = 0, \ldots, N-1. \qquad (7)$$</p>
      <p>In figure 3 there is introduced network traffic power-density spectrum $S(f) = S_k(U)$ in
normal state (with no network attack).</p>
      <p>At the second stage the fractal measures and the network traffic power-density
spectrum under a DoS-attack were studied.</p>
      <p>During the DoS attack, the channel was fully loaded at 70 MB per second. It is worth noting
here that the use of fractal measures (in particular, the parameter R/S) makes it possible to guarantee the
scalability of the obtained results in the case of higher channel utilization.</p>
      <p>For this, a deliberately vulnerable web system with an IP address known in advance was developed. To
perform the DoS-attack, software similar to the LOIC program was used, which allows
an attack to be executed on an IP address given in advance with a variable number of transactions. In
addition, simultaneously with this an attack was executed on the MySQL server using
an SQL injection through a GET parameter of the vulnerable system.</p>
      <p>
        To do that they used a query with the SQL function benchmark(n, q), which makes it possible
to execute the function q n times [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ].
      </p>
      <p>For attacking the SQL server a script was written which issued such
requests in a loop a given number of times. The network traffic captured during the DoS-attack
was again analyzed for fractal measures and power-density spectrum. The Hurst exponent for the
traffic in question at the time of attack equaled 0.54, which speaks of a sharp decrease in the self-similarity
level of the traffic of interest.</p>
      <p>Currently, experiments are being conducted on the backbone network with a load of 1.2 GB
per second with a time sample duration of 24 hours (86,000 calculated values of the channel
load).</p>
      <p>In figure 4 there is shown the power-density spectrum for the case in question, which allows the
signal in question to be visually classified as "brown" noise.</p>
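      <p>The spectrum estimate of equations (6)-(7) and the noise-colour reading of figure 4, as an added example that is not code from the paper. It sums the autocorrelation over both signs of the lag so that S_k stays real, fits the exponent beta of S(f) ~ 1/f^beta on the lowest frequencies, and runs on two constructed signals (white noise and its running sum); the function names and the 0.5 and 1.5 cut-offs are assumptions of the example.</p>
      <preformat><![CDATA[
```python
import math
import random

def autocorrelation(u):
    """R(j) = (1/N) * sum_i U(i) U(i+j) for lags j = 0..N-1, as in equation (6)."""
    n = len(u)
    mean = sum(u) / n
    # Mean removed: S_k for k >= 1 is unchanged, large cancelling terms are avoided.
    d = [x - mean for x in u]
    return [sum(d[i] * d[i + j] for i in range(n - j)) / n for j in range(n)]

def power_spectrum(u, k_max):
    """S_k for k = 1..k_max as the Fourier transform of R(j), following (7).

    R is even in the lag, so the two-sided sum reduces to cosines and is real.
    """
    n = len(u)
    r = autocorrelation(u)
    spectrum = []
    for k in range(1, k_max + 1):
        w = 2.0 * math.pi * k / n
        s = r[0] + 2.0 * sum(r[j] * math.cos(w * j) for j in range(1, n))
        spectrum.append(s / n)
    return spectrum

def spectral_exponent(u, k_max=None):
    """beta in S(f) ~ 1/f^beta, fitted by least squares in log-log scale."""
    k_max = k_max or len(u) // 8          # lowest frequencies only
    s = power_spectrum(u, k_max)
    pts = [(math.log10(k), math.log10(v))
           for k, v in enumerate(s, start=1) if v > 0]
    mx = sum(x for x, _ in pts) / len(pts)
    my = sum(y for _, y in pts) / len(pts)
    slope = (sum((x - mx) * (y - my) for x, y in pts)
             / sum((x - mx) ** 2 for x, _ in pts))
    return -slope

def noise_colour(beta):
    """Assumed cut-offs between exponents 0 (white), 1 (pink) and 2 (brown)."""
    if beta < 0.5:
        return "white"
    return "pink" if beta < 1.5 else "brown"

def white_noise(n, seed=3):
    """Constructed uncorrelated signal."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(n)]

def brown_noise(n, seed=3):
    """Constructed 'brown' signal: running sum of white noise (random walk)."""
    level, out = 0.0, []
    for step in white_noise(n, seed):
        level += step
        out.append(level)
    return out

if __name__ == "__main__":
    for name, signal in (("white", white_noise(1024)), ("brown", brown_noise(1024))):
        beta = spectral_exponent(signal)
        print(f"{name}: beta={beta:.2f} -> {noise_colour(beta)}")
```
]]></preformat>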
      <p>Consequently, the experiment in a real network confirmed that the fractal measures and the
power-density spectrum change under a DoS-attack.</p>
      <p>Of interest is the study of fractal measures and the network traffic power-density
spectrum under various network attacks, which can lead to the creation of an on-line "patterns"
database (library) of power-density spectra and fractal measure values. In other words, this
refers to the opportunity to make a fractal network-status indicator for determining the threat type
with high probability. Worth making a point in this regard is that subtle
fractal analysis makes it possible to reveal minimal traffic changes despite full channel occupancy in case
of network attack. However, here we need further experimental research aimed at revealing
specific attacks and building "patterns" of fractal characteristics.</p>
      <p>Note that Hurst exponent computing of network traffic with 10000 time samples takes around
1.5 seconds when using Intel Core i5 and power-density spectrum calculation takes about 4
seconds.</p>
    </sec>
    <sec id="sec-3">
      <title>3. Conclusion</title>
      <p>In conclusion, let us dwell on the main conclusions of the work done. Fractal network indicator
led has to perform the following functions:</p>
      <p>saving channel occupancy entries sampling for certain time windows that are enough for
network condition diagnostics;</p>
      <p>fractal measures and power-density spectrum calculation for every set timing series for
the definite interval times for the purpose of further comparison with "patterns" from the
information base (using neural networks);</p>
      <p>finding of network state totally in the current and precedent time points;</p>
      <p>probability forecast about the network attack nature in the future.</p>
      <p>Thus, for network traffic state analysis (including DoS-attacks) the paper proposes
the use of fractal measures and the power-density spectrum, which allow the threat level to be determined
from indirect signs within an acceptable time limit.</p>
      <p>
        The algorithms developed in this work may be useful for the analysis of "smartlink connections" [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ].
Another object of the fractal technique is the stochastic network [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ].
      </p>
      <p>In conclusion, we note that the proposed method is the basis for creating a fractal indicator
for analyzing the state of the network, while specialized software (iptables, ipfw, etc.) should be
used to determine the sources of the DoS attack.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <surname>Get'man</surname>
            <given-names>A I</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Markin Yu</surname>
            <given-names>V</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Evstropov E F and Obydenkov D O 2017</surname>
          </string-name>
          <article-title>Analysis of network traffic in real-time mode: overview of applied tasks, approaches and solutions Trudy ISP RAN 29(3</article-title>
          )
          <fpage>117</fpage>
          -
          <lpage>150</lpage>
          ( in Russian)
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <surname>Shelukhin</surname>
            <given-names>O I</given-names>
          </string-name>
          and
          <article-title>Antonyan A A 2014 Analysis of changes in the fractal properties of telecommunications traffic caused by abnormal intrusions T-COMM: Telecommunications and transport 8(6</article-title>
          )
          <fpage>61</fpage>
          -
          <lpage>64</lpage>
          (in Russian)
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <surname>Feder</surname>
            <given-names>J 1991 Fractals</given-names>
          </string-name>
          (Springer Science + Business Media, LLC) 305 p
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <surname>Golovko</surname>
            <given-names>V A</given-names>
          </string-name>
          <year>2005</year>
          <article-title>Neural network methods for processing chaotic processes VII All-Russian scientific-technical conference "</article-title>
          <source>Neuroinformatics"</source>
          <fpage>43</fpage>
          -
          <lpage>91</lpage>
          (in Russian)
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <surname>Nizamutdinov</surname>
            <given-names>M F</given-names>
          </string-name>
          <year>2005</year>
          <article-title>The tactics of protecting and attacking WEB-applications (SPb</article-title>
          .: BHV-Peterburg Publisher) p
          <volume>432</volume>
          (in Russian)
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <surname>Nikitin</surname>
            <given-names>V S</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Semyonov</surname>
            <given-names>E I</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Solostin</surname>
            <given-names>A V</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Sharov</surname>
            <given-names>V G</given-names>
          </string-name>
          and
          <string-name>
            <surname>Chayka S V 2016</surname>
          </string-name>
          <article-title>Modeling the "smartlink connection"</article-title>
          performance
          <source>Computer Optics</source>
          <volume>40</volume>
          (
          <issue>1</issue>
          )
          <fpage>64</fpage>
          -
          <lpage>72</lpage>
          DOI: 10.18287/
          <fpage>2412</fpage>
          -6179-2016-40-1-
          <fpage>64</fpage>
          -72
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <surname>Agafonov</surname>
            <given-names>A A</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Myasnikov</surname>
            <given-names>V V</given-names>
          </string-name>
          <year>2016</year>
          <article-title>Method for the reliable shortest path search in time-dependent stochastic networks and its application to GIS-based traffic</article-title>
          control
          <source>Computer Optics</source>
          <volume>40</volume>
          (
          <issue>2</issue>
          )
          <fpage>275</fpage>
          -
          <lpage>283</lpage>
          DOI: 10.18287/
          <fpage>2412</fpage>
          -6179-2016-40-2-
          <fpage>275</fpage>
          -28
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>