=Paper=
{{Paper
|id=Vol-2212/paper43
|storemode=property
|title=The using of fractal measures for network state monitoring and probabilistic network attack type determination
|pdfUrl=https://ceur-ws.org/Vol-2212/paper43.pdf
|volume=Vol-2212
|authors=Olga Gubareva,Oleg Osipov,Andrey Pocheptsov,Vladimir Pugin
}}
==The using of fractal measures for network state monitoring and probabilistic network attack type determination ==
O Yu Gubareva, O V Osipov, A O Pocheptsov and V V Pugin
Povolzhskiy State University of Telecommunications and Informatics, L. Tolstoy Street 23, Samara, Russia, 443010
Abstract. In this paper fractal analysis is applied to network traffic for assessing the information security (infosecurity) risks of network nodes; it takes the past history of the system into account and makes it possible to determine, probabilistically, the likely types of network attack on the system of interest. A network traffic analysis technique based on a set of fractal measures has been developed, focused on network state analysis and probabilistic determination of the attack type. Building on these results, a network traffic analyzer (sniffer) can be created for time-based estimation of the infosecurity state and for subsequent identification of previously attacked devices and network nodes.
1. Introduction
Any organization in operation is exposed to various infosecurity risks which in one way or another affect the characteristics of particular business processes and can negatively affect financial data as well as the organization's ability to continue its activity. Current business requirements call for well-grounded technical and economic methods and means that provide quantitative and qualitative determination of the infosecurity (IS) level together with an assessment of the cost efficiency of infosecurity measures. Efficient organization of infosecurity requires a serious, systematic and integrated approach.
Building almost any infosecurity system must start with risk analysis. Before designing an infosecurity system one should specify what threats exist for the given information system (that is, the conditions and factors that can lead to a breach of the system's integrity, security and privacy or facilitate unauthorized access to it) and how critical each of them potentially is.
Telecommunications networks have numerous vulnerabilities arising both from system software development and from misconfiguration and equipment operation. The presence of a security threat makes it possible for intruders to carry out various types of network attack. Nowadays the development of software tools for infosecurity risk analysis by means of online network traffic analysis is of great interest. Identifying the possible targets of threats forms the basis for designing a security-related system: the threat targets show what should be protected. As a rule, network state is analyzed with a focus on network administration tasks, monitoring of routing devices, etc. To detect abnormal system behavior, collection and analysis of various statistics from IP traffic is often used. In this paper the network traffic data were obtained with Zabbix, free software distributed under the GNU GPL. In this case the monitoring system provides the software for measuring current traffic, while its analysis is performed by a software system that computes the so-called fractal measures specified in this paper.
IV International Conference on "Information Technology and Nanotechnology" (ITNT-2018)
2. The research objective and solution method
The research objective is the development of a network traffic analysis technique based on a set of fractal measures, aimed at network state analysis and probabilistic determination of the attack type. Building on the research described in this paper, the authors plan to create a network traffic analyzer (sniffer) that runs permanently on a company server and provides a time-based estimate of the security state, successive identification of previously attacked devices and network nodes (network vulnerabilities) and, as a result, a further IS risk assessment.
The paper [1] gives an overview of scientific research in the field of real-time network traffic analysis and considers specific hardware and software solutions.
The work [2] considers the use of the Hurst exponent for the analysis of traffic subject to anomalous intrusions in the form of DoS attacks. The studies conducted in [2] showed that the self-similarity properties of the traffic change during abnormal intrusions, which demonstrates the possibility of detecting traffic anomalies in real time.
To reach the set goal the following tasks are solved in the paper: analysis of the processes of the information system in question (the information system of an academic institution was taken as the basis) as the object to be protected; estimation of the Hurst exponent, the power-density spectrum and the fractal measures of the network traffic in the normal state and during an attack on the information system resources; execution of the attack on the system resources.
Fractal analysis is statistical in nature and in addition makes it possible to find markers of self-similarity in the traffic of interest. This allows one, first, to determine the minimal time required for the experiment and, second, to forecast the dynamics of the system behavior in the near future. A fractal model is a set of fractal parameters (measures) associated with the current state of the network traffic. The dynamics of the fractal measures over a series of measurements of one and the same telecommunication node lets us estimate the dynamics of the traffic condition, that is, the presence or absence of attacks on the information system resources. Looking ahead, we can mention that the performed experiment revealed that during DoS attacks the self-similarity level of the network traffic decreases and the power-density spectrum is transformed.
The idea of the experiment is the following: there is some telecom traffic, represented as a diagram of network load against time (figure 1). From the mathematical point of view the traffic in question is a univariate time series whose observations are the channel occupancy levels at different moments. This series can be analyzed by calculating various fractal measures (the Hurst exponent, etc.) as well as the power-density spectrum.
At the first stage the Hurst exponent and the power-density spectrum were calculated for the normal network condition.
First the Hurst exponent is determined in order to calculate the self-similarity level of the network traffic. For its determination the average channel occupancy value $\langle U \rangle_N$ over $N$ samples is found [3, 4]:

$$\langle U \rangle_N = \frac{1}{N}\sum_{n=1}^{N} U(n). \quad (1)$$

Then $X(n, N)$ is defined, the accumulated deviation of $U(n)$ from the average value $\langle U \rangle_N$, which is determined by the following sum:

$$X(n, N) = \sum_{p=1}^{n} \{U(p) - \langle U \rangle_N\}, \quad (2)$$
where the average value $\langle U \rangle_N$ is defined by formula (1).
Figure 1. Network load against time.
According to the rescaled-range method of Hurst [3, 4], the range is determined from the minimal and maximal values of the accumulated deviation $X(n, N)$ (2):

$$R(N) = \max_{1 \le n \le N} X(n, N) - \min_{1 \le n \le N} X(n, N). \quad (3)$$

The standard deviation $S(N)$ is computed with the usual formula via the variance [3, 4]:

$$S(N) = \left\{ \frac{1}{N} \sum_{n=1}^{N} \left[U(n) - \langle U \rangle_N\right]^2 \right\}^{1/2}. \quad (4)$$

For most time series the observed rescaled range $R/S$ follows an empirical relation which, with (3) and (4), is written as [3, 4]

$$R/S = (\alpha N)^H, \quad (5)$$

where $H$ is the Hurst exponent and $\alpha$ is a constant.
In the scientific literature the described procedure is known as R/S analysis.
Figure 2 shows the dependence of R/S for the telecom traffic in the normal state upon N on a log-log scale. The ordinate axis shows lg(R/S), the abscissa lg N.
The Hurst exponent for the traffic in question in the normal condition turned out to be 0.68. According to fractal theory, if the obtained Hurst exponent H < 0.5 then the series under study has "short" memory, in other words it is antipersistent: recent events in the generating system have much more influence on the subsequent system behavior than less recent ones. If H > 0.5 the time series is persistent and has a fractal nature. With H = 0.5 the signal represents uncorrelated stochastic noise and carries no useful information. Hence the traffic in question in the normal state is self-similar and has a fractal nature.
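As an added example (this is not code from the paper), the R/S procedure of equations (1)-(5) in Python: R/S is computed on non-overlapping windows of doubling size N, and the Hurst exponent is the least-squares slope of lg(R/S) against lg N, which is exactly the fit behind figure 2. The input series stands in for the channel-occupancy samples U(n); the two test signals (white noise and its running sum) are constructed, not measured traffic, and the thresholds in classify_hurst are the paper's reading of H.

```python
import math
import random
from itertools import accumulate
from typing import List, Sequence, Tuple


def rescaled_range(u: Sequence[float]) -> float:
    """R/S of one window of N channel-occupancy samples, equations (1)-(4)."""
    n = len(u)
    mean_u = sum(u) / n                                    # eq. (1): <U>_N
    x, acc = [], 0.0
    for value in u:                                        # eq. (2): accumulated deviation X(n, N)
        acc += value - mean_u
        x.append(acc)
    r = max(x) - min(x)                                    # eq. (3): range R(N)
    s = math.sqrt(sum((v - mean_u) ** 2 for v in u) / n)   # eq. (4): standard deviation S(N)
    return r / s if s > 0 else 0.0


def hurst_rs(series: Sequence[float], min_window: int = 16) -> Tuple[float, List[Tuple[float, float]]]:
    """Hurst exponent by R/S analysis: slope of lg(R/S) against lg N, equation (5).

    R/S is averaged over the non-overlapping windows of size N for
    N = min_window, 2*min_window, ... up to half the series length.
    The (lg N, lg R/S) points are returned too, for a plot like figure 2.
    """
    total = len(series)
    points: List[Tuple[float, float]] = []
    window = min_window
    while window <= total // 2:
        ratios = [rescaled_range(series[i:i + window])
                  for i in range(0, total - window + 1, window)]
        ratios = [r for r in ratios if r > 0]
        if ratios:
            points.append((math.log10(window), math.log10(sum(ratios) / len(ratios))))
        window *= 2
    if len(points) < 2:
        raise ValueError("series too short for R/S analysis")
    # Least-squares fit of lg(R/S) = H * lg N + lg(alpha) * H; the slope is H.
    mx = sum(px for px, _ in points) / len(points)
    my = sum(py for _, py in points) / len(points)
    slope = (sum((px - mx) * (py - my) for px, py in points)
             / sum((px - mx) ** 2 for px, _ in points))
    return slope, points


def classify_hurst(h: float, tol: float = 0.02) -> str:
    """Interpretation used in the paper: H < 0.5 antipersistent, H > 0.5 persistent, H = 0.5 noise."""
    if abs(h - 0.5) <= tol:
        return "uncorrelated"
    return "persistent" if h > 0.5 else "antipersistent"


def constructed_series(seed: int = 1, n: int = 4096) -> Tuple[List[float], List[float]]:
    """Constructed test signals (not measured traffic): white noise and its running sum (a random walk)."""
    rng = random.Random(seed)
    noise = [rng.gauss(0.0, 1.0) for _ in range(n)]
    walk = list(accumulate(noise))
    return noise, walk


if __name__ == "__main__":
    noise, walk = constructed_series()
    for name, s in (("white noise", noise), ("random walk", walk)):
        h, _ = hurst_rs(s)
        print(f"{name}: H = {h:.2f} ({classify_hurst(h)})")
```

The plain R/S estimator is biased upward for short windows: on white noise this code reports H around 0.55-0.6 rather than 0.5, while the random walk reads close to 1. For an indicator the useful comparison is therefore against a baseline measured on the same node in its normal state (the paper's 0.68 against 0.54 under attack), not against 0.5 in the abstract.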
Next, the power-density spectrum was estimated; by the Wiener-Khinchin theorem it is the Fourier transform of the autocorrelation function, computed with the fast Fourier transform.
The network traffic autocorrelation function is determined by the following formula:

$$R(j) = \frac{1}{N}\sum_{i=1}^{N-j} U(i)\,U(i+j), \quad (6)$$
Figure 2. Dependence of R/S for the telecom traffic on the number of time samples.
where N is the total number of network traffic samples. The signal power-density spectrum is defined by the discrete Fourier transform of the autocorrelation function (6):

$$S_k = \frac{1}{N^2}\sum_{i=1}^{N}\sum_{p=1}^{N-i} U(p)\,U(p+i)\exp\left(-j\frac{2\pi k i}{N}\right), \quad k = 0, \dots, N-1. \quad (7)$$

Figure 3 shows the network traffic power-density spectrum $S(f) = S_k(U)$ in the normal state (with no network attack).
At the second stage the fractal measures and the network traffic power-density spectrum were studied under a DoS attack.
During the DoS attack the channel was fully loaded at 70 MB per second. It is worth noting here that the use of fractal measures (in particular the R/S parameter) ensures the scalability of the obtained results to the case of higher channel utilization.
For this purpose a deliberately vulnerable web system with a known IP address was set up in advance. To perform the DoS attack, software similar to the LOIC program was used, which floods a pre-specified IP address with a variable number of transactions. Simultaneously an attack on the MySQL server was carried out by SQL injection through a GET parameter of the vulnerable system. For this a query with the SQL function BENCHMARK(n, q) was used, which evaluates the expression q n times [5].
To attack the SQL server a script was written that issued such requests in a loop a given number of times. The network traffic captured during the DoS attack was again analyzed for fractal measures and the power-density spectrum. The Hurst exponent for the traffic during the attack equaled 0.54, which indicates a sharp decrease in the self-similarity level of the traffic of interest.
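The SQL injection described above carries MySQL's BENCHMARK() in a GET parameter, which is the signature a detection rule can look for in the web server's access log alongside the traffic-level indicator. The following is an added example, not part of the paper: it parses constructed combined-format access-log lines (the IP addresses, path and payloads are made up), URL-decodes each query parameter, with a second decoding pass for double-encoded payloads, flags the stalling functions BENCHMARK, SLEEP, PG_SLEEP and WAITFOR DELAY, and counts hits per source address so that a scripted loop of such requests stands out.

```python
import re
from collections import Counter
from typing import Iterable, List, Optional, Tuple
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache/nginx combined log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Functions used to make the database stall; BENCHMARK(n, q) is the one used in the paper.
TIME_BASED_SQL = re.compile(
    r'\b(BENCHMARK|SLEEP|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b',
    re.IGNORECASE,
)

# Constructed sample log (not real traffic): a benign request, a plain BENCHMARK injection,
# the same injection double URL-encoded, and a static file request.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2018:12:00:01 +0400] "GET /item.php?id=17 HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Apr/2018:12:00:02 +0400] '
    '"GET /item.php?id=17%27%20AND%20BENCHMARK(5000000,SHA1(%27x%27))--%20- HTTP/1.1" 200 1042',
    '198.51.100.9 - - [10/Apr/2018:12:00:09 +0400] '
    '"GET /item.php?id=17%2527%2520AND%2520benchmark%25285000000%252CSHA1%2528%2527x%2527%2529%2529 HTTP/1.1" 200 1042',
    '203.0.113.7 - - [10/Apr/2018:12:00:10 +0400] "GET /static/app.css HTTP/1.1" 200 2048',
]


def decode_param(value: str, rounds: int = 2) -> str:
    """Undo up to `rounds` extra layers of URL encoding (double encoding slips past naive filters)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_time_based_injection(target: str) -> Optional[Tuple[str, str]]:
    """Return (parameter, decoded value) for the first GET parameter carrying a stalling SQL call."""
    query = urlsplit(target).query
    for name, raw in parse_qsl(query, keep_blank_values=True):   # parse_qsl removes one encoding layer
        value = decode_param(raw)                                  # handle a second layer, if any
        if TIME_BASED_SQL.search(value):
            return name, value
    return None


def scan_access_log(lines: Iterable[str]) -> Tuple[List[Tuple[str, str, str]], Counter]:
    """Parse log lines; return (ip, parameter, payload) hits and a per-source hit counter."""
    hits: List[Tuple[str, str, str]] = []
    per_ip: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                               # skip lines in another format
        found = find_time_based_injection(m.group("target"))
        if found:
            hits.append((m.group("ip"), found[0], found[1]))
            per_ip[m.group("ip")] += 1
    return hits, per_ip


if __name__ == "__main__":
    hits, per_ip = scan_access_log(SAMPLE_LOG)
    for ip, param, payload in hits:
        print(f"{ip} param={param!r} payload={payload!r}")
    print("hits per source:", dict(per_ip))
```

Matching on the decoded parameter value rather than the raw request line is what makes the third sample line visible; the per-source counter is the cheap way to tell a single probe from the looped script the paper describes, and is the number worth correlating in time with the drop in H.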
Currently, experiments are being conducted on a backbone network with a load of 1.2 GB per second and a sample duration of 24 hours (86,000 computed values of the channel load).
Figure 3. Network traffic power-density spectrum in normal condition.
Figure 4 shows the power-density spectrum for the case in question, which allows one to visually classify the signal as "brown" noise.
Figure 4. Network traffic power-density spectrum at the time of attack.
Consequently, the experiment in a real network confirmed the change of the fractal measures and of the power-density spectrum under a DoS attack.
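Added example, not code from the paper, covering the spectrum of equations (6)-(7) and the "brown" noise reading of figure 4: the autocorrelation R(j) of (6) is transformed with the two-sided (cosine) form of the Wiener-Khinchin relation, which makes S_k real and non-negative and equal to the periodogram |DFT_k|^2 / N (the paper's 1/N^2 scaling differs only by a constant, which does not change the spectral slope). The noise colour is then read from the exponent beta in S ~ 1/f^beta fitted over the low-frequency bins. The bands in noise_colour (white below 0.5, brown above 1.5) are conventional labels assumed here; the paper itself names only "brown". The test signals are constructed, not measured traffic.

```python
import math
import random
from itertools import accumulate
from typing import List, Sequence, Tuple


def autocorrelation(u: Sequence[float]) -> List[float]:
    """R(j) = (1/N) sum_{i=1}^{N-j} U(i) U(i+j), equation (6), for lags j = 0 .. N-1."""
    n = len(u)
    return [sum(u[i] * u[i + j] for i in range(n - j)) / n for j in range(n)]


def power_density_spectrum(u: Sequence[float]) -> List[float]:
    """S_k, k = 0 .. N-1, as the Fourier transform of R(j) (Wiener-Khinchin theorem).

    Since R(-j) = R(j), the two-sided transform is a cosine sum, so S_k is real and
    non-negative and equals |DFT_k|^2 / N.  A constant offset in U (the mean channel
    load) only changes S_0, which the slope fit below leaves out.
    """
    n = len(u)
    r = autocorrelation(u)
    spectrum = []
    for k in range(n):
        s_k = r[0]
        for j in range(1, n):
            s_k += 2.0 * r[j] * math.cos(2.0 * math.pi * k * j / n)
        spectrum.append(s_k)
    return spectrum


def averaged_spectrum(series: Sequence[float], segment: int = 256) -> List[float]:
    """Average S_k over consecutive non-overlapping segments to cut the variance of the estimate."""
    segments = [series[i:i + segment] for i in range(0, len(series) - segment + 1, segment)]
    if not segments:
        raise ValueError("series shorter than one segment")
    total = [0.0] * segment
    for seg in segments:
        for k, value in enumerate(power_density_spectrum(seg)):
            total[k] += value
    return [value / len(segments) for value in total]


def spectral_exponent(spectrum: Sequence[float], k_max: int) -> float:
    """Fit lg S_k = -beta * lg k + const over k = 1 .. k_max and return beta."""
    xs = [math.log10(k) for k in range(1, k_max + 1)]
    ys = [math.log10(max(spectrum[k], 1e-300)) for k in range(1, k_max + 1)]  # guard against lg 0
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    slope = (sum((x - mx) * (y - my) for x, y in zip(xs, ys))
             / sum((x - mx) ** 2 for x in xs))
    return -slope


def noise_colour(beta: float) -> str:
    """Assumed bands: beta ~ 0 white, ~ 1 pink, ~ 2 brown (1/f^2)."""
    if beta < 0.5:
        return "white"
    if beta < 1.5:
        return "pink"
    return "brown"


def constructed_series(seed: int = 7, n: int = 2048) -> Tuple[List[float], List[float]]:
    """Constructed test signals (not measured traffic): white noise and its running sum (brown noise)."""
    rng = random.Random(seed)
    noise = [rng.gauss(0.0, 1.0) for _ in range(n)]
    return noise, list(accumulate(noise))


if __name__ == "__main__":
    noise, walk = constructed_series()
    for name, s in (("white noise", noise), ("random walk", walk)):
        beta = spectral_exponent(averaged_spectrum(s, 256), 32)
        print(f"{name}: beta = {beta:.2f} ({noise_colour(beta)})")
```

The fit is restricted to the lowest eighth of the bins because the finite-sample spectrum of a random walk follows 1/(2 sin^2(pi k/N)) rather than a pure power law and flattens toward the Nyquist frequency; for the paper's 10000-sample windows the same code is only slower, and a real FFT library would replace the O(N^2) loops without changing the result.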
Of interest is the study of the fractal measures and the network traffic power-density spectrum during various network attacks, which can lead to the creation of an online "pattern" database (library) of power-density spectra and fractal measure values. In other words, this opens the opportunity to build a fractal network-status indicator that determines, with high probability, the threat type at a given moment. Worth noting in this regard is that fine-grained fractal analysis reveals small changes in the traffic even when the channel is fully occupied during a network attack. However, further experimental research is needed here, aimed at identifying specific attacks and building "patterns" of their fractal characteristics.
Note that computing the Hurst exponent of network traffic with 10000 time samples takes around 1.5 seconds on an Intel Core i5, and the power-density spectrum calculation takes about 4 seconds.
3. Conclusion
In conclusion, let us dwell on the main results of the work done. The fractal network indicator has to perform the following functions:
• saving samples of channel occupancy records for certain time windows that are sufficient for network condition diagnostics;
• calculating the fractal measures and the power-density spectrum for every stored time series over definite time intervals, for subsequent comparison with "patterns" from the information base (using neural networks);
• determining the overall network state at the current and preceding time points;
• forecasting the probable nature of a network attack in the future.
Thus, for network traffic state analysis (including DoS attacks) the paper proposes the use of fractal measures and the power-density spectrum, which allow the threat level to be determined from indirect indications within an acceptable time limit.
The algorithms developed in this work may be useful for the analysis of "smartlink connections" [6]. Another object for the fractal technique is the stochastic network [7].
In conclusion, we note that the proposed method is the basis for creating a fractal indicator for analyzing the state of the network, while specialized software (iptables, ipfw, etc.) should be used to determine the sources of the DoS attack.
4. References
[1] Get'man A I, Markin Yu V, Evstropov E F and Obydenkov D O 2017 Analysis of network traffic in real-time mode: overview of applied tasks, approaches and solutions Trudy ISP RAN 29(3) 117-150 (in Russian)
[2] Shelukhin O I and Antonyan A A 2014 Analysis of changes in the fractal properties of telecommunications traffic caused by abnormal intrusions T-COMM: Telecommunications and Transport 8(6) 61-64 (in Russian)
[3] Feder J 1991 Fractals (Springer Science + Business Media, LLC) 305 p
[4] Golovko V A 2005 Neural network methods for processing chaotic processes VII All-Russian scientific-technical conference "Neuroinformatics" 43-91 (in Russian)
[5] Nizamutdinov M F 2005 The tactics of protecting and attacking WEB applications (SPb.: BHV-Peterburg Publisher) p 432 (in Russian)
[6] Nikitin V S, Semyonov E I, Solostin A V, Sharov V G and Chayka S V 2016 Modeling the "smartlink connection" performance Computer Optics 40(1) 64-72 DOI: 10.18287/2412-6179-2016-40-1-64-72
[7] Agafonov A A and Myasnikov V V 2016 Method for the reliable shortest path search in time-dependent stochastic networks and its application to GIS-based traffic control Computer Optics 40(2) 275-283 DOI: 10.18287/2412-6179-2016-40-2-275-28