Markov Model of Unsteady Profile of Normal Behavior of Network Objects of Computer Systems

Ihor Tereikovskyi 1 [0000-0003-4621-9668], Lyudmila Tereykovska 2 [0000-0002-8830-0790], Shynar Mussiraliyeva 3 [0000-0001-5794-3649], Mikola Tsiutsiura 2 [0000-0002-1946-9242] and Jugoslav Achkoski 4 [0000-0003-2782-3739]

1 National Technical University of Ukraine "Igor Sikorsky Kyiv Polytechnic Institute", Kyiv, Ukraine
2 Kyiv National University of Construction and Architecture, Kyiv, Ukraine
3 Al-Farabi Kazakh National University, Almaty, Kazakhstan
4 Military Academy "General Mihailo Apostolski", Skopje, North Macedonia

terejkowski@ukr.net, tereikovskal@ukr.net, mussiraliyevash@gmail.com, teodenor@gmail.com

Abstract. The article addresses the ongoing scientific and applied problem of improving systems for detecting cyberattacks on network objects of computer systems. The detection systems considered decide on an attack by checking whether the deviation of the current values of the controlled functional parameters of the computer system from the profile of normal behavior exceeds a tolerance. It is established that one of the main disadvantages of network cyberattack detection systems is the imperfection of the normal behavior profiles, which are insufficiently adapted to the typically non-stationary dynamics of the controlled functional parameters. It is proposed to form non-stationary profiles of normal behavior of network objects of computer systems on the basis of a multiperiodic Markov model, which takes into account the typical dynamics of the functional parameters that reflect the security state of network objects of computer systems. The peculiarity of the model is that each stationary section of the dynamics of the functional parameter is modeled by a homogeneous Markov chain with successive transitions.
It is experimentally established that the application of the developed multiperiodic model increases the accuracy of forecasting the dynamics of functional parameters by up to 2 times. Moreover, it is shown that the prospects for further research lie in developing methods for applying the theory of spectral analysis of data to determine the significant periods of the process of change of functional parameters.

Keywords: recognition of network cyberattacks, normal behavior profile, Markov model, dynamics of functional parameters.

Copyright © 2020 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). CMiGIN-2019: International Workshop on Conflict Management in Global Information Networks.

1 Introduction

The importance of improving the means of recognizing network cyberattacks is increasing due to the constant danger of cybercrime, the dynamic growth of varied cyber threats, and the growing complexity and responsibility of computer networks (CN) [1, 5, 11]. The basis of these tools is the data analysis module, whose main task is to decide on the presence or absence of a cyberattack on the protected object at a given time [8, 10, 16]. It is generally recognized that one of the most promising directions for improving the quality of data analysis is the use of anomaly detection in recognition systems. An important advantage of this method is the ability to recognize new types of attacks with unknown signatures. In this case, the data analyzers work on the assumption that the sign of a network cyberattack is a deviation of the specified parameters of the CN from the so-called normal behavior profile (NBP).
Although many scientific and practical works are devoted to the development of NBPs, successful network attacks on a number of domestic and foreign institutions indicate the need for their significant improvement, which explains the relevance of research in this direction.

2 Literature Review and Problem Postulation

As the literature review shows, Shewhart, EWMA and CUSUM control charts, simulation and neural network models, as well as models based on classical methods of statistical analysis, are mainly used for the construction of modern NBPs [5, 6, 18, 19]. It should be noted that in most cases these profiles describe the dynamics of the functional parameters of the CN. A method and an experimental system for detecting attacks on CN resources are developed in [9]. The method uses patterns of normal behavior based on a simulation model of the functioning of the network objects of the CN. It should be mentioned that constructing such a simulation model for a real CS involves great difficulties. The aim of [1] was to develop a mathematical model of the network behavior of a CS and a method of anomaly detection based on a statistical study of changes in the characteristics of this system. That paper proposes to divide the whole space of performance indicators into indicators characterizing the use of local system resources and indicators of interaction with the outside world. The introduced mathematical model relies on the sample homogeneity criterion to identify anomalies. In addition, the literature review shows that methods of statistical data processing can additionally be used to refine the obtained NBP. Thus, [4] describes the process of developing templates for fixing abnormal behavior of a CN on the basis of BDS tests.
It is argued that such tests are effective methods for identifying dependencies in time series within their nonlinear analysis and have been widely used for the analysis of financial markets. The article develops the mathematical apparatus of the testing and presents the results of numerical experiments, confirming the possibility of using such templates to identify malicious software by heuristic analyzers. Article [13] is devoted to the development of adaptive patterns for fixing abnormal behavior of a CN. The possibility of using Shewhart control charts for this purpose is confirmed. For the development and experimental studies, a software model was developed that allows obtaining a database of CN state templates and fixing abnormal behavior of network objects. The possibility of using the developed adaptive patterns in heuristic analyzers of intrusion detection systems is stated. However, as studies have shown, these means of forming patterns are not free of drawbacks. Thus, EWMA control charts are insensitive to short manifestations of anomalies. At the same time, CUSUM charts detect small but persistent changes with higher probability, but have low accuracy (a high probability of false positives) under dynamic changes in the state of the computer system [2-5]. The analyzed patterns based on classical methods of statistical analysis are characterized by a high level of false positives when used in local networks, where the behavior of objects does not have a smooth, averaged character [8, 10]. In the authors' view, these shortcomings can be eliminated by using the theory of Markov processes, which is successfully applied to building statistical models of complex processes [7]. It should be noted that the expediency of using Markov chains in the field of cyberattack recognition has already been proved in [9, 19, 20].
Thus, [9] is devoted to the use of hidden Markov chains for modeling the mental state of the CN operator during the implementation of cyberattacks. The paper [14] describes in detail a methodology of CN protection based on game theory using a Markov model. The possibility of choosing the most effective protection strategy within a certain time window is shown. A similar problem is considered in [15], where a Markov model is developed to determine the protection strategy for a moving target. In [17] an algorithm of step-by-step detection of attacks on a computer network on the basis of a hidden Markov model is proposed. In [20] the possibility of forming templates of normal behavior of network objects of a CN on the basis of a homogeneous Markov chain with consecutive transitions is proved. It is determined that for the formation of patterns of normal behavior it is advisable to use a Markov chain with the number of states equal to 20. The graph of process transitions is developed, and the corresponding mathematical support, which allows calculating the basic parameters of the Markov chain underlying the specified template, is formed. Experimental results confirm the effectiveness of the developed Markov model for conditionally stationary dynamics of the controlled security parameters. Moreover, the expediency of further studies on justifying the nomenclature of controlled parameters and adapting the Markov model to the typical non-stationary nature of the functional parameters of the CN is shown. It should be noted that the possibility of creating a Markov model of an unsteady NBP is confirmed by theoretical works devoted to the Markov approximation of multiperiodic unsteady processes [7, 19]. Thus, as a result of the analysis of scientific and practical works [2-4, 7-17, 19, 20], the prospects of using Markov chains for the formation of NBPs are determined.
In addition, it is shown that the known mathematical models of NBP do not fully consider the typical non-stationary nature of the dynamics of the functional parameters of network objects of a CN.

3 Purposes and Objectives of the Study

The main purpose of this study is to develop a Markov model of the non-stationary profile of normal behavior of network objects of computer systems, adapted to the typical non-stationary nature of the dynamics of the functional parameters of such objects.

4 Development of the Markov Model

In the construction of the Markov model, the position of the theory of dynamic data series is used, according to which a multiperiodic NBP can be represented as a sum of single-period profiles. The graph of a single-period NBP is shown in Fig. 1, and the graph of a multiperiodic NBP in Fig. 2.

Fig. 1. Single-period NBP graph.

Fig. 2. Graph of multiperiodic NBP.

The actual NBP corresponds to the function $X = f(t)$. In Fig. 1, the letters A and B denote the transition (extreme) points of the function $X = f(t)$: the maxima of the function are denoted as $A_2, A_4, \ldots, A_D$, and the minima as $B_1, B_2, \ldots, B_{D-1}$. Indices $1, 2, \ldots, D$ correspond to the numbers of the transition points. On intervals of type $B_d A_{d+1}$ and $A_{d+1} B_{d+2}$ the single-period NBP has a stationary character. On intervals of type $B_d A_{d+1}$ the function $X = f(t)$ increases, and on intervals of type $A_{d+1} B_{d+2}$ it decreases. According to theoretical studies in the field of the theory of Markov processes, the basis of the NBP on a stationary interval of the dynamics of the operational parameters of a CN is a homogeneous Markov chain described by a system of Kolmogorov-Chapman equations and a normalization condition, which can be written as follows:

$$\begin{cases}
P_1(t) = P_1(t-1) - P_1(t-1)\,p_{1,i} - \ldots - P_1(t-1)\,p_{1,N} + P_i(t-1)\,p_{i,1} + \ldots + P_N(t-1)\,p_{N,1}, \\
\ldots \\
P_i(t) = P_i(t-1) - P_i(t-1)\,p_{i,1} - \ldots - P_i(t-1)\,p_{i,N} + P_1(t-1)\,p_{1,i} + \ldots + P_N(t-1)\,p_{N,i}, \\
\ldots \\
P_N(t) = P_N(t-1) - P_N(t-1)\,p_{N,1} - \ldots - P_N(t-1)\,p_{N,i} + P_1(t-1)\,p_{1,N} + \ldots + P_i(t-1)\,p_{i,N},
\end{cases} \qquad (1)$$

$$\sum_{i=1}^{N} P_i(t) = 1, \qquad (2)$$

where $P_i(t)$ is the probability of finding the functional parameter in the $i$-th state at time $t \in [0, t_{\max}]$, $p_{i,j}$ is the probability of transition from state $i$ to state $j$ in one step of the process, and $N$ is the number of states of the Markov chain.

If we accept the postulate that at the initial moment of time the simulated parameter is in the first state of the Markov chain, then the initial conditions of the modeling can be written as follows:

$$P_1(0) = 1. \qquad (3)$$

The disadvantage of the described Markov chain is the complexity of calculating the transition probabilities, which is determined primarily by the fully connected character of the possible transitions of the process between states. Therefore, based on the results of [7, 8, 19], the assumption is made that it is possible to use a Markov chain in which only successive transitions between states are possible, with the number of states equal to 10. At the same time, the accuracy of the model remains sufficient for the task of forming the NBP. Due to the accepted simplification, expression (1) is modified as follows:

$$\begin{cases}
P_1(t) = P_1(t-1) - P_1(t-1)\,p_{1,2} + P_2(t-1)\,p_{2,1}, \\
\ldots \\
P_i(t) = P_i(t-1) - P_i(t-1)\,p_{i,i+1} + P_{i-1}(t-1)\,p_{i-1,i}, \\
\ldots \\
P_N(t) = P_N(t-1) - P_N(t-1)\,p_{N,N-1} + P_{N-1}(t-1)\,p_{N-1,N},
\end{cases} \qquad (4)$$

where $N = 10$ is the number of states of the Markov chain. When approximating the dynamics of operational parameters of computer networks, it is recommended that the states numbered from 1 to $(N-1)$ correspond to such values of the parameter at which the software and hardware of the network are in a working state, and the $N$-th state corresponds to a non-working state [7]. In a one-sided region of operability, the first $(N-1)$ states are defined by lower and upper bounds, and the last, $N$-th, state by the lower bound only.
Using the procedure of uniform quantization of the region of operability, the state boundaries are defined as follows:

$$L^b_i = \Delta \cdot i, \qquad (5)$$

$$L^e_i = \Delta \cdot (i-1), \qquad (6)$$

$$\Delta = \frac{L}{N-1}, \qquad (7)$$

$$L = L^b - L^e, \qquad (8)$$

where $L^b_i$, $L^e_i$ are the upper and lower bounds of the $i$-th state, $\Delta$ is the width of a state, $L$ is the width of the region of operability, and $L^b$, $L^e$ are the upper and lower limits of the region of operability.

The described quantization procedure is illustrated in Fig. 3, which shows graphs of the dynamics of some operational parameter X for controlled objects of the same type. In Fig. 3 the following notation is used: $t_k$ are the moments of registration; $1 \ldots N$ are the numbers of the states of the Markov chain; $n_i$ are the borders of the states; $O_1, O_2, O_3, O_4, O_5$ are realizations of X. The calculation of the probabilities of transition of the controlled parameter from state $i$ to state $j$ in one step of the process is implemented as follows:

$$p(t_k)_{i-1,i} = R(t_k)_i / R(t_k)_r, \qquad (9)$$

$$p_{i-1,i} = \sum_{k=1}^{I} p(t_k)_{i-1,i} / I, \qquad (10)$$

where $p(t_k)_{i-1,i}$ is the probability of transition between the $(i-1)$-th and $i$-th states in one calculation step of the Markov chain; $R(t_k)_i$ is the number of controlled objects that moved from the $(i-1)$-th to the $i$-th state during the time interval $t_k$, which corresponds to one step of the Markov chain; $R(t_k)_r$ is the total number of operable objects at time $t_k$; $p_{i-1,i}$ is the probability of transition between the $(i-1)$-th and $i$-th states; $I$ is the number of registrations of the parameter.

Fig. 3. The graphs of dynamics of values of the operational parameter for controlled objects.

In the simplest case, to simulate one period of a single-period process of change of the operational parameter X, the graph of which is shown in Fig. 3, the model consists of two homogeneous Markov chains given by expressions (2, 3, 4). The first chain is designed to simulate the AB section, the second the BC section.
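The following is an added worked example, not code from the paper or from its MarkPr package: it carries the procedure of expressions (5)-(10) and (2)-(4) through on constructed observations of five controlled objects. The function names (`state_bounds`, `quantize`, `estimate_transitions`, `simulate`), the sample realizations, the choice of N = 5 states instead of the paper's 10, and the conventions that the bounds (5)-(6) are offset by the lower limit of the region and that the boundary rows of (4) use forward transitions only are all assumptions of this example.

```python
"""Added example (not code from the paper or its MarkPr package): building
the Markov chain of one stationary interval of an NBP from constructed
observations. With the paper's symbols it implements:
  (5)-(8)  uniform quantization of the region of operability into N states;
  (9)-(10) estimation of the successive-transition probabilities p_{i-1,i}
           from R(t_k)_i and R(t_k)_r over I registrations;
  (3), (4), (2) the chain with successive transitions, started in state 1,
           with the normalization condition checked after every step.
Lists are 1-indexed (index 0 unused) to match the paper's numbering."""
from typing import List, Optional, Tuple

Bounds = List[Tuple[float, Optional[float]]]


def state_bounds(L_e: float, L_b: float, N: int) -> Bounds:
    """Expressions (5)-(8). Returns (lower, upper) for states 1..N. States
    1..N-1 tile the region of operability [L_e, L_b); state N (non-working)
    has a lower bound only, so its upper bound is None. Assumption: the
    paper's bounds Delta*i, Delta*(i-1) are taken relative to L_e."""
    L = L_b - L_e                        # (8) width of the region of operability
    delta = L / (N - 1)                  # (7) width of one state
    bounds: Bounds = [(L_e + delta * (i - 1), L_e + delta * i)   # (6), (5)
                      for i in range(1, N)]
    bounds.append((L_b, None))           # N-th state: lower bound only
    return bounds


def quantize(x: float, bounds: Bounds) -> int:
    """State number (1..N) of a parameter value x."""
    for i, (_lo, hi) in enumerate(bounds, start=1):
        if hi is None or x < hi:
            return i
    return len(bounds)


def estimate_transitions(realizations: List[List[float]], bounds: Bounds) -> List[float]:
    """Expressions (9)-(10). realizations[o][k] is the value of X for
    controlled object O_o at registration t_k, k = 0..I. Returns p with
    p[i] = p_{i-1,i} for i = 2..N (p[0], p[1] unused and left at 0).
    R(t_k)_r is taken as the number of objects in working states 1..N-1
    before step k (an assumption); jumps over several states are not counted,
    since the chain allows successive transitions only."""
    N = len(bounds)
    I = len(realizations[0]) - 1         # number of chain steps observed
    p = [0.0] * (N + 1)
    for k in range(1, I + 1):
        operable = [o for o in realizations if quantize(o[k - 1], bounds) < N]
        R_r = len(operable)
        for i in range(2, N + 1):
            R_i = sum(1 for o in operable
                      if quantize(o[k - 1], bounds) == i - 1
                      and quantize(o[k], bounds) == i)
            p[i] += R_i / R_r if R_r else 0.0            # (9)
    return [v / I for v in p]                             # (10)


def simulate(p: List[float], N: int, steps: int) -> List[List[float]]:
    """Expression (4) with forward transitions only (p_{2,1} = p_{N,N-1} = 0,
    an assumption for an increasing interval), from P_1(0) = 1 (3).
    Returns [P(0), P(1), ..., P(steps)], each a 1-indexed list."""
    P = [0.0] * (N + 1)
    P[1] = 1.0                                            # (3)
    history = [P[:]]
    for _ in range(steps):
        Q = [0.0] * (N + 1)
        for i in range(1, N + 1):
            outflow = P[i] * p[i + 1] if i < N else 0.0   # P_i(t-1) p_{i,i+1}
            inflow = P[i - 1] * p[i] if i > 1 else 0.0    # P_{i-1}(t-1) p_{i-1,i}
            Q[i] = P[i] - outflow + inflow
        assert abs(sum(Q) - 1.0) < 1e-9                   # (2) normalization
        P = Q
        history.append(P[:])
    return history


# Constructed sample: five realizations O_1..O_5 of parameter X registered at
# t_0..t_4, region of operability [0, 100), N = 5 states (the paper uses 10).
REALIZATIONS = [
    [10, 30, 55, 80, 105],
    [12, 20, 40, 60, 85],
    [5, 35, 45, 70, 90],
    [15, 40, 65, 70, 95],
    [8, 28, 52, 78, 99],
]
BOUNDS = state_bounds(0.0, 100.0, 5)


if __name__ == "__main__":
    p = estimate_transitions(REALIZATIONS, BOUNDS)
    for t, P in enumerate(simulate(p, 5, 3)):
        print(t, [round(x, 4) for x in P[1:]])
```

On the constructed sample the estimate (10) gives p_{1,2} = p_{2,3} = p_{3,4} = 0.25 and p_{4,5} = 0.05, and three steps of (4) move the probability mass from state 1 towards the higher states while the normalization condition (2) holds at every step; the dyadic values keep the arithmetic exact, which is convenient when checking a profile by hand.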
In this case, the probabilities of the first Markov chain at time B are the initial distribution of the form (1) for the second Markov chain. For a two-period process, the graph of which is shown in Fig. 4, the Markov model will be more complex. In such a model it is necessary to take into account that the BF section is non-stationary only in the CE section. In this case, the half-periods CD and DE are nested in the half-period BF.

Fig. 3. The half-period graph of a single-period process.

Fig. 4. The graph of a two-period process.

To construct a multiperiodic Markov model, the authors developed an approach based on the Markov model described in [19, 20] of a one-period non-stationary NBP process $X = f(t)$, which increases sequentially on stationary intervals of type $B_d A_{d+1}$ and decreases on stationary intervals of type $A_{d+1} B_{d+2}$, where $d$ is the number of the transition point (see Fig. 1). The Markov model of a one-period NBP, $M_{BAB}$, consists of two homogeneous Markov chains $M_{BA}$ and $M_{AB}$, designed to simulate the dynamics of the functional parameter on stationary intervals of type $B_d A_{d+1}$ and $A_{d+1} B_{d+2}$ respectively. By analogy with [2, 3], in the model of a multiperiodic NBP it is also assumed that each stationary section is modeled by its own homogeneous Markov chain. For example, in the NBP of a two-period process, the graph of which is shown in fragments in Fig. 4, sequential simulation of each of the stationary intervals AB, BC, CD, DE and EF is provided by its own homogeneous Markov chain. As in the case of a one-period NBP, the final probability distribution of the previous Markov chain is the initial condition for the subsequent chain. Thus, the Markov model of a multiperiodic NBP, $M^*_{BAB}$, the structure of which is shown in Fig. 5, consists of modules $M^{(1)}_{BAB}, M^{(2)}_{BAB}, \ldots, M^{(K)}_{BAB}$ designed to simulate the $K$ significant periods of the dynamics of the functional parameter under study.
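The composition just described, as an added example that is not the paper's own MarkPr code: each half-period is run as its own nearest-neighbour chain of the form (4), the final distribution of one chain becomes the initial condition of the next, and the K periodic components are then combined into the integral distribution of the model, expression (14). The function names (`step`, `run_half_period`, `run_module`, `multiperiodic_profile`, `expectation`), N = 5 states instead of the paper's 10, the uniform transition probability q per half-period and the interval lengths are all constructed for this example rather than estimated by (11)-(12); the state centers used for the expectation are likewise an assumption.

```python
"""Added example (not the paper's MarkPr code): assembling the multiperiodic
NBP model M*_BAB of expressions (13)-(14) from per-interval chains, as the
paper describes it: each stationary interval (half-period) is its own
homogeneous chain of the form (4), the final distribution of one chain is
the initial condition of the next, and the K periodic components are
averaged by (14). Transition probabilities and interval lengths here are
constructed, not estimated by (11)-(12). Lists are 1-indexed (index 0
unused) to match the paper's numbering."""
from typing import List, Tuple

N = 5          # number of states (the paper uses N = 10; 5 keeps vectors short)
Vec = List[float]
HalfPeriod = Tuple[str, float, int]   # (direction 'up'/'down', prob q, steps)


def step(P: Vec, fwd: Vec, bwd: Vec) -> Vec:
    """One step of (4) for a chain with successive transitions in either
    direction: fwd[i] = p_{i,i+1}, bwd[i] = p_{i,i-1}; fwd[N] = bwd[1] = 0."""
    Q = [0.0] * (N + 1)
    for i in range(1, N + 1):
        outflow = P[i] * (fwd[i] + bwd[i])
        inflow = (P[i - 1] * fwd[i - 1] if i > 1 else 0.0) \
               + (P[i + 1] * bwd[i + 1] if i < N else 0.0)
        Q[i] = P[i] - outflow + inflow
    return Q


def run_half_period(P0: Vec, direction: str, q: float, steps: int) -> List[Vec]:
    """Chain M_BA ('up', forward transitions only) or M_AB ('down', backward
    only) of one stationary interval, with a constructed uniform transition
    probability q. Returns the trajectory [P0, P(1), ..., P(steps)]."""
    zeros = [0.0] * (N + 1)
    fwd = [0.0] + [q] * (N - 1) + [0.0] if direction == "up" else zeros
    bwd = [0.0, 0.0] + [q] * (N - 1) if direction == "down" else zeros
    traj = [P0]
    for _ in range(steps):
        traj.append(step(traj[-1], fwd, bwd))
    return traj


def run_module(half_periods: List[HalfPeriod]) -> List[Vec]:
    """One periodic component M^(k)_BAB: its half-periods run in sequence from
    P_1(0) = 1 (3); each chain starts from the final distribution of the
    previous one. Returns one probability vector per calculation step tau."""
    P = [0.0] * (N + 1)
    P[1] = 1.0
    traj = [P]
    for direction, q, steps in half_periods:
        traj.extend(run_half_period(traj[-1], direction, q, steps)[1:])
    return traj


def multiperiodic_profile(modules: List[List[HalfPeriod]]) -> List[Vec]:
    """Expression (14): P_i(tau) = K^-1 * sum_k P_i^(k)(tau), the output (13)
    of M*_BAB at every step tau covered by all K modules."""
    trajs = [run_module(m) for m in modules]
    K = len(trajs)
    T = min(len(t) for t in trajs)
    return [[sum(trajs[k][tau][i] for k in range(K)) / K for i in range(N + 1)]
            for tau in range(T)]


def expectation(P: Vec, centers: Vec) -> float:
    """Mathematical expectation of the parameter for a distribution P (the
    quantity plotted in Fig. 6), from constructed state centers."""
    return sum(P[i] * centers[i] for i in range(1, N + 1))


# Constructed two-period profile (K = 2) over 8 steps: module 1 is one long
# period (rise 4 steps, fall 4 steps); module 2 is two short periods nested in
# it, as the half-periods CD and DE are nested in BF in Fig. 4.
MODULES = [
    [("up", 0.5, 4), ("down", 0.5, 4)],
    [("up", 0.5, 2), ("down", 0.5, 2), ("up", 0.5, 2), ("down", 0.5, 2)],
]
# Centers of states 1..4 for a region of operability [0, 100); state 5 (non-
# working) has a lower bound only and is represented by that bound.
CENTERS = [0.0, 12.5, 37.5, 62.5, 87.5, 100.0]


if __name__ == "__main__":
    for tau, P in enumerate(multiperiodic_profile(MODULES)):
        print(tau, [round(x, 4) for x in P[1:]], round(expectation(P, CENTERS), 2))
```

Because every chain conserves probability mass and each module starts from (3), the averaged vector of (14) is itself a distribution at every step, which is what makes it usable as the reference against which the observed state of the parameter is compared; the expectation printed alongside it is the kind of curve the paper shows in Fig. 6.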
In this case, an arbitrary $k$-th module $M^{(k)}_{BAB}$ is the Markov model of a one-period NBP developed in [19, 20], designed for modeling the $k$-th periodic component. In turn, $M^{(k)}_{BAB}$ consists of two Markov chains, $M^{(k)}_{BA}$ and $M^{(k)}_{AB}$, designed to model the $k$-th periodic component of the NBP. The output of the $k$-th module $M^{(k)}_{BAB}$ at the $\tau$-th step of the calculation is $P^{(k)}(\tau)$, the probability distribution vector for the $k$-th periodic component of the NBP.

The number of states and the state boundaries of the Markov chain of each module should be calculated individually using expressions (5-8). The values of the transition probabilities should also be calculated separately for each Markov chain. For this purpose, expressions (9, 10) can be used, slightly modified to process the statistics on the corresponding interval of functioning (half-period):

$$p_z(t_k)_{i-1,i} = R_z(t_k)_i / R_z(t_k)_r, \quad t_k \in z, \qquad (11)$$

$$p_{z,i-1,i} = \sum_{k=1}^{I_z} p_z(t_k)_{i-1,i} / I_z, \qquad (12)$$

where $z$ is the half-period in question. The other symbols in (11, 12) correspond to those of expressions (9, 10).

Fig. 5. Markov model of multiperiodic NBP.

The output of the model $M^*_{BAB}$ at the $\tau$-th step of the calculation is the probability distribution vector of the form

$$P(\tau) = \left( P_1(\tau), P_2(\tau), \ldots, P_N(\tau) \right), \qquad (13)$$

where $P_i(\tau)$ is the integral probability of finding the parameter in the $i$-th state of the Markov chain at the $\tau$-th step of the calculation. $P_i(\tau)$ is calculated as follows:

$$P_i(\tau) = K^{-1} \sum_{k=1}^{K} P^{(k)}_i(\tau), \qquad (14)$$

where $P^{(k)}_i(\tau)$ is the probability of the functional parameter staying in the $i$-th state of the $k$-th Markov chain at the $\tau$-th calculation step.

Using the proposed Markov model, the software package MarkPr was developed, which allows simulating Markov processes of various types. Fig. 6 shows the simulation results of a two-period Markov process with 10 states. The graph shown in Fig. 6
corresponds to the mathematical expectation of the controlled parameter.

Fig. 6. The graphs of the dynamics of the mathematical expectation of the number of requests.

On the basis of the described Markov model, given by expressions (2-14), a two-period NBP of a Web server was developed. Statistical data from [19, 20] were used to construct the model. The simulation was carried out using the MarkPr program mentioned above. The number of web server accesses per minute is used as the security parameter. The simulation results are partially presented in Fig. 7, where 1 denotes the graph based on statistical data, 2 the graph based on the one-period model [20], and 3 the graph based on the proposed two-period model.

Fig. 7. The graphs of the dynamics of the mathematical expectation of the number of requests.

It is important to mention that for the one-period model the average modeling error is 0.09 [19-22], for the two-period (authors') model 0.04, and for common polynomial models [1, 4] 0.14-0.18. Therefore, the application of the proposed two-period model reduced the modeling error by about 2 times relative to the one-period model and by about 4 times relative to common polynomial models. Consequently, the results of the experiments confirm the effectiveness of the proposed two-period Markov model of NBP. At the same time, the issue of determining the number of significant periods that need to be taken into account in the NBP remains unresolved. Based on the results of [12], it can be assumed that this deficiency can be corrected by using the theory of spectral analysis of data.

5 Conclusion

As a result of the conducted research, the expediency of forming multiperiodic profiles of normal behavior of network objects of computer systems on the basis of a Markov chain with consecutive transitions is justified.
The developed Markov model of the non-stationary profile of normal behavior takes into account the typical multiperiodic nature of the dynamics of the functional parameters that reflect the security state of network objects of computer systems. Experimental studies found that the application of the developed multiperiodic model increased the accuracy of forecasting the dynamics of functional parameters by up to 2 times relative to the best known models of similar purpose. It is shown that the prospects for further research lie in developing methods for applying the theory of spectral analysis of data to determine the significant periods of the process of change of functional parameters.

References

1. Baranov P. A. Detection of anomalies based on an analysis of the uniformity of parameters of computer systems: dissertation ... Candidate of Technical Sciences: 05.13.19. St. Petersburg, 2007. 155 p.
2. Choudhury, H., Mandal, S., Prasanna, S.R.M. Comparative study of Markov Model based synthesis and recognition systems. (2017). IEEE Region 10 Annual International Conference, Proceedings/TENCON, pp. 272-276.
3. Choudhury, H., Mandal, S., Prasanna, S.R.M. Comparative study of Markov Model based synthesis and recognition systems. (2017). IEEE Region 10 Annual International Conference, Proceedings/TENCON, pp. 272-276.
4. Semenov S.G., Gavrilenko S.Yu., Chelak V.V. Design templates for identification state of computer systems are based on BDS-test. Herald of the National Technical University "KhPI". Subject issue: Information Science and Modelling. Kharkov: NTU "KhPI", 2016, No 21 (1193), pp. 118-127.
5. Dychka, I., Tereikovskyi, I., Tereikovska, L., Pogorelov, V., Mussiraliyeva, S. (2018). Deobfuscation of computer virus malware code with value state dependence graph. Advances in Intelligent Systems and Computing, pp. 370-379.
6. Dychka, I., Chernyshev, D., Tereikovskyi, I., Tereikovska, L., Pogorelov, V. Malware Detection Using Artificial Neural Networks. Advances in Computer Science for Engineering and Education II. ICCSEEA 2019. Advances in Intelligent Systems and Computing, vol. 938. Springer, Cham, pp. 3-12.
7. Ignatov V.A., Manshin G.G., Traynev V.A. Statistical optimization of the quality of functioning of electronic systems. Moscow: Energy, 1974, 264 p. (In Russian).
8. Gavrilenko S.Yu., Gornostal A.A. Development of adaptive patterns for fixing abnormal behavior of a computer system. Information Processing Systems, 2016, issue 3, pp. 11-14.
9. Gamayunov D. Falsifiability of network security research: The good, the bad, and the ugly. In: Proceedings of the 1st ACM SIGPLAN Workshop on Reproducible Research Methodologies and New Publication Models in Computer Engineering, TRUST '14, pages 4:1-4:3. ACM, New York, NY, USA, 2014.
10. Gnatyuk S. Critical Aviation Information Systems Cybersecurity. Meeting Security Challenges Through Data Analytics and Decision Support, NATO Science for Peace and Security Series, D: Information and Communication Security. IOS Press Ebooks, Vol. 47, No 3, pp. 308-316, 2016.
11. Gnatyuk S., Sydorenko V., Aleksander M. Unified data model for defining state critical information infrastructure in civil aviation. Proceedings of the 2018 IEEE 9th International Conference on Dependable Systems, Services and Technologies (DESSERT), Kyiv, Ukraine, May 24-27, 2018, pp. 37-42.
12. Hu, Z., Tereikovskyi, I., Tereikovska, L., Tsiutsiura, M., Radchenko, K. Applying Wavelet Transforms for Web Server Load Forecasting. Advances in Computer Science for Engineering and Education II. ICCSEEA 2019. Advances in Intelligent Systems and Computing, vol. 938. Springer, Cham, pp. 13-22.
13. Kuznetsov G.V., Ivanov A.M. Data analysis methods for detecting attacks in computer systems and networks of banking structures. Kyiv: Inf. security. Collection, NAU, 2004, pp. 45-50.
14. Liu, S.-Z., Liao, Z.-F., Hu, J., Fan, X.-P. (2014). Classified time homogeneous Markov model for recommendation based on implicit feedback. Tien Tzu Hsueh Pao/Acta Electronica Sinica 42(4), pp. 703-710.
15. Mustafayev A.G. (2016). Neyrosetevaya sistema obnaruzheniya komp'yuternykh atak na osnove analiza setevogo trafika [Neural network system for detecting computer attacks based on network traffic analysis]. Voprosy bezopasnosti, 2:1-7. URL: http://nbpublish.com/library_read_article.php?id=18834 (accessed: August 22, 17).
16. Pavlov D., Chertov O. (2019). How Click-Fraud Shapes Traffic: A Case Study. In: Chertov O., Mylovanov T., Kondratenko Y., Kacprzyk J., Kreinovich V., Stefanuk V. (eds) Recent Developments in Data Science and Intelligent Analysis of Information. ICDSIAI 2018. Advances in Intelligent Systems and Computing, vol. 836. Springer, Cham.
17. Penagarikano, M., Bordel, G. (2004). Layered Markov models: A new architectural approach to automatic speech recognition. Machine Learning for Signal Processing XIV, Proceedings of the 2004 IEEE Signal Processing Society Workshop, pp. 305-314.
18. Taran, V., Gordienko, N., Kochura, Y., Gordienko, Y., Rokovyi, A., Alienin, O., Stirenko, S.: Performance evaluation of deep learning networks for semantic segmentation of traffic stereo-pair images. In: Proceedings of the 19th International Conference on Computer Systems and Technologies, pp. 73-80. ACM, September 2018.
19. Danik Yu., Hryschuk R., Gnatyuk S. Synergistic effects of information and cybernetic interaction in civil aviation. Aviation, Vol. 20, No 3, pp. 137-144, 2016.
20. Tereikovskiy, I., Parkhomenko, I., Toliupa, S., Tereikovska, L. Markov model of normal conduct template of computer systems network objects. 14th International Conference on Advanced Trends in Radioelectronics, Telecommunications and Computer Engineering, TCSET 2018, Proceedings, pp. 498-501.
21. Tikhomirov A., Kinash N., Gnatyuk S., Trufanov A., Berestneva O. et al. Network Society: Aggregate Topological Models. Communications in Computer and Information Science. Springer International Publishing, Vol. 487, pp. 415-421, 2014.
22. Toliupa, S., Tereikovska, L., Korystin, O., Nakonechnyi, V. One-periodic template marks model of normal behavior of the safety parameters of information systems networking resources. 2019 International Scientific-Practical Conference Problems of Infocommunications. Science and Technology, PIC S&T'2019, 08-11 October 2019, Kyiv, Ukraine, pp. 774-779.