The main requirement for modern systems of intrusion detection is the possibility of identifying deviations in information processes in order to detect unknown attack types. An overview of existing approaches to identifying network deviations based on multifractal analysis methods is given. The results of the calculation of the Hurst exponent for the time series of CPU usage for different types of user activity are presented.
Signature methods of analysis used in modern intrusion detection systems aimed at identifying known and more specific methods of attacks, appear not to be able to detect their modifications or new types, which makes the use of such systems ineffective. Existing solutions to individual cases of detection of network deviations to this time do not allow to develop a single universal mechanism for detecting previously unknown attack types.
The current task at the moment is to find more effective universal methods for detecting network
deviations that are a consequence of technical failures or unauthorized impacts. The main requirement
for these methods is the possibility of identifying arbitrary types of intruders, including distributed in
time. Statistical studies of network traffic indicate that it has the properties of fractality or
selfsimilarity, as well as the variability of these characteristics in the event of deviations in the network,
which allows the use of fractal analysis to detect attacks [
The purpose of this study is an overview of modern existing approaches to identifying network deviations based on the method of fractal analysis.
of attacks and modifications that exist without a clear formalization of keywords of network traffic and updating the signature database.
Behavioral methods are intended to identify unknown attacks and are based on detection of deviations from normal operation mode. Advantages of behavioral methods comprise the possibility of analyzing the dynamics of processes and the possibility of identifying new types of attacks. Disadvantages of behavioral methods include higher requirements for computing resources and capacities and lower probability of detection.
The time series is a sequence of values of the studied magnitude measured at regular intervals. The central concepts of fractal analysis are fractal dimension (D) and the Hurst exponent (H). The fractal dimension of the set (according to Hausdorff) is determined by:
D = − εl→im∞ lgl[gN((εε))] , (1) where N(ε) – the minimum number of non-empty cells ε that cover a given set.
The Hurst exponent characterizes the degree of similarity of the process: 1. 0 <H <0.5 – random process, which does not have self-similarity and is characterized by a tendency for average value; 2. H = 0.5 – a completely random process without a pronounced tendency; 3. H> 0.5 – a trend-resistant process that has a long memory and is self-similar.
The fractal dimension is directly related to the Hurst exponent: D = 2 – H.
This ratio is fair when the structure of the curve that describes the fractal function is investigated
with high resolution, that is, in the local limits. One of the popular methods of finding fractal dimension
is R / S analysis [
M [RS((nn))] ~cnH, n → ∞ (2) where n – high resolution; с – a positive finite constant that does not depend on n; Н – the Hurst exponent; R(n) – the scope of the time series.
R(n) = 1m≤ja≤nx∆j − 1m≤ji≤nn ∆j ∆j = ∑in=n xi − kx̅, k = ⃗1⃗⃗,⃗⃗⃗n x̅ = n1 ∑in=1 xi
S(n) = n−11 ∑in=1(xi − x̅)2
In [
The output signal f (t) is decomposed by means of a wavelet transform by the mother wavelet Ψ (t) into the corresponding coefficients:
The partition function is calculated:
S(q, j) = ∑p|Wf(up, j| For each value of q∈R it is necessary to calculate the scale indicator: τ(q, j) = logj→0inflnS(q,j) ln2j
Wf(u, i) = (f(t), Ψu,s(t)) = 2−2j ∫ t−2u
j dt q fl(a) = mq∈iRn[q (a + 12) − τ(q)] For each octave j, the multifractal dimension of the order q is calculated:
Dq,j = q−11 [q(a(q, j) − f(a(q), j))] (11)
When q <0, the value of S (q, j) depends on small maxima of the amplitude | W_f (u_p, j) |, as a result, the calculations may not be stable.
In order to avoid the emergence of false maxima of modules created by computing errors in areas where f is almost constant, wavelet-maxima are combined in a chain to form a maximum curve depending on the scale.
If Ψ = (−1)Pθ(p), where θ = 1 e−2t2 – Gaussian function, then all lines of maxima up(j) are √2π determined by curves that are limited by j = 0. Therefore, all maximum lines that do not extend to the smallest scale are deleted when calculating S (q, j).
Formalizing the difference in traffic spectra with certain deviations and without them, it is possible to compare the fractal dimensions D1, correlation dimensions D2 and intervals characterizing the “width” of the Lezhandr spectrum for each of the implementations for each octave of decomposition of j.
Information dimensions of the comparative implementations D1 are distinguished by a small stable value and practically do not depend on the number of levels of sampling. This allows us to conclude that the presence of long-term attacks in the signal and non-predicted activity changes the self-similar nature of traffic, and this property can be used in the future to detect attacks.
In [
For each set, a histogram is built for 24 equal intervals. For each group there are a packet number and the average package length for the same time intervals. At the next stage, the Hurst exponent is calculated by the method of periodogram that use the slope of the power spectrum. The Hurst exponent is calculated from the ratio:
β − 1 = 1 − 2Н, (12) where β -the slope of the line on a logarithmic scale.
In practice, you must first analyze traffic in the regular network operation mode during the day. When the deviation detection mode is turned on, at first the Hurst exponent is calculated and compared with the corresponding reference value calculated in normal mode, for each parameter separately.
In the paper [
The main advantage of the discrete stationary wavelet transform over a classic one is the preservation of the time information of the output signal at each level. In the second step, the time series is bypassed by two adjacent windows R and S. For each window, a fractal dimension is calculated according to the algorithm:
lg(da) where L – the length of the time series, d – the distance between the first point of the series and the farthest from it, a - the average distance between two adjacent points of the series.
Changes in the statistical parameters of the signal are reflected in the fractal dimension, to account for which the following function is introduced:
Gk = |FDk+1 − FDk|, k = 1, … , n (14) where n = number of points G.
The third step is the search for local maxima G that exceed a given threshold, which are considered as deviations from normal behavior. The accuracy of the method is significantly affected by the length of the window. For the analyzed window of length l, the energy of the functionGl is calculated as: 2 FD =
lg(aL) Gl = ∑ k|Glk|
N
In [
For the signal x (t) the fractional Fourier transform is determined as:
Xa(u) = Fa(u) = ∫−∞∞ x(t)Ka(t, u)dt (16) Ka(t, u) = √1 − i ∙ cot(α) ∙ exp[iπ(t2cot(α) − 2ut∙ csc(α) + u2cot(α))], α ≠ nπ (17) Ka(t, u) = δ(t − u), a = (2 ∓ 1)π (18) n ∈ Z, α = a2π (19) where a – the order of fractional Fourier transformation, provided that a=1, then the formula changes to the usual Fourier transformation.
Using a discrete wavelet transform and a multi-scale method of analysis, we can calculate the Hurst exponent if we analyze the expression:
G(j) ↔ (2H + 1)j + constan,twhere j – scale.
Next, the optimal selection of the range of scale intervals is made, using the method of
onedimensional weighted estimation of least squares [
Experimental verification of the proposed method showed its high accuracy, which reduced the number of false positives and omissions during the detection of the attack.
It was stated that network traffic is divided into several disjoint segments. The Hurst exponent for each segment is estimated. When the threshold values are exceeded, the traffic loses the property of self-similarity, which is regarded as a DDoS attack. But the intensity of the DDoS attack can change, which leads to a change in the Hurst exponent, so detection methods based on a fixed threshold require flexibility and adaptability.
This article proposes a method consisting of two stages: 1. Statistical analysis of the time series of network traffic using discrete wavelet transform and the Schwartz information criterion to find the change point of the Hurst exponent, which signals the start of a DDoS attack.
2. Adaptive regulation of the intensity of a DDoS-attack on the basis of fuzzy logic, by analyzing the Hurst exponent and the rate of its change. The Schwartz information criterion is based on the maximum likelihood function for the model and can be used to detect the presence of a threshold point by comparing the probability of a null hypothesis (no point) and an alternative (point of presence).
The Hurst exponent is estimated using a discrete wavelet transform, because in practice this method is one of the most reliable, as it is more resistant to gentle polynomial trends and noise.
For the time series of network traffic X in real time, the wavelet coefficients d (j, k) are calculated for each scale j and position k. Next, it is necessary to perform a detailed assessment of the dispersion at each scale j:
Sj = ∑nk=j1 d2(j, k) (20) where nj– the number of wavelet coefficients that are available in scale j
We assume that a new sample of traffic is received, then the amount will be updated as follows: nj ≠ nj + 1 (21)
Sj = Sj + d2(j, nj) (22) Estimation of variance in scale j:
performed for the linear section, α is calculated.You do not need to build this dependency every time you receive a new segment of traffic, this action is performed only when necessary.
Then the Hurst exponent is calculated (23) (24) εj =
Sj nj H = α+21
Let X be a time series of normal traffic, Y is a time series of traffic with deviations, Z - a time series of deviations, i.e. the relation Y = X + Z holds. Based on the theorems, we can conclude that regardless of the presence of self-similarity in Z, if X is a stationary self-similar process of the second order, then Y will still be a self-similar process. But the degree of self-similarity may change.
the attack, and ry = rx + rz. For each value of H ∈ (0.5,1] there is only one autocorrelation function on self-similarity. Thus, we examine ‖Hy − Hx‖, where Hxand Hx is an average values of the Hurst exponents Y and X, respectively.
The disadvantage of this method is that the wavelet transform coefficients and statistics based on the Schwartz information criterion are updated at the moment when new traffic values arrive, and the detection of the traffic self-similarity threshold will be restarted for each scale. Thus, a signal of the change in the point of self-similarity will be given, even if this change occurred on a different scale at the same moment.
After an attack is detected, close to the detection time the traffic is divided into parts. By analyzing the Hurst exponent and the speed of its change (the difference between the Hurst exponents of traffic parts before and after the moment of detection), we can determine the intensity of DDoS-attack, using the rules of fuzzy logic.
Determining the point of change of traffic self-similarity by the Schwartz information criterion which is based on the assumption that the entropy of a sequence with a variable self-similarity boundary point is greater than the entropy of the sequence in which this point is fixed. Suppose there is a sequence of length M. It is assumed that there is only one point of the self-similarity boundary at position 1 <g <M. In order to calculate the presence and location of this point, you need to calculate the entropy of the whole sequence, as well as parts f1 = (1, … , g) and f2 = (g + 1, … , M), compare their values and conclude whether the point g is marginal. If the entropy of the individual parts is much less than the entropy of the whole sequence, the point g is considered to be marginal.
General scheme of attack detection is presented in Fig.1.
New data of network traffic
Renewal of network traffic
Renewal of wavelet coefficients No
Renewal of Schwartz criterion
Determination of intensity Search of critical points
Fuzzy adaptive rules Too many boundary points? yes
Assessment of Hurst exponent
and speed of action
In the paper the Hurst exponents for four metrics of traffic by the iterative method in real time are calculated. Next, the collection and normalization of the results of anomaly detection to assess the security of network traffic is carried out.
The following scheme of traffic network security assessment is proposed (Fig. 2). Reference model of traffic
Detection of deviations
Assessment of security Evaluation of Hurst exponent
Statistical analysis
Traffic analysis
The algorithm for assessing traffic safety is divided into five stages: 1. Traffic collection. 2. Statistical analysis. 3. Assessment of the Hurst exponent Hearst index. 4. Detection of anomalies. 5. Security assessment.
To reduce the impact on the normal functioning of the network, traffic is duplicated on a special server that collects traffic. The software for collecting traffic on the server includes a hardware and technica complex, which has excellent performance when collecting network packets.
From the packets received from the router, information about the packet type is extracted, as well as four traffic metrics: the total number of packets, the number of TCP packets, UDP packets, ARP packets per unit of time. The Hurst exponent Hearst indices for four traffic metrics are calculated by an iterative real-time estimation method. These values are used to detect deviations and update the normal traffic model.
The current calculated value of the Hurst exponent is compared with the value from the normal model of traffic behavior. If the value is outside the allowable range, the traffic is considered abnormal. A normal traffic model is built by analyzing the normal operation of the network over a period of time.
The model includes a normal value of the Hurst exponent Hearst index and a confidence interval, and can be updated when a deviation is detected.
The criterion for assessing safety is the level of risk, which is calculated by the method of weighted averages, which takes into account the results of detection of deviations from the four traffic metrics. The level of risk provides administrators with the current state of data transmission in the network in terms of security.
Let Xn(n = 1,2,3, … ) - discrete stochastic process, and it is performed as follows:
Xi(m) = m1 ∑ikm=(i−1)m+1 Xk (25) Then X(m) is called aggregated processes Xn of the order m with autocorrelation function pm(k) of i the order m.
The stationary in a broad sense stochastic process Xn(n = 1,2, … ) is called self-similar, provided Xn and its aggregated processes X(m), of the order m which have the same autocorrelation functions n pm(k) = p(k)(m = 1,2, … ).
similarity function during the ith period of time, and its autocorrelation function satisfies: pK = H(2H − 1)K2H−2, K → ∞ (26) where H(0,5<H<1) - the Hurst exponent, which increases with increasing degree of self-similarity of the process.
more relevance a time series has . The iterative formula for calculating H:
Hi+1 = √(pkk2−2Hi) ∙ 0,5, k → ∞ For a given time series Х1, … , Хn it is calculated as: 1) expected value: 2) co-variance: 3) the autocorrelation function: μ̂= ̅X = n1 ∑in=1 Xi
1 ŷk= n−k ∑in=−1k(Xi − ̅X)(Xi+k − ̅X) p̂k= ŷk, k = 0,1, … (30)
ŷ0
The estimate of the autocorrelation function (p_k) serves as a replacement for p_k, then the iterative formula for calculating H takes the form:
Ĥi+1 = √(p̂kk2−2Ĥi+ Ĥi) ∙ 0.5,k → ∞
The results of the experiment showed that the iterative estimation of the Hurst exponent has a high speed and accuracy and also smaller confidence intervals for normal values compared to the methods of VarianceTime Plot. For a long-term large-scale correlation process is considered as Ĥ0= 0,5.
results of the experiment show that at k = 1 using this formula you can get the Hurst exponent with sufficient accuracy, reducing a significant number of calculations. In addition, the result is imperfect, even if k is large enough, so we take k = 1, and the formula takes the simplified form:
Ĥi+1 = √(p̂1+ Hi) ∙ 0,5 (32)
In normal operating mode, network traffic satisfies the pattern of daytime use. To reduce the impact of network traffic periodicity on the Hurst exponent, it is necessary to process traffic at different periods of time.
In practice, the four above-mentioned normal traffic metrics are at first calculated during the week. Then the average weekly normal values of the Hurst exponents for four traffic metrics are calculated for each day.
After that it is necessary to use the effective method of Ketani and Gubner to calculate 98% of the confidence intervals of the Hurst exponent (0,5 ≤ Н ≤ 0,95).
It is necessary to establish the initial state of the normal traffic model. When detected in real time mode, the value of the current calculated Hurst exponent is checked to fall into the confidence interval of the normal traffic model for each metric. If the value falls within the confidence interval, the traffic is considered normal, the detection result is 0, otherwise the traffic is considered with a deviation, and the detection result is 1. In the first case it is necessary to update the Hurst exponent and the confidence interval in the normal traffic model
The method of normalized security assessment is based on the weighted average method for accounting of all four traffic metrics. The level of risk is calculated as follows:
Ftraffic = ∑i4=1 w(i) ∙ Fobs(i),∑i4=1 w(i) = 1 obs= {1 − allpacket,s2 − TCPpacket,s3 − udppacket,s4arppacket}s In order to conduct the study, software was used for fractal analysis of time series (Fig. 3). (33) (27) (28) (29) (31)
Also, a graphical image of the Hurst exponent for the time series of processor's load and user expectations were modelled as you can see it in Fig. 4.
In this review we are talking mainly about network traffic, for which numerous studies have shown that it has the property of self-similarity, which allows us to use this fact to create a model of normal behavior.
In this article, an experiment was performed for a time series of CPU usage, the fractal properties of which are unknown.
The results show that the Hurst exponent of the time series of this parameter changes when changing the type of user activity in a wide range, which does not allow to make a conclusion about the presence or absence of self-similarity and makes it impossible to detect anomalies using only this method for this parameter.
[10] Bondarenko, S., Liliya, B., Krynytska, O., Inna, G. Modelling instruments in risk management (2019) International Journal of Civil Engineering and Technology, 10 (1), pp. 1561-1568 [11] Dobrynin, I., Radivilova, T., Maltseva, N., Ageyev, D. Use of Approaches to the Methodology of Factor Analysis of Information Risks for the Quantitative Assessment of Information Risks Based on the Formation of Cause-And-Effect Links (2019) 2018 International Scientific-Practical Conference on Problems of Infocommunications Science and Technology, PIC S and T 2018 Proceedings, art. no. 8632022, pp. 229–232.