<?xml version="1.0" encoding="UTF-8"?>
<TEI xml:space="preserve" xmlns="http://www.tei-c.org/ns/1.0" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://www.tei-c.org/ns/1.0 https://raw.githubusercontent.com/kermitt2/grobid/master/grobid-home/schemas/xsd/Grobid.xsd"
 xmlns:xlink="http://www.w3.org/1999/xlink">
	<teiHeader xml:lang="en">
		<fileDesc>
			<titleStmt>
				<title level="a" type="main">Exposing Deviations in Information Processes using Multifractal Analysis</title>
			</titleStmt>
			<publicationStmt>
				<publisher/>
				<availability status="unknown"><licence/></availability>
			</publicationStmt>
			<sourceDesc>
				<biblStruct>
					<analytic>
						<author>
							<persName><forename type="first">Yevhen</forename><surname>Ivanichenko</surname></persName>
							<email>y.ivanichenko@kubg.edu.ua</email>
							<affiliation key="aff0">
								<orgName type="institution">Borys Grinchenko Kyiv University</orgName>
								<address>
									<addrLine>18/2 Bulvarno-Kudriavska str</addrLine>
									<postCode>04053</postCode>
									<settlement>Kyiv</settlement>
									<country key="UA">Ukraine</country>
								</address>
							</affiliation>
						</author>
						<author>
							<persName><forename type="first">Valerii</forename><surname>Kozachok</surname></persName>
							<email>v.kozachok@kubg.edu.ua</email>
							<affiliation key="aff0">
								<orgName type="institution">Borys Grinchenko Kyiv University</orgName>
								<address>
									<addrLine>18/2 Bulvarno-Kudriavska str</addrLine>
									<postCode>04053</postCode>
									<settlement>Kyiv</settlement>
									<country key="UA">Ukraine</country>
								</address>
							</affiliation>
						</author>
						<author>
							<persName><forename type="first">Yurii</forename><surname>Dreis</surname></persName>
							<email>dreisyuri@gmail.com</email>
							<affiliation key="aff1">
								<orgName type="institution">Polissia National University</orgName>
								<address>
									<addrLine>7 Staryi ave</addrLine>
									<postCode>10008</postCode>
									<settlement>Zhytomyr</settlement>
									<country key="UA">Ukraine</country>
								</address>
							</affiliation>
						</author>
						<author>
							<persName><forename type="first">Olena</forename><surname>Nesterova</surname></persName>
							<email>o.d.nesterova@npu.edu.ua</email>
							<affiliation key="aff0">
								<orgName type="institution">Borys Grinchenko Kyiv University</orgName>
								<address>
									<addrLine>18/2 Bulvarno-Kudriavska str</addrLine>
									<postCode>04053</postCode>
									<settlement>Kyiv</settlement>
									<country key="UA">Ukraine</country>
								</address>
							</affiliation>
							<affiliation key="aff2">
								<orgName type="institution">National Pedagogical Dragomanov University</orgName>
								<address>
									<addrLine>9 Pyrohova str</addrLine>
									<postCode>01601</postCode>
									<settlement>Kyiv</settlement>
									<country key="UA">Ukraine</country>
								</address>
							</affiliation>
						</author>
						<author>
							<persName><forename type="first">Kate</forename><surname>Dmytriienko</surname></persName>
							<email>k.dmytriienko.asp@kubg.edu.ua</email>
							<affiliation key="aff0">
								<orgName type="institution">Borys Grinchenko Kyiv University</orgName>
								<address>
									<addrLine>18/2 Bulvarno-Kudriavska str</addrLine>
									<postCode>04053</postCode>
									<settlement>Kyiv</settlement>
									<country key="UA">Ukraine</country>
								</address>
							</affiliation>
						</author>
						<author>
							<affiliation key="aff3">
								<orgName type="department">Cybersecurity Providing in Information and Telecommunication Systems</orgName>
								<address>
									<addrLine>October 26</addrLine>
									<postCode>2021</postCode>
									<settlement>Kyiv</settlement>
									<country key="UA">Ukraine</country>
								</address>
							</affiliation>
						</author>
						<title level="a" type="main">Exposing Deviations in Information Processes using Multifractal Analysis</title>
					</analytic>
					<monogr>
						<imprint>
							<date/>
						</imprint>
					</monogr>
					<idno type="MD5">490D3D5A09C63D39F1E3123A4892853B</idno>
				</biblStruct>
			</sourceDesc>
		</fileDesc>
		<encodingDesc>
			<appInfo>
				<application version="0.7.2" ident="GROBID" when="2023-03-24T19:24+0000">
					<desc>GROBID - A machine learning software for extracting information from scholarly documents</desc>
					<ref target="https://github.com/kermitt2/grobid"/>
				</application>
			</appInfo>
		</encodingDesc>
		<profileDesc>
			<textClass>
				<keywords>
					<term>Fractal analysis</term>
					<term>the Hurst exponent</term>
					<term>network deviation detection</term>
				</keywords>
			</textClass>
			<abstract>
<div xmlns="http://www.tei-c.org/ns/1.0"><p>The main requirement for modern systems of intrusion detection is the possibility of identifying deviations in information processes in order to detect unknown attack types. An overview of existing approaches to identifying network deviations based on multifractal analysis methods is given. The results of the calculation of the Hurst exponent for the time series of CPU usage for different types of user activity are presented.</p></div>
			</abstract>
		</profileDesc>
	</teiHeader>
	<text xml:lang="en">
		<body>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="1.">Introduction</head><p>The signature methods of analysis used in modern intrusion detection systems are aimed at identifying known, specific methods of attack and are not able to detect modifications of those attacks or new attack types, which makes the use of such systems ineffective. Existing solutions address individual cases of network deviation detection and so far have not produced a single universal mechanism for detecting previously unknown attack types.</p><p>The current task is to find more effective universal methods for detecting network deviations that are a consequence of technical failures or unauthorized impacts. The main requirement for these methods is the ability to identify arbitrary types of intrusions, including those distributed in time. Statistical studies of network traffic indicate that it has the properties of fractality, or self-similarity, and that these characteristics vary when deviations occur in the network, which allows fractal analysis to be used to detect attacks <ref type="bibr" target="#b0">[1,</ref><ref type="bibr" target="#b1">2]</ref>.</p><p>The purpose of this study is to give an overview of existing approaches to identifying network deviations based on the method of fractal analysis.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="2.">Methods of Detecting Attacks</head><p>Attacks are deliberate actions of an offender that lead to a violation of the confidentiality, integrity or availability of the system.</p><p>Methods of attack detection are divided into: 1. Signature. 2. Behavioral. Signature methods are intended to detect known and clearly described attacks and are based on checking sequences of symbols and events against a database of attack signatures. Advantages of signature methods include low demands for computing power and a high probability of detecting attacks. Their disadvantages are the impossibility of identifying new types of attacks and modifications of existing ones without a clear formalization of network traffic keywords and an update of the signature database.</p><p>Behavioral methods are intended to identify unknown attacks and are based on detecting deviations from the normal operation mode. Advantages of behavioral methods are the ability to analyze the dynamics of processes and to identify new types of attacks. Their disadvantages are higher requirements for computing resources and a lower probability of detection.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="3.">Fractal Analysis</head><p>A time series is a sequence of values of the studied quantity measured at regular intervals. The central concepts of fractal analysis are the fractal dimension (D) and the Hurst exponent (H). The fractal dimension of a set (according to Hausdorff) is determined by:</p><formula xml:id="formula_0">$D = -\lim_{\varepsilon \to \infty} \frac{\lg[N(\varepsilon)]}{\lg(\varepsilon)},$<label>(1)</label></formula><p>where N(ε) is the minimum number of non-empty cells ε that cover a given set. The Hurst exponent characterizes the degree of similarity of the process:</p><p>1. 0 &lt; H &lt; 0.5: a random process that does not have self-similarity and is characterized by a tendency towards the average value;</p><p>2. H = 0.5: a completely random process without a pronounced tendency;</p><p>3. H &gt; 0.5: a trend-resistant process that has a long memory and is self-similar.</p><p>The fractal dimension is directly related to the Hurst exponent: D = 2 − H. This relation holds when the structure of the curve that describes the fractal function is investigated with high resolution, that is, in the local limits. One of the popular methods of finding the fractal dimension is R/S analysis <ref type="bibr" target="#b1">[2]</ref>:</p><formula xml:id="formula_1">$M\left[\frac{R(n)}{S(n)}\right] \sim c\,n^{H}, \quad n \to \infty$<label>(2)</label></formula><p>where n is high resolution; c is a positive finite constant that does not depend on n; H is the Hurst exponent; R(n) is the range of the time series.</p><formula xml:id="formula_2">$R(n) = \max_{1 \le j \le n} \Delta_j - \min_{1 \le j \le n} \Delta_j$<label>(3)</label></formula><formula xml:id="formula_3">$\Delta_k = \sum_{i=1}^{k} x_i - k\bar{x}, \quad k = \overline{1, n}$<label>(4)</label> $\bar{x} = \frac{1}{n} \sum_{i=1}^{n} x_i$<label>(5)</label></formula><formula xml:id="formula_4">$S(n) = \frac{1}{n-1} \sum_{i=1}^{n} (x_i - \bar{x})^{2}$<label>(6)</label></formula></div>
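<div xmlns="http://www.tei-c.org/ns/1.0"><p>The R/S procedure of Eqs. (2)-(6) can be carried through on data as follows. This is an added example, not code from the paper; it assumes S(n) is the sample standard deviation, non-overlapping windows whose size doubles from a hypothetical min_window, and two constructed series standing in for measured data.</p><p>

```python
"""R/S (rescaled range) estimate of the Hurst exponent, Eqs. (2)-(6).

Added illustration, not code from the paper. Assumptions: S(n) is the
sample standard deviation, windows do not overlap, window sizes double
from min_window, and both series below are constructed test data.
"""
import math
import random


def rescaled_range(window):
    """R(n)/S(n) for one window, or None when the window is flat."""
    n = len(window)
    mean = sum(window) / n
    cum, lo, hi = 0.0, 0.0, 0.0
    for x in window:
        cum += x - mean                    # Delta_k = sum_{i=1..k} x_i - k*mean
        lo, hi = min(lo, cum), max(hi, cum)
    var = sum((x - mean) ** 2 for x in window) / (n - 1)
    if var == 0.0:
        return None                        # R/S undefined for constant data
    return (hi - lo) / math.sqrt(var)      # R(n) = max Delta - min Delta


def ols_slope(xs, ys):
    """Ordinary least-squares slope of ys against xs."""
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return num / sum((x - mx) ** 2 for x in xs)


def hurst_rs(series, min_window=16):
    """Fit log M[R(n)/S(n)] = log c + H * log n over the window sizes n."""
    log_n, log_rs = [], []
    n = min_window
    while len(series) // 2 >= n:
        values = []
        for start in range(0, len(series) - n + 1, n):
            rs = rescaled_range(series[start:start + n])
            if rs is not None:
                values.append(rs)
        if values:
            log_n.append(math.log(n))
            log_rs.append(math.log(sum(values) / len(values)))
        n *= 2
    if 2 > len(log_n):
        raise ValueError("series too short for the R/S regression")
    return ols_slope(log_n, log_rs)


def constructed_series(kind, length=4096, seed=7):
    """Constructed data: independent noise, or its running sum (a trend-like walk)."""
    rng = random.Random(seed)
    noise = [rng.gauss(0.0, 1.0) for _ in range(length)]
    if kind == "uncorrelated":
        return noise
    walk, level = [], 0.0
    for step in noise:
        level += step
        walk.append(level)
    return walk


def demo():
    """Hurst estimates for the two constructed series."""
    return {kind: hurst_rs(constructed_series(kind))
            for kind in ("uncorrelated", "trending")}


if __name__ == "__main__":
    for kind, h in demo().items():
        print(kind, round(h, 3))
```

</p></div>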
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="4.">Review of Existing Methods and Approaches</head><p>In <ref type="bibr" target="#b0">[1]</ref>, the method of maximum modules of the wavelet transform (MMWT), which makes it possible to detect singularities of the signal, is used to detect traffic deviations. The network traffic collected on the boundary router of the university network was taken as the analyzed data. Each sequence is about 24 hours long with a sampling step of 1 second. Samples of "pure" traffic without attacks are presented, as well as samples with various deviations: DDoS attacks and different types of scanning. The algorithm for estimating the parameters of the multifractal spectrum is as follows:</p><p>The output signal f(t) is decomposed by means of a wavelet transform with the mother wavelet Ψ(t) into the corresponding coefficients:</p><formula xml:id="formula_5">$W_f(u, j) = \langle f(t), \Psi_{u,s}(t) \rangle = 2^{-j/2} \int f(t)\,\Psi\!\left(\frac{t-u}{2^{j}}\right) dt$<label>(7)</label></formula><p>The partition function is calculated:</p><p>$S(q, j) = \sum_{p} |W_f(u_p, j)|^{q}$ (8)</p><p>For each value of q ∈ R it is necessary to calculate the scale indicator:</p><p>$\tau(q, j) = \liminf_{j \to 0} \frac{\ln S(q, j)}{\ln 2^{j}}$ (9)</p><p>Then the multifractal spectrum $f_l(a)$ is calculated using the Legendre transformation:</p><formula xml:id="formula_6">$f_l(a) = \min_{q \in R}\left[q\left(a + \frac{1}{2}\right) - \tau(q)\right]$<label>(10)</label></formula><p>For each octave j, the multifractal dimension of order q is calculated:</p><p>$D_{q,j} = \frac{1}{q-1}\left[q\left(a(q, j) - f(a(q), j)\right)\right]$</p><p>When q &lt; 0, the value of S(q, j) depends on small maxima of the amplitude $|W_f(u_p, j)|$; as a result, the calculations may not be stable.</p><p>In order to avoid the emergence of false modulus maxima created by computing errors in areas where f is almost constant, wavelet maxima are combined in a chain to form a maximum curve depending on the scale.</p><p>If $\Psi = (-1)^{p}\theta^{(p)}$, where $\theta = \frac{1}{\sqrt{2\pi}} e^{-t^{2}/2}$ is the Gaussian function, then all lines of maxima $u_p(j)$ are determined by curves that are limited by j = 0. 
Therefore, all maximum lines that do not extend to the smallest scale are deleted when calculating S(q, j).</p><p>To formalize the difference between traffic spectra with and without certain deviations, it is possible to compare the fractal dimensions D1, the correlation dimensions D2 and the intervals characterizing the "width" of the Legendre spectrum for each of the implementations at each octave j of the decomposition.</p><p>The information dimensions D1 of the compared implementations are distinguished by a small stable value and practically do not depend on the number of sampling levels. This allows us to conclude that the presence of long-term attacks and unpredicted activity in the signal changes the self-similar nature of traffic, and this property can be used in the future to detect attacks.</p><p>In <ref type="bibr" target="#b2">[3]</ref> it is proposed to determine deviations based on their identity and the distribution of "heavy tails". Network deviations may occur as a result of overloads, errors of network devices, DDoS attacks, or attempts at unauthorized access. To reduce the impact of the periodicity of network traffic on the estimation of the Hurst exponent, the time series is divided into 24 sets of values.</p><p>For each set, a histogram is built over 24 equal intervals. For each group, the number of packets and the average packet length are found for the same time intervals. At the next stage, the Hurst exponent is calculated by the periodogram method, which uses the slope of the power spectrum. The Hurst exponent is calculated from the ratio:</p><formula xml:id="formula_8">$\beta - 1 = 1 - 2H,$<label>(12)</label></formula><p>where β is the slope of the line on a logarithmic scale.</p><p>In practice, you must first analyze traffic in the regular network operation mode during the day. 
When the deviation detection mode is turned on, the Hurst exponent is first calculated and compared with the corresponding reference value calculated in normal mode, for each parameter separately.</p><p>In the paper <ref type="bibr" target="#b3">[4]</ref>, an algorithm for detecting deviations based on a discrete stationary wavelet transform and fractal dimension is used. As the first step, the time series is filtered with a discrete stationary wavelet transform. This preliminary processing is necessary to increase the accuracy of the proposed method: the main components are extracted and the details are filtered out.</p><p>The main advantage of the discrete stationary wavelet transform over the classic one is the preservation of the time information of the output signal at each level. In the second step, the time series is traversed by two adjacent windows R and S. For each window, a fractal dimension is calculated according to the algorithm:</p><formula xml:id="formula_9">$FD = \frac{\lg\left(\frac{L}{a}\right)}{\lg\left(\frac{d}{a}\right)}$<label>(13)</label></formula><p>where L is the length of the time series, d is the distance between the first point of the series and the point farthest from it, and a is the average distance between two adjacent points of the series.</p><p>Changes in the statistical parameters of the signal are reflected in the fractal dimension; to account for them, the following function is introduced:</p><formula xml:id="formula_10">$G_k = |FD_{k+1} - FD_k|, \quad k = 1, \ldots, n$<label>(14)</label></formula><p>where n is the number of points of G.</p><p>The third step is the search for local maxima of G that exceed a given threshold, which are considered deviations from normal behavior. The accuracy of the method is significantly affected by the length of the window. For the analyzed window of length l, the energy of the function $G_l$ is calculated as:</p><formula xml:id="formula_11">$G_l = \frac{\sum_{k} |G_{l,k}|^{2}}{N}$<label>(15)</label></formula><p>The window length is calculated as the minimum of the standard energy function $E_{G_l}$. 
In <ref type="bibr" target="#b4">[5]</ref>, a method for detecting DDoS attacks is proposed, based on estimating the Hurst exponent using the fractional Fourier transform, which makes the transition to the frequency-time domain.</p><p>For the signal x(t) the fractional Fourier transform is defined as:</p><formula xml:id="formula_12">$X_a(u) = F_a(u) = \int_{-\infty}^{\infty} x(t)\,K_a(t, u)\,dt$<label>(16)</label> $K_a(t, u) = \sqrt{1 - i\cot(\alpha)} \cdot \exp\left[i\pi\left(t^{2}\cot(\alpha) - 2ut\csc(\alpha) + u^{2}\cot(\alpha)\right)\right], \quad \alpha \ne n\pi$<label>(17)</label> $K_a(t, u) = \delta(t - u), \quad a = (2 \mp 1)\pi$<label>(18)</label> $n \in Z, \quad \alpha = \frac{a\pi}{2}$<label>(19)</label></formula><p>where a is the order of the fractional Fourier transform; when a = 1, the formula reduces to the usual Fourier transform.</p><p>Using a discrete wavelet transform and a multi-scale method of analysis, we can calculate the Hurst exponent by analyzing the expression G(j) ↔ (2H + 1)j + constant, where j is the scale. Next, the optimal range of scale intervals is selected using the method of one-dimensional weighted least-squares estimation <ref type="bibr" target="#b7">[8]</ref>.</p><p>Experimental verification of the proposed method showed its high accuracy, which reduced the number of false positives and omissions during attack detection.</p><p>It was stated that network traffic is divided into several disjoint segments. The Hurst exponent is estimated for each segment. When the threshold values are exceeded, the traffic loses the property of self-similarity, which is regarded as a DDoS attack. But the intensity of a DDoS attack can change, which leads to a change in the Hurst exponent, so detection methods based on a fixed threshold require flexibility and adaptability.</p><p>This article proposes a method consisting of two stages:</p><p>1. Statistical analysis of the time series of network traffic using the discrete wavelet transform and the Schwarz information criterion to find the change point of the Hurst exponent, which signals the start of a DDoS attack.</p><p>2. 
Adaptive regulation of the intensity of a DDoS attack on the basis of fuzzy logic, by analyzing the Hurst exponent and the rate of its change. The Schwarz information criterion is based on the maximum likelihood function for the model and can be used to detect the presence of a threshold point by comparing the probability of the null hypothesis (no point) and the alternative (a point is present).</p><p>The Hurst exponent is estimated using a discrete wavelet transform, because in practice this method is one of the most reliable, as it is more resistant to smooth polynomial trends and noise.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="5.">The Evaluation is Performed According to the Following Algorithm</head><p>For the time series of network traffic X in real time, the wavelet coefficients d(j, k) are calculated for each scale j and position k. Next, it is necessary to perform a detailed assessment of the variance at each scale j:</p><formula xml:id="formula_13">$S_j = \sum_{k=1}^{n_j} d^{2}(j, k)$<label>(20)</label></formula><p>where $n_j$ is the number of wavelet coefficients that are available at scale j.</p><p>Assume that a new sample of traffic is received; then the sum is updated as follows:</p><p>$n_j = n_j + 1$ (21)</p><p>$S_j = S_j + d^{2}(j, n_j)$ (22)</p><p>Estimation of the variance at scale j:</p><formula xml:id="formula_14">$\varepsilon_j = \frac{S_j}{n_j}$<label>(23)</label></formula><p>Next, the dependence of $\log_2(\varepsilon_j)$ on the scale j is constructed, a weighted linear regression is performed for the linear section, and α is calculated. This dependency does not need to be built every time a new segment of traffic is received; this action is performed only when necessary.</p><p>Then the Hurst exponent is calculated:</p><p>$H = \frac{\alpha + 1}{2}$ (24)</p></div>
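<div xmlns="http://www.tei-c.org/ns/1.0"><p>The update rules (21)-(22) and the regression behind Eq. (24) fit a streaming estimator that touches each sample once. The sketch below is an added example, not the reviewed authors' code; it assumes the Haar wavelet, regression weights equal to the coefficient counts, a hypothetical tolerance for the comparison with the reference value, and constructed traffic series.</p><p>

```python
"""Streaming wavelet-variance estimate of the Hurst exponent, Eqs. (20)-(24).

Added illustration, not the reviewed authors' code. Assumptions: Haar
wavelet, regression weights equal to the counts n_j, every scale with at
least min_coeffs coefficients is treated as the linear section, and the
traffic series and the tolerance are constructed values.
"""
import math
import random


class OnlineWaveletHurst:
    def __init__(self, levels=6, min_coeffs=8):
        self.levels = levels
        self.min_coeffs = min_coeffs
        self.pending = [None] * levels   # unpaired approximation per scale
        self.n = [0] * levels            # n_j
        self.s = [0.0] * levels          # S_j

    def update(self, sample):
        """Push one traffic sample through the Haar pyramid."""
        value = float(sample)
        for j in range(self.levels):
            if self.pending[j] is None:
                self.pending[j] = value  # wait for the second half of the pair
                return
            first, self.pending[j] = self.pending[j], None
            detail = (first - value) / math.sqrt(2.0)   # d(j, n_j)
            self.n[j] += 1                              # Eq. (21)
            self.s[j] += detail * detail                # Eq. (22)
            value = (first + value) / math.sqrt(2.0)    # input of scale j + 1

    def hurst(self):
        """Weighted regression of log2(eps_j) on j, then H = (alpha + 1) / 2."""
        pts = [(j + 1, math.log2(self.s[j] / self.n[j]), self.n[j])
               for j in range(self.levels)
               if self.n[j] >= self.min_coeffs and self.s[j] > 0.0]
        if 2 > len(pts):
            raise ValueError("not enough scales populated yet")
        w = sum(p[2] for p in pts)
        mj = sum(p[0] * p[2] for p in pts) / w
        my = sum(p[1] * p[2] for p in pts) / w
        alpha = (sum(p[2] * (p[0] - mj) * (p[1] - my) for p in pts)
                 / sum(p[2] * (p[0] - mj) ** 2 for p in pts))
        return (alpha + 1.0) / 2.0


def constructed_traffic(phi, length=4096, seed=11):
    """Constructed packet counts: phi = 0 is uncorrelated, phi near 1 is bursty."""
    rng = random.Random(seed)
    level, out = 0.0, []
    for _ in range(length):
        level = phi * level + rng.gauss(0.0, 1.0)
        out.append(100.0 + level)
    return out


def feed(samples):
    """Run a whole series through a fresh estimator and return it."""
    est = OnlineWaveletHurst()
    for x in samples:
        est.update(x)
    return est


def deviates(h_current, h_reference, tolerance=0.15):
    """Compare the current estimate with the reference from normal mode."""
    return abs(h_current - h_reference) > tolerance


def demo():
    h_ref = feed(constructed_traffic(0.0)).hurst()
    h_cur = feed(constructed_traffic(0.9, seed=12)).hurst()
    return h_ref, h_cur, deviates(h_cur, h_ref)


if __name__ == "__main__":
    print(demo())
```

</p></div>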
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="6.">The Principle of Detecting Attacks</head><p>Let X be a time series of normal traffic, Y a time series of traffic with deviations, and Z a time series of deviations, i.e. the relation Y = X + Z holds. Based on the theorems, we can conclude that regardless of the presence of self-similarity in Z, if X is a stationary self-similar process of the second order, then Y will still be a self-similar process. But the degree of self-similarity may change.</p><p>Let $r_x$, $r_y$, $r_z$ be the autocorrelation functions of X, Y, Z, respectively. Then $\|r_y - r_x\|$ is of interest during the attack, and $r_y = r_x + r_z$. For each value of H ∈ (0.5, 1] there is only one autocorrelation function of self-similarity. Thus, we examine $\|H_y - H_x\|$, where $H_y$ and $H_x$ are the average values of the Hurst exponents of Y and X, respectively.</p><p>The disadvantage of this method is that the wavelet transform coefficients and the statistics based on the Schwarz information criterion are updated at the moment when new traffic values arrive, and the detection of the traffic self-similarity threshold is restarted for each scale. Thus, a signal of a change in the point of self-similarity will be given even if this change occurred on a different scale at the same moment.</p><p>After an attack is detected, the traffic close to the detection time is divided into parts. By analyzing the Hurst exponent and the speed of its change (the difference between the Hurst exponents of the traffic parts before and after the moment of detection), we can determine the intensity of the DDoS attack using the rules of fuzzy logic.</p><p>The point of change of traffic self-similarity is determined by the Schwarz information criterion, which is based on the assumption that the entropy of a sequence with a variable self-similarity boundary point is greater than the entropy of a sequence in which this point is fixed. Suppose there is a sequence of length M. 
It is assumed that there is only one point of the self-similarity boundary at position 1 &lt; g &lt; M. In order to determine the presence and location of this point, you need to calculate the entropy of the whole sequence, as well as of the parts $f_1 = (1, \ldots, g)$ and $f_2 = (g + 1, \ldots, M)$, compare their values and conclude whether the point g is marginal. If the entropy of the individual parts is much less than the entropy of the whole sequence, the point g is considered to be marginal.</p><p>The general scheme of attack detection is presented in Fig. <ref type="figure" target="#fig_1">1</ref>.</p><p>In the paper, the Hurst exponents for four traffic metrics are calculated by the iterative method in real time. Next, the results of anomaly detection are collected and normalized to assess the security of network traffic.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head>Search of critical points</head><p>The following scheme of network traffic security assessment is proposed (Fig. <ref type="figure" target="#fig_2">2</ref>). The algorithm for assessing traffic safety is divided into five stages:</p><p>1. Traffic collection.</p><p>2. Statistical analysis.</p><p>3. Assessment of the Hurst exponent.</p><p>4. Detection of anomalies.</p><p>5. Security assessment.</p><p>To reduce the impact on the normal functioning of the network, traffic is duplicated to a special server that collects traffic. The software for collecting traffic on the server includes a hardware and technical complex, which has excellent performance when collecting network packets.</p><p>From the packets received from the router, information about the packet type is extracted, as well as four traffic metrics: the total number of packets and the numbers of TCP, UDP and ARP packets per unit of time. The Hurst exponents for the four traffic metrics are calculated by an iterative real-time estimation method. These values are used to detect deviations and update the normal traffic model.</p><p>The current calculated value of the Hurst exponent is compared with the value from the normal model of traffic behavior. If the value is outside the allowable range, the traffic is considered abnormal. A normal traffic model is built by analyzing the normal operation of the network over a period of time.</p><p>The model includes a normal value of the Hurst exponent and a confidence interval, and can be updated when a deviation is detected.</p><p>The criterion for assessing safety is the level of risk, which is calculated by the method of weighted averages and takes into account the results of detection of deviations for the four traffic metrics. 
The level of risk provides administrators with the current state of data transmission in the network in terms of security.</p><p>Let $X_n$ (n = 1, 2, 3, …) be a discrete stochastic process, and let the following hold:</p><formula xml:id="formula_15">$X_i^{(m)} = \frac{1}{m} \sum_{k=(i-1)m+1}^{im} X_k$<label>(25)</label></formula><p>Then $X_i^{(m)}$ is called the aggregated process of $X_n$ of order m, with autocorrelation function $p_m(k)$ of order m. A stochastic process $X_n$ (n = 1, 2, …) that is stationary in the broad sense is called self-similar provided that $X_n$ and its aggregated processes $X_n^{(m)}$ of order m have the same autocorrelation functions: $p_m(k) = p(k)$ (m = 1, 2, …).</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="7.">Algorithm for Iterative Evaluation of the Hurst Exponent</head><p>Suppose the time series $X_i$ of network traffic during the i-th period of time is stationary in the broad sense and self-similar, and its autocorrelation function satisfies:</p><formula xml:id="formula_16">$p_K = H(2H - 1)K^{2H-2}, \quad K \to \infty$<label>(26)</label></formula><p>where H (0.5 &lt; H &lt; 1) is the Hurst exponent, which increases with increasing degree of self-similarity of the process.</p><p>With $\sum_k p_k \to \infty$, a self-similar process is often called a long-scale correlation process. The greater K is, the more relevance the time series has. The iterative formula for calculating H:</p><formula xml:id="formula_17">$H_{i+1} = \sqrt{\left(p_k k^{2-2H_i} + H_i\right) \cdot 0.5}, \quad k \to \infty$ (27) For a given time series $X_1, \ldots, X_n$ the following are calculated: 1) the expected value: $\hat{\mu} = \bar{X} = \frac{1}{n} \sum_{i=1}^{n} X_i$ (28) 2) the covariance: $\hat{y}_k = \frac{1}{n-k} \sum_{i=1}^{n-k} (X_i - \bar{X})(X_{i+k} - \bar{X})$ (29)</formula><p>3) the autocorrelation function:</p><formula xml:id="formula_18">$\hat{p}_k = \frac{\hat{y}_k}{\hat{y}_0}, \quad k = 0, 1, \ldots$<label>(30)</label></formula><p>The estimate $\hat{p}_k$ of the autocorrelation function serves as a replacement for $p_k$; the iterative formula for calculating H then takes the form:</p><formula xml:id="formula_19">$\hat{H}_{i+1} = \sqrt{\left(\hat{p}_k k^{2-2\hat{H}_i} + \hat{H}_i\right) \cdot 0.5}, \quad k \to \infty$<label>(31)</label></formula><p>The results of the experiment showed that the iterative estimation of the Hurst exponent has high speed and accuracy, and also smaller confidence intervals for normal values compared to the Variance-Time Plot method. For a long-term large-scale correlation process, $\hat{H}_0 = 0.5$ is taken.</p><p>An important condition for the iterative formula for $\hat{H}_{i+1}$ is that k → ∞, but the results of the experiment show that with k = 1 this formula gives the Hurst exponent with sufficient accuracy while eliminating a significant number of calculations. 
In addition, the result is imperfect even if k is large enough, so we take k = 1, and the formula takes the simplified form:</p><formula xml:id="formula_20">$\hat{H}_{i+1} = \sqrt{\left(\hat{p}_1 + \hat{H}_i\right) \cdot 0.5}$<label>(32)</label></formula><p>In normal operating mode, network traffic follows the pattern of daytime use. To reduce the impact of network traffic periodicity on the Hurst exponent, it is necessary to process traffic at different periods of time.</p><p>In practice, the four above-mentioned traffic metrics are first calculated for normal traffic during the week. Then the average weekly normal values of the Hurst exponents for the four traffic metrics are calculated for each day.</p><p>After that it is necessary to use the effective method of Kettani and Gubner to calculate the 98% confidence intervals of the Hurst exponent (0.5 ≤ H ≤ 0.95).</p><p>It is necessary to establish the initial state of the normal traffic model. During detection in real-time mode, the current calculated Hurst exponent is checked against the confidence interval of the normal traffic model for each metric. If the value falls within the confidence interval, the traffic is considered normal and the detection result is 0; otherwise the traffic is considered to contain a deviation and the detection result is 1. In the first case it is necessary to update the Hurst exponent and the confidence interval in the normal traffic model.</p><p>The method of normalized security assessment is based on the weighted average method, which accounts for all four traffic metrics. The level of risk is calculated as follows:</p><p>$F_{traffic} = \sum w(i) \cdot F_{obs}(i),$</p><p>In order to conduct the study, software for fractal analysis of time series was used (Fig. <ref type="figure" target="#fig_4">3</ref>).</p></div>
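<div xmlns="http://www.tei-c.org/ns/1.0"><p>The whole detection chain of this section, from the lag-1 autocorrelation through the iteration of Eq. (32) to the per-metric 0/1 result and the weighted risk level, is shown below as an added example (not the reviewed authors' code). The confidence intervals, the weights w(i) and the per-metric series are constructed values, and clamping a negative autocorrelation to zero is an assumption made to keep the square root real.</p><p>

```python
"""Iterative Hurst estimate with k = 1 (Eq. 32), per-metric detection and
the weighted risk level F_traffic.

Added illustration, not the reviewed authors' code. Assumptions: the
confidence intervals, the weights w(i) and the sample series are
constructed; a lag-1 autocorrelation below zero is clamped to zero.
"""
import math
import random

METRICS = ("all", "tcp", "udp", "arp")


def lag1_autocorrelation(series):
    """p_1 = y_1 / y_0, with the covariance estimates of Eqs. (28)-(30)."""
    n = len(series)
    mean = sum(series) / n
    y0 = sum((x - mean) ** 2 for x in series) / n
    y1 = sum((series[i] - mean) * (series[i + 1] - mean)
             for i in range(n - 1)) / (n - 1)
    return y1 / y0 if y0 > 0.0 else 0.0


def iterative_hurst(p1, h0=0.5, tol=1e-9, max_iter=200):
    """Iterate H = sqrt(0.5 * (p1 + H)) from H_0 = 0.5 until it settles."""
    p1 = max(p1, 0.0)
    h = h0
    for _ in range(max_iter):
        nxt = math.sqrt(0.5 * (p1 + h))
        if tol > abs(nxt - h):
            return nxt
        h = nxt
    return h


def detect(h, interval):
    """0 when H lies inside the normal confidence interval, otherwise 1."""
    low, high = interval
    return 0 if high >= h >= low else 1


def risk_level(series_by_metric, normal_model, weights):
    """F_traffic = sum over i of w(i) * F_obs(i) for the four metrics."""
    results = {}
    for name in METRICS:
        h = iterative_hurst(lag1_autocorrelation(series_by_metric[name]))
        results[name] = (h, detect(h, normal_model[name]))
    risk = sum(weights[m] * results[m][1] for m in METRICS)
    return risk, results


def constructed_counts(phi, seed, length=2000, base=500.0):
    """Constructed per-second packet counts with lag-1 correlation near phi."""
    rng = random.Random(seed)
    level, out = 0.0, []
    for _ in range(length):
        level = phi * level + rng.gauss(0.0, 20.0)
        out.append(base + level)
    return out


def demo():
    # Constructed normal model: one interval per metric around H of about 0.81.
    normal_model = {m: (0.76, 0.86) for m in METRICS}
    # Hypothetical weights w(i); the page does not give their values.
    weights = {"all": 0.4, "tcp": 0.2, "udp": 0.2, "arp": 0.2}
    traffic = {
        "all": constructed_counts(0.95, seed=1),   # deviating
        "tcp": constructed_counts(0.50, seed=2),   # normal
        "udp": constructed_counts(0.95, seed=3),   # deviating
        "arp": constructed_counts(0.50, seed=4),   # normal
    }
    return risk_level(traffic, normal_model, weights)


if __name__ == "__main__":
    risk, results = demo()
    for name in METRICS:
        print(name, round(results[name][0], 3), results[name][1])
    print("F_traffic =", round(risk, 3))
```

</p></div>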
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="8.">Conclusions</head><p>This review deals mainly with network traffic, which numerous studies have shown to have the property of self-similarity; this fact can be used to create a model of normal behavior.</p><p>In this article, an experiment was performed for a time series of CPU usage, the fractal properties of which are unknown.</p><p>The results show that the Hurst exponent of the time series of this parameter varies over a wide range when the type of user activity changes, which does not allow a conclusion to be made about the presence or absence of self-similarity and makes it impossible to detect anomalies using only this method for this parameter.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="9.">References</head></div><figure xmlns="http://www.tei-c.org/ns/1.0" xml:id="fig_1"><head>Figure 1 :</head><label>1</label><figDesc>Figure 1: General scheme of attack detection</figDesc></figure>
<figure xmlns="http://www.tei-c.org/ns/1.0" xml:id="fig_2"><head>Figure 2 :</head><label>2</label><figDesc>Figure 2: Assessment of local network traffic security</figDesc></figure>
<figure xmlns="http://www.tei-c.org/ns/1.0" xml:id="fig_3"><head></head><label></label><figDesc>obs = {1 − all packets, 2 − TCP packets, 3 − UDP packets, 4 − ARP packets}</figDesc></figure>
<figure xmlns="http://www.tei-c.org/ns/1.0" xml:id="fig_4"><head>Figure 3 :</head><label>3</label><figDesc>Figure 3: General view of the investigated program</figDesc><graphic coords="7,72.00,635.74,265.88,119.80" type="bitmap" /></figure>
<figure xmlns="http://www.tei-c.org/ns/1.0" xml:id="fig_5"><head>Figure 4 :</head><label>4</label><figDesc>Figure 4: Time series of processor's load</figDesc><graphic coords="8,72.00,109.95,275.83,123.10" type="bitmap" /></figure>
		</body>
		<back>
			<div type="references">

				<listBibl>

<biblStruct xml:id="b0">
	<monogr>
		<author>
			<persName><forename type="first">O</forename><forename type="middle">I</forename><surname>Shelukhin</surname></persName>
		</author>
		<title level="m">Multifractals: infocommunication applications</title>
				<imprint>
			<publisher>Hotline-Telecom</publisher>
			<date type="published" when="2014">2014</date>
			<biblScope unit="page">579</biblScope>
		</imprint>
	</monogr>
</biblStruct>

<biblStruct xml:id="b1">
	<monogr>
		<author>
			<persName><forename type="first">S</forename><forename type="middle">V</forename><surname>Porshnev</surname></persName>
		</author>
		<title level="m">Mathematical models of information flows in high-speed backbone Internet channels: a tutorial</title>
				<editor>
			<persName><forename type="first">S</forename><forename type="middle">V</forename><surname>Porshnev</surname></persName>
		</editor>
		<imprint>
			<publisher>Hotline-Telecom</publisher>
			<date type="published" when="2016">2016</date>
			<biblScope unit="page">233</biblScope>
		</imprint>
	</monogr>
</biblStruct>

<biblStruct xml:id="b2">
	<analytic>
		<title level="a" type="main">Modeling and analysis of security and risk in complex systems</title>
	</analytic>
	<monogr>
		<title level="m">Proceedings of the International Scientific School IABR-2016</title>
				<meeting>the International Scientific School IABR-2016<address><addrLine>St. Petersburg</addrLine></address></meeting>
		<imprint>
			<date type="published" when="2016">October 25 -28, 2016</date>
		</imprint>
	</monogr>
</biblStruct>

<biblStruct xml:id="b3">
	<monogr>
		<title level="m" type="main">Theory and practice of functional resistance to cyber attacks</title>
		<author>
			<persName><forename type="first">D</forename><forename type="middle">P</forename><surname>Zegzhda</surname></persName>
		</author>
		<author>
			<persName><forename type="first">E</forename><forename type="middle">B</forename><surname>Alexandrova</surname></persName>
		</author>
		<author>
			<persName><forename type="first">M</forename><forename type="middle">O</forename><surname>Kalinin</surname></persName>
		</author>
		<author>
			<persName><forename type="first">A</forename><forename type="middle">S</forename><surname>Markov ; Zhukov</surname></persName>
		</author>
		<author>
			<persName><forename type="first">D</forename><forename type="middle">V</forename><surname>Ivanov</surname></persName>
		</author>
		<author>
			<persName><forename type="first">A</forename><forename type="middle">S</forename><surname>Konoplev</surname></persName>
		</author>
		<author>
			<persName><forename type="first">D</forename><forename type="middle">S</forename><surname>Lavrova</surname></persName>
		</author>
		<author>
			<persName><forename type="first">D</forename><forename type="middle">A</forename><surname>Moskvin</surname></persName>
		</author>
		<author>
			<persName><forename type="first">E</forename><surname>Yu</surname></persName>
		</author>
		<author>
			<persName><forename type="first">M</forename><surname>Pavlenko</surname></persName>
		</author>
		<editor>.A. Poltavtseva, N.N. Shenets, A.D. Dakhnovich, V.M. Krundyshev</editor>
		<imprint>
			<date type="published" when="2020">2020</date>
			<publisher>Moscow. Hotline -Telecom</publisher>
			<biblScope unit="page">560</biblScope>
		</imprint>
	</monogr>
	<note>Cybersecurity of the digital industry</note>
</biblStruct>

<biblStruct xml:id="b4">
	<analytic>
		<title level="a" type="main">Information security and data transmission department</title>
		<author>
			<persName><forename type="first">O</forename><forename type="middle">Y</forename><surname>Ruslyachenko</surname></persName>
		</author>
		<author>
			<persName><forename type="first">K</forename><forename type="middle">O</forename><surname>Osadchuk</surname></persName>
		</author>
	</analytic>
	<monogr>
		<title level="m">Module 3: Teaching manual for laboratory works and practical seminars</title>
				<editor>
			<persName><forename type="first">S</forename><surname>Popov</surname></persName>
		</editor>
		<imprint>
			<date type="published" when="2013">2013</date>
			<biblScope unit="page">60</biblScope>
		</imprint>
	</monogr>
	<note>ONAT by the name of A</note>
</biblStruct>

<biblStruct xml:id="b5">
	<analytic>
		<title level="a" type="main">Monitoring Subsystem for Wireless Systems Based on Miniature Spectrum Analyzers</title>
		<author>
			<persName><forename type="first">I</forename><surname>Bogachuk</surname></persName>
		</author>
		<author>
			<persName><forename type="first">V</forename><surname>Sokolov</surname></persName>
		</author>
		<author>
			<persName><forename type="first">V</forename><surname>Buriachok</surname></persName>
		</author>
		<idno type="DOI">10.1109/infocommst.2018.8632151</idno>
	</analytic>
	<monogr>
		<title level="m">International Scientific-Practical Conference Problems of Infocommunications</title>
				<imprint>
			<publisher>PIC S&amp;T</publisher>
			<date type="published" when="2018">2018. 2018</date>
		</imprint>
	</monogr>
</biblStruct>

<biblStruct xml:id="b6">
	<analytic>
		<title level="a" type="main">Design method access network radio over fiber</title>
		<author>
			<persName><forename type="first">A</forename><surname>Pereverzev</surname></persName>
		</author>
		<author>
			<persName><forename type="first">D</forename><surname>Ageyev</surname></persName>
		</author>
	</analytic>
	<monogr>
		<title level="m">2013 12th International Conference: The Experience of Designing and Application of CAD Systems in Microelectronics</title>
				<meeting><address><addrLine>CADSM</addrLine></address></meeting>
		<imprint>
			<date type="published" when="2013">2013. 2013</date>
			<biblScope unit="volume">6543268</biblScope>
			<biblScope unit="page" from="288" to="292" />
		</imprint>
	</monogr>
</biblStruct>

<biblStruct xml:id="b7">
	<analytic>
		<title level="a" type="main">Intrusion detection systems</title>
		<author>
			<persName><forename type="first">D</forename><surname>Kostrov</surname></persName>
		</author>
	</analytic>
	<monogr>
		<title level="j">Byte</title>
		<imprint>
			<biblScope unit="volume">8</biblScope>
			<biblScope unit="issue">49</biblScope>
			<biblScope unit="page" from="14" to="21" />
			<date type="published" when="2002">2002</date>
		</imprint>
	</monogr>
</biblStruct>

<biblStruct xml:id="b8">
	<analytic>
		<author>
			<persName><forename type="first">T</forename><surname>Radivilova</surname></persName>
		</author>
		<author>
			<persName><forename type="first">H</forename><forename type="middle">A</forename><surname>Hassan</surname></persName>
		</author>
	</analytic>
	<monogr>
		<title level="m">2nd International Conference on Information and Telecommunication Technologies and Radio Electronics</title>
		<title level="s">-Proceedings</title>
		<meeting><address><addrLine>UkrMiCo</addrLine></address></meeting>
		<imprint>
			<date type="published" when="2017">2017. 2017</date>
			<biblScope unit="page">8095429</biblScope>
		</imprint>
	</monogr>
	<note>Test for penetration in Wi-Fi network: Attacks on WPA2-PSK and WPA2-enterprise</note>
</biblStruct>

<biblStruct xml:id="b9">
	<analytic>
		<title level="a" type="main">Modelling instruments in risk management</title>
		<author>
			<persName><forename type="first">S</forename><surname>Bondarenko</surname></persName>
		</author>
		<author>
			<persName><forename type="first">B</forename><surname>Liliya</surname></persName>
		</author>
		<author>
			<persName><forename type="first">O</forename><surname>Krynytska</surname></persName>
		</author>
		<author>
			<persName><forename type="first">G</forename><surname>Inna</surname></persName>
		</author>
	</analytic>
	<monogr>
		<title level="j">International Journal of Civil Engineering and Technology</title>
		<imprint>
			<biblScope unit="volume">10</biblScope>
			<biblScope unit="issue">1</biblScope>
			<biblScope unit="page" from="1561" to="1568" />
			<date type="published" when="2019">2019</date>
		</imprint>
	</monogr>
</biblStruct>

<biblStruct xml:id="b10">
	<analytic>
		<title level="a" type="main">Use of Approaches to the Methodology of Factor Analysis of Information Risks for the Quantitative Assessment of Information Risks Based on the Formation of Cause-And-Effect Links</title>
		<author>
			<persName><forename type="first">I</forename><surname>Dobrynin</surname></persName>
		</author>
		<author>
			<persName><forename type="first">T</forename><surname>Radivilova</surname></persName>
		</author>
		<author>
			<persName><forename type="first">N</forename><surname>Maltseva</surname></persName>
		</author>
		<author>
			<persName><forename type="first">D</forename><surname>Ageyev</surname></persName>
		</author>
	</analytic>
	<monogr>
		<title level="m">International Scientific-Practical Conference on Problems of Infocommunications Science and Technology</title>
		<title level="s">-Proceedings</title>
		<meeting><address><addrLine>PIC S and T</addrLine></address></meeting>
		<imprint>
			<date type="published" when="2018">2019. 2018. 2018</date>
			<biblScope unit="volume">8632022</biblScope>
			<biblScope unit="page" from="229" to="232" />
		</imprint>
	</monogr>
</biblStruct>

				</listBibl>
			</div>
		</back>
	</text>
</TEI>
