=Paper=
{{Paper
|id=Vol-3200/paper6
|storemode=property
|title=Detection of Slow DDoS Attacks Based on Time Delay Forecasting
|pdfUrl=https://ceur-ws.org/Vol-3200/paper6.pdf
|volume=Vol-3200
|authors=Vitalii Savchenko,Valeriia Savchenko,Oleksandr Laptiev,Oleksander Matsko,Ivan Havryliuk,Kseniia Yerhidzei,Iryna Novikova
}}
==Detection of Slow DDoS Attacks Based on Time Delay Forecasting ==
Vitalii Savchenko<sup>1</sup>, Valeriia Savchenko<sup>2</sup>, Oleksandr Laptiev<sup>3</sup>, Oleksander Matsko<sup>4</sup>, Ivan Havryliuk<sup>5</sup>, Kseniia Yerhidzei<sup>6</sup> and Iryna Novikova<sup>7</sup>

<sup>1,2</sup> State University of Telecommunications, Solomianska str.7, Kyiv, 03110, Ukraine

<sup>3</sup> Taras Shevchenko National University of Kyiv, 24 Bogdana Gavrilishina str., Kyiv, 04116, Ukraine

<sup>4,5,6,7</sup> The National Defense University of Ukraine named after Ivan Cherniakhovskyi, Povitroflotsky av. 28, Kyiv, 03049, Ukraine

III International Scientific And Practical Conference “Information Security And Information Technologies”, September 13–19, 2021, Odesa, Ukraine

EMAIL: savitan@ukr.net (A. 1); savchenko.valeriya@gmail.com (A. 2); alaptev64@ukr.net (A. 3); macko2006@ukr.net (A. 4); ivan.havryliuk@gmail.com (A. 5); ergidzey@ukr.net (A. 6); irina_nov@ukr.net (A. 7)

ORCID: 0000-0002-3014-131X (A. 1); 0000-0003-1921-2698 (A. 2); 0000-0002-4194-402X (A. 3); 0000-0003-3415-3358 (A. 4); 0000-0002-3514-0738 (A. 5); 0000-0003-4634-133X (A. 6); 0000-0003-4854-0682 (A. 7)

© 2021 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). CEUR Workshop Proceedings (CEUR-WS.org)

===Abstract===
The article deals with the problem of detecting low and slow distributed DDoS attacks. Detecting such DDoS attacks is challenging because slow attacks do not significantly increase traffic. The authors suggest that detecting slow DDoS attacks will be effective based on analyzing and predicting host response latency in the network. The article proposes an original method for detecting such attacks, based on statistics of host interaction and predicting the individual trajectory of the traffic parameter behavior. The host response time delay is taken as a traffic parameter. An algorithm for calculating the individual trajectory of the time delay is proposed. The possibilities of using this method are shown based on the simulation of RUDY attacks on HTTP services. The parameters of the forecast accuracy are investigated depending on the accumulated information on the response delays.

'''Keywords''': Slow and low DDoS attacks, slow attack detection, network response prediction, latency, individual trajectory.

===1. Introduction===
Recently, DDoS attacks have been rapidly increasing in scale, frequency and technical complexity. For organizations that rely on Internet resources and applications for their activities (for example, for e-commerce enterprises), the consequences of DDoS attacks can be devastating. Inaccessible websites and servers can cast a shadow on a company's reputation, and customers turn to competitors' resources [1].

One type of DDoS attack is the slow denial of service attack. Its feature is that denial of service is achieved in a hidden way using a small amount of traffic and does not require bandwidth filling. The attacker opens many endless connections and, when a certain threshold is exceeded, causes a denial of service in the victim's network. It uses transport (TCP) or application (HTTP) protocols. Detection and countermeasures must be built based on the characteristics of the attack.

Countering such attacks should include two main measures: 1) diagnose the attack at the earliest stages; 2) separate malicious traffic from normal traffic. By understanding which user requests are the result of a DDoS attack, you can configure appropriate settings for firewalls and routers, or implement other security measures.

====1.1. Problem Statement====
Methods for detecting slow DDoS attacks fall into two categories:

1. Signature methods, which are based on the construction of a model of "abnormal behavior" [2]. This model builds signatures of "abnormal" traffic behavior (a huge number of simultaneously arriving SYN + ACK packets, an inadequately long packet lifetime, too long a packet route "length", and so on). The model is most effective against attacks that fill the network bandwidth, or on local networks, where you can make a list of source addresses whose packets are guaranteed to be "normal". But such a model is ineffective against low-intensity DDoS, when it is difficult to reliably distinguish ordinary user requests from "malicious" ones.

2. Anomaly-based methods. This approach is the opposite of the signature one. A general model of "normal" behavior is built, then the incoming traffic is compared with it, and if the differences exceed an acceptable threshold, an "alarm" is triggered. Research is conducted in the areas of statistical (parametric and nonparametric) methods, as well as data mining and neural networks. The last two approaches are being actively developed to detect low-intensity attacks. Disadvantages of the model: a large number of errors of the first kind due to the individuality of networks and traffic; long-term calculation of data on "normal" behavior; sensitivity to the choice of statistical distributions.

In any case, the problem of early detection of low or slow DDoS attacks remains relevant. The sooner the traffic parameters are found to be inconsistent with their normal values, the faster it will be possible to take measures to neutralize the attack. In this case, it is necessary to add parameter prediction modules to the existing detection systems.

====1.2. Related Works Overview====
There is a huge number of publications on the detection of slow DDoS attacks.

Reference [3] proposes an architecture that mitigates low and slow DDoS attacks by leveraging the capabilities of a software-defined infrastructure. At the same time, this approach requires a significant amount of computing resources, which will be involved in diagnostics.

The article [4] proposes a methodology for detecting LDDoS attacks based on the characteristics of malicious TCP streams by classifying them by decision trees. The studies are conducted using a combination of two datasets, one generated from a simulated network and the other from a publicly available CIC DoS dataset. Since this approach includes elements of artificial intelligence, a significant amount of statistics is required to train the system.

In [5], the authors tried to measure the impact of different variants of pulsating distributed denial-of-service attacks on the self-similar nature of network traffic and see if changing the H index can be used to distinguish them from a normal network. This approach is quite effective in the case of traffic self-similarity elements. Otherwise, detecting low and slow DoS attacks is very difficult.

Paper [6] proposes Canopy, a novel approach to detecting LSDDoS attacks by using machine learning techniques to extract meaning from observed TCP state transition patterns. At the same time, as in other models based on artificial intelligence, the detection system requires a large sample of training and significant resources for processing the results.

The work [7] compares machine learning methods for recognizing slow DDoS attacks: multilayer perceptron (MLP), backpropagation neural network, K-Nearest Neighbors (K-NN), Support Vector Machine (SVM) and polynomial naive Bayesian (MNB) algorithm. As in the previous cases, the application of the methods requires a large number of patterns for recognition.

In [8-9], a new classification method and model is proposed to protect against slow HTTP attacks in the cloud. The solution detects slow HTTP header attacks (Slowloris), slow HTTP body attacks (RUDY), or slow HTTP read attacks. At the same time, such approaches do not guarantee effective detection of attacks at the early stages of their development.

The papers [10-11] show a system that can detect and mitigate attacks in the network infrastructure. The main identification parameters in both models are the packet transmission rate and the uniform distance between packets, which does not allow the actions of intruders to be forestalled.

Reference [12] discusses sampling data to create different class distributions to counteract the effects of highly imbalanced slow HTTP DoS datasets. At the same time, a significant number of samples (the authors use 1.89 million copies of attacks) is quite difficult to achieve in reality. The study [13] developed a metric-based system for detecting traditional slow attacks, which can be effective with limited resources, based on the study of similarities and the introduction of the Euclidean metric. This approach is effective enough only when a large number of such slow attack patterns is available, and for a large variety of attacks it is unlikely to be effective.

The most practical for implementation is the method proposed in [14,26], which determines the quality parameters of TCP connections typical for slow HTTP attacks. This allows you to estimate the likelihood and time of the web server going into overload mode. However, such attack detection is based on observation statistics and uses predictions. The article [15] proposes an algorithm for detecting slow DDoS attacks based on traffic patterns depending on the server load state. This does not consider the decision-making process. In [16], various scenarios are considered and a hybrid neural network for detecting DDoS attacks is proposed. However, the method and general technique for detecting low intensity DDoS attacks are not considered. In [17], the authors consider interval forecasting based on a probabilistic neural network with a dynamic update of the smoothing parameter. But the problem of the dynamics of the model remains unresolved.

Thus, most of the works devoted to countering slow DDoS attacks are based on statistical models, do not address the issues of predicting host behavior, and therefore are not effective enough to detect attacks at early stages.

The aim of this work is to form a system for detecting slow DDoS attacks based on predicting traffic elements in the network. To successfully solve the identified problem, it is necessary to build a model and technology for predicting the behavior of traffic parameters taking into account the history of host interaction in the network, as well as to propose a technology for recognizing slow DDoS attacks.

===2. Development of a method for detecting slow DDoS attacks based on predicting traffic parameters===

====2.1. Determining the traffic parameter for detecting a slow DDoS attack====
The most expedient architecture for detecting slow DDoS attacks is the one proposed in [18]. Such an IDS should consist of four modules: 1) traffic collection module; 2) module for calculating traffic parameters; 3) forecasting module; 4) module for classifying attacks (Fig. 1).

Figure 1: IDS structure (blocks: Traffic Collection Module; Traffic Parameters Calculation Module; Forecasting Module; Attack Classification Module)

The system works as follows:

1. For some time, the Traffic Collection Module records the main traffic parameters required for further calculations: IP addresses of the sender and recipient; TCP window size; packet arrival time.

2. In the module for calculating traffic parameters, the average delay between transmitted packets is calculated for each IP address:

:<math>T = \frac{1}{k-1} \sum_{i=1}^{k} \left( t_{i+1} - t_i \right)</math> (1)

where:

<math>t_i</math> – the i-th packet arrival time;

<math>t_{i+1}</math> – the (i+1)-th packet arrival time;

<math>k</math> – the number of packets received during the analyzed period.

The beginning and end of the session are recorded by a built-in timer, after which the duration of open connections is calculated.

3. The decision on the presence of a possible slow HTTP attack is made in the attack classification module based on the comparison of the obtained indicators with the average statistical values.

As was shown in [18], the decision about the presence of a slow DDoS attack should be made based on the traffic parameters forecast, which can be generated based on the study of statistics in other systems. Thus, it is advisable to add a situation forecast block to the considered algorithm.

====2.2. Predicting the delay time between transmitted packets====
The interaction of computer systems in the network forms an individual trajectory of changes in traffic parameters for each pair of interacting systems. Such trajectories have their own characteristics both in the normal mode of operation and during a slow DDoS attack. In order to start actions to neutralize a slow DDoS attack on time, it is necessary to predict the time trajectory of traffic parameters, which depends on the actions of the interacting system.

Prediction of an individual traffic trajectory has already been studied in [19], in which traffic parameters were determined at long intervals (week, month). The same approach was used to predict slow DDoS attacks in [18]. At the same time, in both cases, only direct indicators were investigated: in [19] - the amount of information per unit of time, in [18] - the average delay between transmitted packets.

Slow DDoS attacks do not produce significant deviations in traffic indicators, and therefore different parameters must be used to detect them. Along with direct indicators (the amount of information and the average delay time), when using the method of canonical decomposition of a random process, the values of the correlation function are also calculated for each of the measurements, which makes the method more effective for predicting weak disturbances.

To monitor the traffic parameters, as before in [18], it is advisable to use the average time interval of the delay between packets in the session, which can be represented as a vector of parameters <math>X = (X_1, X_2, \ldots, X_H)</math> [20]. The condition to be fulfilled is <math>X \in S_0</math>, where <math>S_0</math> is the tolerance area of the vector <math>X</math>. The random process <math>X(t)</math> reflects the change in delays between traffic packets over time [21]. The process <math>X(t)</math> is statistically defined in the range <math>t \ge t_1</math>, where <math>t_1</math> is the beginning of observations and <math>t_k \ge t_1</math> [22].

The forecasting problem is posed as follows: for the parameter <math>x(t) \in S_0</math>, which is observed in the interval <math>t_1 \le t \le t_k</math>, determine the time at which a specific realization <math>x(t)</math> goes beyond the limits <math>S_0</math>, based on the definition of the a posteriori process <math>X(t)</math> [23].

The probability that a particular trajectory of the parameter remains within the acceptable range at a time <math>s \ge t_k</math>, given that up to and including the time <math>t_k</math> its state was described by <math>x(t),\ t_1 \le t \le t_k</math> [24], will be

:<math>P^{ps}(s) = P\left\{ X(s) \in S_0 \mid x(t),\ t_1 \le t \le t_k,\ s \ge t_k \right\}</math> (2)

To solve the forecasting problem, the process under study must be represented by the formula

:<math>X(t) = m(t) + \sum_{\nu} V_\nu \varphi_\nu(t),</math> (3)

where <math>m(t)</math> – mean function of the process;

<math>\varphi_\nu(t)</math> – non-random (coordinate) time functions;

<math>V_\nu</math> – random, uncorrelated coefficients, <math>M[V_\nu] = 0</math>, <math>M[V_\nu, V_\mu] = 0</math>, <math>\nu \ne \mu</math>.

This representation, proposed in [18, 19], can be applied to any traffic parameter that can be represented as a time series. The process <math>X(t)</math> can be written as a random sequence <math>X(t_i) = X(i),\ i = \overline{1,I}</math> in a discrete series of observations <math>t_i</math> [25]:

:<math>X(i) = m(i) + \sum_{\nu=1}^{i} V_\nu \varphi_\nu(i),\quad i = \overline{1,I},</math> (4)

where <math>V_\nu</math> – random coefficient with parameters <math>M[V_\nu] = 0</math>, <math>M[V_\nu, V_\mu] = 0</math>, <math>\nu \ne \mu</math>; <math>M[V_\nu^2] = D_\nu</math>;

<math>\varphi_\nu(i)</math> – non-random coordinate function, <math>\varphi_\nu(\nu) = 1</math>, <math>\varphi_\nu(i) = 0</math> while <math>\nu > i</math>.

The formulas for variance and correlation function can be written as

:<math>D(i) = \sum_{\nu=1}^{i} D_\nu \varphi_\nu^2(i),\quad i = \overline{1,I},</math> (5)

:<math>D(i,j) = \sum_{\nu=1}^{\inf(i,j)} D_\nu \varphi_\nu(i) \varphi_\nu(j),\quad i,j = \overline{1,I}.</math> (6)

Thus, the representation of random processes of traffic parameters (2) allows solving the problem of detecting a slow DDoS attack based on predicting the delay between transmitted packets.

====2.3. Slow DDoS Attack detection algorithm based on delay time prediction====
To detect slow DDoS attacks within the framework of approach (1) - (6), the following algorithm for predicting delays between transmitted packets is proposed.

0. Start
1. <math>X(t) \leftarrow \{X(t),\ t = \overline{1,T}\}</math> ‒ formation of an array of process observations <math>X(t)</math>.
2. <math>x(\mu) \leftarrow \{x(\mu),\ \mu = \overline{1,k}\}</math> ‒ formation of an array of control results.
3. <math>L \leftarrow \mathrm{Length}[X(t)]</math> ‒ determining the number of trajectories observed.
4. <math>m(t) = \mathrm{Mean}[X(t)]</math> ‒ calculating the mean of a random function <math>X(t)</math>.
5. <math>c = \mathrm{Covariance}[X(t)]</math> ‒ calculating the covariance matrix for <math>X(t)</math>.
6. <math>d = \mathrm{Variance}[X(t)]</math> ‒ calculating an array of variances of a process <math>X(t)</math>.
7. <math>\varphi = \mathrm{Table}[0, T, T]</math> ‒ determining the initial value of the coordinate functions.
8. <math>\hat{X}(t) = X(t) - m(t),\ t = \overline{1,T}</math> ‒ centering the source data.
9. <math>V(t) = X_l(t) - m(t),\ t = \overline{1,T};\ l = \overline{1,L}</math> ‒ determination of initial values of random coefficients.
10. <math>\varphi_1 = \frac{c_{1,j}}{d_1},\ j = \overline{1,T}</math> ‒ definition of the first coordinate function.
11. For <math>i = 1</math> to <math>i = T</math>
12. <math>d_i = c_{i,i} - \sum_{j=1}^{i-1} \varphi_{i,j}^2 d_j</math> ‒ variance override.
13. For <math>j = 1</math> to <math>j = T</math>
14. <math>\varphi_i = \frac{1}{d_1} \left( c_{i,j} - \sum_{l=1}^{i-1} d_l \varphi_{i,l} \varphi_{j,l} \right)</math> ‒ redefining coordinate functions.
15. for j
16. for i
17. For <math>i = 2</math> to <math>i \le T</math>
18. For <math>k = 1</math> to <math>k < i</math>
19. <math>\varphi_{i,k} = 0</math> ‒ redefining the coordinate functions of a random process.
20. for k
21. for i
22. For <math>i = 2</math> to <math>i \le T</math>
23. For <math>l = 1</math> to <math>l = L</math>
24. <math>V_{l,i} = \hat{X}_{l,i} - \sum_{k=1}^{i-1} V_{l,k} \varphi_{k,i}</math> ‒ determination of random coefficients.
25. for l
26. for i
27. <math>ps \leftarrow \mathrm{Length}[x(\mu)]</math> ‒ size of the array of control results.
28. <math>M_1 = \mathrm{Table}[m_i + (x_1 - m_1) \varphi_{1,i},\ i = \overline{1,T}]</math> ‒ determination of the initial predicted trajectory.
29. For <math>h = 2</math> to <math>h = ps</math>
30. <math>M_h = \mathrm{Table}[M_{h-1,i} + (x_h - M_{h-1,h}) \varphi_{h,i},\ i = \overline{1,T}]</math> ‒ calculation of forecast control points.
31. for h
32. <math>X_{forecast} = \mathrm{Table}\left[ M_{k,i} + \sum_{j=k+1}^{i} V_{k,j} \varphi_{k,j},\ k = \overline{1,ps},\ i = \overline{1,T} \right]</math> ‒ calculation of predicted trajectory.
33. End

The application of the algorithm makes it possible to construct a forecast of the system response delay time and determine the moment when this parameter goes beyond the critical values. In the event that latency is classified as a slow DDoS attack, security measures must be taken. A slow DDoS attack decision must be made for each sender IP address based on a comparison of predicted latency parameters with critical values to determine when the parameter enters the critical zone. This approach takes into account the statistics of the behavior of the interacting hosts, as well as the behavior of other hosts in similar situations in the event of a slow DDoS attack.

===3. Application of the algorithm for detecting slow DDoS attacks based on predicting the response delay time===
Slow DDoS attack detection simulations are performed for the RUDY attack. RUDY is a network server attack designed to crash a web server by sending long requests. The attack is carried out using a tool that scans the target website and detects embedded web forms. Once the forms have been detected, RUDY sends valid HTTP POST requests with an abnormally long content-length header field, and then begins entering information, one byte per packet. This type of attack is difficult to detect due to small fluctuations in incoming traffic.

For clarity, only one case of an attack against the background of normal traffic was taken, as shown in Figure 2. The average delay between transmitted packets is considered as the parameter under study.

The prediction algorithm was applied to the process shown in Figure 2, taking as the initial observation values individual points in the time series that correspond to a partial trajectory (blue line in Figure 2). Considering this line as a control line, the first values of the time series were taken as the initial observation data, corresponding to t = 1, 30, 60 s of observations.

Figure 2: Traffic patterns

Figure 3a shows the forecast results for t = 1 s. Since there are few initial observational data, the process is reproduced as a whole in terms of the average value. In this case, the values of the predicted traffic in the event of an attack will be very different from the real ones (red curve). Increasing the number of observations to t = 30 s (Figure 3b) increases the reliability of further prediction, and at t = 60 s we can talk about a fairly accurate prediction <math>P^{ps}(s) \ge 0.99</math>.

In Figure 3b and 3c, curves of other colors show how forecasting will be carried out when receiving data from other control points <math>t_\mu,\ \mu = \overline{1,k},\ k < I</math>, preceding the moment <math>t_k</math>. That is, the probability of error in choosing the correct trajectory depends on the amount of raw data observed. It is logical to assume that in this case the forecast accuracy will be too dependent on the trajectory behavior characteristics that lead to abnormal traffic, as well as on the observed frequency of anomalies. Thus, the method "selects" the required trajectory depending on the entry point and the average trajectory.

For this example, the important question is how the forecasting accuracy depends on the number of a priori observations. This issue has already been considered in [18], where it was shown that in 60...90 s the deviation of the predicted trajectory from the control one decreases to 5...0%. This confirms the adequacy of the predictive model for identifying slow DDoS attacks based on predicting network latency.

Figure 3. Delay Time forecasting with observation time t = 1, 30, 60 s (panels a) t = 1 s, b) t = 30 s, c) t = 60 s): ― forecast value; ― compared value; --- mean value

Figure 4: Coordinate functions

Even more interesting is the question of the behavior of the coordinate functions (Fig. 4). These functions are recalculated at each stage of calculating the predicted value and at the final stage are constant for a certain statistical series. They describe the relationship of the current parameter at the time of observation with its statistical data obtained during previous observations. As can be seen from Figure 3 a)‒c), the coordinate functions respond to changes in the trajectory over time somewhat more than the average or forecast lines, which can be an additional factor in forecasting.

===4. Conclusions===
1. Low and slow DDoS attacks are difficult to detect due to minor changes in traffic parameters. Existing methods for detecting slow DDoS attacks require significant statistical material for training artificial intelligence systems. More promising, according to the authors, are methods based on predicting traffic parameters, in particular, the packet delay time in the network.

2. Predicting the delay time of packets in the network allows you to solve the problem of detecting slow DDoS attacks based on an algorithm for finding unknown future values for a time series of traffic parameters. The proposed method is a combination of artificial intelligence and statistical analysis and uses a self-learning algorithm provided there are sufficient attack statistics. The developed algorithm of the method makes it possible to accurately determine the random process at control points and to provide a minimum of the mean square of the approximation error in the intervals between these points.

3. Further research in the field of countering slow DDoS attacks can be devoted to the issues of forecasting at intervals that are not covered by statistics or the operation of the method in the absence of some observations or strong data noise.

===5. References===
[1] Enrico Cambiaso, Gianluca Papaleo, Giovanni Chiola, Maurizio Aiello. (2013). Slow DOS Attacks: Definition and Categorisation. International Journal of Trust Management in Computing and Communications. 1. 300-319. 10.1504/IJTMCC.2013.056440.

[2] David Holmes. Mitigating DDoS Attacks with F5 Technology. [Electronic Resource] URL: https://www.f5.com/pdf/white-papers/mitigating-ddos-attacks-tech-brief.pdf

[3] Vasileios Theodorou, Mark Shtern, Roni Sandel, Marin Litoiu, Chris Bachalo. (2014). Towards Mitigation of Low and Slow Application DDoS Attacks. Proceedings - 2014 IEEE International Conference on Cloud Engineering, IC2E 2014. 10.1109/IC2E.2014.38

[4] Michael Siracusano, Stavros Shiaeles, B.V. Ghita. (2018). Detection of LDDoS Attacks Based on TCP Connection Parameters. Conference: 2018 Global Information Infrastructure and Networking Symposium (GIIS). 1-6. 10.1109/GIIS.2018.8635701

[5] Gagandeep Kaur, Vikas Saxena, J.P. Gupta. Detection of TCP targeted high bandwidth attacks using self-similarity. Journal of King Saud University - Computer and Information Sciences, Volume 32, Issue 1, 2020, Pages 35-49, ISSN 1319-1578, https://doi.org/10.1016/j.jksuci.2017.05.004.

[6] Lucas Cadalzo, Christopher H. Todd, Banjo Obayomi, W. Brad Moore and Anthony C. Wong. Canopy: A Learning-based Approach for Automatic Low-and-Slow DDoS Mitigation. ICISSP 2021 - 7th International Conference on Information Systems Security and Privacy.

[7] Vinícius de Miranda Rios, Pedro R.M. Inácio, Damien Magoni, Mário Freire. Detection of reduction-of-quality DDoS attacks using Fuzzy Logic and machine learning algorithms. Computer Networks, Elsevier, 2021, 186, pp.107792. 10.1016/j.comnet.2020.107792. hal-03182934

[8] A. Dhanapal and P. Nithyanandam. The Slow Http Distributed Denial of Service Attack Detection in Cloud. Scalable Computing: Practice and Experience. Volume 20, Number 2, pp. 285–298, 2019.

[9] A. Dhanapal and P. Nithyanandam. The Slow HTTP DDOS Attacks: Detection, Mitigation and Prevention in the Cloud Environment. Scalable Computing: Practice and Experience. Volume 20, Number 4, pp. 669–685, 2019.

[10] T. Lukaseder, S. Ghosh, F. Kargl. Mitigation of Flooding and Slow DDoS Attacks in a Software-Defined Network. 16 August 2018. https://arxiv.org/pdf/1808.05357.pdf

[11] H. Abusaimeh, H. Atta, H. Shihadeh. Survey on Cache-Based Side-Channel Attacks in Cloud Computing. International Journal of Emerging Trends in Engineering Research. Volume 8, No.4, p.1019-1026, April 2020.

[12] L. Calvert, T. M. Khoshgoftaar. Impact of class distribution on the detection of slow HTTP DoS attacks using Big Data. Journal of Big Data. 6, 67, 2019.

[13] B. Cusack, and Z. Tian. Detecting and tracing slow attacks on mobile phone user service. In Valli, C. (Ed.). The Proceedings of 14th Australian Digital Forensics Conference, 5-6 December 2016, Edith Cowan University, Perth, Australia. pp. 4-10, 2016.

[14] Ie. V. Duravkin, A. Carlsson, A. S. Loktionova. Method of Slow-Attack Detection. Information processing systems, issue 8 (124), pp. 102-106, 2014.

[15] I.V. Ruban, D.W. Pribylnov, Е.С. Loshakov. A method of detecting a low-speed denial-of-service attack. Science and technology of the Air Force of the Armed Forces of Ukraine, № 4(13). 85-88, 2013.

[16] Ya. V. Tarasov. Investigation of the application of neural networks for the detection of low-intensity DDоS-attacks of the application level. Cybersecurity issues №5(24), 23-29, 2017.

[17] Y. M. Krakovsky, A. N. Luzgin. The cyberattack intensity forecasting to information systems of critical infrastructures. Problems of smart cities and sustainable development of territories. SAFETY2018, Ekaterinburg, October 4-5, 34-42, pp. 180-187, 2018.

[18] Vitalii Savchenko, Oleh Ilin, Nikolay Hnidenko, Olga Tkachenko, Oleksandr Laptiev, Svitlana Lehominova. Detection of Slow DDoS Attacks based on User’s Behavior Forecasting. International Journal of Emerging Trends in Engineering Research (IJETER) Volume 8. No. 5, May 2020. Scopus Indexed - ISSN 2347 – 3983. pp.2019 – 2025.

[19] Vitalii Savchenko, O. Matsko, O. Vorobiov, Y. Kizyak, L. Kriuchkova, Y. Tikhonov, A. Kotenko. Network traffic forecasting based on the canonical expansion of a random process. Eastern European Journal of Enterprise Technologies. VOL 3, NO 2 (93). p. 33-41, 2018.

[20] Vitalii Savchenko, Viktor Zaika, Maksym Trembovetskyi, German Shuklin, Liubov Berkman, Kamila Storchak, Ihor Rolin. Composite Radioisotope Coating Parameters and Reflecting Characteristics Calculation Selection Method. International Journal of Advanced Trends in Computer Science and Engineering. Volume 8, No.5, September - October 2019. ‒ P. 2246-2251. https://doi.org/10.30534/ijatcse/2019/60852019

[21] Vitalii Savchenko, Oleh Vorobiov, Oksana Tkalenko, Olha Polonevych, German Shuklin, Maksym Trembovetskyi, Viktor Zaika, Marianna Konopliannykova. Influense of Composit Materials Nonlinear Properties with Radioisotope Inclutions on Reflected Radiations. International Journal of Advanced Trends in Computer Science and Engineering. 2019. No.6. P. 2716-2720.

[22] Vitalii Savchenko, V. Akhramovych, A. Tushych, I. Sribna, I. Vlasov. Analysis of Social Network Parameters and the Likelihood of its Constraction. International Journal of Emerging Trends in Engineering Research. Volume 8, No. 2, p. 271-276, February 2020.

[23] Serhii Yevseiev, Roman Korolyov, Andrii Tkachov, Oleksandr Laptiev, Ivan Opirskyy, Olha Soloviova. Modification of the algorithm (OFM) S-box, which provides increasing crypto resistance in the post-quantum period. International Journal of Advanced Trends in Computer Science and Engineering (IJATCSE) Volume 9. No. 5, September-Oktober 2020, pp. 8725-8729.

[24] Oleg Barabash, Oleksandr Laptiev, Oksana Kovtun, Olga Leshchenko, Kseniia Dukhnovska, Anatoliy Biehun. The Method dynavic TF-IDF. International Journal of Emerging Trends in Engineering Research (IJETER), Volume 8. No. 9, September 2020. pp. 5713-5718.

[25] Oleg Barabash, Oleksandr Laptiev, Volodymyr Tkachev, Oleksii Maystrov, Oleksandr Krasikov, Igor Polovinkin. The Indirect method of obtaining Estimates of the Parameters of Radio Signals of covert means of obtaining Information. International Journal of Emerging Trends in Engineering Research (IJETER), Volume 8. No. 8, August 2020. Indexed- ISSN: 2278 – 3075. pp.4133 – 4139.

[26] Oleksandr Laptiev, Savchenko Vitalii, Serhii Yevseiev, Halyna Haidur, Sergii Gakhov, Spartak Hohoniants. The new method for detecting signals of means of covert obtaining information. 2020 IEEE 2nd International Conference on Advanced Trends in Information Theory (IEEE ATIT 2020) Conference Proceedings Kyiv, Ukraine, November 25-27. pp.176 –181.
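The forecasting part of the algorithm in Section 2.3, as an added example that is not code from the paper: the variances and coordinate functions come from the recursion implied by equations (5) and (6), and the forecast is the control-point update of steps 28-30, compared per sender against a critical delay. The training trajectories, the 250 ms limit and all function names are constructed for illustration; a numerically zero variance (rank-deficient covariance) is handled by leaving that coordinate function at zero.

```python
# Added example: forecast of inter-packet delay by canonical expansion.
# All data, names and the 250 ms limit below are constructed for illustration.

def mean_and_cov(trajs):
    """Mean m[i] and covariance c[i][j] over the L observed trajectories."""
    L, T = len(trajs), len(trajs[0])
    m = [sum(x[i] for x in trajs) / L for i in range(T)]
    c = [[sum((x[i] - m[i]) * (x[j] - m[j]) for x in trajs) / L
          for j in range(T)] for i in range(T)]
    return m, c


def canonical_expansion(c, rel_eps=1e-9):
    """Variances D[v] and coordinate functions phi[v][i] from eqs (5)-(6).

    phi[v][v] = 1 and phi[v][i] = 0 for i < v. If D[v] is numerically zero
    (rank-deficient covariance, e.g. fewer trajectories than time steps),
    coefficient v carries no information and phi[v][i] stays 0 for i > v.
    """
    T = len(c)
    D = [0.0] * T
    phi = [[0.0] * T for _ in range(T)]
    for v in range(T):
        D[v] = c[v][v] - sum(D[l] * phi[l][v] ** 2 for l in range(v))
        phi[v][v] = 1.0
        if D[v] <= rel_eps * c[v][v]:
            D[v] = 0.0
            continue
        for i in range(v + 1, T):
            s = sum(D[l] * phi[l][v] * phi[l][i] for l in range(v))
            phi[v][i] = (c[v][i] - s) / D[v]
    return D, phi


def forecast(m, phi, observed):
    """Predicted trajectory after control points observed[0..k-1] (steps 28-30)."""
    M = list(m)
    for h, x_h in enumerate(observed):
        delta = x_h - M[h]          # deviation from the forecast at control point h
        M = [M[i] + delta * phi[h][i] for i in range(len(M))]
    return M


def first_breach(trajectory, limit):
    """Index of the first sample above the limit, or None if there is none."""
    for i, value in enumerate(trajectory):
        if value > limit:
            return i
    return None


T_STEPS = 12          # one mean-delay sample per second (constructed)
LIMIT_MS = 250.0      # hypothetical critical delay


def make(base_ms, growth_ms):
    """Constructed trajectory: flat baseline, delay grows from t = 3 s."""
    return [float(base_ms + growth_ms * max(0, t - 2)) for t in range(T_STEPS)]


# Constructed statistics: three baselines x three growth rates (0 = normal).
TRAINING = [make(b, a) for b in (40, 50, 60) for a in (0, 25, 50)]


def predicted_breach(observed):
    """Time step at which the forecast for one sender exceeds the limit."""
    m, c = mean_and_cov(TRAINING)
    _, phi = canonical_expansion(c)
    return first_breach(forecast(m, phi, observed), LIMIT_MS)


if __name__ == "__main__":
    suspect, normal = make(55, 40), make(45, 0)
    for k in (1, 4):
        print(k, predicted_breach(suspect[:k]), predicted_breach(normal[:k]))
```

With a single observation both senders are forecast along the mean trajectory; with four observations the slow sender's breach is forecast from data up to step 3 and the normal sender is cleared.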