Introduction

Ensuring information security is an important aspect of the development of modern society. Due to the fact that confidential and secret information is processed and stored in information systems, this problem is relevant in the design and operation of specialized information systems [1].

The difficulty of ensuring stable operation of modern specialized information systems (IS) has recently been constantly increasing due to more frequent cases of attacks implemented by malicious software [2,3]. These attacks are accompanied, as a rule, by information influences on IS elements. Information influences are carried out by the offender using computer attacks, which aim to make the functions implemented by specialized IS unavailable or difficult to access. The result of the influence of malicious software is the blocking of commands, work failures or the complete impossibility of IS operation [2].

In works [1, 4 -7], the most famous types of computer attacks are given, where DDoS attacks (Distributed Denial of Service) occupy a special place. The prevalence of this type of attacks is due to the simplicity of their implementation and the serious consequences of their implementation.

DDoS attacks can be implemented at almost any level of the ISO/OSI network protocol stack model used by computer systems for communication [8 -12].

DDoS attacks on levels 3-4 and 7 of the ISO/OSI model are the most popular among criminals [11,13]. This is explained by the following reasons.

At the 3rd and 4th levels of the ISO/OSI model, the object of attack is the elements of the network infrastructure, such as routers and others. A DDoS attack at the third level aims at the transmission of a large volume of data (flood). The attack at the fourth level is carried out with the aim of slowing down, and with the maximum effect -blocking the operation of the web server. Loading the access channels of the web server will eventually lead to the blocking of access of the client's automated workplaces to the resources provided by the specialized IS.

Even more dangerous is a DDoS attack at the 7th level of the ISO/OSI model [11]. The reason is that it is directed to the application server, which causes it to become overloaded and, to a large extent, makes the functions of the specialized IS unavailable for its automated workplaces. This type of attack is particularly difficult to implement and is characterized by high transparency for anti-virus software due to their similarity to useful traffic.

According to the National Cyber Security Coordination Center of Ukraine [1], in 2023, every fifth Ukrainian company or state organization experienced a DDoS attack. At the same time, attacks most often targeted large banks (27%), medium and small businesses (15%). DDoS attacks were aimed at creating problems in the operation of the main pages of the websites of both state institutions (including educational institutions -the authors of the article directly observed and investigated the actions of attackers on the electronic resources of the Khmelnytskyi National University), and businesses (39% of attacks), output failure of communication services, mail, communication, as well as functions that allow the user to enter the IS (19%).

Experts of the National Cyber Security Coordination Center note that last year Ukraine took the leading place in the world in terms of the number of DDoS attacks on its specialized systems for various purposes.

Thus, the task of assessing the capabilities of malicious software to carry out DDoS attacks on specialized IS is, along with others, one of the most pressing scientific tasks today.

One of the most difficult and important tasks for evaluating capabilities, detecting and countering the effects of malicious software is the selection of a mathematical model adequate for the purposes [14,15]. Today, a large number of cyber security models are used in information security tasks: models of a legitimate user and violator [12,20], models of attacks [3] and their detection [14], adaptive models of intrusion detection and countermeasures systems using methods of intelligent data analysis (multilayer direct propagation networks, radial base networks, recurrent networks and self-organizing maps, etc.) [15 -17].

This work is devoted to the construction and consideration of a model of the process of a computer attack of the type "Distributed Denial of Service" on the elements of a specialized information system. The resulting model allows you to estimate not only the potential capabilities of malicious software, but also the time it takes to implement a DDoS attack on network elements of information systems.

A problem to be solved

Today, one of the most convenient technologies for building computer networks of organizations and companies is the MPLS network technology [18,19]. It combines the technique of virtual channels with the functionality of the TCP/IP stack. This network property is achieved by having the same LSR (Label Switch Router) network device act as both an IP router and a virtual circuit switch. This makes it possible to combine territorially separated parts of information systems of companies into single local networks, which is extremely convenient. That is why the MPLS technology is chosen as the basic one when creating a mathematical model of a DDoS attack.

We conduct research for the MPLS network, which consists of routers, switches, servers and client automated workstations of some specialized IS, which functions under the influence of DDoS attacks.

A DDoS attack is preceded by some preparatory actions. To a large extent, the success of the attack depends on the number of computers that make up the Bot network. Unfortunately, today, such networks not only exist, but are also provided by criminals for rent. Therefore, today the attacker has the opportunity to immediately focus directly on the object of the attack.

As a rule, an attacker needs to conduct reconnaissance of the network of the information system chosen for the attack by performing a number of steps. For this, he needs to determine its active elements, type and versions of operating systems, as well as network services. We denote the average time spent on this as 𝑡𝑡 𝑑𝑑𝑑𝑑𝑑𝑑.𝑑𝑑𝑒𝑒𝑑𝑑𝑒𝑒 ,𝑡𝑡 𝑑𝑑𝑑𝑑𝑑𝑑.𝑂𝑂𝑂𝑂 and 𝑡𝑡 𝑑𝑑𝑑𝑑𝑑𝑑.𝑜𝑜𝑑𝑑.𝑠𝑠𝑑𝑑𝑠𝑠𝑠𝑠 with distribution functions M(t), D(t), L(t), respectively. The attacker successfully implements these actions with probabilities𝑃𝑃 𝑑𝑑𝑑𝑑𝑑𝑑.𝑑𝑑𝑒𝑒𝑑𝑑𝑒𝑒. , 𝑃𝑃 𝑑𝑑𝑑𝑑𝑑𝑑.𝑂𝑂𝑂𝑂. and 𝑃𝑃 𝑑𝑑𝑑𝑑𝑑𝑑.𝑜𝑜𝑑𝑑.𝑠𝑠𝑑𝑑𝑠𝑠𝑠𝑠 . The calculation of these probabilities can be carried out according to the method proposed in the description of the mathematical model of the information security violator [20].

If the attacker failed to set at least one of the network parameters, then his attempts will be repeated with probabilities 1 − 𝑃𝑃 𝑑𝑑𝑑𝑑𝑑𝑑.𝑑𝑑𝑒𝑒𝑑𝑑𝑒𝑒 , 1 − 𝑃𝑃 𝑑𝑑𝑑𝑑𝑑𝑑.𝑂𝑂𝑂𝑂 and 1 − 𝑃𝑃 𝑑𝑑𝑑𝑑𝑑𝑑.𝑜𝑜𝑑𝑑.𝑠𝑠𝑑𝑑𝑠𝑠𝑠𝑠 , respectively, where 𝑡𝑡 𝑎𝑎𝑠𝑠𝑑𝑑𝑠𝑠.𝑠𝑠𝑑𝑑𝑟𝑟𝑑𝑑𝑟𝑟 is the average repetition time with the distribution function Z(t).

In the next step, the attacker analyzes the received data and determines the vulnerabilities of the elements of the attacked network in the spent average time 𝑡𝑡 𝑖𝑖𝑑𝑑𝑑𝑑𝑖𝑖𝑟𝑟.𝑠𝑠𝑣𝑣𝑒𝑒 with the time distribution function K(t) and determines the connection requests to the server -attack targets in the average time 𝑡𝑡 𝑠𝑠𝑑𝑑𝑟𝑟𝑣𝑣𝑑𝑑𝑠𝑠𝑟𝑟 with the time distribution function Y(t) and the probability connecting to the target server 𝑃𝑃 𝑐𝑐𝑜𝑜𝑖𝑖𝑖𝑖𝑑𝑑𝑐𝑐𝑟𝑟. , and receiving a response about its status after time 𝑡𝑡 𝑔𝑔𝑑𝑑𝑟𝑟.𝑠𝑠𝑟𝑟𝑎𝑎𝑟𝑟𝑣𝑣𝑠𝑠 with a distribution function U(t). If access is not obtained, the attacker sends a second request in the average time 𝑡𝑡 𝑠𝑠𝑑𝑑𝑟𝑟.𝑠𝑠𝑑𝑑𝑔𝑔 with the distribution function V(t).

To launch a DDoS attack, the offender activates the Bot network , indicates the object of the attack (Fig. 1). Each bot computer starts sending service requests to the attack object with an average time 𝑡𝑡 𝑠𝑠𝑑𝑑𝑔𝑔.𝑠𝑠𝑑𝑑𝑔𝑔. with a time distribution function W(t).

In the case of successful implementation of all steps, the attacker sends a large number of anonymous false connection requests through the Bot-network controlled by him, which lead to the overflow of the server's RAM. Server overload, in turn, blocks the access of legitimate client automated jobs of the attacked specialized IS. Such blocking of IS servers is carried out during the average time 𝑡𝑡 𝑒𝑒𝑜𝑜𝑐𝑐𝑙𝑙. with the distribution function N(t).

The average time 𝑇𝑇 𝑖𝑖𝑒𝑒𝑟𝑟𝑒𝑒.𝑎𝑎𝑠𝑠𝑑𝑑𝑠𝑠. and the distribution function F(t) of the time of implementation by the offender of the DDoS attack are to be determined. At the same time, we will assume that the implementation time of all stages is random and characterized by an exponential distribution, and all probabilities take the same values.

DDoS attack scenario model

Let us present the process of organizing a DDoS attack in the form of a stochastic network (Fig. 2). The DDOS attack scenario may include a parcel in a special non-correal request server for an average time 𝑡𝑡 𝑖𝑖𝑖𝑖𝑠𝑠.𝑠𝑠𝑑𝑑𝑔𝑔 with probability 1 − 𝑃𝑃 𝑖𝑖𝑖𝑖𝑠𝑠.𝑠𝑠𝑑𝑑𝑔𝑔. . This scenario is carried out under the hypothesis that the attacked server contains configuration errors or vulnerabilities known to the attacker. Successful implementation of the attack script can cause the server to "hang" due to a buffer overflow, for example.

Taking into account the given scenario of a DDoS attack, its stochastic network will take the form shown in Fig. 3. Note that here: w(s), m(s), z(s), d(s), l(s), k(s), y(s), v(s), u(s), n(s) and o(s) are the Laplace-Stiltjes transformations of the corresponding distribution functions specified in the problem statement and defined as:

( ) [ ] s ri ri t Ri d st e S ri + = − = ∫ ∞ 0 ) ((1)

where: ri -the equivalent transformation function of the ith distribution function W(t), M(t),..., O(t); Ri(t) is the i-th distribution function of the average time t for the i-th stage of a Ddos attack; s is the change defined on the complex plane S, where the transformation ) (S ri exists.

To determine the equivalent function, we close the input and output of the stochastic network (Fig. 2 and Fig. 3) with a fictitious branch 𝑄𝑄𝑄𝑄(𝑠𝑠) =

𝑄𝑄(𝑠𝑠)

where: Q(s) is the equivalent function of the real resulting branch of the stochastic network (Fig. 2)

In our further steps, we will adhere to the DDoS attack scenario presented in the form of a stochastic network in Fig. 2.

Let's define loops of the first and second orders in the stochastic network model with the assumption that the values of all probabilities 𝑃𝑃 𝑑𝑑𝑑𝑑𝑑𝑑.𝑑𝑑𝑒𝑒𝑑𝑑𝑒𝑒. , 𝑃𝑃 𝑑𝑑𝑑𝑑𝑑𝑑.𝑂𝑂𝑂𝑂 , 𝑃𝑃 𝑑𝑑𝑑𝑑𝑑𝑑.𝑠𝑠𝑑𝑑𝑠𝑠𝑠𝑠. , 𝑃𝑃 𝑠𝑠𝑟𝑟𝑎𝑎𝑟𝑟𝑑𝑑.𝑑𝑑𝑑𝑑𝑑𝑑𝑖𝑖𝑖𝑖 are equal and equal to some value n P . Then the loops of the first order Lk.n, where k = 1, n = 1 -4 will be defined as:

) ( ) 1 ( ) ( 1 . 1 s z n P s m L ⋅ − ⋅ = ; ) ( ) 1 ( ) ( ) ( 2 . 1 s z n P n P s d s m L ⋅ − ⋅ ⋅ ⋅ = ; ) ( ) 1 ( 2 ) ( ) ( ) ( 3 . 1 s z n P n P s l s d s m L ⋅ − ⋅ ⋅ ⋅ ⋅ = ; ) 1 ( ) ( 4 . 1 n P s y L − ⋅ = .

Accordingly, loops of the second order Lk.n, where k=2, n=1 -3:

) ( ) ( ) ( ) 2 1 ( ) ( 1 . 2 s v s y s z n P s m L ⋅ ⋅ ⋅ − ⋅ = ; ) ( ) ( ) ( ) 2 1 ( ) ( ) ( 2 . 2 s v s y s z n P n P s d s m L ⋅ ⋅ ⋅ − ⋅ ⋅ ⋅ = ; ) ( ) ( ) ( ) 2 1 ( 2 ) ( ) ( ) ( 3 . 2 s v s y s z n P n P s l s d s m L ⋅ ⋅ ⋅ − ⋅ ⋅ ⋅ ⋅ = . Using Mason's equation: 0 ) ( ) 1 ( 1 1 = ⋅ − + = ∑ = s k Q k H k i (2)

where 𝑄𝑄 𝑙𝑙 (𝑠𝑠) are the equivalent functions of loops of the kth order, we get the equivalent function of the stochastic network:

      ⋅ ⋅ + ⋅ + ⋅ ⋅         − ⋅ −       ⋅ ⋅ + ⋅ + ⋅ ⋅ ⋅ ⋅ ⋅ ⋅ ⋅ ⋅ ⋅ ⋅ ⋅ = n P s l s d n P s d s v n P s y P s l s d n P s Q 2 ) ( ) ( ) ( 1 ) ( 1 1 ) ( 2 ) ( ) ( n P d(s) 1 z(s) ) n P - (1 m(s) - 1 n 4 P n(s) u(s) y(s) k(s) l(s) d(s) m(s) w(s) ) , ((3)

By definition, this is a characteristic function, so its differentiation will allow finding the first and second initial moments of the random time of the implementation of a DDos attack:

0 ) ,0 ( ) , ( ) , ( 1 =            = − = s n P s Q n P s Q ds d n P s M ,(4) 0 ) , 0 ( ) , ( 2 2 ) , ( 2 =            = − = s n P s Q n P s Q ds d n P s M . (5)

From expressions ( 4) and ( 5), we get the formula for determining the average time of DDoS attack implementation:

0 ) , 0 ( ) , ( ) ( =             = − = s n P s Q n P s Q ds d n P p t . (6)

The variance of DDoS attack implementation time 𝐷𝐷(𝑡𝑡 𝑖𝑖𝑒𝑒𝑟𝑟𝑒𝑒. ), which is defined as the second central moment, is represented by the expression:

2 0 ) ,0 ( ) , ( 0 ) , 0 ( ) , ( 2 2 )(               =             = − − =             = − = s n P s Q n P s Q ds d s n P s Q n P s Q ds d p t D .(7)

The calculation of mathematical expectation and dispersion allows to determine the time distribution function of the successful implementation of a DDoS attack as an incomplete gamma function with sufficient accuracy for engineering calculations [21]:

       > ⋅ − ⋅ − ⋅ Γ < = ∫ t t if dt t e t t if t F 0 0 _ _ , 1 ) ( 0 _ _ , 0 ) ( µ α α α µ ,(8)

where 𝛼𝛼 =

Approbation of the model

Calculations were made using formula (8) in the environment of the MathCAD application program package, the results of which are presented in the graphs (Fig. 4). The values of the average time taken by the attacker to implement the steps of the DDoS attack are shown in Table 1 as the initial data.

The values of all of the probabilities are assumed to be equal to 𝑃𝑃 𝑑𝑑𝑑𝑑𝑑𝑑.𝑑𝑑𝑒𝑒𝑑𝑑𝑒𝑒. , 𝑃𝑃 𝑑𝑑𝑑𝑑𝑑𝑑.𝑂𝑂𝑂𝑂. , 𝑃𝑃 𝑑𝑑𝑑𝑑𝑑𝑑.𝑠𝑠𝑑𝑑𝑠𝑠𝑠𝑠 , 𝑃𝑃 𝑐𝑐𝑜𝑜𝑖𝑖𝑑𝑑𝑐𝑐𝑟𝑟. Therefore, in the future we will replace them with the notation Pn and, in the calculation, we will take its value equal to 0.75 -0.9.

In

Conclusions

The analysis of the obtained results shows that the developed model of the scenario of the implementation of a DDoS attack by an attacker on the elements of a specialized information system is sufficiently sensitive to changes in the initial data, allows obtaining consistent results, adequately reflects the course of the computer attack and makes it possible to determine the probability-time characteristics of the attacker's cyber influence system. The simulation results show that the main influence on the success of the offender's implementation of a DDoS attack on IS elements is carried out through the parameters that can become available to him as a result of intelligence of the IS network, through knowledge of methods of identification and authentication of legitimate users.

To increase the security of IS against the cyber influence of the violator, it is advisable to implement the organizational and technical measures outlined in [21,23 -26].

As can be seen from the analysis, today the main threat to information stored in IS comes from the global computer network.

Therefore, the structure of the computer network, on which the operation of the IS will be based, should provide for its division into local segments with access restrictions to them.

In such protected segments with controlled access, the server part of the IS and its client locations, which provide the basic functionality of the system, are placed. The use of managed switches with the function of creating virtual computer networks (VLAN) made it difficult for the attacker to explore the network he chose for the attack, increasing the probability of its negative termination 1 − 𝑃𝑃 𝑑𝑑𝑑𝑑𝑑𝑑.𝑑𝑑𝑒𝑒𝑑𝑑𝑒𝑒. , 1 − 𝑃𝑃 𝑑𝑑𝑑𝑑𝑑𝑑.𝑂𝑂𝑂𝑂 , 1 − 𝑃𝑃 𝑑𝑑𝑑𝑑𝑑𝑑.𝑜𝑜𝑑𝑑.𝑠𝑠𝑑𝑑𝑠𝑠𝑠𝑠 , 1 − 𝑃𝑃 𝑐𝑐𝑜𝑜𝑖𝑖𝑖𝑖𝑑𝑑𝑐𝑐𝑟𝑟 and at the same time allowed:

1. Protect the network from outside interference. A managed network switch port will be able to ignore and drop packets coming from other subnets, regardless of the originating IP address. 2. Flexibly manage the separation of computers by virtual subnets, ensuring isolation from each other, while their topology does not depend on where the network components are physically located.