A model of a DDoS attack scenario on elements of specialized information technology and methods of combating cybercriminals

Mykola Stetsyuk 1,∗,†, Viktor Cheshun 1,†, Yuriy Stetsyuk 1,†, Oleksandr Kozelskiy 1,† and Abdel-Badeeh M. Salem 2,†

1 Khmelnytskyi National University, 11 Institutska Street, Khmelnytskyi, 29000, Ukraine
2 Ain Shams University, Egypt

Abstract
In this article, we present a scenario model of a DDoS attack on elements of specialized information technology. The proposed model provides the initial data for a comprehensive assessment of how stably a specialized information system functions when malicious software acts on its network elements. Testing the model and simulating the DDoS attack process in the MathCAD application program allowed us to conclude that the proposed model represents the simulated process adequately, with a sufficient level of detail and flexibility, is sensitive to changes in input data, and yields consistent simulation results; it also helps identify appropriate directions for ensuring the viability of specialized information systems. The resulting model makes it possible to estimate not only the potential capabilities of malicious software, but also the time it takes to carry out a DDoS attack on network elements of information systems. The work also gives practical advice on including hardware that prevents malware attacks in the architectures of specialized information systems under development.

Keywords
cybersecurity, malware, DDoS attack, attack scenario, stochastic network, software vulnerability

1. Introduction
Ensuring information security is an important aspect of the development of modern society. Because confidential and secret information is processed and stored in information systems, this problem is relevant to the design and operation of specialized information systems [1].
The difficulty of ensuring stable operation of modern specialized information systems (IS) has been increasing steadily because attacks carried out by malicious software have become more frequent [2,3]. As a rule, these attacks are accompanied by information influences on IS elements. The offender exerts these influences through computer attacks that aim to make the functions implemented by the specialized IS unavailable or difficult to access. The result of the influence of malicious software is the blocking of commands, operating failures or the complete inability of the IS to operate [2].

IntelITSIS'2024: 5th International Workshop on Intelligent Information Technologies and Systems of Information Security, March 28, 2024, Khmelnytskyi, Ukraine
∗ Corresponding author.
† These authors contributed equally.
mykola.stetsiuk@khmnu.edu.ua (M. Stetsiuk); cheshunvn@khmnu.edu.ua (V. Cheshun); yuriy.stetsuk@khmnu.edu.ua (Y. Stetsiuk); oleksandr.kozelskiy@khmnu.edu.ua (O. Kozelskiy); abmsalem@yahoo.com (Abdel-Badeeh M. Salem)
0000-0003-3875-0416 (M. Stetsiuk); 0000-0002-3935-2068 (V. Cheshun); 0000-0001-9880-2666 (Y. Stetsiuk); 0000-0002-4104-745X (O. Kozelskiy); 0000-0003-0268-6539 (Abdel-Badeeh M. Salem)
© 2023 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).

Works [1, 4 - 7] describe the best-known types of computer attacks, among which DDoS (Distributed Denial of Service) attacks occupy a special place. The prevalence of this type of attack is due to how simple it is to carry out and how serious its consequences are. DDoS attacks can be implemented at almost any level of the ISO/OSI network protocol stack model used by computer systems for communication [8 - 12]. DDoS attacks at levels 3-4 and 7 of the ISO/OSI model are the most popular among criminals [11, 13]. This is explained by the following reasons.
At the 3rd and 4th levels of the ISO/OSI model, the objects of attack are elements of the network infrastructure, such as routers and others. A DDoS attack at the third level aims to transmit a large volume of data (flood). An attack at the fourth level is carried out to slow down the web server and, at maximum effect, to block its operation. Loading the access channels of the web server eventually blocks the access of the client automated workplaces to the resources provided by the specialized IS.

Even more dangerous is a DDoS attack at the 7th level of the ISO/OSI model [11]. The reason is that it is directed at the application server, which becomes overloaded, and this to a large extent makes the functions of the specialized IS unavailable to its automated workplaces. This type of attack is particularly difficult to implement and is characterized by high transparency to anti-virus software, because its traffic resembles useful traffic.

According to the National Cyber Security Coordination Center of Ukraine [1], in 2023 every fifth Ukrainian company or state organization experienced a DDoS attack. The attacks most often targeted large banks (27%) and medium and small businesses (15%). DDoS attacks were aimed at disrupting the main pages of the websites of both state institutions (including educational institutions: the authors of the article directly observed and investigated the actions of attackers against the electronic resources of the Khmelnytskyi National University) and businesses (39% of attacks), and at disabling communication services, mail and communications, as well as the functions that allow the user to log in to the IS (19%). Experts of the National Cyber Security Coordination Center note that last year Ukraine took the leading place in the world in the number of DDoS attacks on its specialized systems for various purposes.
Thus, the task of assessing the capabilities of malicious software to carry out DDoS attacks on specialized IS is, along with others, one of the most pressing scientific tasks today. One of the most difficult and important tasks in evaluating the capabilities of malicious software, and in detecting and countering its effects, is the selection of a mathematical model adequate for the purpose [14,15]. Today, a large number of cyber security models are used in information security tasks: models of a legitimate user and of a violator [12, 20], models of attacks [3] and of their detection [14], and adaptive models of intrusion detection and countermeasure systems that use methods of intelligent data analysis (multilayer feed-forward networks, radial basis networks, recurrent networks, self-organizing maps, etc.) [15 - 17].

This work is devoted to the construction and consideration of a model of the process of a computer attack of the "Distributed Denial of Service" type on the elements of a specialized information system. The resulting model makes it possible to estimate not only the potential capabilities of malicious software, but also the time it takes to carry out a DDoS attack on network elements of information systems.

2. A problem to be solved
Today, one of the most convenient technologies for building the computer networks of organizations and companies is the MPLS network technology [18, 19]. It combines the technique of virtual channels with the functionality of the TCP/IP stack. This property is achieved by having the same LSR (Label Switch Router) network device act as both an IP router and a virtual circuit switch. This makes it possible to combine territorially separated parts of companies' information systems into single local networks, which is extremely convenient. That is why the MPLS technology is chosen as the basis for creating a mathematical model of a DDoS attack.
We conduct the research for an MPLS network that consists of routers, switches, servers and client automated workstations of some specialized IS, which functions under the influence of DDoS attacks.

A DDoS attack is preceded by some preparatory actions. To a large extent, the success of the attack depends on the number of computers that make up the bot network. Unfortunately, such networks not only exist today but are also offered for rent by criminals. Therefore, the attacker can now focus immediately on the object of the attack. As a rule, an attacker needs to conduct reconnaissance of the network of the information system chosen for the attack by performing a number of steps. For this, he needs to determine its active elements, the types and versions of operating systems, and the network services. We denote the average times spent on this as 𝑡𝑡𝑑𝑑𝑑𝑑𝑑𝑑.𝑒𝑒𝑒𝑒𝑒𝑒𝑒𝑒 , 𝑡𝑡𝑑𝑑𝑑𝑑𝑑𝑑.𝑂𝑂𝑂𝑂 and 𝑡𝑡𝑑𝑑𝑑𝑑𝑑𝑑.𝑜𝑜𝑜𝑜.𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠 , with distribution functions M(t), D(t) and L(t), respectively. The attacker successfully carries out these actions with probabilities 𝑃𝑃𝑑𝑑𝑒𝑒𝑓𝑓.𝑒𝑒𝑒𝑒𝑒𝑒𝑒𝑒. , 𝑃𝑃𝑑𝑑𝑑𝑑𝑑𝑑.𝑂𝑂𝑂𝑂. and 𝑃𝑃𝑑𝑑𝑑𝑑𝑑𝑑.𝑜𝑜𝑜𝑜.𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠 . These probabilities can be calculated according to the method proposed in the description of the mathematical model of the information security violator [20]. If the attacker fails to determine at least one of the network parameters, his attempts will be repeated with probabilities 1 − 𝑃𝑃𝑑𝑑𝑑𝑑𝑑𝑑.𝑒𝑒𝑒𝑒𝑒𝑒𝑒𝑒 , 1 − 𝑃𝑃𝑑𝑑𝑑𝑑𝑑𝑑.𝑂𝑂𝑂𝑂 and 1 − 𝑃𝑃𝑑𝑑𝑑𝑑𝑑𝑑.𝑜𝑜𝑜𝑜.𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠 , respectively, where 𝑡𝑡𝑎𝑎𝑎𝑎𝑎𝑎𝑎𝑎.𝑟𝑟𝑟𝑟𝑟𝑟𝑟𝑟𝑟𝑟 is the average repetition time with the distribution function Z(t).
In the next step, the attacker analyzes the received data and determines the vulnerabilities of the elements of the attacked network in the average time 𝑡𝑡𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖.𝑣𝑣𝑣𝑣𝑣𝑣 with the time distribution function K(t). He then determines the connection requests to the server that is the target of the attack in the average time 𝑡𝑡𝑟𝑟𝑟𝑟𝑟𝑟𝑟𝑟𝑟𝑟𝑟𝑟𝑟𝑟 with the time distribution function Y(t), connects to the target server with probability 𝑃𝑃𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐. , and receives a response about its status after the time 𝑡𝑡𝑔𝑔𝑔𝑔𝑔𝑔.𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠 with the distribution function U(t). If access is not obtained, the attacker sends a second request in the average time 𝑡𝑡𝑟𝑟𝑟𝑟𝑟𝑟.𝑟𝑟𝑟𝑟𝑟𝑟 with the distribution function V(t).

To launch a DDoS attack, the offender activates the bot network and specifies the object of the attack (Fig. 1). Each bot computer starts sending service requests to the attack object with an average time 𝑡𝑡𝑠𝑠𝑠𝑠𝑠𝑠.𝑟𝑟𝑟𝑟𝑟𝑟. with the time distribution function W(t). If all steps are carried out successfully, the attacker sends a large number of anonymous false connection requests through the bot network he controls, which lead to the overflow of the server's RAM. Server overload, in turn, blocks the access of the legitimate client automated workstations of the attacked specialized IS. Such blocking of IS servers takes the average time 𝑡𝑡𝑙𝑙𝑙𝑙𝑙𝑙𝑙𝑙. with the distribution function N(t).

The average time 𝑇𝑇𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖.𝑎𝑎𝑎𝑎𝑎𝑎𝑎𝑎. and the distribution function F(t) of the time the offender needs to implement the DDoS attack are to be determined. We assume that the implementation time of every stage is random and exponentially distributed, and that all probabilities take the same value.

3. DDoS attack scenario model
Let us present the process of organizing a DDoS attack in the form of a stochastic network (Fig. 2).

Figure 1: The principle of organizing and running a DDoS attack.

Figure 2: Stochastic network of a computer DDoS attack.
The DDoS attack scenario may also include sending a special incorrect request to the server in an average time 𝑡𝑡𝑖𝑖𝑖𝑖𝑖𝑖.𝑟𝑟𝑟𝑟𝑟𝑟 with probability 1 − 𝑃𝑃𝑖𝑖𝑖𝑖𝑖𝑖.𝑟𝑟𝑟𝑟𝑟𝑟. . This scenario is carried out under the hypothesis that the attacked server contains configuration errors or vulnerabilities known to the attacker. Successful implementation of this attack scenario can cause the server to "hang", for example because of a buffer overflow. Taking this scenario into account, the stochastic network of the DDoS attack takes the form shown in Fig. 3.

Figure 3: Stochastic network of a computer DDoS attack with an incorrect request.

Note that here w(s), m(s), z(s), d(s), l(s), k(s), y(s), v(s), u(s), n(s) and o(s) are the Laplace-Stieltjes transforms of the corresponding distribution functions specified in the problem statement and defined as:

$$r_i(s) = \int_0^{\infty} e^{-st}\, d[R_i(t)] = \frac{r_i}{r_i + s} \tag{1}$$

where: r_i is the equivalent transformation function of the i-th distribution function W(t), M(t), ..., O(t); R_i(t) is the i-th distribution function of the average time t for the i-th stage of a DDoS attack; s is the variable defined on the complex plane S, where the transform r_i(s) exists.

To determine the equivalent function, we close the input and output of the stochastic network (Fig. 2 and Fig. 3) with a fictitious branch 𝑄𝑄𝑄𝑄(𝑠𝑠) = 1/Q(s), where Q(s) is the equivalent function of the real resulting branch of the stochastic network (Fig. 2).

In our further steps, we adhere to the DDoS attack scenario presented in the form of a stochastic network in Fig. 2. Let us define the loops of the first and second orders in the stochastic network model under the assumption that the values of all probabilities 𝑃𝑃𝑑𝑑𝑑𝑑𝑑𝑑.𝑒𝑒𝑒𝑒𝑒𝑒𝑒𝑒. , 𝑃𝑃𝑑𝑑𝑑𝑑𝑑𝑑.𝑂𝑂𝑂𝑂 , 𝑃𝑃𝑑𝑑𝑑𝑑𝑑𝑑.𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠. , 𝑃𝑃𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠.𝑑𝑑𝑑𝑑𝑑𝑑𝑑𝑑𝑑𝑑 are equal to one another and to some value $P_n$.
Then the loops of the first order L_{k.n}, where k = 1, n = 1 - 4, will be defined as:

$$L_{1.1} = m(s) \cdot (1 - P_n) \cdot z(s);$$
$$L_{1.2} = m(s) \cdot d(s) \cdot P_n \cdot (1 - P_n) \cdot z(s);$$
$$L_{1.3} = m(s) \cdot d(s) \cdot l(s) \cdot P_n^2 \cdot (1 - P_n) \cdot z(s);$$
$$L_{1.4} = y(s) \cdot (1 - P_n).$$

Accordingly, the loops of the second order L_{k.n}, where k = 2, n = 1 - 3, are:

$$L_{2.1} = m(s) \cdot (1 - P_n)^2 \cdot z(s) \cdot y(s) \cdot v(s);$$
$$L_{2.2} = m(s) \cdot d(s) \cdot P_n \cdot (1 - P_n)^2 \cdot z(s) \cdot y(s) \cdot v(s);$$
$$L_{2.3} = m(s) \cdot d(s) \cdot l(s) \cdot P_n^2 \cdot (1 - P_n)^2 \cdot z(s) \cdot y(s) \cdot v(s).$$

Using Mason's equation:

$$H = 1 + \sum_{i=1}^{k} (-1)^k \cdot Q_k(s) = 0 \tag{2}$$

where $Q_k(s)$ are the equivalent functions of the loops of the k-th order, we get the equivalent function of the stochastic network:

$$Q(s, P_n) = \frac{w(s) \cdot m(s) \cdot d(s) \cdot l(s) \cdot k(s) \cdot y(s) \cdot u(s) \cdot n(s) \cdot P_n^4}{1 - m(s) \cdot (1 - P_n) \cdot z(s) \cdot \left[1 + d(s) \cdot P_n + d(s) \cdot l(s) \cdot P_n^2\right] - y(s) \cdot (1 - P_n)} \cdot \frac{1}{v(s) \cdot \left[1 + d(s) \cdot P_n + d(s) \cdot l(s) \cdot P_n^2\right]} \tag{3}$$

By definition, this is a characteristic function, so differentiating it gives the first and second initial moments of the random time of implementation of a DDoS attack:

$$M_1(s, P_n) = -\left.\frac{d}{ds}\left[\frac{Q(s, P_n)}{Q(s = 0, P_n)}\right]\right|_{s=0}, \tag{4}$$

$$M_2(s, P_n) = -\left.\frac{d^2}{ds^2}\left[\frac{Q(s, P_n)}{Q(s = 0, P_n)}\right]\right|_{s=0}. \tag{5}$$

From expressions (4) and (5), we get the formula for determining the average time of DDoS attack implementation:

$$t_p(P_n) = -\left.\frac{d}{ds}\left[\frac{Q(s, P_n)}{Q(s = 0, P_n)}\right]\right|_{s=0}. \tag{6}$$

The variance of the DDoS attack implementation time 𝐷𝐷(𝑡𝑡𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖. ), which is defined as the second central moment, is represented by the expression:

$$D(t_p) = -\left.\frac{d^2}{ds^2}\left[\frac{Q(s, P_n)}{Q(s = 0, P_n)}\right]\right|_{s=0} - \left\{-\left.\frac{d}{ds}\left[\frac{Q(s, P_n)}{Q(s = 0, P_n)}\right]\right|_{s=0}\right\}^2. \tag{7}$$

Calculating the mathematical expectation and the variance makes it possible to determine the time distribution function of the successful implementation of a DDoS attack as an incomplete gamma function, with sufficient accuracy for engineering calculations [21]:

$$F(t) = \begin{cases} 0, & \text{if } t < 0, \\ \displaystyle\int_0^t \frac{\mu^{\alpha}}{\Gamma(\alpha)} \cdot t^{\alpha - 1} \cdot e^{-\mu \cdot t}\, dt, & \text{if } t > 0, \end{cases} \tag{8}$$

where $\alpha = \frac{[\bar{t}_p(P_n)]^2}{D(\bar{t}_p)}$ is the shape parameter and $\mu = \frac{t_p(P_n)}{D(t_p)}$ is the scale parameter $\Gamma(\alpha)$.

4. Approbation of the model
Calculations were made using formula (8) in the MathCAD application program package; the results are presented in the graphs (Fig. 4). The values of the average time taken by the attacker to implement the steps of the DDoS attack are shown in Table 1 as the initial data. The values of all of the probabilities 𝑃𝑃𝑑𝑑𝑑𝑑𝑑𝑑.𝑒𝑒𝑒𝑒𝑒𝑒𝑒𝑒. , 𝑃𝑃𝑑𝑑𝑑𝑑𝑑𝑑.𝑂𝑂𝑂𝑂. , 𝑃𝑃𝑑𝑑𝑑𝑑𝑑𝑑.𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠 , 𝑃𝑃𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐. are assumed to be equal. Therefore, from here on we replace them with the notation Pn and, in the calculation, take its value equal to 0.75 - 0.9. In turn, the average implementation time 𝑇𝑇𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖.𝑎𝑎𝑎𝑎𝑎𝑎𝑎𝑎 of a DDoS attack at different values of the probability Pn is:
at Pn = 0.75, 𝑇𝑇𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖.𝑎𝑎𝑎𝑎𝑎𝑎𝑎𝑎 = 64.332 min;
at Pn = 0.85, 𝑇𝑇𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖.𝑎𝑎𝑎𝑎𝑎𝑎𝑎𝑎 = 50.197 min;
at Pn = 0.9, 𝑇𝑇𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖.𝑎𝑎𝑎𝑎𝑎𝑎𝑎𝑎 = 41.129 min.

Table 1. Time parameters of DDoS attack simulation.

Step time parameter | Designation | Time, min
Average time to determine active network elements | 𝑡𝑡𝑑𝑑𝑑𝑑𝑑𝑑.𝑒𝑒𝑒𝑒𝑒𝑒𝑒𝑒 | 7
Average time to determine OS type and versions of server and client automated workstations | 𝑡𝑡𝑑𝑑𝑑𝑑𝑑𝑑.𝑂𝑂𝑂𝑂 | 5
Average time to determine services | 𝑡𝑡𝑑𝑑𝑑𝑑𝑑𝑑.𝑜𝑜𝑜𝑜.𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠 | 6
Average service request time | 𝑡𝑡𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠.𝑟𝑟𝑟𝑟𝑟𝑟. | 2
Average time to identify vulnerabilities | 𝑡𝑡𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖.𝑣𝑣𝑣𝑣𝑣𝑣 | 7
The average time to repeat the definition of network elements | 𝑡𝑡𝑟𝑟𝑟𝑟𝑟𝑟.𝑟𝑟𝑟𝑟𝑟𝑟 | 4
Average time to receive a response about the server status | 𝑡𝑡𝑔𝑔𝑔𝑔𝑔𝑔.𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠. | 1
Average retry time of server connection requests | 𝑡𝑡𝑟𝑟𝑟𝑟𝑟𝑟.𝑟𝑟𝑟𝑟𝑟𝑟 | 4
Average server lock time | 𝑡𝑡𝑙𝑙𝑙𝑙𝑙𝑙𝑙𝑙. | 3

Figure 4: Dependence of the integral function of probability distribution on the time of implementation of a DDoS attack when it is successfully implemented with probability Pn.

Conclusions
The analysis of the obtained results shows that the developed model of the scenario in which an attacker implements a DDoS attack on the elements of a specialized information system is sufficiently sensitive to changes in the initial data, yields consistent results, adequately reflects the course of the computer attack and makes it possible to determine the probability-time characteristics of the attacker's cyber influence system.

The simulation results show that the main influence on the offender's success in implementing a DDoS attack on IS elements is exerted through the parameters that can become available to him as a result of reconnaissance of the IS network and through knowledge of the methods used to identify and authenticate legitimate users. To increase the security of the IS against the cyber influence of the violator, it is advisable to implement the organizational and technical measures outlined in [21, 23 - 26].

As the analysis shows, the main threat to information stored in an IS today comes from the global computer network. Therefore, the structure of the computer network on which the operation of the IS will be based should provide for its division into local segments with restricted access. The server part of the IS and its client locations, which provide the basic functionality of the system, are placed in such protected segments with controlled access.
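The calculation chain of Sections 3 and 4, as an added example that is not the authors' MathCAD worksheet: stage transforms from equation (1), Mason's rule over the listed loops, moments by differentiation at s = 0, and the gamma approximation (8). Assumptions: the connection-request time, which Table 1 does not list, is set to 2 min, and the retry loop is taken as y(s)·v(s)·(1 − Pn), so the computed means are not expected to equal those reported in Section 4.

```python
import math

# Mean stage times in minutes from Table 1, keyed by the transform letters of
# Section 3. The connection-request time "y" is not listed in Table 1, so the
# value 2.0 is an assumption made for this example.
STAGE_MIN = {"w": 2, "m": 7, "d": 5, "l": 6, "k": 7,
             "z": 4, "u": 1, "v": 4, "n": 3, "y": 2.0}


def lst(mean, s):
    """Eq. (1) for an exponential stage: r / (r + s) with rate r = 1 / mean."""
    r = 1.0 / mean
    return r / (r + s)


def equivalent_function(s, p):
    """Mason's rule: forward path divided by (1 - sum of L1 + sum of L2)."""
    f = {name: lst(t, s) for name, t in STAGE_MIN.items()}
    # L1.1 + L1.2 + L1.3: a failed reconnaissance step returns through z(s).
    recon = f["m"] * f["z"] * (1 - p) * (1 + f["d"] * p + f["d"] * f["l"] * p ** 2)
    # Connection retry loop, taken as y(s)*v(s)*(1 - p) so that it matches the
    # y(s)*v(s) factor of the second-order loops (assumption of this example).
    retry = f["y"] * f["v"] * (1 - p)
    h = 1 - (recon + retry) + recon * retry  # L2.1 + L2.2 + L2.3 = recon * retry
    path = p ** 4
    for name in "wmdlkyun":
        path *= f[name]
    return path / h


def attack_time_moments(p, step=1e-5):
    """Mean and variance of the attack time via central differences at s = 0."""
    q0 = equivalent_function(0.0, p)

    def g(s):
        return equivalent_function(s, p) / q0

    m1 = -(g(step) - g(-step)) / (2 * step)  # first initial moment
    # Second initial moment: second derivative at s = 0, taken with a positive
    # sign so that the variance m2 - m1**2 is non-negative.
    m2 = (g(step) - 2 * g(0.0) + g(-step)) / step ** 2
    return m1, m2 - m1 ** 2


def gamma_cdf(t, alpha, mu):
    """Eq. (8): regularized lower incomplete gamma function, by power series."""
    if t <= 0:
        return 0.0
    x = mu * t
    term = total = 1.0 / alpha
    k = alpha
    while term > 1e-16 * total:
        k += 1.0
        term *= x / k
        total += term
    return total * math.exp(alpha * math.log(x) - x - math.lgamma(alpha))


def attack_time_profile(p, horizon_min):
    """Mean, variance and F(horizon) for a per-step success probability p."""
    mean, var = attack_time_moments(p)
    alpha, mu = mean ** 2 / var, mean / var
    return mean, var, gamma_cdf(horizon_min, alpha, mu)


if __name__ == "__main__":
    for p in (0.9, 0.85, 0.75, 0.5):
        mean, var, f60 = attack_time_profile(p, 60.0)
        print(f"Pn={p:.2f}  mean={mean:7.2f} min  var={var:9.1f}  F(60 min)={f60:.3f}")
```

Lowering Pn, which is what segmentation and vulnerability elimination aim for, lengthens the mean attack time and lowers F(t) at a fixed horizon.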
Figure 5: Simplified topology of a segmented computer network of a specialized IS.

The use of managed switches with the function of creating virtual computer networks (VLAN) made it difficult for the attacker to explore the network he chose for the attack, increasing the probability of its negative termination 1 − 𝑃𝑃𝑑𝑑𝑑𝑑𝑑𝑑.𝑒𝑒𝑒𝑒𝑒𝑒𝑒𝑒. , 1 − 𝑃𝑃𝑑𝑑𝑑𝑑𝑑𝑑.𝑂𝑂𝑂𝑂 , 1 − 𝑃𝑃𝑑𝑑𝑑𝑑𝑑𝑑.𝑜𝑜𝑜𝑜.𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠 , 1 − 𝑃𝑃𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐 , and at the same time allowed us to:
1. Protect the network from outside interference. A managed network switch port is able to ignore and drop packets coming from other subnets, regardless of the originating IP address.
2. Flexibly manage the separation of computers into virtual subnets, ensuring their isolation from each other, while their topology does not depend on where the network components are physically located.
3. Reduce broadcast traffic in the network. Each virtual subnet created is a separate broadcast domain whose broadcast traffic is not passed between different subnets, which reduces the load on network equipment.
4. Apply separate security rules to each virtual subnet, which reduces the likelihood of a DDoS attack.

It is clear that it is almost impossible to get rid of the destructive influence of malicious software entirely, but its level can be reduced significantly by using advanced countermeasures. As an example, the company "NVisionGroup" offers a comprehensive solution for protection against DDoS attacks based on Cisco Clean Pipes technology, which provides a quick response to DDoS attacks, scales easily, and has high reliability and speed. Cisco Clean Pipes technology involves the use of the Cisco Anomaly Detector and Cisco Guard modules, as well as various systems for statistical analysis of network traffic based on data received from routers using the Cisco Netflow protocol.
Here, Anomaly Detector and the statistical traffic analysis systems act as DDoS attack detection systems, and Cisco Guard acts as a means of countering an attack that has already been detected.

Along with using the functionality of the latest network hardware, one should not ignore a fairly effective countermeasure: the elimination of software vulnerabilities at all levels. This leads to a sharp increase in the average time to find vulnerabilities, 𝑡𝑡𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖.𝑣𝑣𝑣𝑣𝑣𝑣. , and, accordingly, to a decrease in the probability of successful completion, 𝑃𝑃𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖.𝑣𝑣𝑣𝑣𝑣𝑣. . This approach is especially effective when used in conjunction with network monitoring.

References
[1] M. N. Alenezi, H.K. Alabdulrazzaq, A.A. Alshaher, M.M. Alkharang. Evolution of Malware Threats and Techniques: a Review. International Journal of Communication Networks and Information Security (IJCNIS). 12, 3 (Apr. 2022). pp. 326-337. URL: https://doi.org/10.17762/ijcnis.v12i3.4723
[2] A. Zimba. A Bayesian Attack-Network Modeling Approach to Mitigating Malware-Based Banking Cyberattacks. International Journal of Computer Network and Information Security, 2022, Volume 14, Issue 1. pp. 25-39. DOI: https://doi.org/10.5815/ijcnis.2022.01.03
[3] Y. Li, Q. Liu. A comprehensive review study of cyber-attacks and cyber security; Emerging trends and recent developments. Energy Reports, 2021, Vol. 7. pp. 8176–8186. DOI: https://doi.org/10.1016/j.egyr.2021.08.126
[4] Ö. Aslan, S.S. Aktug, M. Ozkan-Okay, A.A. Yilmaz, E. Akin. A Comprehensive Review of Cyber Security Vulnerabilities, Threats, Attacks, and Solutions. Electronics, 2023, Volume 12, Issue 6, pp. 1333. DOI: https://doi.org/10.3390/electronics12061333
[5] J. M. Biju, N. Gopal, A.J. Prakash. Cyber attacks and its different types. International Research Journal of Engineering and Technology (IRJET), 2019, Volume 06, Issue 03, pp. 4849-4852. URL: https://www.irjet.net/archives/V6/i3/IRJET-V6I31244.pdf
[6] Forbes Ukraine. "Monobank repels powerful DDoS attack" - Horokhovskyi. URL: https://forbes.ua/ru/news/monobank-zaznav-potuzhnoi-ddos-ataki-gorokhovskiy-12122023-17834
[7] ENISA Threat Landscape for DoS Attacks / European Union Agency for Cybersecurity, November, 2023. 34 p. URL: https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-dos-attacks
[8] J. Chahal, A. Bhandari, S. Behal. Distributed Denial of Service Attacks: A Threat or Challenge. New Review of Information Networking, 2019, 24. pp. 31-103. URL: https://doi.org/10.1080/13614576.2019.1611468
[9] S. Kotey, E.T. Tchao, D. Gadze. On Distributed Denial of Service Current Defense Schemes. Technologies, 2019, 7(1), 19. pp. 1-24. URL: https://doi.org/10.3390/technologies7010019
[10] M. Khambatta. Comparative Analysis Based on Survey of DDOS Attacks: Detection Techniques at Transport, Network, and Application Layers. Culminating Projects in Information Assurance, 2019, 91. 80 p. URL: https://repository.stcloudstate.edu/msia_etds/91
[11] A. Boyarchuk, N. Petliak, Y. Klots, V. Titova, V. Cheshun. Signature-based Approach to Detecting Malicious Outgoing Traffic. CEUR Workshop Proceedings, 2023, 3373. pp. 486–506. URL: https://ceur-ws.org/Vol-3373/paper33.pdf
[12] H. Alameen, A. Esamaddin. DoS and DDoS Attacks at OSI Layers. International Journal of Multidisciplinary Research and Publications (IJMRAP), Volume 2, Issue 8, 2020. pp. 1-9. URL: https://doi.org/10.5281/zenodo.3610833
[13] I. Dzhalladova, S. Škapa, V. Novotná, A. Babynyuk. Design and analysis of a model for detection of information attacks in computer networks. Economic Computation and Economic Cybernetics Studies and Research, 2019, Issue 3; Vol. 53. pp. 95-112.
[14] Y. Klots, V. Titova, N. Petliak, V. Cheshun, A. Salem. Research of the Neural Network Module for Detecting Anomalies in Network Traffic. CEUR Workshop Proceedings, 3156, 2022. pp. 378–389.
[15] D. Alomari, F. Anis, M. Alabdullatif, H. Aljamaan. A Survey on Botnets Attack Detection Utilizing Machine and Deep Learning Models. EASE '23: Proceedings of the 27th International Conference on Evaluation and Assessment in Software Engineering, June 2023. pp. 493-498.
[16] N. Ahuja, G. Singal, D. Mukhopadhyay, N. Kumar. Automated DDOS attack detection in software defined networking. Journal of Network and Computer Applications, Volume 187, 1 August 2021. pp. 103-108. URL: https://doi.org/10.1016/j.jnca.2021.103108
[17] M. Soneja, C.V. Ravi Kumar. Analyzing the Performance of Various Corporate Networks using Multi-Protocol Label Switching Technology. International Journal of Engineering Research & Technology (IJERT), Volume 09, Issue 06 (June 2020). pp. 1338-1343.
[18] M.A. Ridwan, N.A. Mohamed Radzi, W.S.H.M. Wan Ahmad, F. Abdullah, M.Z. Jamaludin, M.N. Zakaria. Recent trends in MPLS networks: technologies, applications and challenges. IET Commun., 2020, Vol. 14 Iss. 2. pp. 177-185. URL: https://doi.org/10.1049/iet-com.2018.6129
[19] Y.M. Shcheblanin, D.I. Rabchun. Mathematical model of an information security violator / Cybersecurity: education, science, technology, No. 1, 2018, pp. 63-72.
[20] N.O. Virchenko. Basic properties of generalized gamma functions. / National Technical University of Ukraine "KPI", Scientific News of NTUU "KPI", No. 4, 2016. - Kyiv p. 20-26.
[21] M. Stetsyuk, L. Bedratyuk, B. Savenko, V. Stetsyuk, O. Savenko. Providing the Resilience and Survivability of Specialized Information Technology Across Corporate Computer Networks. 1st International Workshop on Intelligent Information Technologies & Systems of Information Security. Khmelnytskyi, Ukraine, June 10-12, 2020; CEUR Workshop Proceedings, 2020; vol 2623, pp 219-238.
[22] L. Yang, A. Obeidat, R. Yaqbeh. Smart Approach for Botnet Detection Based on Network Traffic Analysis. Journal of Electrical and Computer Engineering, Volume 2022, 2022. URL: https://doi.org/10.1155/2022/3073932
[23] J. Velasco-Mata, V. González-Castro, E. Fidalgo et al. Real-time botnet detection on large network bandwidths using machine learning. Scientific Reports 13, 4282 (2023). URL: https://doi.org/10.1038/s41598-023-31260-0
[24] R.S. Skandha Moorthy, N. Nathiya. Botnet Detection Using Artificial Intelligence. Procedia Computer Science Volume 218, 2023. pp. 1405-1413. URL: https://doi.org/10.1016/j.procs.2023.01.119