In the modern digital world, where more aspects of life are transitioning online, cybercrime and cybersecurity have become urgent problems hindering societal development. These problems require adequate solutions through the collective efforts of specialists in various fields, from IT to law, since many cybercrimes, such as DDoS attacks on computer systems and networks (CSN), can have significant consequences for individuals, organizations, and even states [ 1, 2 ]. The scenarios used by cybercriminals are quite creative and constantly evolving, making cybercrime increasingly sophisticated and complex.

As demonstrated in [ 3, 4 ], DDoS attacks pose a significant danger to industrial control systems (ICS). These systems are often used in enterprises and critical infrastructure such as energy, water supply, transport, and manufacturing. Attacks on ICS, including DDoS attacks, can lead to severe consequences, such as operational disruptions, economic losses, and threats to human safety. For instance, in 2013, an attack targeted the U.S. water supply systems [ 5 ]. The attack could have caused equipment failures controlling water distribution and wastewater treatment, posing a serious public health threat. Cybersecurity specialists managed to prevent such a scenario at an early stage of the attack’s development. In 2016, a DDoS attack targeted the railway management systems in Sweden [ 6 ]. The attack caused system disruptions, leading to train delays and cancellations. In 2017, a DDoS attack on a semiconductor manufacturer caused failures in their production management system, resulting in significant production delays and economic losses. Even this brief overview demonstrates that DDoS attacks pose a serious threat to ICS, disrupting their normal operation and causing significant negative consequences. These attacks can halt production processes, lead to economic losses, and even pose safety threats [ 7 ]. Therefore, in this paper, we investigate the possibility of developing a Python software product that, based on the mathematical apparatus of Bayesian Networks (BN), helps automate the analysis and calculation of probabilistic estimates from collected evidence to confirm or refute hypothesis. Such a tool will be extremely useful for the effective investigation of DDoS attacks, facilitating the work of specialists and improving the accuracy of conclusions.

A key role in investigating unauthorized interference in CSN, such as organizing DDoS attacks, is the search for evidence in the non-material (digital) environment. From a software-technical perspective, the elements of CSN during an investigation at the site of a potential cyberattack, such as a DDoS attack, require extreme caution, considering factors such as the large volume of electronic information, the presence of intellectual property rights on parts of the information, hidden data inaccessible to the regular computer user, and the risks of data loss due to careless actions or the potential programmed automatic execution of data destruction algorithms.

As demonstrated in [ 8, 9 ], using the BN apparatus to prove the involvement of a specific computer in a DDoS attack is a powerful tool. Bayesian Networks (BN) allow for modeling complex cause-and-effect relationships between various aspects of digital evidence and drawing substantiated conclusions based on available data. This is especially important for establishing the fact of a specific computer’s involvement in carrying out a DDoS attack, which requires analyzing numerous factors and probabilities. As shown in [ 8 ], BN can effectively integrate data from various sources, including network activity logs, system configurations, and user information, significantly enhancing the accuracy and reliability of investigations. Thus, the use of BN in cybercrime investigations opens new prospects for improving the efficiency and reliability of identifying participants in DDoS attacks. All the above has prompted our interest in this topic.

A crucial aspect of finding and securing digital (electronic) evidence is adhering to the “best evidence rule” [ 10–14 ].

Compliance with this principle depends on using specialized knowledge in collecting electronic evidence, which IT specialists possess. This helps safeguard data from accidental deletion or damage and prevents cases of programmed self-destruction of files, for example, when an incorrect password is entered into the directory. Given the above, when searching for digital evidence, it is important to consider the identified evidence, such as tools for executing DDoS attacks. Suppose, during the investigation of a DDoS attack, a computer suspected of carrying out the attacks was seized. During the analysis of this computer’s contents, specialized programs (Low Orbit Ion Canon, HULK, PYLORIS, TORS HAMMER, etc.) or scripts for launching DDoS attacks may be found. The work history or logs may contain records of launching tools commonly used for DDoS attacks and connections to command servers used to manage botnets.

The development of the research outlined in [ 8 ] involves creating a practical Python-based software product. This product will automate the calculation of probabilistic estimates of collected evidence to confirm hypotheses based on the mathematical apparatus of Bayesian Networks. This program will significantly simplify the work of both IT specialists and forensic investigators involved in investigating DDoS attacks, providing accurate and reliable results comparable to those obtained with the GeNIe package.

Python is one of the most popular programming languages due to its simplicity and readability, allowing for the quick and efficient development of complex algorithms.

Additionally, Python has a rich set of libraries and frameworks for statistical analysis, machine learning, and working with Bayesian Networks. For example, libraries such as pgmpy (used in our product), scikit-learn, PyMC3, and networkx provide powerful tools for building, training, and visualizing BN. This greatly simplifies the development process and allows focusing on solving specific tasks rather than creating tools from scratch.

The development environment used was PyCharm, one of the most powerful and convenient development environments for Python, offering many tools that simplify the writing, debugging, and testing of code. It is worth noting that Python and PyCharm run on all major operating systems (Windows, macOS, Linux), ensuring the possibility of developing and using the program across different platforms. In our view, using Python and PyCharm to develop a software product automating evidence analysis with BN provides the optimal combination of convenience, power, and flexibility. This allows the creation of efficient, reliable, and easily maintainable solutions for cybersecurity tasks, including investigating DDoS attacks on ICS.

The main hypothesis (H), see Table 1 and Fig. 1, according to assumption (H_DDOS_T arg et), is that the seized computer could have been used to carry out a DDoS attack on the target CSN. This hypothesis may include at least two sub-hypotheses.

H1 is that the seized computer was used to gain access to the target CSN, а H2 is that the seized computer was used to organize the DDoS attack. Evidence (E) for each sub-hypothesis might include, for example, the presence of the target CSN’s IP address on the seized computer or the matching of the seized computer’s IP address with the attacker’s IP address identified by the provider.

Presenting the BN structure as shown in Fig. 1 offers many advantages. For example, visualization helps to more easily understand the complex probabilistic relationships between hypotheses and evidence. The connections between nodes (hypotheses and evidence) are visible, facilitating understanding of the structure and logic of reasoning. The graphical representation allowed us to intuitively evaluate the influence of each piece of evidence on the sub-hypotheses and the main hypothesis. In general, such a software product will help experts and users better understand the basis of their decisions and how various pieces of evidence affect the hypothesis’s probability. This will contribute to more reasoned and confident decisions in investigating such crimes. It is worth noting that graphical representation makes the information accessible to a wide audience, including those who may not have in-depth knowledge of mathematics and statistics. This facilitates discussion and explanation of conclusions among team members and stakeholders. Additionally, visualization helps identify gaps in the data and dependencies that may require further investigation or data collection, contributing to a more comprehensive and detailed analysis of the situation.

For implementing the Python program, we structured sub-hypotheses and corresponding evidence for the main hypothesis (see Table 1).

From a legal perspective, seized objects (computer equipment and its components) are considered potential sources of evidence, and any unprofessional actions involving them may result in the loss or inadmissibility of such evidence. In this regard, a well-justified position emphasizes the need for advanced specialized training for investigators involved in cybercrime investigations, aligned with modern challenges and the future development of the information technology sector.

Main Hypothesis H: A seized computer was used to launch a DDoS attack on the target computer Sub-hypothesis H1: The seized Sub-hypothesis H2: The seized computer was used to conduct the DDoS attack computer was used to access the target Evidence for Sub-hypothesis H2: computer E5: Evidence of the suspect's qualifications was found.

Evidence for Sub-hypothesis H1: E6: The IP address of the seized computer matches the attacker’s IP address at the time of E1: The IP address of the target the attack. computer was found on the seized E7: DDoS tools were found on the seized computer. computer. E8: Evidence of the user creating DDoS tools was found.

E2: The URL address of the target E9: Log entries of searching for DDoS tools on the Internet were found. computer was found on the seized E10: Log entries of downloading DDoS tools from the Internet were found. computer. E11: A botnet control program was found.

E3: The IP address of the target E12: Evidence of the user creating the botnet control program was found. computer matches the access IP address E13: Log entries of a DDoS attack launched on the target computer through the botnet were (as specified by the provider). found.

E4: Log entries of access to the target E14: Log entries of connecting to the botnet were found. computer at the relevant time were E15: The IP address of the seized computer matches the botnet control IP address at the found. time of the attack. Fig. 2 shows a general view of our software product with a results output block displaying the probabilistic assessments of the collected evidence to support various hypotheses (Main hypothesis—the seized computer (CSN) was used to launch a DDoS attack on the target computer, along with two subhypotheses described earlier). In addition to this output format, the obtained results can be visualized more clearly in the form of histograms, as shown in Fig. 3.

This format of visualizing conclusions in the form of histograms, obtained for the probabilities of various evidence during the investigation of DDoS attacks from the suspect’s computer, makes the process of analyzing evidence more convenient and easier to interpret.

Automation largely eliminates subjective errors and bias that can occur during manual analysis of evidence. The use of a Bayesian network (BN) allows for more precise consideration of the probabilities of various events and their interrelations, which often leads to objective conclusions. It is important to note that automated systems, such as the one proposed in this work, significantly accelerate the process of analyzing large volumes of data.

This is especially important in time-constrained environments during cybercrime investigations, as the use of Bayesian networks allows for the effective representation of complex dependencies between various pieces of evidence and hypotheses. Additionally, automation enables the use of advanced algorithms and analytical methods that may not be available during manual data processing. This leads to higher-quality and deeper evidence analysis, increasing the chances of successfully investigating crimes related to the implementation of DDoS attacks on ICS (industrial control systems). The development of a software product in Python using Bayesian networks, in our view, ensures the standardization of analysis methods. This allows practicing specialists in the field of cybercrime investigations to apply a unified approach to various investigations, simplifying the training and preparation of specialists and ensuring consistency in methods and approaches. Automated systems, similar to the one presented above, provide quantitative probabilistic assessments that assist investigators and experts in making well-informed decisions. In particular, modeling various scenarios and their probabilistic evaluations enables more accurate forecasting of outcomes and the development of strategies for investigating such crimes in the future. Finally, automation ensures the transparency of the analysis process, allowing the results to be easily reproduced and verified. This is critically important for the legal validity of conclusions and their presentation in court.

The prospect of further research lies in the addition of dialogue windows for expert interaction to the developed software product. This will significantly enhance the usability of the computational core based on the Bayesian network, which is particularly important for investigating applied cases related to DDoS attacks on industrial control systems (ICS). Expert dialogue windows will provide an intuitive and user-friendly interface, simplifying data entry and system interaction. This is crucial because experts investigating DDoS attacks are often not programming specialists. A simple and clear interface will allow them to effectively use the software product without requiring deep programming knowledge. Moreover, the introduction of dialogue windows will significantly reduce the time needed for data entry and processing. Experts will be able to interact with the system more quickly and efficiently, thereby accelerating the investigation process.

In this paper, the following main results were obtained:

It is shown that the use of Bayesian Networks (BN) in the developed Python software product will automate the process of analyzing collected evidence, eliminating subjective errors and bias often arising in the manual processing of data during cybercrime investigations.

It is demonstrated that automating the analysis will significantly reduce the time required to process large amounts of data, which is especially important in timelimited conditions when investigating cybercrimes, particularly DDoS attacks.

It is established that for the task of establishing responsibility for carrying out DDoS attacks, BN allows for accounting for the probabilities of various events and their relationships, leading to more accurate and objective conclusions. This is critically important for the legal justification of conclusions and their presentation in court.

It is demonstrated that developing a Python-based software product ensures the unification of analysis methods, allowing a consistent approach to different investigations, and simplifying the training and preparation of specialists.

It is shown that automation ensures the transparency of the analysis process, allowing for easy reproduction and verification of results, and enhancing trust in conclusions and their legal significance.

The presented approach and the developed software product can be effectively used to model various scenarios and their probabilistic assessments, allowing for more accurate predictions of cybercrime consequences and developing strategies for their investigation in the future. The work demonstrates that the proposed automation of cybercrime analysis using BN is an important step in improving the investigation and decision-making processes, particularly in the context of DDoS attacks on ICS.