Using anomaly detection method to detect network attacks

Keywords: anomaly detection, network attacks, finite state machines, verification, modeling, distributed information networks, probabilistic modeling, verification modeling

Abstract

The article describes a model for detecting network intrusions in network traffic based on the TCP/IP protocol stack. The main objects of a local area network are analyzed, and the main controlled parameters of each type of object are described. Anomaly detection methods based on both rule-based analysis and probabilistic model analysis are developed.

Relevance. Due to the intensive growth of information technologies and their implementation in various sectors of the municipal economy, the issue of information security has become highly relevant.

Research methods. The following were used in solving the tasks: methods of control theory; methods of building security systems; graph theory; probability theory and mathematical statistics; methods of time series analysis; methods of predictive analytics and big data processing; and methods of building high-load secure programs. The main research methods are probabilistic and verification modeling.

The results. Probabilistic and verification modeling of network attacks has confirmed the effectiveness of the proposed approach. The results of synthesis using CAD showed that the additional hardware costs do not exceed 20% compared to the standard description model.

Conclusions. The developed system model allows detection of attacks on the key simulated objects. The test results showed high efficiency in detecting anomalies in the numerical parameters of the model. To increase accuracy, it is planned to move on to modeling the concept of a "service" and to modeling the HTTP, SMTP and POP3 protocols. The session model also allows detection of existing and new TCP session-level attacks, as well as some types of denial-of-service attacks. The network traffic flow model makes it possible to detect attacks such as various kinds of system scanning, installation of Trojan programs (the number of bytes in the outbound stream increases) and installation of an ICMP shell (the number of ICMP packets increases). The time interval model allows detection of some types of system scanning, denial-of-service attacks and web shell installation.
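The flow-model indicators named in the conclusions (a jump in outbound bytes, a jump in ICMP packet count, many distinct destination ports in one window) can be illustrated with a small detector that combines a probabilistic check with a rule-based check, as the abstract describes. The code below is an added example and is not the authors' model: it stands in a per-host Gaussian z-score for whatever probabilistic model the paper uses, and the `FlowWindow` record, the thresholds `Z_THRESHOLD` and `SCAN_PORT_THRESHOLD`, the host address and all traffic numbers are constructed assumptions.

```python
"""Per-host flow-window anomaly detection (added example, not the paper's code).

A FlowWindow summarises one host's outbound traffic for one fixed time window.
Baselines are learned from windows assumed to be normal; later windows are
scored with a z-score (probabilistic part) and a port-count rule (rule-based
part).  All data and thresholds are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List


@dataclass(frozen=True)
class FlowWindow:
    host: str               # source host whose outbound traffic is summarised
    out_bytes: int          # bytes sent by the host in the window
    icmp_packets: int       # ICMP packets sent by the host in the window
    distinct_dst_ports: int # distinct destination ports contacted in the window


@dataclass
class Baseline:
    mean_bytes: float
    std_bytes: float
    mean_icmp: float
    std_icmp: float


Z_THRESHOLD = 3.0          # assumed: more than 3 sigma above baseline is anomalous
SCAN_PORT_THRESHOLD = 20   # assumed: >20 distinct ports in one window reads as a scan
MIN_STD = 1.0              # floor so a constant baseline cannot give a zero divisor

# Constructed training windows for one host, assumed to be attack-free.
TRAINING_WINDOWS = [
    FlowWindow("10.0.0.5", 10000, 2, 3),
    FlowWindow("10.0.0.5", 12000, 3, 4),
    FlowWindow("10.0.0.5", 11000, 1, 2),
    FlowWindow("10.0.0.5", 9000, 2, 3),
    FlowWindow("10.0.0.5", 13000, 3, 4),
    FlowWindow("10.0.0.5", 10500, 2, 3),
]


def learn_baselines(windows: List[FlowWindow]) -> Dict[str, Baseline]:
    """Compute mean and population std of bytes and ICMP counts per host."""
    per_host: Dict[str, List[FlowWindow]] = {}
    for w in windows:
        per_host.setdefault(w.host, []).append(w)
    baselines: Dict[str, Baseline] = {}
    for host, ws in per_host.items():
        byte_counts = [w.out_bytes for w in ws]
        icmp_counts = [w.icmp_packets for w in ws]
        baselines[host] = Baseline(
            mean(byte_counts), max(pstdev(byte_counts), MIN_STD),
            mean(icmp_counts), max(pstdev(icmp_counts), MIN_STD),
        )
    return baselines


def score_window(w: FlowWindow, baselines: Dict[str, Baseline]) -> List[str]:
    """Return a list of findings for one window; an empty list means normal."""
    base = baselines.get(w.host)
    if base is None:
        # A host with no baseline cannot be scored probabilistically.
        return ["unknown host: no baseline"]
    findings: List[str] = []
    z_bytes = (w.out_bytes - base.mean_bytes) / base.std_bytes
    z_icmp = (w.icmp_packets - base.mean_icmp) / base.std_icmp
    if z_bytes > Z_THRESHOLD:
        findings.append(f"outbound bytes anomaly (z={z_bytes:.1f})")
    if z_icmp > Z_THRESHOLD:
        findings.append(f"icmp packet anomaly (z={z_icmp:.1f})")
    if w.distinct_dst_ports > SCAN_PORT_THRESHOLD:
        findings.append(f"port scan rule: {w.distinct_dst_ports} distinct ports")
    return findings


if __name__ == "__main__":
    baselines = learn_baselines(TRAINING_WINDOWS)
    # Constructed observed windows: normal, bytes spike, ICMP spike, scan.
    observed = [
        FlowWindow("10.0.0.5", 11500, 2, 3),
        FlowWindow("10.0.0.5", 60000, 2, 3),
        FlowWindow("10.0.0.5", 11000, 40, 3),
        FlowWindow("10.0.0.5", 12000, 2, 60),
    ]
    for w in observed:
        print(w, "->", score_window(w, baselines) or ["normal"])
```

The z-score check is deliberately per host: a byte volume that is normal for a file server is anomalous for a workstation, so a single global threshold would either miss the Trojan-style increase or flood the operator with false positives. The `MIN_STD` floor matters for counters such as ICMP packets, which are often nearly constant in the baseline and would otherwise make every small change look extreme.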

Author Biographies

Svitlana Demenkova, National Technical University "Kharkiv Polytechnic Institute", Kirpychova St., 2, Kharkiv, 61002

Senior Lecturer of the Department of Automation of Chemical-Technological Systems and Environmental Monitoring

Kateryna Demchenko, State Biotechnology University, Alchevsky St., 44, Kharkiv, Ukraine, 61002

Associate Professor of the Department of Automation and Computer-Integrated Technologies

Yana Koroleva, National Technical University "Kharkiv Polytechnic Institute", Kirpychova St., 2, Kharkiv, 61002

Associate Professor of the Department of Multimedia and Internet Technologies and Systems

Yurii Pakhomov, Beketov Kharkiv National University of Urban Economy, Marshala Bazhanov St., 17, Kharkiv, Ukraine, 61002

Associate Professor of the Department of Computer Sciences and Information Technologies

Published: 2023-12-11

How to Cite: Demenkova, S., Demchenko, K., Koroleva, Y., & Pakhomov, Y. (2023). Using anomaly detection method to detect network attacks. Bulletin of V.N. Karazin Kharkiv National University, Series «Mathematical Modeling. Information Technology. Automated Control Systems», 60, 15-27. https://doi.org/10.26565/2304-6201-2023-60-02

Section: Articles