11 Instytutska St., Khmelnytskyi, 29016

METHOD AND SOFTWARE FOR DETECTING R.U.D.Y. ATTACK BASED ON THE USAGE OF THE ALGORITHM OF DETERMINING TRAFFIC SELF-SIMILARITY

Pages: 180-187. Issue: No. 3, 2019 (273)
Authors:
S. LYSENKO, V. TKACHUK
Khmelnytskyi National University
DOI: https://www.doi.org/10.31891/2307-5732-2019-273-3-180-187
Peer review: 21.05.2019
Printed: 02.06.2019

Abstract in the original language

The paper presents a method for detecting a R.U.D.Y.-type DoS attack based on an algorithm for determining the self-similarity of network traffic. The proposed method makes it possible to detect DoS attacks at the application layer of the OSI model. The proposed method can serve as the basis for building software for cyberattack detection systems.
Keywords: DoS attack, R.U.D.Y., R-U-Dead-Yet, cyberattack detection, Hurst exponent, traffic self-similarity.

Extended abstract in English

Antivirus software using signature-based technologies cannot normally detect zero-day malware, since signatures are not yet available for newly created malware. An analysis of known methods for combating cyberattacks shows their insufficient efficiency, so building a new method for detecting cyber threats is an extremely urgent task. The article presents a new method for detecting a R.U.D.Y.-type DoS attack using an algorithm that determines the self-similarity of network traffic. In the enlarged presentation of the algorithm, the method consists of two parts: training the neural network on previously collected data about harmful traffic, and analysing the received network traffic to form conclusions about the possible detection of cyberattacks. Moreover, to improve the efficiency of the method, it is expedient to carry out the first part before the actual monitoring of network traffic, as training the neural network requires a certain amount of time during which any harmful traffic received can be analysed only with insufficient efficiency. As the approach uses neural networks, several factors affect prediction accuracy. One of them is the diversity of the training samples: most conspicuously, not all possible feature vectors that describe different cyberattacks are adequately represented in the training set. Thus the system can be further improved by choosing more than a few malicious samples for each attack class. The described method makes it possible to detect harmful streams of data packets among ordinary ones, and continuous monitoring of particular malicious flows makes it possible to detect an attacker and to isolate the usual network data stream from the harmful one.
Keywords: DoS-attack, R.U.D.Y., R-U-Dead-Yet, cyberattacks detection, Hurst exponent, traffic self-similarity.
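The abstract rests on the self-similarity of network traffic, measured through the Hurst exponent, as the feature from which the detector draws its conclusions. As an added illustration (not the authors' software and not code from the paper), the block below estimates the Hurst exponent with the classical rescaled-range (R/S) method and then watches consecutive windows of a per-interval packet-count series for a departure from a calibrated baseline. The window sizes, the 0.15 tolerance, the direction-agnostic comparison and the sample series are all assumptions made for the example; the paper's neural-network stage is not reproduced here.

```python
import math
import random
from typing import List, Sequence, Tuple


def rescaled_range(x: Sequence[float]) -> float:
    """R/S statistic of one window: range of the mean-adjusted cumulative sum,
    divided by the window's (population) standard deviation."""
    n = len(x)
    mean = sum(x) / n
    dev = [v - mean for v in x]
    var = sum(d * d for d in dev) / n
    if var == 0.0:
        return float("nan")  # a constant window carries no information
    cum, running = [], 0.0
    for d in dev:
        running += d
        cum.append(running)
    return (max(cum) - min(cum)) / math.sqrt(var)


def hurst_rs(series: Sequence[float], min_window: int = 8) -> float:
    """Hurst exponent H by the rescaled-range method: for window sizes n = 8, 16, ...
    average R/S over the non-overlapping windows of that size, then take the
    least-squares slope of log(R/S) against log(n).  H is about 0.5 for
    uncorrelated counts, above 0.5 for persistent (self-similar) traffic and
    below 0.5 for anti-persistent traffic."""
    total = len(series)
    log_n, log_rs = [], []
    n = min_window
    while n <= total // 2:
        windows = [series[i:i + n] for i in range(0, total - n + 1, n)]
        values = [v for v in (rescaled_range(w) for w in windows) if not math.isnan(v)]
        if values:
            log_n.append(math.log(n))
            log_rs.append(math.log(sum(values) / len(values)))
        n *= 2
    if len(log_n) < 2:
        raise ValueError("series too short for an R/S estimate")
    mx = sum(log_n) / len(log_n)
    my = sum(log_rs) / len(log_rs)
    sxx = sum((a - mx) ** 2 for a in log_n)
    sxy = sum((a - mx) * (b - my) for a, b in zip(log_n, log_rs))
    return sxy / sxx


def detect_self_similarity_shift(counts: Sequence[float], baseline_h: float,
                                 window: int = 1024, tolerance: float = 0.15
                                 ) -> List[Tuple[int, float]]:
    """Estimate H over consecutive windows of a per-interval packet-count series and
    return (window_start, H) for every window whose estimate departs from the
    calibrated baseline by more than `tolerance` in either direction.  The
    tolerance is an assumed illustrative value and must be calibrated per network."""
    alerts = []
    for start in range(0, len(counts) - window + 1, window):
        h = hurst_rs(counts[start:start + window])
        if abs(h - baseline_h) > tolerance:
            alerts.append((start, h))
    return alerts


def build_demo_series(seed: int = 7, window: int = 1024) -> Tuple[List[float], int]:
    """Constructed sample input (not captured traffic): three windows of noisy
    background counts around 50 packets per interval, followed by one window of a
    rigid 60/40 on-off pattern standing in for an artificially regular flow.
    Returns the series and the index where the regular segment begins."""
    rng = random.Random(seed)
    background = [50.0 + rng.gauss(0.0, 10.0) for _ in range(3 * window)]
    rigid = [60.0 if i % 2 == 0 else 40.0 for i in range(window)]
    return background + rigid, 3 * window


if __name__ == "__main__":
    series, anomaly_start = build_demo_series()
    baseline = hurst_rs(series[:1024])  # calibrate on the first clean window
    print(f"baseline H = {baseline:.3f}")
    for start, h in detect_self_similarity_shift(series, baseline):
        print(f"window at {start}: H = {h:.3f} deviates from baseline")
```

Two sanity checks are worth knowing when reading the output: a strictly alternating series gives R/S = 1 at every scale and hence H = 0, while a linear ramp gives R/S proportional to n and hence H close to 1. Real background traffic lands in between, and the baseline must be calibrated on traffic known to be clean, because the comparison flags any departure from it, not one direction of change.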

