A COMPREHENSIVE TECHNIQUE FOR DETECTING CYBER AT]TACKS BASED ON THE INTEGRATION OF FRACTAL ANALYSIS AND STATISTICAL METHODS

Abstract

The article discusses a method for detecting cyber-attacks on computer networks based on detecting anomalies in network traffic by assessing its self-similarity and determining the impact of cyber-attacks using statistical methods. The proposed methodology provides for three stages, within which the analysis of the self-similarity property for reference traffic is performed (using the Dickey-Fuller test, R/S analysis and the DFA method), the analysis of the self-similarity property for real traffic (by the same methods) and additional processing of time series by statistical methods (moving average, Z-Score and CUSUM). The issues of software implementation of the proposed approach and the formation of a data set containing network packets are considered. The results of the experiments demonstrated the presence of self-similarity of network traffic and confirmed the high efficiency of the proposed method, which allows detecting cyber-attacks in real or near real time. Introduction: The use of information and communication technologies for information collection in modern computer networks makes it possible for an attacker to influence the network infrastructure by implementing cyber-attacks. Cyberattacks can achieve their goals due to the massive use of outdated operating systems, ineffective protection mechanisms and the presence of multiple vulnerabilities in unsecured network protocols. Such vulnerabilities give a potential attacker the ability to change the settings of network devices, listen and redirect traffic, block network interaction and gain unauthorized access to internal components of computer networks. The purpose of the work is to develop a methodology for detecting anomalies in network traffic by determining the degree of self-similarity of traffic using fractal analysis and statistical methods. Methods used: software implementation of the proposed methodology and the formation of a data set containing network packets. The results of the experiments demonstrated the presence of self-similarity of network traffic and confirmed the high efficiency of the proposed technique, which allows detecting cyber-attacks in real or near real time. The scientific novelty lies in the fact that the proposed methodology provides for three stages, within which the analysis of the self-similarity property for reference traffic is performed (using the Dickey-Fuller test, R/S analysis and the DFA method), the analysis of the self-similarity property for real traffic (by the same methods) and additional processing of time series by statistical methods (methods moving Average (MA), Z-Score and CUSUM). Result: the presented methodology allows detecting the impact of cyberattacks in real and close to real time, and the use of statistical methods increases the accuracy of determining cyberattacks. Practical significance: the presented methodology is universal and can be applied in the information exchange systems of public administration bodies performing the tasks of ensuring the security of the country.