# Method of Early Detection of Cyber-Attacks on Telecommunication Networks Based on Traffic Analysis by Extreme Filtering


## Abstract


## 1. Introduction

- Analysis of network traffic;
- Scanning of transfer protocols;
- Analysis of network and its vulnerabilities.

## 2. Method of Early Detection of Cyber-Attacks

- Carrying out the attack “The analysis of network traffic” with probability $P_1$ for average time $\overline{t}_1$ with time distribution function D(t);
- Carrying out the attack “Scanning of data transfer protocols” with probability $P_2$ for average time $\overline{t}_2$ with time distribution function N(t);
- Carrying out the attack “Scanning of network and its vulnerabilities” with probability $P_3$ for average time $\overline{t}_3$ with time distribution function V(t).

_{repeat}with time distribution functions b1(t), b2(t), and b3(t).

… $P_{1.1}$ and with an average time of $\overline{t}_{1.1}$) and at the network layer (with probability $P_{1.2}$ and with an average time $\overline{t}_{1.2}$). For an implementation of the attack "Scanning of transfer protocols", it is necessary to scan for an attack by a TCP packet with the SYN flag (with probability $P_{2.1}$ and an average time $\overline{t}_{2.1}$), FIN (with probability $P_{2.2}$ and an average time $\overline{t}_{2.2}$), ACK (with probability $P_{2.3}$ and an average time $\overline{t}_{2.3}$), XMAS (with probability $P_{2.4}$ and an average time $\overline{t}_{2.4}$), NULL (with probability $P_{2.5}$ and an average time $\overline{t}_{2.5}$), UDP packets (with probability $P_{2.6}$ and an average time $\overline{t}_{2.6}$) and ICMP (with probability $P_{2.7}$ and an average time $\overline{t}_{2.7}$). For an implementation of the attack "Scanning of network and its vulnerabilities", scanning is carried out in the protocols RIP, OSPF, SNMP, HTTP, SAMBA, TELNET, POP3, NNTP, FINGER, FTP, TFTP, RLOGIN, IDENT, MAC, and RPC.

… $\overline{t}_{query}$, $d = 1/\overline{t}_{traffic}$, $n = 1/\overline{t}_{scan}$, $v = 1/\overline{t}_{vuln}$, $a = 1/\overline{t}_{report}$, $b_{1(2;3)} = 1/\overline{t}_{repeat}$, which correspond to the following intensities: sending requests with the average time $\overline{t}_{query}$ and the time distribution function E(t); the analysis of traffic with the average time $\overline{t}_{traffic}$ and the time distribution function D(t); scanning of data transfer protocols with the average time $\overline{t}_{scan}$ and the time distribution function N(t); search of vulnerabilities with the average time $\overline{t}_{vuln}$ and the time distribution function V(t); drawing up the report with the average time $\overline{t}_{report}$ and the time distribution function A(t); repetition of the private attack with the average time $\overline{t}_{repeat}$ and the time distribution function $B_{1(2;3)}(t)$.

… $\overline{t}_{query}$ = 2 min, $\overline{t}_{traffic}$ = 7 min, $\overline{t}_{scan}$ = 7 min, $\overline{t}_{vuln}$ = 5 min, $\overline{t}_{report}$ = 6 min, $\overline{t}_{repeat}$ = 4 min, $p_1$ = 0.3, $p_2$ = 0.5, $p_3$ = 0.8. The time distribution function F(t) is presented in Figure 4.

## 3. Experimental Results

_{i}. As initial data, we will accept:

- The average time to repair of the system after a cyber action $t_d$ = 2 s,
- The average time of successful implementation of the first attack $t_{r1}$ = 400 s,
- The average time of successful implementation of the second attack $t_{r2}$ = 300 s,
- The average volume of a data packet V = 0.25 Mbit,
- The data transmission rate $R_v$ = 150 Mbit/s,
- The flow is self-similar with Hurst index equal to 0.71,
- The incoming flow of packets is characterized by the Weibull distribution.

… $\lambda_1$ = 10 packet/s and $\lambda_2$ = 13 packet/s). The results are summarized in Table 2.

## 4. Discussion

## 5. Conclusions

## Author Contributions

## Funding

## Conflicts of Interest

## References


**Figure 1.** Results of simulation of impact detection by the extreme filtering method in the determined mode (red color shows an impact, blue shows a highlighted component).

**Figure 3.** The stochastic network of the sequence of equivalent cyber-attacks in the preparation of the DDOS attack.

**Figure 4.** The time distribution functions for implementation of separate attacks during DDOS attack preparation.

| | Characteristics of Attacks | Methods | | |
|---|---|---|---|---|
| | | SB | ML | SA |
| 1 | Possibility of operation in real time mode | Yes/No | No | Yes |
| 2 | Accuracy | Middle | High | Middle |
| 3 | Possibility of early DDOS-attack detection | No | No | Yes |

| Metrics | Metric Values at Different Incoming Flow Intensities | |
|---|---|---|
| | $\lambda_1$ = 10 packet/s | $\lambda_2$ = 13 packet/s |
| The average packet delay time, sec. | 0.788 | 1.23 |
| The probability of packet losses | 0.195 | 0.25 |
| The packet delay time jitter, sec. | 0.811 | 1.268 |

| Metrics | Metric Values at Different Average Volumes of Packets V | |
|---|---|---|
| | $\lambda_1$ = 10, $V_1$ = 0.2 | $\lambda_1$ = 10, $V_2$ = 0.27 |
| The average packet delay time, sec. | 0.749 | 0.805 |
| The probability of packet losses | 0.19 | 0.197 |
| The packet delay time jitter, sec. | 0.776 | 0.827 |

| Metrics | Metric Values at Different Recovery Times | |
|---|---|---|
| | $\lambda$ = 10, $t_{r1}$ = 3 s | $\lambda$ = 10, $t_{r2}$ = 9 s |
| The average packet delay time, sec. | 4.403 | 18.253 |
| The probability of packet losses | 0.327 | 0.801 |
| The packet delay time jitter, sec. | 5.476 | 36.28 |

**Table 5.** Comparison of the proposed and known methods for the accuracy and duration of DDOS attack detection.

© 2019 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Privalov, A.; Lukicheva, V.; Kotenko, I.; Saenko, I.
Method of Early Detection of Cyber-Attacks on Telecommunication Networks Based on Traffic Analysis by Extreme Filtering. *Energies* **2019**, *12*, 4768.
https://doi.org/10.3390/en12244768
