An Innovative Approach to Anomaly Detection in Communication Networks Using Multifractal Analysis

Abstract: Fractal and multifractal analysis can help to discover the structure of the communication system, and in particular the pattern and characteristics of traffic, in order to understand the threats better and detect anomalies in network operation. The massive increase in the amount of data transmitted by different devices makes these systems the target of various types of attacks by cybercriminals. This article presents the use of fractal analysis in detecting threats and anomalies. The issues related to the construction and functioning of the Security Operations Centre (SOC) are presented. To examine the correctness of SOC, several attacks on virtual systems located in the network were carried out, such as Denial of Service (DoS) attack, brute force, malware infections, exploits. Based on data collected from monitoring and devices, the response to the event was analyzed, and multifractal spectra of network traffic before and during the incident were created. The collected information allows us to verify the theses and confirm the effectiveness of multifractal methods in detecting anomalies in the operation of any Information and Communication Technology (ICT) network. Such solutions will contribute to the development of advanced intrusion detection systems (IDS).


Introduction
The security and privacy of online services involve many challenges and problems that remain open to research, and anomalies in the operation of a service can cause severe privacy and security issues. In the era of rapid development of information technology, the number and complexity of threats to the security of computer systems and networks are also growing. Preventing all security threats becomes impossible because hackers constantly adapt to emerging information protection technologies. Organizations that operate information technology (IT) systems must take the necessary steps to counteract threats to computer and network resources efficiently. Reactive action in the event of an incident is often not enough [1]. Therefore, in many cases it becomes necessary to use external services or to create a Security Operation Center (SOC), the security management center of the organization. The primary mission of an SOC is to actively counteract all threats and to analyze them in case of a security incident [2,3].
As an anomaly, we consider a specific traffic pattern identified/detected throughout the whole range of analyzed data, indicating some deviation from the accepted standard. Such a deviation may be caused by various factors, both hardware and software, including increased activity caused by

Self-Similarity of Processes
The usefulness of multifractal analysis in quantifying network traffic in supporting anomaly detection and in developing other applications to protect the security of transmission is presented. Multifractality is commonly observed in complex natural and socioeconomic systems. The multifractal analysis provides powerful tools for understanding the complex non-linear nature of time series in various fields. The approaches used to solve the problem of anomaly detection depend on the nature of the data collected. Network data can be obtained at many levels of detail, e.g., based on the end-user or based on the network. End-user data contains information that characterizes the end application (refers to the TCP: transmission control protocol and the UDP: user datagram protocol). Network data describes the operation of network devices and includes information collected from network devices (routers, switches). Traffic numbers obtained from both types of data can be used to generate the time series to which statistical signal processing techniques can be applied.
Self-similarity and fractals are concepts initiated by Benoit B. Mandelbrot. Self-similarity can be associated with "fractals", which are objects with an unchanged appearance at various scales. Self-similarity means that network traffic displays shape similarity on an extended time scale. Hurst parameter (abbreviated as H) is an important index to measure the similarity, which is often used in traffic congestion control and access control. Therefore, estimating the Hurst parameter accurately and rapidly has significance in network management and control [4,16].
Stochastic processes are considered as sequences of random variables, which can be characterized by their mean value, variance, probability distribution, and higher statistical moments. A stationary process is a stochastic process whose probability distribution does not change over time. A characteristic feature of some stochastic processes is that their values are dependent over time. Such a process can still be stationary, because the probability distribution of the process at a moment t is determined without any assumptions about the time preceding it. A process with long-range dependencies is one whose dependencies extend over an infinite time horizon; the autocorrelation function of such a process decays slowly [17,18].
The multifractal spectrum curves represent the distribution of intersection densities between the different regions. This is a clear indicator of how most of the network is evolving to become more similar across its different areas. Multifractal spectra can be determined in many different ways. The two primary methods are the Legendre transform of the partition function and the histogram method (binning the local measures); we have presented the details of these methods in our earlier work [4].
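As an added example (not code from the paper, which used FracLab), the partition-function route to the spectrum described above, implemented in pure Python: the mass exponents τ(q) are fitted from the scaling of the partition function over aligned boxes, and the Legendre transform gives the (α, f(α)) curve. The input is a constructed binomial cascade standing in for a bursty packet-count series, chosen because its exact τ(q) is known and the fit can be checked against it; the spectrum width used as the anomaly indicator is this example's own choice.

```python
"""Multifractal spectrum of a packet-count series via the partition function
and a Legendre transform (pure Python). Added example; FracLab is not used."""
import math
from typing import Dict, List, Sequence, Tuple

Spectrum = List[Tuple[float, float]]  # (alpha, f(alpha)) points


def binomial_cascade(p: float, levels: int) -> List[float]:
    """Constructed stand-in for bursty traffic: a deterministic multiplicative
    cascade with 2**levels bins. Its exact mass exponent is known,
    tau(q) = -log2(p**q + (1 - p)**q), which lets the fitted values be checked."""
    mass = [1.0]
    for _ in range(levels):
        mass = [m * w for m in mass for w in (p, 1.0 - p)]
    return mass


def partition_function(series: Sequence[float], q: float, box: int) -> float:
    """Z(q, box) = sum over aligned boxes of mu_i ** q, where mu_i is the share
    of all packets that fell into box i. Empty boxes are skipped so that q < 0
    does not divide by zero."""
    total = float(sum(series))
    z = 0.0
    for i in range(0, len(series), box):
        mu = sum(series[i:i + box]) / total
        if mu > 0.0:
            z += mu ** q
    return z


def _slope(xs: Sequence[float], ys: Sequence[float]) -> float:
    """Least-squares slope of ys against xs."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sum((x - mx) ** 2 for x in xs)
    return num / den


def mass_exponents(series: Sequence[float], qs: Sequence[float],
                   boxes: Sequence[int]) -> Dict[float, float]:
    """tau(q) is the slope of log Z(q, eps) against log eps, eps = box / N."""
    n = len(series)
    xs = [math.log(b / n) for b in boxes]
    tau: Dict[float, float] = {}
    for q in qs:
        ys = [math.log(partition_function(series, q, b)) for b in boxes]
        tau[q] = _slope(xs, ys)
    return tau


def legendre_spectrum(tau: Dict[float, float], qs: Sequence[float]) -> Spectrum:
    """alpha(q) = d tau / dq by central differences, f(alpha) = q*alpha - tau(q).
    The two endpoint q values have no central difference and are dropped."""
    pts: Spectrum = []
    for i in range(1, len(qs) - 1):
        q, lo, hi = qs[i], qs[i - 1], qs[i + 1]
        alpha = (tau[hi] - tau[lo]) / (hi - lo)
        pts.append((alpha, q * alpha - tau[q]))
    return pts


def spectrum_width(pts: Spectrum) -> float:
    """alpha_max - alpha_min: zero for a monofractal (constant-rate) series and
    wider the more heterogeneous the burst structure is."""
    alphas = [a for a, _ in pts]
    return max(alphas) - min(alphas)


def analyze(series: Sequence[float], q_max: float = 5.0,
            q_step: float = 0.5) -> Tuple[Dict[float, float], Spectrum, float]:
    """Whole pipeline for a series whose length is a power of two:
    returns (tau, spectrum points, spectrum width)."""
    n = len(series)
    boxes = [2 ** k for k in range(n.bit_length()) if 2 ** k <= n]
    steps = int(round(2 * q_max / q_step))
    qs = [-q_max + k * q_step for k in range(steps + 1)]
    tau = mass_exponents(series, qs, boxes)
    pts = legendre_spectrum(tau, qs)
    return tau, pts, spectrum_width(pts)


def spectrum_deviation(baseline: Sequence[float], window: Sequence[float]) -> float:
    """Anomaly indicator used here: absolute change of spectrum width between a
    baseline capture and the window under inspection."""
    return abs(analyze(window)[2] - analyze(baseline)[2])


if __name__ == "__main__":
    bursty = binomial_cascade(0.7, 10)   # constructed, 1024 bins
    steady = [1.0] * 1024                # constructed constant-rate series
    print("spectrum width, bursty:", round(analyze(bursty)[2], 3))
    print("spectrum width, steady:", round(analyze(steady)[2], 3))
    print("deviation steady -> bursty:", round(spectrum_deviation(steady, bursty), 3))
```

On a real capture, the series would be packet counts per fixed time bin (the Wireshark export the paper describes), with the bin count padded or cut to a power of two before calling analyze.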

The Methodology of the Study on Network Traffic Anomaly Detection
An advanced simulation environment has been created for the research. The sophisticated infrastructure allowed us to realize many research scenarios and to measure traffic parameters, including the possibility of its analysis with division into individual network protocols. In order to create and efficiently simulate real network infrastructure, Graphical Network Simulator (GNS3) software was used. This is a free, graphical network emulator, allowing for comprehensive creation and testing of networks built from virtual equipment (a rich library of network devices from leading suppliers such as Cisco, Juniper, and virtual machines). GNS3 can create complex network topologies based on hardware virtualization. The model of designed and tested sophisticated network infrastructure used in the research is shown in Figure 1.
• Network switches: Two Ethernet switches available in the GNS3 library were used, whose function was limited to forwarding network traffic. Additionally, Open vSwitch was used to divide the traffic into the individual segments defined previously in the R1 router. For this purpose, virtual local area networks (VLANs) corresponding to the VRF instances were created. A mirroring port was also enabled to intercept traffic from port G0/0 and send all of it to port G1/1 in order to monitor the network traffic between the R1 router and the devices in the local network;
• Hosts: A lightweight Linux TinyCore distribution with a preinstalled Mozilla Firefox browser was used to connect to the web interfaces of the network security devices. The VRF_A subnetwork contains a host with Ubuntu Xenial installed, which was used as a platform for installing and testing security tools. In the VRF_B subnet there is a host with the Kali Linux system, which has many tools to simulate attacks on computer systems. In the VRF_C subnet there was a VPC, a virtual computer that used minimal resources and had no graphical interface;
• Servers: SRV1, a virtual server located in the DMZ zone, which similarly to the VPC had no graphical interface and allowed only the simplest ping operations.
In addition, free software such as Wireshark [19], OpenVAS [20], Snort [21], Kali Linux [22], and Bro [23] was used for data collection. Snort is a Network Intrusion Detection and Prevention System (IDS/IPS) available under a free license. It offers a wide range of attack detection mechanisms and enables automatic traffic analysis and logging of packets passing through networks based on the IP/TCP/UDP/Internet Control Message Protocol (ICMP) protocols. Snort can analyze packet streams, search for and match suspicious content, and detect many attacks and anomalies. OpenVAS is an entirely free and easily accessible framework that acts as a vulnerability scanner. Wireshark can capture, record, and decode data packets; thanks to a large number of protocol dissectors, it recognizes and decodes many communication protocols. It is used mainly by network administrators, specialized services, and hackers to track packets. Kali Linux is a Debian-based Linux distribution intended mainly for penetration tests, security breaches, and security audits. Bro software (an open source network security monitoring tool) is not an active security device like a firewall or intrusion prevention system. Bro is a sensor (hardware, software, virtual, or cloud platform) that quietly and unobtrusively observes network traffic. It interprets what it sees and creates compact, high-fidelity transaction logs, file content, and fully customized output, suitable for manual review on disk or in a more analyst-friendly tool such as a security information and event management (SIEM) system. Devices in the subnetworks VRF_A, VRF_B, and VRF_C were not able to connect to each other. However, each of these subnetworks could connect to the Internet, the DMZ, and VRF_SOC. The DMZ zone could not connect to the Internet. The devices located in the VRF_SOC subnetwork were used to secure and monitor the IT system.
They had unlimited access to all resources of the created network; their characteristics are presented later in this work. Kali Linux was used as the tool to carry out attacks; the system has a wide range of tools used for penetration tests and security breaches. In order to carry out the tests, the Kali Linux machine was placed in the VRF_B subnet and allowed to connect to other subnets. After booting, its network interface sent an IP address request to the Dynamic Host Configuration Protocol (DHCP) server, which was captured by the IDS and presented as a high-priority alert.
The article presents a detailed analysis of network traffic, both in regular operation and during several selected types of network attacks on the security of selected network components and services provided.
The first group of the tested attacks will include Denial of Service (DoS) attacks. These attacks are aimed at blocking a computer or network, thus preventing users from accessing their resources. They do this by flooding the target with traffic or sending it information that causes a failure. In both cases, a DoS attack deprives authorized users of the expected service or resource [24]. PC1_Ubuntu was used as the target of the attack, using three types of flood type attacks. The hping3 tool installed on PC2_Kali_Linux host was used to test responses to three types of DoS attacks.
The first type of DoS attack is the UDP flood. When a victim receives a UDP packet on a specific port, it first checks whether any program is currently listening for requests on that port. If no application is receiving packets on the port, the victim replies with an ICMP packet to inform the sender that the destination is unreachable. This type of attack uses a spoofed source IP address, which makes it difficult to reveal the location of the attacker and can saturate the spoofed host with the response packets sent by the victim. As a result of using resources to check and respond to each packet, the attacked target may quickly become overloaded enough to deny service to regular traffic.
The second attack is a DoS attack of the TCP Synchronize Sequence Numbers (SYN) type. It consists of sending a large number of SYN packets to a target, which responds with SYN/ACK packets and then leaves the port open, waiting for the ACK packet from the sender that would complete the handshake. While the victim waits for ACK packets that never arrive, the attacker continues to send SYN packets. Each new packet causes the victim to temporarily maintain a new half-open connection for a specified period of time. After all available ports are used up, the victim stops responding to regular network traffic.
The third DoS attack is the ICMP flood. It consists of flooding the victim with ping packets, to which the victim replies with the same number of packets. Additionally, an attacker may use custom ICMP codes or send fragmented packets, which the recipient must reassemble. This burdens both the incoming and outgoing network channels, consuming considerable bandwidth and causing a denial of service. The attack floods the target system with ICMP packets while changing the source address.
The second group of tested attacks includes brute force attacks. These attacks involve guessing the passwords or usernames of network resources or services by trial and error. Depending on the complexity, the process can take from a few seconds to many years. Secure Shell (SSH) and File Transfer Protocol (FTP) servers were installed on the PC1-Ubuntu host to perform the tests. Then, using the hydra program available in Kali Linux, dictionary attacks were carried out using the password lists from [25] supplied with the system.
The last group of tested attacks was malware infection. Malware covers different types of viruses, spyware, ransomware, rootkits, and Trojan horses. It consists of code developed by cybercriminals, designed to cause significant damage to data and systems or to gain unauthorized access to the network. A standard method of spreading malicious programs is to deliver them as a link or attachment in an email that requires the user to click the link or open a file in order to run the malicious process. Diamorphine and Reptile were used to simulate rootkit activity on the system; these tools can hide arbitrary processes and files. Additionally, a test malware file was downloaded from [26] and malware samples from [27].

Multifractal Analysis of Performed Tests Results
The network traffic (transmitted packets) in the network infrastructure under study was saved in real time to files by Security Onion sensors [28]. The collected data, in the form of time series of transmitted packets, allowed us to assess the network traffic between the individual devices in the local network and the managing router R1. In order to provide a more accurate picture, the collected packets were exported using Wireshark v. 3.0.10 (License GPLv2), and then Matlab 2019b (MATLAB and Simulink, Natick, Massachusetts, United States) with the Fraclab 2.2 toolkit (Copyright INRIA, 1998-2017) was used to create the fractal spectra assessing the nature of the traffic in the studied network [4]. Figure 2 presents the multifractal spectrum of the network traffic during which no security tests (no attacks) were carried out. This reflects the state of normal daily operation of the entire network infrastructure, including users. The spectrum analysis shows no anomalies in the presented flow. In the case of a sample containing abnormal traffic associated with a network attack, the spectrum should differ significantly from the trajectory determined by the standard data flow, which allows the detection of anomalies or threats. Figure 3 shows the time period of network operation in which UDP packets generate the traffic. In the examined model, this type of packet was used mainly to send information about the status of the HIDS client and Google Rapid Response (GRR) software to the server. The relatively small length of the spectrum along the X-axis results from the small number of UDP packets generated per second by the devices during normal operation.

Simulation of a DoS Attack and Its Multifractal Analysis
The first simulation of unusual phenomena in the modeled network infrastructure was to carry out DoS attacks. Attacks related to UDP flood were captured as anomalies in network operation by the Bro software. Two attacks of this type were successfully detected and identified during testing. The information gathered shows that the number of packets sent to UDP ports increased significantly in comparison to other connections. The collected data identify the source and target of the attack. Repeated attempts by the target host to respond failed, which may indicate a DoS attack. The default Snort rules were not able to detect the unwanted activity, so new rules were added to send alerts in case of a UDP packet overload. The operation with the new rules and the identified attacks is shown in Figure 4.
Figure 5 shows the multifractal spectrum of network traffic during which one of the UDP flood attacks was detected. The attack is clearly indicated by the deviation from the standard spectrum obtained during normal network operation.
Figure 6 shows the multifractal spectrum of traffic generated by TCP packets during a UDP flood attack. In normal operation, the number of TCP packets transmitted over the network under investigation was higher than the number of UDP packets. This may have been due to the authenticated connections of the tools with external servers and the use of terminals over SSH or graphical interfaces over Hyper Text Transfer Protocol Secure (HTTPS).
Another attack analyzed was a TCP SYN attack. It was also detected during the simulation by the Bro software. Additional alerts in response to this event were also generated by the Snort software, as shown in Figure 7. The number of packets transmitted in the network via port 80 significantly exceeded the other connections. There were many sources of network connections, which could indicate that the attacker was changing the IP address after each connection attempt or unfinished handshake. The rule "ET DROP Spamhaus DROP Listed Traffic Inbound group" reports attempts to establish a connection with the targeted host that were rejected by the system firewalls.
Because the number of TCP packets during normal operation was higher than in the case of UDP, the deviations shown in Figure 8 are small. Nevertheless, they indicate anomalies, which may correspond to the two TCP SYN flood attacks detected by the network security tools.
Another attack analyzed was one from the group of ICMP DoS attacks. Snort detected an ICMP flood attack. The alarms generated by the system are shown in Figure 9. For more detailed analysis and to increase the detection level for this type of threat, rules to detect an ICMP DoS attack were added to Snort. For additional testing, the IDS engine was changed to Suricata, and the attack was performed again. As Figure 10 shows, the other engine also detected an incorrect packet size and ICMP packet code.
Due to the insignificant number of ICMP packets generated under normal conditions, only one multifractal spectrum was created, showing all the network traffic during an attack, as shown in Figure 11. In this case, the anomalies of network traffic caused by flooding the device with ICMP packets appear as a clear deviation from the norm, which indicates the high intensity of the attack.
DoS attacks are performed from devices located outside the network and are intended to load sensitive resources such as servers. The devices used in the above test were placed inside the computer network in order to check the reaction of the tools used in a situation where a firewall would pass DoS attacks. They were unable to take effective action. The results can be used to correctly configure firewall rules filtering incoming traffic from the Internet to prevent similar attacks in the future. Figure 12 shows the SSH session conducted with an OpenSSH server installed on the PC1-Ubuntu machine. The visible deviations may be related to the process of establishing an SSH session during the DoS attacks.

Simulation of a Brute Force Attack and Its Multifractal Analysis
Another group of attacks simulated on the presented network infrastructure was brute force attacks. A host-based intrusion detection system (HIDS) detected brute force attacks on the SSH and FTP servers. The Hydra program started multiple connections to the SSH server using different authentication data, changing them each time until a password could be found. The brute force blocking mechanism consists of two rules. The first one is a command that calls the brute force blocking script with a given IP address if the condition is met. The second rule is responsible for effective action when a threat, in this case a brute force attack, is detected, by running a specific command. In the case of the SSH server, the triggered rule searches for any information related to an illegal user, which appears in every such log event. If it is triggered eight times in one hundred and twenty seconds, the next rule is activated, which reports the attack and blocks any traffic from the attacker for the time specified in the rule; this was set to three minutes in order to carry out many attempts of the attack. The attack alerts shown in Figure 13 inform about multiple attempts to log into the SSH server by a non-existent user. Additionally, the NIDS system detected a scan associated with the attack. After expanding the details of the alert, one can see the source and destination address of the attack.
Figure 14. The multifractal spectrum of network traffic generated for the SSH protocol during a brute force attack on an SSH server.
Figure 15 shows the multifractal spectrum of FTP and TCP traffic generated when establishing a correct connection with the vsftpd server installed on the PC1 host. The characteristics of this spectrum do not show any symptoms associated with a network attack. Figure 16 shows the reaction of the system to an attack on the FTP server. Brute force on the FTP server was associated with PAM, a Linux module responsible for the dynamic authentication of applications and services. As before, multiple login attempts were detected, and then the scripts blocking connections with the attack source were launched. NIDS also captured packets containing information about the attack and classified them as high priority alerts. Figure 17 illustrates the multifractal spectrum of TCP and FTP packet flow during a brute force attack. The apparent deviation in the fractal dimension may indicate anomalous network behavior related to the attack.
The information obtained for both attacks allows further action to be taken to protect against brute force. Even if an attack fails, if the attacker makes further attempts after being unblocked by the system, the scripts allow the IP address to be placed on a blacklist, which will effectively prevent similar activity in the future. To avoid false alarms and to avoid blocking authorized users, the HIDS system has a whitelist, where trusted IP addresses can be placed.
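The blocking logic described above (eight events from one source within one hundred and twenty seconds, a three-minute block, a blacklist for sources that return after being unblocked, and a whitelist for trusted addresses) can be written as a small replayable state machine. The following is an added example over constructed sshd log lines; it is not the authors' scripts or their HIDS configuration, and the "Invalid user ... from ..." line format and the sample addresses are assumptions.

```python
"""Brute-force response logic modelled on the HIDS rules described above:
eight 'invalid user' events from one source within 120 s trigger a 180 s
block, a source that comes back after its block expires is blacklisted, and
whitelisted addresses are never blocked.  Added example over constructed
sshd log lines; not the authors' scripts or Wazuh configuration."""
import re
from collections import defaultdict, deque

# Shape of the sshd event the rule keys on (assumed format, e.g.
# "Invalid user admin from 192.0.2.10 port 51234").
INVALID_USER = re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")


class BruteForceGuard:
    def __init__(self, threshold=8, timeframe=120, block_seconds=180,
                 whitelist=()):
        self.threshold = threshold          # rule frequency
        self.timeframe = timeframe          # rule timeframe, seconds
        self.block_seconds = block_seconds  # active-response timeout
        self.whitelist = set(whitelist)     # trusted sources, never blocked
        self.hits = defaultdict(deque)      # ip -> timestamps in the window
        self.blocked_until = {}             # ip -> epoch when the block ends
        self.blacklist = set()
        self.actions = []                   # (ts, action, ip) audit trail

    def observe(self, ts, line):
        """Feed one log line with its epoch timestamp; return the action."""
        match = INVALID_USER.search(line)
        if not match:
            return None
        ip = match.group("ip")
        if ip in self.whitelist or ip in self.blacklist:
            return None
        window = self.hits[ip]
        window.append(ts)
        while ts - window[0] > self.timeframe:   # drop hits outside the window
            window.popleft()
        if len(window) < self.threshold:
            return None
        window.clear()
        if ip in self.blocked_until and ts >= self.blocked_until[ip]:
            # Same source again after the temporary block ran out: escalate.
            self.blacklist.add(ip)
            self.actions.append((ts, "blacklist", ip))
            return "blacklist"
        self.blocked_until[ip] = ts + self.block_seconds
        self.actions.append((ts, "block", ip))
        return "block"


def replay(log_lines, **guard_kwargs):
    """Replay (epoch_ts, line) pairs through a fresh guard; return its actions."""
    guard = BruteForceGuard(**guard_kwargs)
    for ts, line in log_lines:
        guard.observe(ts, line)
    return guard.actions


def constructed_log():
    """Constructed sshd events: 192.0.2.10 hammers the server, is blocked and
    returns after the block expires; 198.51.100.7 is a trusted admin with a
    sticky keyboard; 203.0.113.5 stays below the threshold."""
    attacker, admin, slow = "192.0.2.10", "198.51.100.7", "203.0.113.5"
    t0 = 1_700_000_000
    lines = [(t0 + 2 * k, f"Invalid user test{k} from {attacker} port 5{k:04d}")
             for k in range(10)]                                  # 10 hits in 20 s
    lines += [(t0 + 30 + k, f"Invalid user rooot from {admin} port 40000")
              for k in range(9)]                                  # whitelisted
    lines += [(t0 + 40 + 20 * k, f"Invalid user guest from {slow} port 41000")
              for k in range(5)]                                  # 5 hits in 100 s
    lines += [(t0 + 400 + k, f"Invalid user oracle from {attacker} port 42000")
              for k in range(8)]                                  # back after block
    return sorted(lines)


if __name__ == "__main__":
    for ts, action, ip in replay(constructed_log(), whitelist={"198.51.100.7"}):
        print(ts, action, ip)
```

Replaying the constructed log yields one "block" for the attacker on its eighth attempt and a "blacklist" when the same source comes back after the three-minute block has expired; the whitelisted administrator and the slow source below the threshold produce no action. In a real deployment the "block" and "blacklist" actions would be the firewall-drop commands the HIDS runs, and the timestamps would come from the log lines themselves.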

Simulation of Malware Infections
For malware infections, no multifractal spectrum graphs were created, because the tests were carried out on local machines and did not cause the spread of infections, so no anomalous traffic was created inside the tested network. The detection of malicious programs and processes was the responsibility of the Rootcheck scanner installed together with the Wazuh agent software. The scanning frequency was set to every five minutes. Using Diamorphine, a harmless system process was hidden, which Rootcheck then managed to detect as a potential threat in the form of a kernel rootkit. With the Reptile software, files were hidden in system folders. The scan was also able to find and classify one of the files as an anomaly due to an incorrect file size. The results are shown in Figure 18.
The VirusTotal tool integrated with the Wazuh software agent was used to scan the folders. The monitored folder was the default folder of the Mozilla Firefox browser on Ubuntu. Both the malware samples and the EICAR test file triggered the alarm shown in Figure 19. The activity related to the download of the exe file was reported by the NIDS system as a probable malicious file.
The overview of the report provides information on the location of the virus, the date of infection, and the checksums. One of the detected files that triggered the alerts was downloaded using Google Rapid Response, which was used for further threat analysis. The malicious file was scanned, and essential information on its size and hash was obtained. The file system was then examined for viruses with similar properties. The system returned five results. Figure 20 shows the results of the scan of one of the infections found.
There are no antivirus programs installed on the network's end terminals, whose main task would be to eliminate the threats mentioned above. The purpose of the analysis in this section was to show the tools for centralized detection of and response to network threats resulting from malware infection.

Simulation of Exploiting System Vulnerability and Its Multifractal Analysis
The first simulation of exploiting a system vulnerability is an attack using the Shellshock vulnerability. This type of attack on a system with the current version of the bash system shell did not produce any results and raised an alarm indicating attempted system tampering, visible in Figure 21.
Figure 22 shows the multifractal spectrum of network traffic related to the HTTP protocol, which was used during a failed attack in the simulation of exploiting the Shellshock vulnerability. The multiple unsuccessful attempts left more packets behind, which makes the attack easier to detect. The attacks were then carried out using a vulnerable version of bash and the Metasploitable system. They were successful, which resulted in unauthorized access to the system resources. Besides this, the intrusion detection systems did not detect any threat, which can be seen in the analysis of the spectrum presented in Figure 23. This does not allow us to determine whether there has been a breach of security measures, due to its similarity to the spectra representing network traffic during normal operation.
In the case of a Structured Query Language (SQL) Injection attack, incorrectly formulated UNION SELECT queries executed by a web application returned an error, and the systems responsible for intrusion detection classified the event as an attempted attack, as shown in Figure 24. The multifractal spectrum shown in Figure 25 applies to all HTTP traffic generated during the SQL Injection attacks. In its characteristics, it is very similar to the spectrum showing a successful Shellshock attack, which likewise does not allow assessment of whether and when a security breach occurred. The alert "ET WEB_SERVER SQL Errors in http 200 Response" in the Snort software refers to a login attempt when entering an apostrophe character ('). Entering common usernames did not cause any errors.
The OpenVAS software was used to prevent the vulnerabilities described above. It was used to perform a thorough scan of the systems and applications on the PC1-Ubuntu and Metasploitable hosts. The scan results shown in Figure 26 show vulnerabilities in the index.php file, the use of which may lead to the release of sensitive data. The detected system vulnerabilities were classified as potential threats of Medium and Hard levels. These are mainly due to the use of outdated software versions or errors in the application configuration. The recommended solutions to the problems concerned updating outdated applications and removing or restricting access to the phpinfo file. The scanner did not detect a vulnerability associated with Shellshock because the vulnerable version of the bash shell was run from a separate script, whereas the default bash on the hosts does not have this vulnerability.
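The SQL Injection observation above (a single apostrophe in the login form produces a database error in a page served with status 200, which is what the quoted Snort alert keys on) can be reproduced with a login check in two forms. The following is an added example against an in-memory SQLite table, not the paper's web application: a string-built query that breaks on the apostrophe beside the parameterised query that treats the same input as data, plus a small response checker in the spirit of the "SQL Errors in http 200 Response" rule. The table, credentials and error markers are constructed for the example.

```python
"""Vulnerable and hardened login queries, and a checker for SQL error text in
200 responses (the condition the IDS alert on the page fires on).
Added example on an in-memory SQLite database; not the paper's code."""
import sqlite3


def make_db():
    """Constructed users table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, user, pw):
    """Query assembled by string concatenation: the input becomes SQL, so a
    stray quote changes the statement and the database raises an error."""
    sql = f"SELECT COUNT(*) FROM users WHERE name = '{user}' AND pw = '{pw}'"
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, user, pw):
    """Parameterised query: the driver binds the values, so a quote in the
    input is only a character being compared against the column."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (user, pw)).fetchone()[0] > 0


def handle_login(login_fn, user, pw):
    """Simulate the web tier: return (status, body) like an HTTP response.
    A database exception is rendered into the page with status 200, which is
    exactly the pattern a 'SQL errors in http 200 response' rule detects."""
    conn = make_db()
    try:
        ok = login_fn(conn, user, pw)
    except sqlite3.Error as exc:
        return 200, f"<html>Login failed: SQL error: {exc}</html>"
    finally:
        conn.close()
    return (200, "<html>Welcome</html>") if ok else (401, "<html>Denied</html>")


# Constructed error fragments typical of common database engines.
SQL_ERROR_MARKERS = ("SQL error", "syntax error", "unrecognized token",
                     "You have an error in your SQL syntax", "ORA-", "PG::")


def sql_error_in_200(status, body):
    """Detector in the spirit of ET WEB_SERVER SQL Errors in http 200 Response."""
    return status == 200 and any(marker in body for marker in SQL_ERROR_MARKERS)


def demo():
    """Send the apostrophe from the page to both login variants."""
    probe = "'"
    vuln = handle_login(login_vulnerable, probe, "x")
    safe = handle_login(login_safe, probe, "x")
    return {
        "vulnerable_flagged": sql_error_in_200(*vuln),   # error leaked, alert fires
        "safe_flagged": sql_error_in_200(*safe),         # plain 401, no alert
        "safe_status": safe[0],
        "normal_user_ok": handle_login(login_safe, "alice", "s3cret")[0],
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable variant answers the apostrophe with a 200 page containing the SQLite error, which the checker flags; the parameterised variant simply returns 401. Two defensive points follow from the paper's finding that the HTTP spectrum alone could not show the breach: the application should never render driver errors into responses, and a content rule on the response body remains a useful complement to traffic-shape analysis.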

Effectiveness of Multifractal Analysis in Identifying Network Traffic Anomalies and Security Issues
To correlate the moment of detection of the abnormality with the deviations appearing in the graphs, a comparative analysis of multifractal spectra was performed for selected types of attacks. Comparative charts with two spectra were prepared for each of the protocols under study, based on all-day network traffic without incidents and on the day when the security tests were conducted. Figure 27 shows a comparison of network traffic related to the UDP protocol during regular operation and during an attack. A polynomial approximation was used to generate the reference curves. Figure 28 concerns the comparison of all network traffic (all protocols) with that caused only by UDP packets. The flow of UDP packets during regular operation is more predictable, as evidenced by the coefficient of determination R^2 equal to 0.9785. In contrast, the low value of this coefficient during a UDP flood attack indicates high unpredictability of network behavior. A clear difference in the approximation lines suggests the occurrence of an attack, most probably at the point (0.39; 0.88) marked in the graph. The spectra of incidents take similar shapes in the fractal dimension.
Figure 28. Comparison of the multifractal spectra of the total network traffic (all protocols) and traffic generated for the UDP protocol during regular work and a UDP flood attack.
Figure 29 shows a comparison of TCP-related traffic during normal operation and during flooding with TCP SYN packets. Figure 30 concerns the comparison of the entire network traffic with that generated only by TCP packets. In this attack, the coefficient of determination in both cases is not high. The spectra already differ at the starting point, which indicates that the attacker is sending SYN packets and the victim is attempting to respond to them. It can be seen that both spectra concerning network traffic during the occurrence of the anomaly take a similar length in the point dimension, which may indicate an increased number of packets per second appearing in the tested flows.
Figure 31 shows a comparison of traffic during a regular SSH session and a brute force attack. Figure 32 refers to the full network (all protocols) traffic and SSH traffic during daily work and brute force attacks. The fit in both cases was high. The brute force attack is indicated by a significantly longer spectrum of the SSH brute force characteristics on the graph, which may indicate a large number of incorrect login attempts. Similarly, as in the case of the TCP SYN flood attack, the spectra differ in their starting points, which indicates the occurrence of an attack in the early period of packet traffic. As with the previously tested protocols, the spectra concerning network traffic in which incidents occurred are longer than those during regular operation.
Figure 33 presents a comparison of the multifractal spectra of network traffic generated for the FTP protocol during normal work and brute force attacks. The next one, Figure 34, presents the comparison of the multifractal spectra of the total network traffic (all protocols) and traffic generated for the FTP protocol during regular work and brute force attacks. A very low coefficient of determination of 0.454 for the approximation of the multifractal spectrum during an FTP brute force attack indicates a very high unpredictability of network traffic. The starting points of both spectra begin at approximately the same point dimension. In contrast, the difference in the fractal dimension changes rapidly, which indicates that the attack quickly began to affect the number of packets present in the network traffic flow. The FTP attack spectrum shows similar characteristics in the fractal dimension to the full traffic spectrum that includes the security tests.
Figure 35 shows the network traffic of HTTP packets during regular operation and a Shellshock attack. Figure 36 shows a comparison between full network traffic and HTTP packet flow. The coefficient of determination in both cases takes similar values, but it is smaller in the case of the incidents, which indicates an attack. In Figure 35, one can see the probable point (0.41; 1.00) where the Shellshock attack was detected. Until this point, the spectra presented a similar course. The spectrum associated with the incident shows characteristics identical to the spectra concerning proper network activity, which may indicate a small impact of this attack on network traffic.
Figures 37 and 38 show a collective comparison of the spectra both during regular operation and during the detected security incidents. Analyzing the graphs in Figures 37 and 38, one can see that the starting point of the multifractal spectra for all protocols except FTP in regular operation lies in a similar area of the point dimension. A similar relationship also exists for the security incidents, but their graphs have starting points in a further area of the point dimension. The attack spectra show more properties in common with each other than the spectra of regular traffic do. Deviations from the norm occur in related areas of the fractal spectrum. The spectra for protocols during standard traffic show fewer common properties.
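Both the single-spectrum view of a flood used in the ICMP DoS test (Figure 11) and the comparison method of this section (a polynomial approximation of each spectrum with its coefficient of determination R^2, and a visibly longer spectrum for the attack) rest on computing a multifractal spectrum f(alpha) from a packets-per-interval series. The following added example, which is not the authors' code and uses constructed series rather than their captures, computes that spectrum with the Chhabra-Jensen direct method (alpha(q) and f(q) as regression slopes across dyadic box sizes, moment orders q from -5 to 5) for a steady "regular" series and for the same series with a short, intense burst, then fits a quadratic to each spectrum and reports the spectrum width and R^2. The R^2 values for these constructed series are illustrative of the method only and are not the paper's numbers.

```python
"""Multifractal spectrum of a packets-per-bin series (Chhabra-Jensen direct
method) plus the polynomial-approximation R^2 used above to compare spectra.
Added example on constructed series; not the authors' code or data."""
import math


def _slope(xs, ys):
    """Ordinary least-squares slope of ys against xs."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    return sxy / sxx


def multifractal_spectrum(counts, q_values=range(-5, 6)):
    """Return [(alpha(q), f(q)) ...] for a series of packet counts per bin.

    The series (length a power of two) is aggregated into boxes of eps = 2^j
    bins and normalised to a measure P_i(eps).  For each moment order q the
    weights mu_i = P_i^q / sum_j P_j^q are formed; alpha(q) and f(q) are the
    regression slopes of sum(mu * ln P) and sum(mu * ln mu) against ln(eps).
    Empty boxes are skipped.  The spectrum is the curve f(alpha).
    """
    n = len(counts)
    if n < 8 or n & (n - 1):
        raise ValueError("series length must be a power of two, at least 8")
    total = float(sum(counts))
    n_scales = int(math.log2(n)) - 1           # coarsest scale keeps 4 boxes
    log_eps = [j * math.log(2) for j in range(n_scales)]
    spectrum = []
    for q in q_values:
        alpha_num, f_num = [], []
        for j in range(n_scales):
            eps = 2 ** j
            probs = [sum(counts[i:i + eps]) / total for i in range(0, n, eps)]
            probs = [p for p in probs if p > 0]
            weights = [p ** q for p in probs]
            z = sum(weights)
            mu = [w / z for w in weights]
            alpha_num.append(sum(m * math.log(p) for m, p in zip(mu, probs)))
            f_num.append(sum(m * math.log(m) for m in mu if m > 0))
        spectrum.append((_slope(log_eps, alpha_num), _slope(log_eps, f_num)))
    return spectrum


def spectrum_width(spectrum):
    """Width of the spectrum in alpha: wider means more heterogeneous traffic."""
    alphas = [a for a, _ in spectrum]
    return max(alphas) - min(alphas)


def polyfit_r2(xs, ys, degree=2):
    """Least-squares polynomial approximation (normal equations solved by
    Gauss-Jordan elimination) and its coefficient of determination R^2."""
    m = degree + 1
    mx = sum(xs) / len(xs)
    xc = [x - mx for x in xs]                  # centre x for conditioning
    a = [[sum(x ** (r + c) for x in xc) for c in range(m)] for r in range(m)]
    b = [sum(y * x ** r for x, y in zip(xc, ys)) for r in range(m)]
    for col in range(m):
        piv = max(range(col, m), key=lambda r: abs(a[r][col]))
        a[col], a[piv], b[col], b[piv] = a[piv], a[col], b[piv], b[col]
        for r in range(m):
            if r != col:
                f = a[r][col] / a[col][col]
                a[r] = [ar - f * ac for ar, ac in zip(a[r], a[col])]
                b[r] -= f * b[col]
    coef = [b[r] / a[r][r] for r in range(m)]  # coefficients in centred x
    pred = [sum(c * x ** k for k, c in enumerate(coef)) for x in xc]
    my = sum(ys) / len(ys)
    ss_res = sum((y - p) ** 2 for y, p in zip(ys, pred))
    ss_tot = sum((y - my) ** 2 for y in ys)
    return coef, (1.0 if ss_tot == 0 else 1.0 - ss_res / ss_tot)


def baseline_counts(n=1024):
    """Constructed 'regular' traffic: 8 to 12 packets per bin, mildly varying."""
    return [10 + (i * 7 % 5) - 2 for i in range(n)]


def flood_counts(n=1024, start=512, length=16, burst=500):
    """Constructed flood: the same baseline plus a short, intense burst."""
    counts = baseline_counts(n)
    for i in range(start, start + length):
        counts[i] += burst
    return counts


def compare(n=1024):
    """Spectrum width and quadratic-fit R^2 for the regular and flood series."""
    out = {}
    for label, series in (("normal", baseline_counts(n)), ("flood", flood_counts(n))):
        spec = multifractal_spectrum(series)
        alphas, fs = zip(*spec)
        out["width_" + label] = spectrum_width(spec)
        out["r2_" + label] = polyfit_r2(alphas, fs)[1]
    return out


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:.3f}")
```

For the near-uniform baseline every moment order gives alpha close to 1, so the spectrum collapses to a narrow cluster; the burst pulls alpha(q) for positive q well below 1 while leaving negative q near 1, so the flood spectrum is several times wider, which is the "longer spectrum" signature the section reads off its figures. The quadratic fit and R^2 reproduce the approximation step; how informative R^2 is depends on how spread out the spectrum points are, which is why the paper reports it alongside the shape comparison rather than on its own.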

Conclusions
The problem of characterizing internet traffic is not a challenge that can be solved once and for all. The ever-increasing number of users and the reach of the internet is connected with the constant development of new technologies or their partial change. It is, therefore, necessary to constantly  Analyzing the graphs in Figures 37 and 38, one can see that the starting point of multifractal spectra for all protocols except FTP in regular operation starts in a similar area of the point dimension. A similar relationship also exists for security incidents. Additionally, the graphs have starting points in a further area of the point dimension. Attack spectra show more similar properties than for the actual traffic. Deviations from the norm occur in related areas of the fractal spectrum. Spectra for protocols during standard traffic show less common properties.

Conclusions
The problem of characterizing internet traffic is not a challenge that can be solved once and for all. The ever-increasing number of users and the reach of the internet is connected with the constant development of new technologies or their partial change. It is, therefore, necessary to constantly Analyzing the graphs in Figures 37 and 38, one can see that the starting point of multifractal spectra for all protocols except FTP in regular operation starts in a similar area of the point dimension. A similar relationship also exists for security incidents. Additionally, the graphs have starting points in a further area of the point dimension. Attack spectra show more similar properties than for the actual traffic. Deviations from the norm occur in related areas of the fractal spectrum. Spectra for protocols during standard traffic show less common properties.

Conclusions
The problem of characterizing internet traffic is not a challenge that can be solved once and for all. The ever-increasing number of users and the reach of the internet is connected with the constant development of new technologies or their partial change. It is, therefore, necessary to constantly monitor network behavior and to constantly "learn" new patterns of traffic and threats. Only constant verification of the assumptions made will allow us to adjust the conceptual models we propose and correctly describe the real network and its traffic. Since the internet as we know it today is based on the IP protocol, which is managed by the Internet Engineering Task Force (IETF), the use of IP addresses to identify connected devices and the traffic along the way has become completely natural. The research focuses on IP networks and will be further developed with a special focus on wireless networks.
The presented results of research using multifractal analysis show significant possibilities to detect both short-term and more intense attacks. The research covered different types of attacks, and the analysis was carried out for the entire network traffic as well as in the scope of different services and protocols. This method of detecting traffic anomalies is effective for network traffic of significant volume, in particular traffic aggregating different types of communication and protocols. With small volumes of abnormal data and short-term attacks, such anomaly detection may be difficult, because the abnormal traffic is embedded in other protocols and in larger aggregated datasets with normal characteristics, which can make these attacks undetectable. That is why we also study the entire network traffic. Decomposing the traffic and analyzing specific protocols and services can detect low-volume and short-duration abnormalities as well as long-term changes in traffic patterns and attacks.
The fractal analysis helps to calculate and understand the fractal dimension of complex networks, especially for anomaly detection. However, it is necessary to describe and characterize many fractal patterns that cannot be described by a single fractal dimension, which is why we have conducted a multifractal analysis of our network. The multifractal analysis makes it possible to calculate a set of fractal dimensions, in particular the generalized fractal dimensions.
The estimation of the Hurst exponent showed that long-term dependencies characterize network traffic. In each case, the Long Range Dependencies (LRD) were preserved, which emphasizes the general characteristics and nature of the traffic generated at the nodes. The estimation of the Hurst exponent allows for the analysis of the current course, as well as the prediction of the future trend of data behavior. Thanks to this, it is possible to prepare in advance in an appropriate way to maintain or change the trend. Sudden deviations in the value of the exponent, in relation to the results obtained, may be a sign of problems that, for network traffic, would indicate unusual behavior of the network, possibly associated with a cybercriminal attack.
In this article, the authors present issues related to the implementation and validation of multifractal analysis for detecting security incidents in the communication system of ICT and IoT systems. As shown in the case of the brute force attack (and some others), an anomaly is indicated by a significantly longer spectrum length along the point dimension in the graph characteristics, which may indicate a large number of incorrect login attempts or redundant packets. The other tested protocols showed that the length of the spectra for network traffic in which incidents occurred is longer than during regular operation.
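The two indicators relied on above, the Hurst exponent of the packet-count series and the length (width) of the multifractal spectrum, can be computed from a per-bin packet-count series as follows. This is an added example and not the authors' code; it assumes a partition-function (method-of-moments) estimate of tau(q) followed by a Legendre transform for the spectrum, and the aggregated-variance estimator for the Hurst exponent. The input series are constructed binomial cascades that stand in for bursty packet counts per time bin; they are not measured traffic, and the "regular" and "incident" labels are purely illustrative.

```python
"""Multifractal spectrum width and Hurst exponent of a packet-count series.

Added example (not the paper's code). Assumes a partition-function
(method-of-moments) estimate of tau(q) with a Legendre transform for the
spectrum, and the aggregated-variance estimator for the Hurst exponent.
The input series are constructed binomial cascades standing in for
per-bin packet counts; they are not measured traffic.
"""
import math
from statistics import pvariance


def binomial_cascade(depth, w_left):
    """Multiplicative binomial cascade with 2**depth bins (constructed data).

    Each bin's mass is the product of `depth` weights, w_left or 1 - w_left,
    chosen by the bin's binary address. A more unequal split gives a burstier
    series and, in theory, a wider spectrum: alpha ranges from
    -log2(max(w)) to -log2(min(w)).
    """
    measure = [1.0]
    for _ in range(depth):
        measure = [m * w for m in measure for w in (w_left, 1.0 - w_left)]
    return measure


def _slope(xs, ys):
    """Least-squares slope of ys against xs."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx


def _dyadic_box_sizes(n):
    """Box sizes 1, 2, 4, ... that leave at least eight boxes per scale."""
    return [2 ** k for k in range(int(math.log2(n)) - 2)]


def partition_tau(series, qs, box_sizes):
    """tau(q) as the log-log slope of Z(q, eps) = sum_i p_i(eps)**q against eps."""
    n, total = len(series), sum(series)
    taus = []
    for q in qs:
        log_eps, log_z = [], []
        for b in box_sizes:
            probs = [sum(series[i:i + b]) / total for i in range(0, n - n % b, b)]
            z = sum(p ** q for p in probs if p > 0)  # empty boxes are skipped
            log_eps.append(math.log(b / n))
            log_z.append(math.log(z))
        taus.append(_slope(log_eps, log_z))
    return taus


def multifractal_spectrum(series, qs=None, box_sizes=None):
    """Return (alpha, f_alpha) from tau(q) via the Legendre transform.

    alpha is the secant slope of tau between neighbouring q values and
    f(alpha) = q*alpha - tau(q) is evaluated at the midpoint of each pair.
    """
    if qs is None:
        qs = [-10.0 + 0.5 * i for i in range(41)]
    if box_sizes is None:
        box_sizes = _dyadic_box_sizes(len(series))
    taus = partition_tau(series, qs, box_sizes)
    alphas, f_alpha = [], []
    for i in range(len(qs) - 1):
        alpha = (taus[i + 1] - taus[i]) / (qs[i + 1] - qs[i])
        q_mid = (qs[i] + qs[i + 1]) / 2.0
        tau_mid = (taus[i] + taus[i + 1]) / 2.0
        alphas.append(alpha)
        f_alpha.append(q_mid * alpha - tau_mid)
    return alphas, f_alpha


def spectrum_width(series, **kwargs):
    """alpha_max - alpha_min: the spectrum length used as an anomaly indicator."""
    alphas, _ = multifractal_spectrum(series, **kwargs)
    return max(alphas) - min(alphas)


def hurst_aggregated_variance(series, block_sizes=None):
    """Aggregated-variance Hurst estimate: Var(block mean) ~ m**(2H - 2)."""
    n = len(series)
    if block_sizes is None:
        block_sizes = _dyadic_box_sizes(n)
    log_m, log_var = [], []
    for m in block_sizes:
        means = [sum(series[i:i + m]) / m for i in range(0, n - n % m, m)]
        var = pvariance(means)
        if var > 0:  # a constant series has no variance to fit
            log_m.append(math.log(m))
            log_var.append(math.log(var))
    if len(log_m) < 2:
        return None
    return 1.0 + _slope(log_m, log_var) / 2.0


if __name__ == "__main__":
    normal = binomial_cascade(10, 0.6)  # constructed "regular operation" series
    attack = binomial_cascade(10, 0.8)  # constructed, burstier "incident" series
    for name, s in (("regular", normal), ("incident", attack)):
        print(f"{name}: spectrum width = {spectrum_width(s):.3f}, "
              f"H = {hurst_aggregated_variance(s):.3f}")
```

For a constant series every box carries the same share of the mass, so tau(q) = q - 1, every alpha equals 1 and the width is zero; the more unequal cascade yields a markedly wider spectrum, which is the kind of lengthening the text reports for traffic containing an incident. Both estimators use dyadic, aligned boxes so that only scales with at least eight boxes enter the regression; with real packet counts the fit quality of tau(q) (the determination factor discussed above) should be checked before the width is trusted.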
Wireless attacks are easy to deploy and can significantly affect network performance. The high vulnerability to forgery attacks enables many other forms of attack. The conventional way to ensure the identity of the sender of a message and to detect the presence of an intruder is device authentication. Unfortunately, full-scale authentication is not always desirable, as it requires key management and more extensive computation. With the growing use of wireless networks and IoT, this cannot be underestimated, so the authors will focus not only on SOC but also on wireless access networks in future studies.
The authors studied the responses to a given security incident and created multifractal spectra of network traffic before and during the attack, based on data collected from monitoring and security devices. The collected information allowed the theses to be verified and confirmed the effectiveness of multifractal methods in detecting anomalies in the operation of any ICT network, including IoT infrastructure. The solutions studied in this paper may be ideal for analyzing traffic in backbone networks from the point of view of security and attack detection. The tested methods, in particular multifractal analysis, show sensitivity to any deviation in network traffic properties resulting from anomalies. Such traffic analysis methods can be ideal for protecting critical data and maintaining the continuity of internet services, including IoT.