An Alternative of Classification for Network Traffic Monitoring Procedures in Order to Detect Harmful Information and Computer Attacks

Elena Doynikova, Computer security lab, St. Petersburg Institute of Informatics and Automation of the Russian Academy of Sciences (SPIIRAS), St. Petersburg, Russia, doynikova@comsec.spb.ru, ORCID: [0000–0001–6707–9153]

Igor Kotenko, Computer security lab, St. Petersburg Institute of Informatics and Automation of the Russian Academy of Sciences (SPIIRAS), St. Petersburg, Russia, ivkote@comsec.spb.ru, ORCID: [0000–0001–6859–7120]

Igor Parashchuk, Computer security lab, St. Petersburg Institute of Informatics and Automation of the Russian Academy of Sciences (SPIIRAS), St. Petersburg, Russia, shchuk@rambler.ru, ORCID: [0000–0001–8793–7768]

Abstract — The paper proposes an alternative classification of modes, methods and algorithms of network traffic monitoring in order to detect harmful information and computer attacks. The proposed classification alternative aims at addressing the problem of network traffic monitoring from the point of view of the set of observation, assessment and forecasting procedures. The specified classification features allow determining the borders and outlining the theoretical background for optimization and adaptation of network traffic monitoring procedures. Therefore, they allow decomposing the task of synthesizing optimal and adaptive systems for protection against harmful information and computer attacks on information and telecommunication networks in order to efficiently manage their information security considering the influence of evolutionary and operational factors.

Keywords: monitoring, harmful information, network traffic, computer attack, procedure, parameter

© The Authors, published by CULTURAL-EDUCATIONAL CENTER, LLC, 2020

This work is licensed under Attribution-NonCommercial 4.0 International

I. Introduction

Synthesis of the structure and operating algorithms of systems for protection against harmful information and computer attacks is a relevant but rather complicated task [1, 2].

Such systems should provide the required security level and functionality for information and telecommunication networks. The complexity of this task follows, among other things, from the necessity of constant analysis of network traffic. Particular difficulties arise when implementing monitoring procedures for modern network traffic of ultra-high volume. This task requires clear answers to the following questions:

• What parameters and indicators of network traffic should be observed, assessed and forecasted at the various stages of the life cycle of systems for protection against harmful information and computer attacks and under different environmental conditions?

• How should the parameters and indicators of network traffic be observed, assessed and forecasted? Namely, what criteria and what methods should be applied?

• When should the parameters and indicators of network traffic be observed, assessed and forecasted?

Besides, different ways and methods of adapting network traffic control modes should be considered: adaptation to the changing operating conditions of systems for protection against harmful information and computer attacks in information and telecommunication networks, to the changing conditions and models of computer attack implementation by attackers, and to the impacts of constructive and destructive environmental factors. This will allow synthesizing an optimal and adaptive system for protection against harmful information.

This system will satisfy the requirements on control reliability and on the consistency and absence of redundancy in current and predictive estimates of network traffic. Besides, this will allow saving the resources (i.e. bandwidth, time, computing, etc.) of a protection system spent on implementing network traffic monitoring for information and telecommunication networks in the scope of the so-called cyber operations [3].

Network traffic monitoring is the key element of the information flow control process for detecting harmful information and computer attacks. Therefore, the task of determining classification features for network traffic monitoring becomes especially relevant.

Solving this task allows determining the borders and outlining the theoretical background for optimization and adaptation of the network traffic monitoring process as a complex of observation, assessment and forecasting procedures, in order to detect and protect against harmful information and computer attacks in information and telecommunication systems.

II. Related Work

Many research papers are devoted to the development of models and techniques for detecting and protecting against harmful information and computer attacks using different tools and means of network traffic monitoring.

There are various ways of constructing systems for protection against harmful information and computer attacks and a number of particular techniques for network traffic analysis and control [1–24].

Thus, for example, in [1] the authors analysed the modern approaches and formulated approaches to the construction of a complex computer security system. The paper [2] considers the consolidated view of NATO countries on the application of national strategies to mitigate the consequences of cyberattacks.

The papers [3–5] are devoted to an analysis of the essence of modern cyber operations, to general trends in the construction of systems for protection against harmful information and computer attacks in order to provide cybersecurity, and to some typical types of harmful information and computer attacks.

Modern approaches to the construction of systems for protection against harmful information and computer attacks and the application of attack detection methods in critical IoT infrastructures are proposed in [6] and [7]. In addition, the research papers [7] and [8] suggest using machine learning and big data analytics for attack detection.

The papers [9], [10] and [11] consider different methods of attack detection in information and telecommunication networks, based on ontologies and on applied methods of statistical analysis such as state analysis, respectively. Besides, a number of papers propose using dynamic calculation of security metrics in order to detect and protect against harmful information and computer attacks [12], while other papers propose using methods of fuzzy knowledge processing to solve these tasks under uncertainty [13].

At the same time, further application of the particular techniques for detecting and protecting against harmful information and computer attacks, and the selection of prospective directions for their development using various tools and means of network traffic monitoring, is complicated for a number of reasons.

Firstly, the existing particular techniques for detecting harmful information and computer attacks using various technologies do not consider the specific features of network traffic of ultra-high volume, nor the features of the indicators (parameters) of such traffic that should be analyzed [14–16].

Secondly, the existing approaches to monitoring aim at measuring, classifying and detecting pronounced network traffic anomalies. They are designed for analysis under a priori knowledge about the features of these anomalies [17–19].

Thirdly, considering only security incidents that have already occurred while detecting harmful information and computer attacks does not allow comprehensively analyzing and forecasting possible threats [20, 21].

Besides, until recently the selection of tools and methods for network traffic monitoring was based on general, unstructured data on the features of implementing observation, assessment and forecasting procedures for information flows at different stages of the information and telecommunication network life cycle and under different environmental conditions [22–24].

Therefore, the task of developing the existing approaches to the classification of network traffic monitoring procedures for detecting harmful information and computer attacks is relevant.

Specification, systematization and structuring of classification features for network traffic monitoring will allow creating a theoretical basis for monitoring adaptation and optimization, where monitoring is represented as a complex of procedures for observing, assessing and forecasting information flow parameters in order to detect and protect against harmful information and computer attacks.

III. Classification of Network Traffic Monitoring Procedures

Analysis of the research devoted to the challenges of providing a sufficient security level for information and telecommunication networks [1–24] allowed proposing an alternative classification of network traffic monitoring procedures for detecting harmful information and computer attacks.

The authors considered three key procedures of network traffic monitoring, namely observation, assessment and forecasting of information flow parameters and quality indicators [18, 21, 24].

A. Classification Features of the Observation Procedure

From the authors' point of view, the observation procedure has the following classification features: the mode of observing network traffic parameters in order to detect their anomalies; observation stages; observation objects; parameter coverage; the nature of the measurement data used; observation frequency; the degree of influence of the observation procedure on the information exchange process; and the type of stimulation used to obtain observational data.

From the observation mode point of view the authors consider several approaches: observation without redundancy (i.e. implicit, indirect, via a side information channel); observation with redundancy (i.e. explicit, direct, via a separate information channel); and combined observation. Besides, observation via a side information channel can be non-optimized or optimized, for example, by the standard information exchange protocol.

Several phases can be differentiated according to the stages of observing network traffic parameters.

These phases are as follows: detection and gathering of observation data; their accumulation, registration and storage; and processing of the incoming information, namely systematization and generalization of measurement and diagnostic data [23].

From the point of view of network traffic parameter coverage, two main approaches should be outlined: total observation and selective observation.

In total observation, all available data on the maximum number of traffic parameters are gathered. In selective observation, a necessary and (or) sufficient amount of data on the values of a part of the traffic parameters is gathered, as a rule those characterizing the traffic's most significant properties [22].

Observations can also differ by the control object. It can be observation of the parameters affecting traffic anomalies from the outside (i.e. external factors), or receiving information about the own (internal) parameters of the traffic as the monitoring object. Finally, it can be comprehensive monitoring covering both groups of traffic parameters [22, 23].

In addition, observations should be differentiated by the character of the obtained measurement data: data on absolute values of traffic parameters or data on their relative values. Besides, traffic data can be obtained using direct or indirect measurements [24].

The next classification feature, which characterizes the volume and nomenclature of the observed traffic parameters, is the nature of testing.

Considering this feature, there are the following classes of observation: observation of data on values of traffic parameters obtained while testing a specific element of traffic (i.e. certification test data); observation of data on values of traffic parameters characterizing the interaction of neighboring elements of the information flow (i.e. interaction test data); and observation of data on values of traffic parameters characterizing the information flow as a whole (i.e. compatibility test data) [24].

The observation results should arrive for traffic processing and assessment continuously or as a result of cyclical sequential calls in near real time. These data can be analyzed continuously for a limited number of parameters in order to promptly determine the nature and location of computer attacks.

They can be analyzed periodically, at predetermined time intervals, according to a predetermined plan or program. Finally, they can be analysed sporadically, as necessary, or suddenly, for example in case of a computer attack [23]. This classification feature, together with the observation modes, can serve as an adaptation feature of the monitoring process.

Other features that can also be used for this goal are the degree of influence of the observation procedure on the information exchange process and the type of traffic stimulation used to obtain observational data. Stimulation is required to get intermediate and output traffic parameters as responses to it. The nature of the traffic stimulation and of the responses to it forms the basis for an opinion on the quality and anomalies of the information flow. By analogy with technical diagnostics procedures, stimulations can be of the following two types: operating (natural) stimulation and testing (artificial) stimulation.

Operating stimulation assumes the influence of natural or specially generated operating exposures on an information flow. These exposures usually take place during the operation of the information and telecommunication system. Testing stimulation assumes the influence on the traffic of specific exposures that differ from the operating ones. This allows differentiating functional observation, based on operating exposures, from test observation, which uses exposures different from the operating ones [18, 20].

From the point of view of the degree of influence of the observation procedure on the information exchange process, the following observation classes can be outlined: destructive traffic monitoring and non-destructive observation. In the latter case the process of observing traffic parameters does not affect the communication process, i.e. does not break the information exchange process in information and telecommunication systems.

The concept of non-destructive observation is opposed by the concept of destructive observation, when in order to obtain the required data on traffic parameters it is necessary to break the connection, i.e. to artificially interfere in the information exchange between users of the information and telecommunication system [18].

B. Classification Features of the Assessment Procedure

In the scope of monitoring, the network traffic assessment procedure has the following classification features: assessment object; assessment criteria; type of grading scale; nature of assessment; assessment methods; type of obtained values of network traffic parameters; time dependency of assessment; and the type of a priori uncertainty of the observational data, which determines the method for assessing the network traffic parameters.

Considering the assessment object feature, there are assessment of network traffic (state) parameters and assessment of network traffic quality on the basis of parameter values [18, 23]. Assessment of traffic state and/or quality is implemented via three criteria, namely suitability, optimality and superiority.

In general, considering the assessment scale type, there are qualitative and quantitative assessments of network traffic parameters. Qualitative assessment is a procedure of information decision making using a binary scheme (e.g. binary, Boolean, etc.).

Quantitative assessment is based on a procedure of mapping the observed parameter values onto a specific non-binary quantitative scale. The classification features of the network traffic assessment procedure that characterize the nature of this process and the type of estimates obtained are directly connected with the nature of the input data, i.e. of the obtained observation results.

Considering the nature of the process, assessment of network traffic parameters can be direct or indirect. The estimates obtained can be absolute or relative [19].

The assessment methods can be divided into formal methods, taxonomic methods and index methods. The formal methods include the methods of expert qualimetry and of probabilistic and statistical qualimetry, which, in their turn, can be divided into accurate and approximate ones.

The expert methods include expert surveys (i.e. methods using expert knowledge) [24], fuzzy set theory methods if the membership function values are obtained with the help of experts, and methods that use neural network algorithms if the coefficients of the weight matrix of the extrapolating neural network are obtained with the help of experts.

The probabilistic and statistical assessment methods include analytical methods, numerical methods, methods of statistical tests and methods of statistical simulation. Analytical methods are based on direct integration by formulas.

Numerical methods are based on numerical integration of the expressions for determining the probability of achieving a goal. The methods of statistical tests are based on the geometric method for determining the probability of a random event [24]. The methods of statistical simulation are based on the generation of a simulation model of the network traffic, which represents this object of monitoring in a formalized form (i.e. in the form of an algorithm).

The trade-off method belongs to the taxonomic methods. It is based on the generation of trade-off sets (i.e. Pareto sets). The index methods (or randomization methods) are based on replacing the deterministic requirements on the values of network traffic parameters (or traffic quality metrics) with their randomized counterparts.

Considering the type of obtained estimates, there are integral and particular estimates of network traffic parameters and quality indicators. The integral estimates may differ by the type of parameter convolution used in the various methods of detecting harmful information and computer attacks.

Considering the time dependency of assessment, there are methods of static and dynamic assessment of network traffic. Considering the type of a priori uncertainty of the observational data, there are methods that give deterministic estimates, methods that give probabilistic estimates, and methods based on obtaining fuzzy estimates of network traffic parameters [13].

C. Classification Features of the Forecasting Procedure

In the scope of network traffic monitoring for detecting harmful information and computer attacks, the forecasting procedure for information flow parameters and quality values has the following classification features: forecasting object; forecasting interval; and forecasting method.

From the forecasting object point of view, there are algorithms for forecasting network traffic (state) parameters and algorithms for forecasting network traffic quality indicators. Forecasting of network traffic quality indicators can be implemented in two ways, depending on the information obtained during the observation and assessment procedures. The first way should be used if the estimates of the network traffic quality indicators are calculated directly in the process of monitoring.

This way consists in considering these indicators as functions of time directly, rather than indirectly through the parameters. In this case the dependency of the network traffic quality indicators on time can be represented by some function, for example a polynomial with random coefficients.

The estimates of this polynomial's coefficients can be calculated from the results of observing the estimates of the network traffic quality indicators. After the coefficient estimates are obtained, forecasting is carried out by advancing the time by the forecast interval. Thus, the first way is similar to parameter forecasting.

The second way is used if the network traffic quality indicators are not calculated in the process of monitoring and the decision on the presence or absence of anomalies (i.e. features of harmful information or a computer attack) is made by comparing traffic parameter values with the requirements. The second way consists in forecasting the traffic parameters first. Then, using these forecasted estimates, the future values of the network traffic quality indicators are calculated [19].

The interval (frequency) of forecasting depends on the characteristics of the network traffic and can determine short-term (fractions of a second, seconds, minutes, hours, etc.), medium-term (hours, days, etc.) and long-term (several days, a month, etc.) forecasting of the state (quality) of the information flow in order to detect harmful information and computer attacks.

Considering the forecasting methods, there are analytical and expert methods. The expert methods are based on expert knowledge, while the analytical methods are based on calculations using extrapolation or modeling. Besides, in the formal statement of the problem of forecasting network traffic parameters in the interest of detecting harmful information and computer attacks, two cases should be considered [7].

The first case is called integral. In this case the forecasting operator G1 should be determined. It is determined based on the extremum condition of the selected optimality criterion. Application of the criterion to the whole set of the observed signals  gives an estimate of the network traffic parameters vector at the future moment of time :

,

where – the time of forecasting, – the estimate of the network traffic parameters vector at the future moment of time. The second case is called recurrent. In this case the forecasting operator G2 should be determined.

It is also determined based on the extremum condition of the selected optimality criterion, but this criterion is applied only to the last observation and to the estimate of the network traffic parameters vector obtained at the previous step (t_{n-1}):

.

Obviously, the recurrent forecasting operator should be applied if the forecasting of network traffic parameters is carried out over a moving time interval. This is explained by the fact that, when this operator is used, the memory of the processor responsible for predictive analysis within network traffic monitoring is used more rationally.
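As an added illustration of the integral and recurrent forecasting operators (not code from the paper), the following Python script fits a polynomial to a constructed packets-per-second series both ways, with the integral operator re-fitted on the whole observation set and the recurrent one fed one sample at a time, and then derives a link-load quality indicator from the forecast parameter, as in the second forecasting way above. The series, the mean packet size and the link capacity are assumed values.

```python
"""Integral (G1) vs recurrent (G2) forecasting of a traffic parameter.

Added example, not the paper's code. A constructed packets-per-second series is
modelled as a polynomial in time fitted by least squares: G1 re-fits on the
whole observation set, G2 folds in only the newest sample (recursive least
squares), so its memory does not grow with the window.
"""


def _solve(a, b):
    """Gauss-Jordan solution of the small dense system a x = b."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        m[col] = [v / m[col][col] for v in m[col]]
        for r in range(n):
            if r != col:
                m[r] = [rv - m[r][col] * cv for rv, cv in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]


def _normal_equations(times, values, degree):
    """Accumulate A^T A and A^T y for the polynomial basis 1, t, ..., t^degree."""
    n = degree + 1
    ata = [[0.0] * n for _ in range(n)]
    aty = [0.0] * n
    for t, y in zip(times, values):
        ph = [t ** k for k in range(n)]
        for i in range(n):
            aty[i] += ph[i] * y
            for j in range(n):
                ata[i][j] += ph[i] * ph[j]
    return ata, aty


def _poly(coef, t):
    return sum(c * t ** k for k, c in enumerate(coef))


def integral_fit(times, values, degree):
    """G1: least-squares coefficients over the whole observation set."""
    ata, aty = _normal_equations(times, values, degree)
    return _solve(ata, aty)


class RecurrentForecaster:
    """G2: keeps only the current coefficient vector and its covariance P."""

    def __init__(self, times, values, degree):
        n = self.n = degree + 1
        # Exact start from the first n samples; later samples are never stored.
        ata, aty = _normal_equations(times[:n], values[:n], degree)
        self.coef = _solve(ata, aty)
        cols = [_solve(ata, [1.0 if i == j else 0.0 for i in range(n)]) for j in range(n)]
        self.p = [[cols[j][i] for j in range(n)] for i in range(n)]  # (A^T A)^-1
        for t, y in zip(times[n:], values[n:]):
            self.update(t, y)

    def update(self, t, y):
        """Recursive least-squares step using only (t, y) and the prior state."""
        n = self.n
        ph = [t ** k for k in range(n)]
        p_ph = [sum(self.p[i][j] * ph[j] for j in range(n)) for i in range(n)]
        gain = [v / (1.0 + sum(ph[i] * p_ph[i] for i in range(n))) for v in p_ph]
        err = y - _poly(self.coef, t)  # innovation brought by the new sample
        self.coef = [c + g * err for c, g in zip(self.coef, gain)]
        self.p = [[self.p[i][j] - gain[i] * p_ph[j] for j in range(n)] for i in range(n)]


def forecast_both(times, values, degree, horizon):
    """Parameter forecast `horizon` seconds past the last sample with G1 and G2."""
    t_future = times[-1] + horizon
    g1 = _poly(integral_fit(times, values, degree), t_future)
    g2 = _poly(RecurrentForecaster(times, values, degree).coef, t_future)
    return g1, g2


def link_load(pps, mean_packet_bytes, capacity_bps):
    """Second way: quality indicator (fraction of link capacity) from the forecast parameter."""
    return pps * mean_packet_bytes * 8 / capacity_bps


# Constructed observation set: packets per second, sampled once per second.
TIMES = [float(t) for t in range(8)]
PPS = [500 + 20 * t + 2 * t * t for t in TIMES]

if __name__ == "__main__":
    g1, g2 = forecast_both(TIMES, PPS, 2, 3.0)
    print(f"G1 {g1:.2f} pps, G2 {g2:.2f} pps, load {link_load(g1, 800, 1e7):.1%}")
```

Both operators give the same forecast (900 pps three seconds ahead for the constructed series); the recurrent one does so while holding only the three coefficients and a 3x3 covariance, which is the memory argument made above.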

IV. Discussion and Conclusions

The paper proposed an alternative classification of modes, methods and algorithms of network traffic monitoring in order to detect harmful information and computer attacks. The proposed classification alternative focuses on considering the network traffic monitoring problem as a complex of observation, assessment and forecasting procedures.

The considered classification features allow specifying the borders and outlining the theoretical background for optimization and adaptation of network traffic monitoring procedures. Therefore, they allow decomposing the task of synthesizing optimal and adaptive systems for protection against harmful information and computer attacks on information and telecommunication networks in order to efficiently manage their information security considering the influence of evolutionary and operational factors.

ACKNOWLEDGMENT

This research was carried out with the support of the Russian Science Foundation under grant #18–11–00302 in SPIIRAS.

REFERENCES

[1] Stuttard, D., Hartstein, B., Pinto, M., Hale, L., Richard, O., and Adair, S. Attack and Defend Computer Security Set. Hoboken, New Jersey, US: John Wiley & Sons, 2014, 1656 p.

[2] Geers, K. Strategic Cyber Security: An Evaluation of Nation-State Cyber Attack Mitigation Strategies. Tallinn, Estonia: NATO CCD COE (NATO Cooperative Cyber Defence Centre of Excellence), 2011, 169 p.

[3] O'Leary, M. Cyber Operations: Building, Defending, and Attacking Modern Computer Networks. New York, US: Apress, 2019, 1151 p.

[4] Schlienger, T. and Teufel, S. Information security culture: from analysis to change, in South African Computer Journal, 2003, vol. 31, pp. 46–52.

[5] Watts, S. Low-Intensity Computer Network Attack and Self-Defense, in International Law Studies, 2011, vol. 87, pp. 59–87.

[6] Ruchi, V. and Ankit, J. Kumar. A survey of DDoS attacking techniques and defence mechanisms in the IoT network, in Telecommunication Systems, 2020, vol. 73, issue 1, pp. 3–25.

[7] Kotenko, I., Saenko, I., Kushnerevich, A., and Branitskiy, A. Attack detection in IoT critical infrastructures: a machine learning and big data processing approach, in The 27th Euromicro International Conference on Parallel, Distributed and Network-based Processing (PDP 2019), Pavia, Italy, February 13–15, 2019, pp. 340–347.

[8] Chio, C. and Freeman, D. Machine Learning and Security: Protecting Systems with Data and Algorithms. Sebastopol, US: O'Reilly Media, 2018, 385 p.

[9] Undercoffer, J., Joshi, A., and Pinkston, J. Modeling Computer Attacks: An Ontology for Intrusion Detection, in International Workshop on Recent Advances in Intrusion Detection (RAID 2003), Springer-Verlag Berlin Heidelberg, 2003, vol. 2820, pp. 113–135.

[10] Eckmann, S., Vigna, G., and Kemmerer, R. STATL: An Attack Language for State-based Intrusion Detection, in Journal of Computer Security, 2002, vol. 10(1/2), pp. 71–104.

[11] Salmon, A., Levesque, W., and McLafferty, M. Applied Network Security: Proven tactics to detect and defend against all kinds of network attack. Birmingham, UK: Packt Publishing, 2017, 336 p.

[12] Kotenko, I. and Doynikova, E. Selection of countermeasures against network attacks based on dynamical calculation of security metrics, in Journal of Defense Modeling and Simulation, 2018, vol. 15, issue 2, April 1, pp. 181–204.

[13] Parashchuk, I. and Doynikova, E. The Architecture of Subsystem for Eliminating an Uncertainty in Assessment of Information Objects Semantic Content Based on the Methods of Incomplete, Inconsistent and Fuzzy Knowledge Processing, in The 13th International Symposium on Intelligent Distributed Computing (IDC 2019), October 7–9, 2019, Saint Petersburg, Russia, 2020, pp. 294–301.

[14] Kumar Nainar, N., Ramdoss, Y., and Orzach, Y. Network Analysis using Wireshark 2, 2nd edition. Birmingham, UK: Packt Publishing, 2018, 626 p.

[15] Monitoring Network Traffic Using sFlow Technology on EX Series Ethernet Switches. Application Note. Sunnyvale, US: Juniper Networks Inc., 2010, 15 p.

[16] Uma, M. and Padmavathi, G. An Efficient Network Traffic Monitoring for Wireless Networks, in International Journal of Computer Applications, 2012, vol. 53, no. 9, pp. 51–59.

[17] Garcia-Dorado, J. L., Mata, F., Ramos, J., and Santiago del Rio, P. M. Data Traffic Monitoring and Analysis: From Measurement, Classification, and Anomaly Detection to Quality of Experience. Springer-Verlag Berlin Heidelberg, 2013, 370 p.

[18] Bhuyan, M. H., Bhattacharyya, D. K., and Kalita, J. K. Network traffic anomaly detection and prevention: concepts, techniques, and tools. Springer, 2017, 278 p.

[19] Pescape, A., Salgarelli, L., and Dimitropoulos, X. Traffic Monitoring and Analysis. The 4th International Workshop, TMA 2012, Vienna, Austria, March 12, Proceedings. Springer, 2012, 183 p.

[20] Bejtlich, R. The Practice of Network Security Monitoring: Understanding Incident Detection and Response. San Francisco, US: No Starch Press, 2013, 380 p.

[21] Kotenko, I. and Parashchuk, I. Synthesis of Controlled Parameters of Cyber-Physical-Social Systems for Monitoring of Security Incidents in Conditions of Uncertainty, in IOP Conference Series: Journal of Physics: Conference Series (JPCS), vol. 1069, pp. 1–6.

[22] Collins, M. Network Security Through Data Analysis: From Data to Action. Sebastopol, US: O'Reilly Media, 2017, 427 p.

[23] Daadoo, M. Network Traffic Monitoring Analysis System with Built-in Monitoring Data Gathering, in European Journal of Social Sciences, 2017, vol. 54, issue 1, pp. 79–91.

[24] Svoboda, J., Ghafir, I., and Prenosil, V. Network Monitoring Approaches: An Overview, in International Journal of Advances in Computer Networks and Its Security (IJCNS), 2015, vol. 5, issue 2, pp. 88–93.
