A Monte Carlo method for predicting the resistance of a computer network to DoS attacks

The application of the Monte Carlo method to the problem of identifying weak nodes of a computer network and assessing their protection against DDoS attacks is considered. The field of research is of practical and theoretical interest, since the methods developed in classical reliability theory are focused on simple, stationary flows. Under DDoS attack conditions the flow of attacking requests is not stationary, so the known analytical models give an unacceptable error. To obtain reliable results, freedom is required in choosing the distribution functions of the arrival moments of attacking requests, their durations and the response of the attacked node. The method is applicable to modelling a computer network when organizing an information security audit.


Introduction
The development of digital technologies of information transmission, together with the increasing complexity of the IT infrastructure of enterprises, is one of the reasons for the growth of cybercrime [1]. One of the most common computer attacks is the denial-of-service attack, whose purpose is to disrupt the availability of an information system for authorized users. If such an attack is carried out from several distributed sources, it is classified as a DDoS attack [2,3]. In 2020, the number of distributed denial-of-service attacks increased significantly, and the beginning of 2021 was marked by an increase in their intensity [4,5]. The mechanism of this attack is to create a stream of false requests whose intensity exceeds the maximum resource of the server for processing requests, which leads to a failure in its operation. The sources of malicious requests are distributed botnets consisting of ordinary users' computers infected with viruses, which are able to synchronously execute commands transmitted from the control source of the attack [6]. A distinctive feature of this kind of attack is that its implementation leaves almost no legally significant evidence. There are special programs and services that can be used to organize a DDoS attack, and they are actively used in unfair competition. At the same time, the costs of organizing an attack are disproportionately small compared to the possible financial and reputational losses of the attacked company. Therefore, taking measures to protect against these attacks is an urgent task of information security (IS) management bodies. Along with traditional protection measures, one of the most reasonable and effective ways to manage IS risk is information risk insurance [7]. However, the procedure for insuring IS risks requires the involvement of an independent auditor equipped with appropriate risk assessment methods [8,9].

DDoS attacks
The general classification of DDoS attacks is shown in figure 1.

Figure 1. General classification of DDoS attacks.
DDoS attacks differ in their target and in the level of implementation [10]. By target, attacks can be aimed either at the computing resources of a computer network or at its bandwidth. In the simulation this means that bandwidth-oriented attacks consist of a large number of requests whose processing time is short, while resource-oriented attacks form a relatively small number of complex requests whose processing time is significantly longer.
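In queuing terms, the two attack classes above differ only in their parameters. A minimal sketch (with purely illustrative request counts and mean service times, not figures from the paper) of generating the two request profiles:

```python
import random

def generate_attack(num_requests, mean_service_time, seed=0):
    """Generate a list of per-request service times for a simulated attack."""
    rng = random.Random(seed)
    # Exponentially distributed service times with the given mean.
    return [rng.expovariate(1.0 / mean_service_time) for _ in range(num_requests)]

# Bandwidth-oriented: many requests, each cheap to process.
bandwidth_attack = generate_attack(num_requests=10000, mean_service_time=0.01)
# Resource-oriented: few requests, each expensive to process.
resource_attack = generate_attack(num_requests=100, mean_service_time=5.0)
```

Any other service-time distribution can be substituted for the exponential one; the point is only the contrast between the two parameter regimes.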
The division by implementation is determined by the level of the TCP/IP model at which the attack is carried out. The application layer corresponds to attacks on the business logic of the network, primarily web sites and file servers operating over the HTTP/HTTPS and FTP/NFS protocols. It is also possible to attack any other network applications accessed at this level, for example through an API. The most common examples are POST and GET floods. Attacks at the transport and network levels do not depend on business logic; they are therefore easier to execute and do not require personalization for the specific network being attacked. Here the most common example is the SYN flood.
The analysis of stress testing software tools [11,12], as well as of the tools used in practice by attackers, showed that the absolute majority of resource-oriented attacks are carried out at the Application layer, while attacks on channel bandwidth are carried out at the Transport and Network layers. Real customers of DDoS attacks, before paying for a long-term attack, usually order a test lasting 5-10 minutes. If the test attack is successful, full payment is made for a certain period of time. It is therefore rational to simulate only the first minutes of a DDoS attack, since this is sufficient to assess the security of a computer network.

Network organization
Modern computer networks are designed linearly, with clearly allocated levels. This ensures the absence of switching loops, as well as the possibility of horizontal scaling: by increasing the number of nodes at each level, the overall network performance increases. Figure 4 shows a typical computer network diagram. The load balancer can be an external server (or even an entire network of servers) that does not belong to the organization, or an internal server of the organization. Its task is to distribute requests arriving at the network among the organization's internal servers. For this, the Least Connections balancing method is used [13]. In the simulation this means that requests are redirected to the nodes that have the fewest active connections at a given moment.
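The Least Connections rule described above can be sketched as follows; this is a minimal illustration in which each server is represented only by its active-connection count:

```python
def least_connections(servers):
    """Return the index of the server with the fewest active connections.

    `servers` is a list of active-connection counts, one per internal server.
    Ties are broken in favour of the lower index, as Python's min() does.
    """
    return min(range(len(servers)), key=lambda i: servers[i])

# Example: three servers with 4, 2 and 7 active connections.
active = [4, 2, 7]
target = least_connections(active)   # the second server (index 1) is chosen
active[target] += 1                  # the new request is routed there
```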
For modeling, a network node is represented as a server in a queuing system, and the computer network itself is represented as a queuing network [14]. Requests coming to the server can be considered as a flow of requests, characterized by the arrival rate λ and the departure (service) rate μ. The ratio of λ to μ is called the load factor of the queuing system and is denoted by ρ. In the problem under consideration, the model can be described as a multi-channel system with a limited queue and a limited waiting time in the queue [15]. Requests are serviced according to the FIFO principle: the earlier a request enters the queue, the earlier it is serviced, and there are no request priorities. Figure 5 shows a marked graph of system states, in which the state S0 corresponds to the situation when all channels are free and there is no queue, the state Sn+i shows that all n channels are busy servicing requests and there are i requests in the queue, and the state Sn+m corresponds to the case when all n channels and all m places in the queue are occupied. The value v characterizes the intensity of the departure of requests from the queue, which corresponds to requests leaving the server queue because the maximum time spent in it is exceeded, with the occurrence of the «504 Gateway Time-out» error.
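The state graph of figure 5 can be expressed as a small model in which the state index equals the number of busy channels plus the number of waiting requests. This is an illustrative sketch, not the authors' implementation; the class and method names are invented for the example:

```python
from collections import deque

class ServerModel:
    """Multi-channel server with n channels, queue capacity m and a queue timeout.

    The states S0..S(n+m) from the text correspond to busy + len(queue).
    """
    def __init__(self, n_channels, queue_capacity, max_wait):
        self.n = n_channels
        self.m = queue_capacity
        self.max_wait = max_wait
        self.busy = 0
        self.queue = deque()  # arrival timestamps of waiting requests

    def state(self):
        """Index i of the current state S_i in the marked graph."""
        return self.busy + len(self.queue)

    def arrive(self, now):
        """Handle an arrival: 'served', 'queued' or 'rejected' (502 Bad Gateway)."""
        if self.busy < self.n:
            self.busy += 1
            return 'served'
        if len(self.queue) < self.m:
            self.queue.append(now)
            return 'queued'
        return 'rejected'

    def drop_timed_out(self, now):
        """Remove queued requests that exceeded max_wait (504 Gateway Time-out)."""
        dropped = 0
        while self.queue and now - self.queue[0] > self.max_wait:
            self.queue.popleft()
            dropped += 1
        return dropped
```

With n = 2 channels and m = 1 queue place, the fourth simultaneous arrival finds the system in state S3 = S(n+m) and is rejected, matching the failure condition described below.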
The verbal service model is as follows. Let the server receive requests with some intensity λ. When functioning in the normal mode, the distribution law of the input flow of requests can be considered Poisson over a sufficiently large period of time. The servicing of received requests is carried out with intensity μ. Handler processes act as service channels. If all channels and all places in the queue are occupied, a failure occurs, which corresponds to an overflow of the request queue on a real server and the occurrence of the «502 Bad Gateway» error. The above description of the server in terms of queuing theory is suitable, for example, for servers running Nginx. The number of channels, the length of the queue and the maximum time spent in the queue are set in the Nginx configuration files by the «worker_connections», «backlog» and «timeout» parameters. The Nginx request processing scheme is shown in figure 6. Many other network applications, for example Apache, are arranged similarly.
Figure 6. Nginx worker process structure.
If a DDoS attack is conducted at the Application layer, it is important to take into account the server's access to the database, which can be located either inside the computer network or provided by cloud services and data centers. At the Transport and Network layers there is no access to the database, so interaction with it need not be simulated.
There are analytical expressions that can be used to calculate the probability of finding a queuing system in each of the states, as well as the probability of failure. However, under DDoS attack conditions their use is incorrect: in the process of modeling a DDoS attack, several requests may arrive at the server simultaneously, which violates the orderliness requirement for the incoming flow, so it can no longer be considered Poisson without rough assumptions that can lead to unacceptably erroneous results [16]. Thus, the classical tools of queuing theory are unsuitable for solving the task. The solution is to use Monte Carlo simulation modeling. Simulation modeling makes it possible to track changes in system states over time and is well suited to modeling random processes such as DDoS attacks [17,18].

Modeling
In general, the development of a simulation model of discrete systems with stochastic functioning, which include queuing systems, is carried out in the following order [19]:
1) setting the distribution law of a random variable;
2) generation of values of random variables with the given distribution law;
3) formation of request flows and service simulation;
4) modeling of queues of service requests;
5) processing of the simulation results.
An important stage in the development of a simulation model is the formation of flows, which can be carried out in various ways:
- by direct enumeration of the moments of events;
- by indicating the moments of events and the number of events occurring at each of these moments;
- by indicating the sequence of durations of the time intervals between events;
- by indicating the durations of the intervals between the moments when events occur, and the number of events at each of these moments;
- by a function X(t) equal to the number of events in the interval (0, t).
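One of the flow-formation methods listed above, the sequence of durations between events, can be sketched as follows. Exponential intervals give a Poisson flow; replacing `rng.expovariate` with any other sampler gives exactly the freedom of distribution choice that non-stationary DDoS traffic requires. A hedged illustration, not the authors' program:

```python
import random

def arrival_times_from_intervals(rate, horizon, seed=0):
    """Form a flow from the sequence of durations between events.

    Intervals are exponential with mean 1/rate (a Poisson flow); any other
    interval distribution can be substituted for `rng.expovariate` here.
    """
    rng = random.Random(seed)
    t, times = 0.0, []
    while True:
        t += rng.expovariate(rate)
        if t > horizon:
            return times
        times.append(t)

def counting_function(times, t):
    """X(t): the number of events in the interval (0, t]."""
    return sum(1 for x in times if x <= t)
```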
Thus, the task is to simulate attacks on key nodes of the computer network, which are servers, and to assess their vulnerability to DDoS attacks. As a result of the simulation, the decision-maker receives information about the probability of server failure, sufficient to take a number of organizational and technical measures to reduce the risk. These measures include server redundancy, improving server performance, limiting the bandwidth of the channel. In case of a high probability of server failure due to DDoS attacks, insurance may be the solution.
The issues of simulation of DDoS attacks have been considered in a number of papers. Thus, in [20] a system for simulating DDoS attacks in the OMNeT++ modeling environment on computer networks consisting of a large number of machines is presented and various protection mechanisms are also considered. In [21] simulation modeling was used at the level of network packets. As a defense, the authors proposed a bioinspired approach that includes a distributed mechanism for collecting and processing information that coordinates the actions of the main devices of a computer network. In [22], the simulation modeling of a network for testing security methods with the possibility of connecting real nodes to the test bed is considered.
The simulation model is based on the random nature of request arrivals at each moment of time. The further servicing of requests and the release of channels are described by logical expressions. The percentage of successful DDoS attacks, equal to the probability of server failure, is calculated as the ratio of failures to the total number of requests. The parameters of the initial model are the arrival rate λ and the service rate μ, the maximum waiting time of a request in the queue, the queue length, the number of channels, and the time step dt, which is set to 0.1 seconds. The model was tested at various values of the ratio of λ to μ, i.e. the load factor. The analysis showed that even when the arrival rate exceeds the service rate by 6.25 times, the probability of a successful DDoS attack is estimated at 51.32%, and when it is exceeded by 10 times, the probability of server failure rises to 70% (figure 7). To assess the probability of server failure with a large number of iterations and an arbitrary number of channels, a program for evaluating the server's security against DDoS attacks is used. The program accepts statistics of requests arriving at the server, the queue length and the maximum waiting time of a request in the queue [23]. The request arrival statistics are loaded as an Excel file, in which the first column corresponds to the arrival of requests at the server and the subsequent columns correspond to the servicing of a request by the first and subsequent channels. The occurrence of a request arrival event, or of its servicing by a channel, is indicated in a cell by the number 1; the opposite event is indicated by 0. The program outputs the probability of failure, calculated as the ratio of the number of refusals to the total number of requests.
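The time-stepped Monte Carlo scheme described above can be sketched as follows. This is an illustrative reconstruction under stated assumptions, not the authors' program: arrivals per step are drawn from a Poisson distribution with mean λ·dt (so several requests may arrive in one step), a busy channel completes within a step with probability μ·dt (which must not exceed 1), and timed-out requests leave the queue without being counted as refusals; all parameter values in the example call are invented.

```python
import math
import random
from collections import deque

def poisson_sample(rng, mean):
    """Knuth's algorithm for sampling a Poisson-distributed count (mean > 0)."""
    limit = math.exp(-mean)
    k, p = 0, 1.0
    while p > limit:
        k += 1
        p *= rng.random()
    return k - 1

def simulate_failure_probability(lam, mu, n_channels, queue_len, max_wait,
                                 duration, dt=0.1, seed=0):
    """Estimate the server failure probability as refusals / total requests."""
    rng = random.Random(seed)
    busy = []        # one marker per occupied channel
    queue = deque()  # arrival times of waiting requests
    total = failures = 0
    for step in range(int(duration / dt)):
        now = step * dt
        # Each busy channel completes this step with probability mu*dt.
        busy = [1 for _ in busy if rng.random() > mu * dt]
        # Requests waiting longer than max_wait leave the queue (504);
        # whether to count them as refusals is a modelling choice - here they
        # are not counted, matching failure = queue overflow (502).
        while queue and now - queue[0] > max_wait:
            queue.popleft()
        # Move queued requests into freed channels (FIFO).
        while queue and len(busy) < n_channels:
            queue.popleft()
            busy.append(1)
        # New arrivals this step: possibly several at once.
        for _ in range(poisson_sample(rng, lam * dt)):
            total += 1
            if len(busy) < n_channels:
                busy.append(1)
            elif len(queue) < queue_len:
                queue.append(now)
            else:
                failures += 1  # 502: all channels and queue places occupied
    return failures / total if total else 0.0

# Heavy overload (arrival rate far above total service capacity).
p = simulate_failure_probability(lam=100.0, mu=1.0, n_channels=5,
                                 queue_len=10, max_wait=1.0, duration=10.0)
```

Averaging this estimate over many independent runs (different seeds) is what drives the Monte Carlo error down.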
A distinctive feature of the software model is its versatility, due to the flexibility of changing parameters. The program performs 10^6 iterations, after which the data can be saved to disk. Figure 8 shows the program interface. Experiments conducted with the model showed that under a high intensity of requests and a large ratio of λ to μ (ρ = 1000), which corresponds to a DDoS attack, the probability of failure decreases by 4-6% with an increase in the number of channels by five units (figure 9). Increasing the service queue by 100 units reduces the probability of failure by 1%. Thus, with an initial failure probability of 80% and a queue length equal to one, an increase of the queue to 3000 units was required to reduce the probability of failure to 50% (figure 10). The results indicate that the most effective way to reduce the probability of failure is to increase the performance of the server by increasing its service channels. Figure 10. The dependence of the probability of server failure on the queue length.

Conclusion
As a result of the conducted research, the expediency of using simulation modeling with elements of the Monte Carlo method to assess the probability of server failure under DDoS attacks is shown. It was concluded that the server can be considered as a queuing system, but the flow of incoming requests under DDoS attack conditions is not Poisson, so the use of analytical expressions to assess the probability of failure is incorrect. The simulation allows the decision-maker to assess the probability of server failure and take organizational and technical measures to increase the level of security. Analysis of the simulation results showed that the most effective measure is improving server performance by increasing the number of service channels. Thus, the developed tool will be useful in conducting an audit of the information security of an organization in the interests of insuring information security risks and justifying the insurance premium. A direction of further research is to study the security of a computer network taking into account the features of a specific topology.