Method of detection of http attacks on a smart home using the algebraic matching method


Saved in:
Bibliographic details
Date: 2023
Authors: Gorbatiuk, V.O., Gorbatiuk, S.O.
Format: Article
Language: English
Published: Institute of Software Systems of the NAS of Ukraine (Інститут програмних систем НАН України), 2023
Subjects: cyber security; HTTP attacks; smart home; attack detection; algebraic approach; algebraic matching; attack formalization; security properties; UDC 004.05
Online access: https://pp.isofts.kiev.ua/index.php/ojs1/article/view/540
Journal title: Problems in programming
Download file: PDF

Repositories

Problems in programming
id pp_isofts_kiev_ua-article-540
record_format ojs
resource_txt_mv ppisoftskievua/04/fcc3ffbc5c35f2afe60e17d358890504.pdf
published 2023-01-23, Article, application/pdf
doi 10.15407/pp2022.03-04.396 (issue DOI 10.15407/pp2022.03-04)
issue PROBLEMS IN PROGRAMMING; No 3-4 (2022); 396-402
issn 1727-4907
pdf https://pp.isofts.kiev.ua/index.php/ojs1/article/view/540/593
copyright Copyright (c) 2023 PROBLEMS IN PROGRAMMING
institution Problems in programming
baseUrl_str https://pp.isofts.kiev.ua/index.php/ojs1/oai
datestamp_date 2023-06-25T08:00:30Z
collection OJS
language English
topic cyber security
HTTP attacks
smart home
attack detection
algebraic approach
algebraic matching
attack formalization
security properties
UDC 004.05
format Article
author Gorbatiuk, V.O.
Gorbatiuk, S.O.
title Method of detection of http attacks on a smart home using the algebraic matching method
title_alt Методи вмявлення НТТР атак на розумний будинок за допомогою методу алгебраїчного співставлення
description All international and domestic spheres of production and service are developing at a frantic pace, and in modern life it is no longer possible to imagine any enterprise or government institution without a connection to the Internet and the use of cloud services. The development of digital technologies forces innovative solutions into everyday life and entertainment. In an age in which society depends on high-tech gadgets and the Internet, we can clearly mark the emergence of smart home technology. Along with it, interest in private information on the network is growing, more attack approaches are appearing, and cybercrime is becoming more organised and more widespread. This work aims to show the types of cyber attacks on smart homes, together with the tools and methods for detecting them, in particular the method of mathematical comparison (algebraic matching), which makes it possible to create stable web applications and services that take into account the requirements for their security and reliability. Problems in programming 2022; 3-4: 396-402
publisher Institute of Software Systems of the NAS of Ukraine (Інститут програмних систем НАН України)
publishDate 2023
url https://pp.isofts.kiev.ua/index.php/ojs1/article/view/540
fulltext
[Journal section: Захист інформації (Information Security), p. 396]
UDC 004.05
https://doi.org/10.15407/pp2022.03-04.396

METHODS OF DETECTION OF HTTP ATTACKS ON A SMART HOME USING THE ALGEBRAIC MATCHING METHOD

Viktor Horbatiuk, Serhii Horbatiuk

All international and domestic spheres of production and service are developing at a frantic pace, and in modern life it is no longer possible to imagine any enterprise or government institution without a connection to the Internet and the use of cloud services. The development of digital technologies forces innovative solutions into everyday life and entertainment. In an age in which society depends on high-tech gadgets and the Internet, we can clearly mark the emergence of smart home technology. Along with it, interest in private information on the network is growing, more attack approaches are appearing, and cybercrime is becoming more organised and more widespread. This work aims to show the types of cyber attacks on smart homes, together with the tools and methods for detecting them, in particular the method of mathematical comparison (algebraic matching), which makes it possible to create stable web applications and services that take into account the requirements for their security and reliability.

Keywords: cyber security, HTTP attacks, smart home, attack detection, algebraic approach, algebraic matching, attack formalization, security properties.
1. Identification of attacks and relevance of the work

A smart home is a system of sensors and devices, combined into a single system, that is capable of performing actions and solving certain everyday tasks without human intervention. The Internet of Things (IoT) is the mechanism that currently powers smart homes.

Today HTTP traffic dominates the Internet. All programmable devices and smart appliances in today's smart homes are connected to the Internet. Data centres handle high volumes of HTTP traffic, and many businesses derive a growing share of their revenue from online sales. However, as the protocol's popularity grows, so do its risks, and like any protocol, HTTP is vulnerable to attack. Attackers use various attack methods to obtain user data or to create a denial of service on web servers, whether for benefit, for profit or simply for fun.

A cyberattack is an attack by cybercriminals using one or more computers against one or more computers or networks. A cyberattack can maliciously shut down computers, steal data, or use a compromised computer as a launching point for other attacks. Cyber security matters because it protects all categories of data from theft and damage: confidential data, personally identifiable information, protected health information, intellectual property, and governmental and industrial information systems.
Without a cyber security programme, a home cannot defend itself against data breach attempts and becomes an attractive target for cybercriminals. Risks are increasing because of global connectivity and the use of cloud services such as Amazon Web Services to store sensitive data and personal information. Widespread misconfiguration of cloud services, combined with increasingly organised cybercriminals, means that the risk of a home being affected by a successful cyber attack or data breach keeps growing. Smart home service providers can no longer rely solely on off-the-shelf cyber security products such as antivirus software and firewalls: cybercriminals are becoming smarter, and their tactics are becoming more resistant to conventional defences. Society is more technologically dependent than ever before, with no sign of the trend slowing down, which is why the importance of cyber security is growing. Data leaks from smart home systems that are tightly integrated with social networks can lead to identity theft, and sensitive information such as social security numbers, credit card details and bank account details is now kept in cloud storage services such as Dropbox or Google Drive.

2. Overview of attacks on smart homes

Whether a home has a full smart home system or only a set of smart devices, its security must be evaluated as the sum of the security of each device. 40.8% of smart homes have at least one device vulnerable to cyber security threats, and 31.4% are at risk because of unpatched software vulnerabilities. The only way to protect against this threat is to pay more attention to the smart home devices that are installed; attacks on such devices are not very different from conventional network attacks.

© V.O. Horbatiuk, S.O. Horbatiuk, 2022. ISSN 1727-4907. Problems in Programming (Проблеми програмування), 2022, No. 3-4.
Special issue.

Methods of network attacks are classified as passive and active. Passive attacks intercept data on its way to the recipient. Active attacks are attacks in which the attacker tries to modify data on the target system or data in transit to it; they are divided into forgery, modification of messages, and denial of service. For a more detailed explanation we consider a simple list of three categories [7]: reconnaissance attacks, access attacks, and denial of service.

Reconnaissance attacks gather general information. Snooping (also known as tracking or information gathering) is simply access to private information. The information can be used for advantage, for example to obtain company secrets that help a competing business or a decision to buy shares, and it can also feed active attacks such as blackmail. Reconnaissance can be carried out both logically and physically: information is collected through network scanning, or through social engineering and physical surveillance. Common examples of reconnaissance include packet sniffing, pinging, port scanning, phishing, social engineering, and Internet information requests. We consider them further by dividing them into two categories, logical and physical [13].

Logical reconnaissance covers everything done in the digital world and does not require a human on the other side to complete the attack. For example, ping sweeps and port scans are two methods for discovering whether a system is connected and which services it exposes on the network. The result of a port scan might be the discovery that an IP address is listening on port 443 for HTTPS traffic, which tells the attacker that HTTPS can be used for their purposes. Network man-in-the-middle (MITM) attacks occur when malicious parties intercept traffic passing between the network and external data sources, or traffic within the network.
In most cases attackers achieve a man-in-the-middle position by exploiting weak security protocols, which let them pose as a relay or proxy and manipulate data during real-time transactions. Unvalidated user input exposes organisational networks to SQL injection, the injection of malicious SQL code: in this attack method an external party manipulates forms by sending malicious code instead of the expected data values, compromising the network and gaining access to sensitive data such as user passwords [12].

Physical reconnaissance goes beyond what a network administrator can control. Some elements will never be fully secured, such as premises and physical security controls like cameras, door locks or security guards, yet they affect the physical security of the network.

Access attacks require some intrusion capability, which can be anything from obtaining an account holder's credentials to connecting equipment directly to the network infrastructure. Like reconnaissance, access attacks can be divided into logical and physical: logical attacks go through the network, while physical ones lean more towards social engineering. Logical access attacks, such as brute-force attacks or validating network passwords against tables or dictionaries, tend to generate a lot of network traffic and can be easily detected by even an inexperienced network monitor. For this reason most logical access attacks are carried out only after enough data or authority has been obtained, and attackers also tend to resort to the passive side of the attack, such as a man-in-the-middle attack, to gather more information.

A further group of attacks is ransomware. The attackers encrypt the victim's data, or the channels for accessing it, while holding the decryption keys, a model that allows them to extort money from the affected organisations. Payment channels usually involve untraceable cryptocurrency accounts.
While cyber security agencies do not prevent victims from paying, some organisations continue to do so as a quick way to recover access to their data.

When talking about data modification attacks, most people think of an attacker changing the content of e-mails to something malicious or altering the numbers in an electronic bank transfer. Such high-level data modification attacks are possible, but there are more subtle ways to modify data. For example, if an attacker could intercept a wireless transmission and change the IP address field of a message, the message could be forwarded over the Internet to the attacker instead of to the intended recipient. Why would this be done? The payload on the link is encrypted and cannot be read, but if the message can be relayed over the Internet, the attacker may receive a decrypted version. The IP header is easier to attack because it is in a known format.

Masquerading is the term for an attacking network device pretending to be a valid device. This is an ideal approach if the attacker wants to remain undetected: if the device can fool the target network into authenticating it as an authorised device, the attacker gains all the access rights that the authorised device was granted at login, and no security warnings are raised.

Physical access means access to equipment or to people. Social engineering is very dangerous and difficult to defend against simply because users are usually the weakest link in cyber security. The simplest social engineering attacks are phishing e-mails designed to trick someone, or installing credential-logging software on the computer of a person who has access. Even cyber security professionals can fall for such attacks, simply because they are human, and humans are not perfect and make mistakes.

Denial of service (DoS) differs from the other categories in both technique and purpose.
While the other categories give the attacker additional privileges, a DoS attack usually locks everyone out, including the attacker. The goal of a DoS attack is to harm the target by preventing the network from functioning. Downtime means that the network cannot receive any traffic. It can be caused by a power failure or by flooding the network with useless traffic; both have historically happened without any malicious intent, and both can be prevented with physical and logical safeguards.

3. Overview of attack detection tools

Below we analyse the current state of technology for solving information protection problems: the tools used to prevent attacks and to identify cyber security vulnerabilities in smart homes.

Tools for detecting DDoS attacks. FastNetMon is a widely used open source package that runs as a service on a Linux server [6]. It is a very high-performance DDoS detector built on several packet capture mechanisms [8]: it accepts port mirroring, NetFlow, sFlow, IPFIX and other sources of information about incoming traffic. It can detect an attack on specific IP addresses in the network based on bandwidth, packets per second or number of flows, and these parameters can be defined and tuned for the expected attack profile. The next step is to tell the router to drop the malicious traffic, using a BGP blackhole or BGP FlowSpec rules to mark the affected route. FastNetMon offers options to determine how long an IP address remains blocked and when it is allowed again. It supports all leading network vendors and scales well thanks to its flexible design; it can be integrated into an existing network without changes or additional equipment.
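The FastNetMon workflow described above (per-destination thresholds on bandwidth, packets per second and flows, a block action, and a timed unblock) is shown in the added example below. It is not code from the page or from the FastNetMon project: the Flow record fields, the Profile thresholds and the sample traffic are all constructed for the example, and a real deployment would feed NetFlow/sFlow/IPFIX records into the detector and announce a BGP blackhole or FlowSpec route instead of keeping an in-memory dictionary.

```python
"""Threshold-based volumetric DDoS detection with timed blocking.

Added example, not code from the page or from FastNetMon. Per-destination
counters for bandwidth, packets per second and flows per second are compared
against an attack profile, and a block list with an expiry time decides when
the address is allowed again. Flow records, field names, thresholds and the
traffic itself are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record as NetFlow/sFlow/IPFIX would summarise it (constructed)."""
    ts: int        # whole seconds since epoch
    src: str
    dst: str
    packets: int
    bytes: int


@dataclass(frozen=True)
class Profile:
    """Attack profile: a destination is under attack when any per-second limit
    is exceeded. The values used below are assumptions for this example."""
    pps: int            # packets per second
    bps: int            # bytes per second
    fps: int            # flows per second
    ban_seconds: int    # how long the destination stays blackholed


def detect(flows, profile):
    """Aggregate flows per (destination, second) and compare with the profile.

    Returns (bans, alerts): bans maps destination -> unblock time, alerts is a
    list of (destination, second, reasons) in time order."""
    per_sec = defaultdict(lambda: {"packets": 0, "bytes": 0, "flows": 0})
    for f in flows:
        agg = per_sec[(f.dst, f.ts)]
        agg["packets"] += f.packets
        agg["bytes"] += f.bytes
        agg["flows"] += 1

    bans, alerts = {}, []
    for (dst, sec), agg in sorted(per_sec.items(), key=lambda kv: kv[0][1]):
        reasons = []
        if agg["packets"] > profile.pps:
            reasons.append("pps")
        if agg["bytes"] > profile.bps:
            reasons.append("bps")
        if agg["flows"] > profile.fps:
            reasons.append("flows")
        if reasons:
            alerts.append((dst, sec, ",".join(reasons)))
            # A destination that is already blocked keeps its original expiry.
            bans.setdefault(dst, sec + profile.ban_seconds)
    return bans, alerts


def expire(bans, now):
    """Return the bans still in force at time `now` (the 'allowed again' step)."""
    return {dst: t for dst, t in bans.items() if t > now}


def sample_flows():
    """Constructed traffic: 15 ordinary flows to 10.0.0.5 at t=100, then a flood
    of 2,000 one-packet flows from 250 spoofed sources to 10.0.0.9 at t=101."""
    flows = [Flow(100, f"198.51.100.{i}", "10.0.0.5", 20, 24_000) for i in range(15)]
    flows += [Flow(101, f"203.0.113.{i % 250}", "10.0.0.9", 1, 60) for i in range(2_000)]
    return flows


SAMPLE_PROFILE = Profile(pps=1_000, bps=1_000_000, fps=500, ban_seconds=60)


def run_sample():
    """Run the detector over the constructed traffic with the sample profile."""
    return detect(sample_flows(), SAMPLE_PROFILE)


if __name__ == "__main__":
    bans, alerts = run_sample()
    for dst, sec, why in alerts:
        print(f"t={sec} attack on {dst}: {why} -> blackhole until t={bans[dst]}")
    print("still blocked at t=150:", expire(bans, 150))
    print("still blocked at t=161:", expire(bans, 161))
```

The flood trips the packet-rate and flow-rate limits but not the bandwidth limit, which is typical of a small-packet flood; the ban is keyed on the destination because, as in FastNetMon's blackhole mode, the victim prefix is what gets withdrawn from the upstream, not the (spoofed) sources.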
A framework called HADEC is designed to detect live high-speed DDoS attacks at the network and application layers, such as TCP SYN, HTTP GET, UDP and ICMP floods [23]. It consists of two main components, a detection server and a capture server. Real-time DDoS detection begins with the capture server, which captures live network traffic and passes the log to the detection server for processing. The detector evaluates incoming UDP, ICMP and HTTP packets and reports an attack when the connection count exceeds a predefined threshold. The proposed detector provides a low-cost solution for financial institutions as well as small and medium-sized companies [4].

A detection method called D-FACE distinguishes four types of traffic: legitimate user, low-rate, high-rate and flash-crowd traffic [22]. Detection uses the entropy difference of the normal traffic flow, with the entropy of the source IP as the detection metric used to compute the attack. It begins by extracting the appropriate headers, which classify the traffic into unique network flows. Low-rate, high-rate and flash-event traffic are separated by comparing the current rate of incoming traffic in each time window and the information value of the traffic.

There is also a method that detects HTTP DDoS attacks with a machine learning approach, distinguishing botnets from legitimate users among attack traffic, authentic traffic and flash traffic [16]. The proposed system is deployed as a proxy and examines user behaviour instead of monitoring all traffic: it identifies the source of a botnet and examines user behaviour to detect malicious requests to a web server. A machine learning metric combined with the bio-inspired bat algorithm allows quick and early detection of HTTP DDoS attacks [15]; this work uses time slots instead of user sessions and packet patterns to build the detection algorithm.
The time-slot approach uses a machine learning metric to assign a maximum number of sessions to a single time slot and counts the sessions per time slot to detect an application-layer DDoS attack. The metric also accounts for two HTTP GET request pages: the frequency with which users access a web page and the time interval between the request for the first page and the request for the second are measured to monitor user behaviour.

Another tool is cloud-based HTTP DDoS detection using a statistical approach with a covariance matrix [1]. The detection implements two algorithms, training and testing, to recognise different types of HTTP attacks from their behaviour: the training algorithm builds common patterns of network traffic, and the testing algorithm determines the type of the traffic received. The results of this study were evaluated with a confusion matrix to measure detection performance inside and outside the cloud environment.

Server-based intrusion detection tools. WWWstat [3] is primarily a program for collecting web server usage statistics. It does not perform intrusion detection by itself, but its output can be used for manual intrusion detection by checking for abnormal usage statistics. Autobuse [24] is a framework for analysing firewall log files and web server logs; it analyses log entries for known attacks and reports them through several mechanisms, such as e-mail. Logscanner [25] is a log analysis framework that can include user-defined functions: it feeds log entries to them and automatically contacts the responsible person if needed. Swatch [5] analyses UNIX syslog files in the same way as the other tools, grouping similar entries to automate processing. CyberCop Server [17] is a commercial intrusion detection tool formerly known as WebStalker.
This tool includes features to monitor web server activity based on policies defined by the server operator, but it does not provide log file analysis.

Snort is an open source network intrusion detection and prevention system (IDS/IPS) developed by Sourcefire. Snort performs protocol analysis and content searching and matching, and can detect a variety of attacks and probes such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts and more. It has real-time alerting capabilities, with alerts delivered to syslog, a user-defined file, a UNIX socket, or WinPopup messages to Windows clients. Snort has three main modes of use: a packet sniffer like tcpdump, a packet logger (useful for debugging network traffic), or a full network intrusion prevention system [11].

Fail2Ban scans log files such as /var/log/auth.log and bans IP addresses that have too many failed login attempts. It does this by updating the system firewall rules to reject new connections from those addresses for a certain period of time. Fail2Ban comes ready to read many standard log files, such as those of sshd and Apache, and can easily be configured to read any log file you choose for any chosen error pattern. While Fail2Ban can reduce the rate of incorrect authentication attempts, it cannot eliminate the risk that weak authentication presents: configure services to use only two-factor or public/private key authentication if you really want to secure them [9].

FuzzDB was created to increase the likelihood of finding and detecting security conditions through dynamic application security testing. It is the first and most comprehensive open dictionary of malicious injection patterns, predictable resource locations, and regular expressions for matching server responses.
Attack patterns. FuzzDB contains comprehensive lists of attack payload primitives for testing malicious injection. The patterns are categorised by attack type and, where applicable, by platform, and cover issues such as OS command injection, directory listings, directory traversal, source access, file download traversal, authentication attacks, XSS, HTTP header CRLF injection, SQL injection, NoSQL injection and others. As an example, FuzzDB catalogues 56 patterns that can potentially be interpreted as a null byte, and contains lists of commonly used methods such as get, put and test, together with name-value pairs that enable debug modes [10].

To detect and prevent the exploitation of known and common vulnerabilities, the OWASP organisation has defined a common set of rules known as the OWASP Core Rule Set (OWASP CRS) [18]. OWASP CRS is widely used by large organisations such as Akamai, Azure, Cloudflare, Fastly and Verizon. Its task is to provide a set of generic attack detection rules that, when loaded into the ModSecurity web application firewall, provide a basic level of protection for any web application. OWASP CRS implements a negative (blocklist) model, in which the rules are designed to detect known attack patterns [21].

There are also network intrusion detection tools. Such systems detect intrusions by capturing packets from the network and applying a set of signatures. Examples of this family of tools include Network Flight Recorder [20], Bro [19], RealSecure [14] and NetRanger [2].

4. Application of the algebraic method for detecting and resisting attacks

With the growth of hacker tricks and the complexity of attacks, the basic, common methods and tools that were used to protect traditional information technologies from cyber attacks eventually become unable to completely prevent the successful penetration of malicious programs into the system. Therefore new approaches are needed.
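The negative-model matching described in the section above, where FuzzDB-style injection patterns or OWASP CRS rules are run over each request, is shown in the added example below. It is not code from the page, from FuzzDB or from the CRS project: the rule ids, messages, patterns, scores, the anomaly threshold and the sample requests against a hypothetical smart-home hub are all assumptions written for this example. Real CRS rules are far more elaborate and apply more transformations; what the example keeps is the essential shape of the approach: decode the request the way the application would, inspect the same variable collections (REQUEST_URI, ARGS, REQUEST_HEADERS), and block on an accumulated anomaly score rather than on a single hit.

```python
"""Negative-model matching of HTTP requests against attack patterns, in the
spirit of FuzzDB's pattern lists and OWASP CRS rules with anomaly scoring.

Added example, not code from the page, from FuzzDB or from the CRS project.
Rule ids, messages, patterns, scores, the threshold and the sample requests
are all assumptions written for this example.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# (rule id, message, pattern, anomaly score, targets) -- assumed, CRS-like.
RULES = [
    ("942100", "SQL injection",
     re.compile(r"(?:\bunion\b.*\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|--\s*$)", re.I | re.S),
     5, ("ARGS",)),
    ("930100", "Path traversal", re.compile(r"(?:^|/)\.\.(?:/|$)"), 5, ("REQUEST_URI", "ARGS")),
    ("921110", "CRLF / header injection", re.compile(r"[\r\n]"), 5, ("REQUEST_URI", "ARGS")),
    ("920270", "Null byte", re.compile(r"\x00"), 3, ("REQUEST_URI", "ARGS", "REQUEST_HEADERS")),
    ("932100", "OS command injection",
     re.compile(r"(?:;|\||&&|\$\()\s*(?:cat|ls|id|wget|curl|sh)\b", re.I), 5, ("ARGS",)),
]
ANOMALY_THRESHOLD = 5   # CRS default inbound threshold; an assumption here


def decode(value, rounds=2):
    """Percent-decode repeatedly (bounded) so double-encoded payloads such as
    %252e%252e are seen in their final form, as the CRS urlDecodeUni step does."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into method, URI and headers (no body)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, uri, _version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def targets_of(uri, headers):
    """Build the CRS-style variable collections the rules inspect."""
    parts = urlsplit(uri)
    args = [decode(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    request_uri = decode(parts.path) + ("?" + decode(parts.query) if parts.query else "")
    return {"REQUEST_URI": [request_uri], "ARGS": args,
            "REQUEST_HEADERS": list(headers.values())}


def inspect_request(raw):
    """Score a request; each rule counts at most once. Returns the matched
    (rule id, target) pairs, the total score and the block decision."""
    _method, uri, headers = parse_request(raw)
    collections = targets_of(uri, headers)
    matches, score = [], 0
    for rule_id, _msg, pattern, points, targets in RULES:
        hit = next((t for t in targets if any(pattern.search(v) for v in collections[t])), None)
        if hit:
            matches.append((rule_id, hit))
            score += points
    return {"matches": matches, "score": score, "blocked": score >= ANOMALY_THRESHOLD}


# Constructed sample requests against a hypothetical smart-home hub.
BENIGN = "GET /api/lights?room=kitchen&state=on HTTP/1.1\r\nHost: hub.local\r\n\r\n"
SQLI = "GET /api/devices?id=1'%20OR%20'1'='1 HTTP/1.1\r\nHost: hub.local\r\n\r\n"
TRAVERSAL = "GET /static/%252e%252e/%252e%252e/etc/passwd HTTP/1.1\r\nHost: hub.local\r\n\r\n"
CRLF = "GET /redirect?next=%2Fhome%0d%0aSet-Cookie%3A%20admin%3D1 HTTP/1.1\r\nHost: hub.local\r\n\r\n"
NULLBYTE = "GET /download?file=report.pdf%00.jpg HTTP/1.1\r\nHost: hub.local\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("benign", BENIGN), ("sqli", SQLI), ("traversal", TRAVERSAL),
                      ("crlf", CRLF), ("nullbyte", NULLBYTE)]:
        print(name, inspect_request(raw))
```

The null-byte request scores below the threshold and is only logged, which is the point of anomaly scoring: a lone low-confidence indicator does not block, several do. The double-encoded traversal is caught only because decoding is repeated before matching; a matcher that looks at the raw URI misses it.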
Although systems are protected by IT security tools, attackers still find ways to gain unauthorised access and compromise them through cyber attacks. These attacks must be detected as quickly as possible with an acceptable false alarm rate, and they must be identified and isolated. There is therefore an urgent need for an effective cyber attack detection system, an integral part of the cyber infrastructure, that can accurately detect cyber attacks in a timely manner so that countermeasures can be taken quickly to ensure the availability, integrity and privacy of the systems.

The new security requirements challenge traditional mathematical tools. Therefore an algebraic approach is recommended for big data problems, alongside artificial intelligence approaches such as machine learning. At the V.M. Glushkov Institute of Cybernetics, insertion modelling is widely used among the methods of mathematical modelling; with the help of algebraic methods it makes it possible to ensure safety and security. Algebraic models are also used to analyse the behaviour of all the agents involved, in order to check their influence on each other, their ability to perform their tasks, and the ability of the whole system to function stably and smoothly. The model is formally described with specifications in the algebra of behaviours, and the formal verification methods are based on symbolic modelling and automatic theorem proving.

In systems with an arbitrary number of agents, the algebraic approach and insertion modelling allow us to prove or disprove properties of the system. Different interaction scenarios of agents or groups of agents can be generated from an abstract formal model of the application. Such scenarios have a symbolic form and are illustrated by counterexamples. The generated symbolic scenarios give a complete picture of the behaviour and can therefore be used for testing during the build phase of the software.
For complex distributed systems with many agents, insertion modelling is one of the effective methods for building models and simulating the interaction of agents with their environment. The main concept of insertion modelling is a clear hierarchy from environments to the agents inserted into them, the interaction of agents with environments at different levels, their mutual influence, and the changes in the behaviour of a group of agents when the environment changes. An environment can itself act as an agent and be inserted into another environment. In such systems states are defined by attribute values, and agents are viewed as attribute transition systems. Agents are described by a set of attributes that define the type of the agent, and environment attributes are global attributes known to all agents.

The algebra of behaviours is a two-sorted algebra over the set of behaviours and the set of actions of agents. Behaviour is described by behavioural equations consisting of behavioural expressions, which in turn contain the operations "." (prefixing), "+" (nondeterministic choice), ";" (sequential composition of behaviours) and "||" (parallel composition). Actions of agents are defined by preconditions and postconditions in terms of the corresponding theory and illustrated by a process component. An example of the formalisation of a protocol and of an attack is given below.

Formalisation of the HTTP protocol and a simple attack. We consider the HTTP protocol as the interaction of agents in network environments. Each agent has an IP name, defined by an enumerated type IP_NAME containing all possible IP names; the value of the attribute is a character string, for example 192.168.1.1. Each agent also has a hardware (MAC) address, likewise drawn from an enumerated type MAC_NAME; its value is also a string, for example 00:00:5e:00:53:af.
400 Information Security

We consider the agent type NODE, which is defined by its attributes, namely:
• IP:IP_NAME – IP address of the agent.
• list_IP: (int) -> IP_NAME – a functional attribute of the agent containing the IP addresses from its table, in which the addresses of all agents to which a message was ever sent or from which one was received are recorded.
• M – the number of rows in the table, i.e. the number of addresses the agent has contacted.
• MAC:MAC_NAME – MAC address of the agent.
• list_MAC: (int) -> MAC_NAME – MAC addresses of all agents in the table.

Each NODE agent has a name: a1, a2, … An agent of the environment can be defined as either honest or malicious. When interacting, agents perform actions corresponding to the message exchange protocol. These are the following actions, parameterized by the corresponding attribute values.

The SendRequest(x, z) action sends a Request message, where x is the sender agent and z is the IP address of the recipient with the corresponding MAC address. The message is sent only to recipients that are in the list, that is, the action has a precondition: the Request(x.IP, u) message is sent to the MAC address u only if such an IP exists in the sender's table.

  SendRequest(x, z) = (Exist i:int)(z == x.list_IP(i) && (1 <= i <= x.M)) -> "send Request(x.IP, x.list_MAC(i))" 1

GetRequest: the agent receives a request Request(y, u), where y is the sender's IP and u is the recipient's MAC address. This action also assumes that the Request is received only by the agent whose MAC address matches the second parameter of the message. In the same action, the receiving agent sends a Response to the MAC address it finds in its list for the sender's IP.

  GetRequest = (Exist x:NODE, y:IP_NAME, u:MAC_NAME, i:int) (y == x.list_IP(i)) && (1 <= i <= x.M) && (u == x.MAC) -> "receive Request(y, u), send Response(x.IP, x.list_MAC(i))" 1

Similarly, we define the protocol for the sender receiving a response to its request, namely the Response message.

  GetResponse = (Exist x:NODE, u:MAC_NAME, y:IP_NAME) (u == x.MAC) -> "receive Response(y, u)" 1

NoSendRequest(x, z) is the action in which z is not in the address list of agent x, and no message is sent.

  NoSendRequest(x, z) = (Forall i:int)(z != x.list_IP(i) && (1 <= i <= x.M)) -> "" 1

When the address is not in the agent's list, the agent queries all agents in the network to identify the desired one and sends its own address.

  SendARPRequest(x, z) = (Forall y:NODE) -> "send Broadcast(x.IP, x.MAC, z)" 1

Receipt of a Broadcast message by an agent x whose address has been requested occurs via the GetARPRequest action. In the same action, the agent sends a message with its MAC address to the sender's address.

  GetARPRequest = (Exist x:NODE, y:IP_NAME, u:MAC_NAME, z:IP_NAME) (z == x.IP) -> "receive Broadcast(y, u, z), send ARPResponse(x.IP, x.MAC, u)" 1

The agent that searched for the address receives the ARPResponse and adds it to its list, either updating an existing row or appending a new one:

  GetARPResponseExist = (Exist x:NODE, y:IP_NAME, z:MAC_NAME, u:MAC_NAME, i:int) (x.MAC == u) && (x.list_IP(i) == y) && (1 <= i <= x.M) -> "receive ARPResponse(y, z, u)" (x.list_MAC(i) = z)

  GetARPResponseNew = (Exist x:NODE, y:IP_NAME, z:MAC_NAME, u:MAC_NAME) (Forall i:int)((x.list_IP(i) != y) && (1 <= i <= x.M)) && (x.MAC == u) -> "receive ARPResponse(y, z, u)" (x.M = x.M + 1; x.list_IP(M + 1) = y; x.list_MAC(M + 1) = z)

The behavioral equation representing this protocol is the following parallel composition of agents:

  B0 = B1(a1, a2) || B1(a1, a3) || … || B1(a2, a1) || B1(a2, a3) || … ,
  B1(x, z) = AgentRequest(x, z).B1(x, z),
  AgentRequest(x, z) = SendRequest(x, z.IP).GetRequest.SendResponse.GetResponse
                     + NoSendRequest(x, z.IP).SendARPRequest(x, z.MAC).GetARPRequest.SendARPResponse.(GetARPResponseNew + GetARPResponseExist)

The equation does not take into account signal loss or the absence of a node with the requested IP.

A malicious agent can exploit the opportunity to send false data and pretend that its MAC address corresponds to the IP name being requested, in order to intercept messages sent to that agent. To model this, we remove the precondition z == x.IP from the GetARPRequest action:

  GetARPRequest = (Exist x:NODE, y:IP_NAME, u:MAC_NAME, z:IP_NAME) -> "receive Broadcast(y, u, z), send ARPResponse(x.IP, x.MAC, u)" 1

The condition that the agent is an intruder is then the inequality that holds when it executes GetARPRequest. Thus, the attacker's behavior is captured by the pattern

  X = Z.GetARPRequest,

where the rule-violation condition is written in the action template as (z != x.IP) -> "" 1.

We have given the simplest formalization of the protocol to illustrate the possibility of the attack. The whole protocol is a behavioral equation to be solved with respect to X using symbolic modeling. In this way we determine whether the result of the attack is reachable and, if so, obtain a path leading to it, namely a sequence of the corresponding actions; this tells us whether or not the protocol prevents the attack. To prevent it, a check has to be inserted. There are three anomalies of this attack that can serve as such checks:

1. In the attack, a response is sent without a request, so it must be checked that a request was actually sent:
  GetARPResponseExist = SendARPRequest -> …
  GetARPResponseNew = SendARPRequest -> …
2. During the attack, it is not checked that the sender reports its own address in the response, so the reported address must be compared with the sender's address:
  GetARPResponseExist = (y.MAC == z) -> …
  GetARPResponseNew = (y.MAC == z) -> …
3. The address book must not contain two identical addresses:
  GetARPResponseExist = (Forall i:int)(x.list_MAC(i) != x.list_MAC(i+1)) -> …
  GetARPResponseNew = (Forall i:int)(x.list_MAC(i) != x.list_MAC(i+1)) -> …

With these checks in place the behavioral equation has no solution, i.e. the attack scenario becomes unreachable.

Detection of attacks by algebraic matching.
Algebraic matching is a method of identifying potential vulnerabilities in code or in a system model by comparing the behavior model of the system with an attack pattern. The method is based on dynamic analysis of behavior by solving behavioral equations. The model is given by a system of equations in the algebra of behaviors, and the attack is given by a behavior pattern. The task is to find, in the given system of behavioral equations, the set of behavioral scenarios that match the pattern or that lead to it from the initial behavior. This task can be divided into two subtasks:
1. Finding a sequence of actions matching the given pattern. This reduces to solving behavioral equations, whose solution is the set of behavioral scenarios matching the pattern, or the set of behavioral scenarios that start with the initial action of the initial behavior and reach the pattern's behavior through a sequence of other actions.
2. Proving the reachability of a scenario by symbolic modeling, in cases where no attribute values making the scenario possible are given in advance. In this simulation, the state of the modeling environment is matched against the precondition of the action in the pattern.

When designing any system, it is recommended, and even necessary, to simulate all possible attacks in order to understand their probability. When an attacker attempts to attack the network, a security mechanism can recognize potentially dangerous actions during operation, but the conditions under which the attack would succeed can only be assessed during model development.
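The three checks above, applied by a receiving NODE agent in a small simulation of the Broadcast/ARPResponse exchange (added example, not code from the paper; the ARPResponse and Node classes, the true_mac map standing in for the environment's knowledge of which MAC belongs to which IP, and all addresses are constructed):

```python
from dataclasses import dataclass, field

@dataclass
class ARPResponse:
    ip: str      # y: IP name the responder claims to own
    mac: str     # z: MAC address reported for that IP
    to_mac: str  # u: MAC address of the requester

@dataclass
class Node:
    ip: str
    mac: str
    table: dict = field(default_factory=dict)  # list_IP(i) -> list_MAC(i)
    pending: set = field(default_factory=set)  # IPs for which SendARPRequest ran

    def send_arp_request(self, z):
        self.pending.add(z)  # remember the Broadcast so check 1 can be applied later
        return ("Broadcast", self.ip, self.mac, z)

    def get_arp_response(self, r, true_mac):
        """Return None when the response is accepted, else the violated check.
        true_mac (IP name -> real MAC) models the global attribute behind check 2 (y.MAC == z)."""
        if r.to_mac != self.mac:
            return "not addressed"          # precondition x.MAC == u fails
        if r.ip not in self.pending:
            return "check 1: no request"    # ARPResponse without a SendARPRequest
        if true_mac.get(r.ip) != r.mac:
            return "check 2: mac differs"   # reported MAC is not the MAC of IP y
        if any(m == r.mac and i != r.ip for i, m in self.table.items()):
            return "check 3: duplicate"     # the same MAC would appear twice in the table
        self.table[r.ip] = r.mac            # GetARPResponseExist / GetARPResponseNew
        self.pending.discard(r.ip)
        return None

def run_scenario():
    """Constructed scenario: a1 resolves two IPs while an intruder a3 answers every Broadcast."""
    a1 = Node("192.168.1.1", "00:00:5e:00:53:01")
    a2_ip, a2_mac = "192.168.1.2", "00:00:5e:00:53:02"
    a3_ip, a3_mac = "192.168.1.3", "00:00:5e:00:53:03"
    true_mac = {a1.ip: a1.mac, a2_ip: a2_mac, a3_ip: a2_mac}  # a3 has cloned a2's MAC
    a1.send_arp_request(a2_ip)
    outcome = [
        a1.get_arp_response(ARPResponse(a2_ip, a3_mac, a1.mac), true_mac),  # a3 answers for a2
        a1.get_arp_response(ARPResponse(a2_ip, a2_mac, a1.mac), true_mac),  # a2's honest answer
        a1.get_arp_response(ARPResponse(a2_ip, a2_mac, a1.mac), true_mac),  # replayed answer
    ]
    a1.send_arp_request(a3_ip)
    outcome.append(a1.get_arp_response(ARPResponse(a3_ip, a2_mac, a1.mac), true_mac))
    return outcome, dict(a1.table)
```

Only the honest answer reaches the address table; each of the other responses is stopped by exactly one of the three checks, which is the "no solution" outcome the text describes.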
5. Conclusion
Thus, we have reviewed most of the currently known attacks on smart homes, as well as tools for their detection. Many such tools are widely used commercially and have proven themselves, showing high efficiency. Nevertheless, there are situations in which security measures are better implemented at the system design stage, so the search for and use of new approaches remains relevant. One such approach is algebraic methods of mathematical modeling. We applied the algebra of behaviors to model a "man-in-the-middle" attack in a smart home network and verified that it can be used to model network attacks. It can be effective both for modeling attacks and for modeling the network as a whole, which makes it possible to detect problems that were not even foreseen. We plan to consider and model other attacks in order to prove the feasibility of the method and its practical effectiveness.

Received 03.08.2022

About the authors:
Viktor Horbatiuk, postgraduate student, V.M. Hlushkov Institute of Cybernetics, National Academy of Sciences of Ukraine. https://orcid.org/0000-0001-7544-0260
Serhii Horbatiuk, junior researcher, Department of Theory of Digital Automata, V.M. Hlushkov Institute of Cybernetics, National Academy of Sciences of Ukraine. https://orcid.org/0000-0001-6834-4211
Place of work: V.M. Hlushkov Institute of Cybernetics, National Academy of Sciences of Ukraine, 03187, Kyiv, 40 Akademika Hlushkova Avenue. Phone: (044) 526-20-08. E-mails: viktor.gorbatiuk@gmail.com, gorbatiuk_sergiy@i.ua
Authors' surnames and initials and the title of the paper in English: V.O. Gorbatiuk, S.O. Gorbatiuk. Method of detection of http attacks on a smart home using the algebraic matching method
Authors' surnames and initials and the title of the paper in Ukrainian: В.О. Горбатюк, С.О. Горбатюк. Методи виявлення HTTP атак на розумний будинок за допомогою методу алгебраїчного співставлення