International Journal of Electrical and Computer Engineering (IJECE)
Vol. 10, No. 4, August 2020, pp. 3651~3659
ISSN: 2088-8708, DOI: 10.11591/ijece.v10i4.pp3651-3659
Journal homepage: http://ijece.iaescore.com/index.php/IJECE

Detection of the botnets’ low-rate DDoS attacks based on self-similarity

Sergii Lysenko1, Kira Bobrovnikova2, Serhii Matiukh3, Ivan Hurman4, Oleh Savenko5
1,2,3,5 Department of Computer Engineering and System Programming, Khmelnytskyi National University, Ukraine
4 Department of Software Engineer, Khmelnytskyi National University, Ukraine

Article Info
Article history: Received Aug 4, 2019; Revised Jan 16, 2020; Accepted Feb 1, 2020
Keywords: Botnet detection; Cyberattack; Hurst coefficient; Low-rate DDoS attack; Network traffic self-similarity

ABSTRACT
The article presents an approach for detecting botnets’ low-rate DDoS attacks based on the botnet’s behavior in the network. The detection process involves the analysis of the network traffic generated by the botnets’ low-rate DDoS attack. The proposed technique is part of the botnet detection system BotGRABBER. The novelty of the paper is that the low-rate DDoS attack detection involves not only the network features inherent to botnets, but also network traffic self-similarity analysis, which is defined with the use of the Hurst coefficient. The detection process consists of knowledge formation based on the features that may indicate a low-rate DDoS attack performed by a botnet; network monitoring, which analyzes information obtained from the network and draws a conclusion about a possible DDoS attack in the network; and the application of the security scenario for the corporate area network’s infrastructure in the situation of low-rate attacks.
Copyright © 2020 Institute of Advanced Engineering and Science. All rights reserved.

Corresponding Author:
Sergii Lysenko,
Department of Computer Engineering and System Programming,
Khmelnytskyi National University,
11 Instytutska str., Khmelnytskyi, Ukraine, 29016.
Email: sprlysenko@gmail.com

1. INTRODUCTION
Nowadays cybercriminals use different ways to obtain profit from the legitimate businesses that have become their targets. Malware is one of the most powerful tools cybercriminals have for attaining such goals [1-2]. One type of malicious action against users’ computer systems and cloud infrastructure is the distributed denial-of-service (DDoS) attack: an attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic [3]. In the modern cyber world botnets are the main tool for performing this type of attack [4]. The bots of botnets are compromised devices designed to attack a single server, network or application with an overwhelming number of requests, packets or messages.
A low and slow attack is another type of DoS or DDoS attack that relies on a small stream of very slow traffic with requests which can target application or server resources, thereby preventing genuine users from accessing the service. To carry out low and slow attacks, cyber attackers can use HTTP headers, HTTP POST requests, or TCP traffic. Unlike brute-force attacks, low and slow attacks require very little bandwidth and can be hard to mitigate, as each bot is a legitimate Internet device and the slow attack traffic the bots generate is very difficult to distinguish from that of legitimate clients [5–6].
One of the ways to detect low-rate DDoS attacks is to analyze the traffic with respect to its self-similarity. This method allows identifying hidden malicious traffic in real time.

2. RESEARCH METHOD
In recent years, a great number of botnet detection approaches have been developed. The works [7, 8] focus on the analysis of DDoS attack issues at the application layer. The classification of DDoS threats based on abnormal behavior at the application layer and summarized information about various DDoS tools were considered. Furthermore, these works categorize DDoS attack handling techniques based on monitoring, preventing, detecting, and mitigating concepts.
In [9] the network traffic pattern generated by different types of slow DoS attack targeted at an HTTP application was analyzed. By monitoring and analyzing some significant network-based parameters such as window size and delta time of the packet, which can be collected from the network gateway, a host-machine-independent early detection of slow DoS attacks is derived, and preventive action can be initiated from the network gateway itself.
In [10] a network-based slow HTTP DDoS attack defense method, assisted by a software-defined network that can detect and mitigate slow HTTP DDoS attacks in the network, was proposed.
In [11] a comprehensive survey of DDoS attacks is given, including a systematic analysis of this type of attack, protection and mitigation techniques, possible limitations and challenges of existing research, and some important future research directions.
In the paper [12] a defense method against the distributed slow HTTP DoS attack was developed; it disconnects the attack connections selectively by focusing on the number of connections for each IP address and the duration time.
In [13] a framework for the detection and mitigation of slow-running DDoS attacks within the network infrastructure, without requiring access to the servers under attack, was proposed. In addition, several schemes for identifying attackers in the network based on measuring the packet rate and the uniformity of the packet distances were considered.
In [14] the slow read DoS attack was analyzed and secure settings of a web server against such an attack were derived. The authors found out that an efficient attack can be realized when the bandwidth is over 500 Kbps and that an attacker can attack more effectively by setting the connection rate equal to the processing capability of the web server.
The approach in [15] differentiates the legitimacy of any traffic irrespective of the network traffic protocol using the Hurst parameter and thus allows detecting DDoS attacks based on the self-similarity property of network traffic. The method shows high detection accuracy for both low-rate and high-rate DDoS attacks and minimum false positives, however only when some assumptions are true. Otherwise, the range of the Hurst parameter value for attack traffic may change, the false alarm percentage may be higher, and further fine-tuning may be needed.
In [16-17] machine learning-based methods for cyberattack detection are presented. Network behavior-based detection techniques are presented in [18], where an investigation of a large amount of normal traffic and an amount of malicious traffic is provided. In [19, 20] a systematic review of aspects of DDoS attack detection and new frameworks are investigated.

3. RESULTS AND ANALYSIS
Due to the high intensity of cyberattack development, a great number of techniques devoted to this problem have been produced in recent years. One of them is the botnet detection system BotGRABBER. The system was developed from the idea of detecting botnets’ attacks using a multi-agent system [21]. The next generations of the BotGRABBER system obtained the ability to detect botnets that use DNS evasion techniques (cycling of IP mapping, “domain flux”, “fast flux” and DNS-tunneling) via DNS traffic analysis, and the ability to analyze the software’s behavior in the host, which may indicate the possible presence of a bot directly in the host [22-24].
The most important upgrade of the BotGRABBER system was its transformation into a self-adaptive system for the corporate area networks’ resilience in the presence of botnets’ cyberattacks. Based on the gathered Internet traffic features inherent to cyberattacks, the BotGRABBER system was able to produce security scenarios according to the cyberattacks performed by botnets in order to mitigate the attacks and ensure the network’s resilient functioning. The proposed approach used semi-supervised fuzzy c-means clustering, where the objects of clustering were the feature vectors whose elements may indicate the appearance of cyber threats in corporate area networks [25]. This paper presents the approach for the botnet detection of low-rate DDoS attacks via the BotGRABBER system.

4. THE PROPOSED METHOD
The identification of low-rate DDoS attacks based on traffic self-similarity analysis is part of the botnet detection process performed by a self-adaptive system, the BotGRABBER system [25]. It presents the framework for assuring the networks’ resilience under the botnets’ cyberattacks. In order to detect botnets, their main features are to be gathered and analyzed. The features are formed as feature vectors and are clustered, and the result of the clustering is the assignment of each feature vector to a cluster, which corresponds to a given cyberattack.
This article presents a detailed description of the botnets’ detection process, which is based on the traffic self-similarity analysis, as this factor may indicate its presence in the network. Thus, the low-rate DDoS attack detection includes learning and monitoring stages.
a. The learning stage consists of the following steps:
   - Knowledge formation based on the features that may indicate a low-rate DDoS attack performed by a botnet;
   - Presentation of the knowledge about the low-rate DDoS attack as a set of feature vectors;
   - Labelling the obtained feature vectors of the low-rate DDoS attack for the purpose of forming clusters, where each cluster corresponds to some type of the low-rate DDoS attack.
b. The monitoring stage includes the following steps:
   - Gathering the inbound and outbound network traffic;
   - Construction of the feature vectors based on the information obtained from the network, based on the botnet’s features and the self-similarity of the traffic generated by the botnets’ low-rate DDoS attack.
c. The detecting stage includes the semi-supervised fuzzy c-means clustering of the obtained feature vectors for the purpose of assigning them to one of the clusters and choosing the proper security scenario for mitigating the attacks.
d. The application of the security scenario for the corporate area network’s infrastructure.
The subject of this paper is to present the approach for the botnet detection of low-rate DDoS attacks via the BotGRABBER system. Let us discuss this step in detail.

4.1. Presentation of the knowledge concerning the botnets’ low-rate DDoS attacks as the set of feature vectors
Let us define the set of features, which are to be analyzed to identify the above-mentioned botnets’ low-rate DDoS attacks as , where
x1 – transmission protocol;
x2 – an average payload length per connection;
x3 – a number of different packet sizes transferred relative to the total number of frames per connection;
x4 – a total number of bytes per connection excluding the header;
x5 – a total number of bytes transmitted per connection;
x6 – a duration of the connection;
x7 – a number of bytes transmitted from origin to destination;
x8 – a number of packets transmitted from origin to destination;
x9 – a boolean feature that indicates whether the inbound traffic has an associated outbound traffic record;
x10 – a duration of the connection, observed from the earliest of the associated inbound or outbound traffic until the end of the latter traffic;
x11 – total size for the session in bytes;
x12 – total number of packets in the session;
x13 – self-similarity of the outbound/inbound packets in the session, determined by examining the variance in size of the outbound/inbound packets using the Hurst coefficient;
x14 – velocity of outbound/inbound traffic measured in packets per second;
x15 – velocity of outbound/inbound traffic measured in bits per second;
x16 – velocity of outbound/inbound traffic measured in bytes per packet;
x17 – standard deviation of packet size within the session measured in bytes;
x18 – invalid values of TCP flags seen in this session;
x19 – the ratio of the number of most common packet.
All aforementioned features are the base of the set of feature vectors = { } = 1 , = 19 , where each feature vector xk describes the specified low-rate attack, N - the number of the feature vectors.
The main feature that indicates the presence of the low-rate attack is the self-similarity of the outbound/inbound packets in the session, determined by examining the variance in size of the outbound/inbound packets using the Hurst coefficient.

4.2. A self-similarity of network traffic and the Hurst coefficient
The main point of detecting the botnets’ low-rate DDoS attacks is to distinguish the malicious traffic from the legitimate one, taking into account the self-similarity features of the attack and normal traffic. For this purpose, the proposed technique estimates the self-similarity features based on H values.
In general, network traffic can be represented as a fractal – a figure whose small arbitrarily enlarged parts are similar to the base one. In other words, a certain object can be considered self-similar if there is an exact or approximate coincidence of such an object with a part of itself. Network traffic is able to have the property of self-similarity. It can be manifested as the frequency of received data packets at different time scales, which at different scales looks like a fractal.
Because self-similarity is a random process, the degree of self-similarity can be determined by the Hurst coefficient, which is able to analyze the time series during which network traffic was gathered.
In general, if the coefficient H takes a value of 0.5, this indicates that the events are random and there is no long-term dependence between them. In this case, network traffic is not self-similar. If the coefficient H takes values from 0.5 to 1, then this means that the observed time interval is a continuous series of time. Furthermore, the higher the value of the coefficient H, the greater the degree of long-term relationship between events and the greater the degree of self-similarity that is observed. When the Hurst coefficient is close to the value 1, network traffic takes the maximum value of the degree of self-similarity, which means that with any time series scaling, the frequency of data packets will take the most similar form. This value is defined as a function of the time interval of the time series as follows:
[ ( ) ( ) ] = , → ∞    (1)
( ) is the range of the first n cumulative deviations from the mean; ( ) – a standard deviation; [ ] is the expected value; – the time span of the observation; is a constant.
For the most accurate determination of the Hurst coefficient, the time interval should be sufficiently large. Therefore, the effectiveness of detecting low-rate DDoS attacks based on traffic self-similarity significantly depends on the value of the time interval during which the network traffic collection and analysis was carried out.
In order to evaluate the network traffic self-similarity let us define it as a random process, which can be divided into discrete time intervals as follows = ( 1 , 2 , … ) . If the time intervals are equal to n, then this random process will have the form ( ) = ( 1 , 2 , … ) , whose components are determined by the formula:
( ) ≜ ( − + 1 + ⋯ + ) , , ∊    (2)
To describe the dependence of random processes and ( ) , let us determine the correlation coefficients ( ) , which describes the dependence of the process and the correlation coefficient ( ) , which describes the process ( ) . In general, the process can be considered self-similar if the Hurst coefficient takes values from 0.5 to 1 and the following equality is fulfilled:
( ) = ( ) , ∊ , ∊ { 2 , 3 , … }    (3)
In this case, the self-similar process is very similar to the process ( ) , since the correlation coefficient ( ) isn’t changed after the time scaling of length is performed. This means that the frequency of the received data packets for a certain time interval takes approximately the same form after the scaling was carried out.
In order to determine the Hurst coefficient, let us divide the length of the network traffic into fixed time intervals. To describe the time of arrival of traffic, let us define the time domain, which is considered as an independent variable for the analysis of time phenomena. The obtained time intervals Xi are described as follows = ( | = 0 , 1 , 2 , … ) , where is the total time of the traffic monitoring. Let us define the mean value of the packet receiving frequency as . The value of the difference between the maximum and minimum frequencies for each of the time intervals can be determined as the function ( ) as [26]:
( ) = ( , ) − ( , ) , where 1 ≤ ≤    (4)
To describe the average deviation of the data packet frequency from the mean value of the frequency, let us determine the mean square deviation ( ) , which is determined by the formula:
( ) = { 1 ∑ [ − µ ] = 1 2 } 1 2 , where ( , ) = ∑ [ − µ ] = 1    (5)
In this case, the ratio of ( ) ( ) becomes:
( ) ( ) = ~ , → ∞    (6)
where H – the Hurst coefficient, c – constant. Then the Hurst coefficient will be evaluated as follows:
= ( ( ) ( ) ) −    (7)
In general, in order to determine the self-similarity rate, we are to calculate the value of the function ( ) and the standard deviation for each of the time intervals of the length . Further, for each of the time intervals the ratio ( ) ( ) as well as the mean value of ( ) ( ) are to be calculated, herewith:
( ) ( ) = 1 ∑ ( ) ( ) = 1    (8)
It is also worth mentioning that increasing the value of leads to recalculation of the formula (8) and of the Hurst coefficient using the formula (7), since the change in the number of investigated time slots leads to the recalculation of the Hurst coefficient and to a new value of the degree of self-similarity of traffic.
The constructed feature vector, which includes the value, is to be clustered by the semi-supervised fuzzy c-means clustering, where each cluster corresponds to the specified cyberattacks (and the security scenario to be applied) and one cluster corresponds to the absence of the attack [26-27].
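
The rescaled-range procedure described in this section, as an added Python example (not the authors' BotGRABBER code): it bins packet arrival times into equal intervals and estimates H as the log-log slope of the mean R/S ratio against window length. The function names, the window sizes and both sample series are constructed here for illustration.

```python
import math
import random


def packets_per_interval(timestamps, total_seconds, intervals):
    """Bin packet arrival times (seconds from capture start) into equal intervals."""
    width = total_seconds / intervals
    counts = [0] * intervals
    for t in timestamps:
        if 0 <= t < total_seconds:
            counts[min(int(t / width), intervals - 1)] += 1
    return counts


def rescaled_range(window):
    """R/S of one window: range of the cumulative deviations from the mean,
    divided by the standard deviation. Returns None for a constant window."""
    n = len(window)
    mean = sum(window) / n
    cum = lo = hi = sq = 0.0
    for v in window:
        d = v - mean
        cum += d              # running sum of deviations from the mean
        lo = min(lo, cum)
        hi = max(hi, cum)
        sq += d * d
    s = math.sqrt(sq / n)
    if s == 0.0:
        return None           # no variation: R/S is undefined, skip the window
    return (hi - lo) / s


def hurst_rs(series, min_window=8):
    """Estimate H from R/S ~ c * n**H: average R/S over non-overlapping windows
    of length n, double n each round, fit log(R/S) against log(n)."""
    total = len(series)
    if total < 4 * min_window:
        raise ValueError("series too short for R/S analysis")
    xs, ys = [], []
    n = min_window
    while n <= total // 2:
        ratios = []
        for start in range(0, total - n + 1, n):
            rs = rescaled_range(series[start:start + n])
            if rs is not None:
                ratios.append(rs)
        if ratios:
            xs.append(math.log(n))
            ys.append(math.log(sum(ratios) / len(ratios)))
        n *= 2
    if len(xs) < 2:
        raise ValueError("not enough usable window sizes")
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sum((x - mx) ** 2 for x in xs)
    return num / den          # least-squares slope = Hurst estimate


def constructed_series(n=4096, seed=7):
    """Two constructed packets-per-interval series (not captured traffic):
    independent counts, and counts whose level drifts with long memory."""
    rng = random.Random(seed)
    independent = [rng.randint(80, 120) for _ in range(n)]
    level, persistent = 1000.0, []
    for _ in range(n):
        level += rng.gauss(0.0, 3.0)
        persistent.append(level)
    return independent, persistent


if __name__ == "__main__":
    independent, persistent = constructed_series()
    print("H, independent counts: %.3f" % hurst_rs(independent))
    print("H, persistent counts:  %.3f" % hurst_rs(persistent))
```

On short captures the R/S estimate for uncorrelated counts lands somewhat above 0.5, so the value is better consumed as one feature (x13) next to the others than compared against a hard 0.5 threshold.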

5. EXPERIMENTS
5.1. Evaluation settings
In order to evaluate the efficiency of the approach for the detection of the botnets’ low-rate DDoS attacks, detection accuracy tests using real-world network traffic were carried out. For this purpose, Slowloris and R.U.D.Y. attacks [4-5] were employed. The main ability of these tools is generating malicious low-rate attacks. On the other hand, the experiment included generated real traffic that mimics users’ behavior (e.g. SSH, HTTP, and SMTP) using the malicious traffic dataset [28].
To carry out the experiments, the university local area network including 50 hosts (hosts with the Microsoft Windows operating system), one dedicated server (Linux openSUSE operating system with nginx HTTP server) and network devices (MikroTik CCR1009-8G-1S-1S+PC routers) was employed. Network traffic was captured by means of the tcpdump utility. All experiments were organized in real time and in real networks, and lasted from several seconds to one hour.
To carry out the experiments, the mentioned web server was attacked by different attacks with different sets of parameters. The main parameters of a low-rate DDoS attack (e.g. the R.U.D.Y. attack) are: the number of network connections to the server; the value of the Content-Length field of the corresponding POST HTTP requests; the frequency of sending packets from each open connection. The parameters of DDoS attacks, as in the case of the R.U.D.Y. attack, used for conducting the experiments are presented in Table 1.

Table 1. The main parameters of the low-rate DDoS-attack (e.g. R.U.D.Y. attack)
Parameter: Value
Number of network connections to the server: 10500-1500
Content-Length, bytes: 5100-11300
The frequency of sending packets, ms: 3-15

The set of parameters involved in the traffic self-similarity detection is:
- Total time duration, T, sec;
- Number of the time intervals, I;
- Number of the data packets in each time interval, k1…ki;
- Scaling coefficient, c.

5.2. Results
The results of the experiment, which include different sets of parameters for malicious traffic samples, are presented in Table 2. As data samples of the low-rate DDoS attacks, the traffic samples which include the self-similarity property were used. Examples of the results for five different samples are presented in Table 2.
The results of the experiment demonstrated that the obtained values of the Hurst coefficients for different malicious samples varied depending on the different parameters. Thus, the number of the time intervals had a great effect. The largest values of the Hurst parameters were obtained when the total time duration was higher. At the same time, the influence of the Hurst coefficients decreased when the total time was lower and the number of the time intervals was higher. For the mentioned five samples the highest values of the Hurst coefficients were in the range of 0.713..0.804. It indicated that the traffic generated by low-rate DDoS attacks was self-similar, and this made it possible to detect the malicious traffic of data packets among normal traffic.
The results of the low-rate DDoS attack detection via BotGRABBER with and without network traffic self-similarity analysis are presented in Table 3, where the overall accuracy is 97.46% and 90.06% respectively. Thus, the proposed approach is acceptable for inclusion in the BotGRABBER botnet detection system as the engine of the low-rate attack detection unit.

Table 2. The results of the obtained Hurst coefficients
Columns: Malicious traffic samples; Total time duration, sec; Number of the time intervals; Number of the data packets, k1…ki, bytes; Total time duration, sec; Total time duration, sec
Sample1: 150; 10; ~8300; 1.7; 0.582..0.600
    100; 0,627..0.659
    500; 0.759..0.767
    1000; 0.753..0.784
Sample2: 150; 10; ~7500; 1.7; 0.564..0.592
    100; 0.621..0.646
    1000; 0.714..0.729
    10; 0.741..0.763
Sample3: 150; 10; ~11300; 1.7; 0.549..0.552
    100; 0.628..0.662
    500; 0.681..0.709
    1000; 0.782..0.804
Sample4: 150; 10; ~5100; 1.7; 0.530..0.545
    100; 0.615..0.640
    500; 0.701..0.713
    1000; 0.671..0.680
Sample5: 150; 10; ~5300; 1.7; 0.429..0.452
    100; 0,621..0.540
    500; 0.693..0.707
    1000; 0.601..0.687

Table 3. Test results for low-rate DDoS attacks including sensitivity, specificity, overall accuracy, true positives (TP), true negatives (TN), false positives (FP), false negatives (FN)
Low-rate DDoS attacks
    Number of malicious traffic samples: 1687
    Evaluation set, malicious traffic samples: TP 661; FN 16
    Evaluation set, benign traffic samples: TN 489; FP 14
    Results, sensitivity, %: 97.64
    Results, specificity, %: 97.22
    Results, overall accuracy (with network traffic self-similarity analysis), %: 97.46
    Results, overall accuracy (without the network traffic self-similarity analysis), %: 90.06

6. DISCUSSION
As the BotGRABBER system involves network traffic self-similarity analysis for the detection of the botnets’ low-rate DDoS attacks, there are several factors which may affect the prediction accuracy. One of them is the diversity of training samples. Most conspicuously, not all possible feature vectors that describe different low-rate DDoS attacks may be adequately represented in the training set. Thus, the system may be further improved by choosing a more refined set of malicious traffic samples for different types of low-rate DDoS attacks.
The experiments demonstrated that BotGRABBER is able to achieve acceptable detection results, but the efficiency of the detection may be decreased because the traffic flow of some attacks is very similar to that of users and some of the botnets’ features were not taken into account in the detection process. On the other hand, to detect a low-rate DDoS attack the system has to evaluate the result in real time, taking into account several parameters with different values (various values of the total time duration, the number of the time intervals, the number of the data packets in each time interval, changes of the scaling coefficient), which leads to computational growth.

7. CONCLUSION
The article presents the approach for the detection of the botnets’ low-rate DDoS attacks based on the self-similarity of network traffic. The proposed technique is part of the botnet detection system BotGRABBER. The novelty of the approach is that the low-rate DDoS attack detection is based on the analysis of the network with respect to its self-similarity, which is defined with the use of the Hurst coefficient, and on the features inherent to botnets.
Experimental research demonstrated that the Hurst parameters for the network traffic self-similarity analysis (the range of 0,713..0,804) were defined correctly, which made it possible to detect the low-rate DDoS attacks with high accuracy. Experimental research proved that the involvement of the network traffic self-similarity analysis is able to increase the botnet detection efficiency up to 97%.

ACKNOWLEDGEMENTS
We thank the Khmelnytskyi National University for providing access to local network during the performance of the experimental research.

BIOGRAPHIES OF AUTHORS

Sergii Lysenko is Associate Professor of the Department of Computer Engineering and System Programming, Khmelnytsky National University. He earned his B.Eng. Degree in Khmelnytsky National University in 2005 and his PhD Degree in Ternopil National Economic University in 2011. His main research interests are self-adaptive detection systems for cyber-threats in computer networks, methods of detecting cyberattacks in corporate networks, malware detection. Email: sirogyk@ukr.net.

Kira Bobrovnikova is Associate Professor of the Department of Computer Engineering and System Programming, Khmelnytskyi National University. She earned her M.Eng. Degree in Khmelnytsky National University in 2013 and her PhD Degree in Ternopil Ivan Puluj National Technical University in 2017. Her main research interests are network security, malware analysis and malware detection systems in corporate area networks.

Ivan Hurman is Associate Professor of the Department of Software Engineering, Khmelnytskyi National University. He earned his M.Eng. Degree in Khmelnytsky National University in 2005 and his PhD Degree in Khmelnytsky National University in 2013. His main research interests are network security and malware analysis.

Serhii Matiukh is vice-rector on scientific and pedagogical work of Khmelnytskyi national university, Assistant Professor, Ph.D. Associate Professor of the International economic Department of Computer Engineering, Khmelnytsky National University. His main research interests are the conceptual basics of efficiency formation in functioning of higher educational institutions.

Oleg Savenko is Professor and Dean of the Faculty of Programming and Computer and Telecommunication Systems, Khmelnytsky National University. He earned his B.Eng. Degree in Kamyanets-Podilsky State Pedagogical Institute in 1993 and his PhD Degree in Vinnitsa State Technical University in 1999. His main areas of research interest are methods for malware detecting, Operating Systems and Artificial Intelligence.