Modeling the identification of the profile of cyber attacks based on analysis of the device behavior in the telecommunication services provider network

There are currently many threats to network security. This is especially true for telecom operators and telecommunication service providers, which are a key link in the data transmission infrastructure for any company. To ensure the protection of their infrastructure and cloud services provided to end-users, telecom operators have to use non-trivial solutions. At the same time, the accuracy of defining attacks by security systems is not the least. In the framework of this study, an approach was developed and attack detection was modeled based on the analysis of state chains of network nodes. The proposed approach allows the comparison of events occurring in the network with events recorded by intrusion detection systems. In our study, we solve the problem of formalizing a typical attack profile in a network of telecommunication service providers by constructing a sequence of transitions of states of network nodes and the time of the state change of individual devices under study. The study covers the most popular types of attacks. To formalize the rules for classifying states, the study uses a decision tree algorithm to build a chain of security events. In the experimental part of the study, the accuracy of the classification of known types of attacks recorded in security event logs using ROC analysis was assessed. The results obtained made it possible to evaluate the effectiveness of the developed model for recognizing network attacks in the infrastructure of telecommunication service providers. The experimental results show fairly high accuracy in determining the popular type of attack. This will also help in the future to reduce the response time to security incidents in a large network, due to earlier detection of illegitimate behavior.