Evaluating the Functioning Quality of Data Transmission Networks in the Context of Cyberattacks

Abstract

Cyberattacks against the elements of technological data transmission networks represent a rather significant threat of disrupting the management of regional electric power complexes. Therefore, evaluating the functioning quality of data transmission networks in the context of cyberattacks is an important task that helps to make the right decisions on the telecommunication support of electric power systems. The known models and methods for solving this problem have limited application areas determined by the admissible packet distribution laws. The paper proposes a new method for evaluating the quality of the functioning of data transmission networks, based on modeling the process of functioning of data transmission networks in the form of a stochastic network. The proposed method removes restrictions on the form of the initial distributions and makes the assumptions about the exponential distribution of the expected time and packet servicing in modern technological data transmission networks unnecessary. The method gives the possibility to evaluate the quality of the network functioning in the context of cyberattacks for stationary Poisson transmission and self-similar traffic, represented by Pareto and Weibul flows models. The obtained evaluation results are in good agreement with the data represented in previously published papers.

1. Introduction

According to the general global trend of the growth of information needs over the last 15–20 years, modernization of communication networks in the power industry is in progress; outdated networks are being replaced and digital telecommunication systems for processing and data transmission are being created.

The result of such modernization should be a unified technological communication system of the power industry, which is necessary for the stable operation of the whole power system and its components [1]. Large-scale implementation of packet telecommunication technologies in the power system largely ensures the cost-effective and uninterrupted functioning of all elements of electrical network, from control centers to substations and high-, medium- and low-voltage distribution devices (Figure 1).

A modern digital telecommunication network must meet the requirements of reliability, stability, security and efficiency in any of its segments.

The significant impact of the quality of the resources provided by the energy system on the development of most sectors of the national economy determines, on the one hand, high requirements for packet data transmission networks, and on the other hand, increased attention on them by intruders, whose targets are elements of the energy complex.

In fuel–power complex companies, the telecommunications network is usually divided into two segments—corporate and technological. The corporate segment is represented by a range of interconnected local area networks. The technological segment consists of the technological data transmission network (DTN).

In local area networks, there are workplaces for employees whose activities are not directly related to the management of industrial equipment. After penetration into the company’s infrastructure, malefactors are likely to get into this section of the network. Here, malefactors will be interested in computers that store confidential information. However, since the main goal of a cyberattack on the fuel and energy complex is the possibility of influencing production processes, the malefactor will not stop at the corporate segment. He/she will try to intrude into the technological segment, from which industrial systems are controlled, i.e., into the technological DTN. The malefactor will try to find a way to automatically control systems of technological processes, supervisory control and data acquisition (SCADA), industrial controllers, automatic blocking systems, relay protection terminals and other technological resources, depending on the goals of the malefactor. For example, when the malefactor carries out a cyberattack at an electrical substation, his/her intrusion in the behavior of the protective automation, in the case of an abnormal situation, can lead to power cuts for consumers. When the malefactor takes control of the main nodes of the network, he/she will be present secretly in the network until a decision is made to realize the active actions. However, it is possible that after examining reliable ways for access to important objects, the malefactor will leave the network to reduce the risk of his/her detection and return later.

Obviously, a technological DTN should be isolated from the corporate segment, but this does not always happen. Remote access to isolated segments can be carried out from dedicated computers of administrators who create special communication channels in order to simply implement their tasks.

In some companies, a technological DTN is completely separated from the corporate segment. This fact significantly complicates the implementation of cyberattacks, but does not mean that a malefactor’s access to the technological DTN is impossible. In this case, malefactor can use other methods. The technique of replication through removable media, i.e., moving over the network using removable devices, was used in cyberattacks of a cybergroup called the “Equation Group”, which is one of the most powerful groups and has functioned since 2001. It was discovered by the Russian company Kaspersky Lab. The cybergroup was named the “Equation Group” because their members actively used encryption algorithms, advanced masking methods and other smart technologies.

The Fanny Trojan created a hidden section on a USB drive, where the commands were recorded as received from the control server. When an employee connected a USB flash drive to a computer of an isolated network, these commands were executed automatically. The Equation Group used a zero-day vulnerability in the .lnk file handler, so autorun shutdown on removable devices could not stop the Trojan spreading. The collected data were again written in the hidden section of the USB flash drive, and then, when the USB flash drive was connected to a computer with Internet access, the data were transmitted to the malefactors’ server [2].

By carrying out cyberattacks on automated systems and technological DTNs, malefactors disrupt the normal functioning of the power complex elements [3]. Therefore, the automation systems and technological DTNs that are being implemented in power complexes must provide operational management of energy resources, as well as meet the high cybersecurity requirements for both automation system elements and technological DTNs. Therefore, the task of evaluating the quality of the functioning of the technological DTN of the energy complex is relevant when a malefactor implements cyber actions.

This paper proposes and discusses one of the possible mechanisms to measure the impact of cyberattacks against the network elements of a technological DTN when assessing the quality of its functioning by the value of the probability of the successful delivery of data packets that provide control of the power complex elements.

By means of the mathematical tools of graphical evaluation and review technique (GERT) networks [4,5,6], the paper proposes a novel method, the essence of which is to represent the process of the functioning of the data transmission network, when malefactors realize a cyberattack, as a stochastic network, to specify the type of individual distributions, to determine an equivalent function, with the initial and central moments of distributions of the original random values calculated by means of numerical methods and specification of the final distribution function of the data packets’ delivery time.

The method proposed by the authors allows one to remove restrictions on the type of distributions which are used as original ones, and this method is free from the assumptions, indicated in [7,8], about the exponential distribution of the duration of packet waiting and service (transmission) in modern technological data transmission networks.

The novelty of the proposed method lies in defining the parameters of the quality of the service of the network in the context of cyberattacks in the absence of restrictions on the type of distribution functions of the transmission time, the duration of the successful realization of cyberattacks, the recovery time of the network elements and the type of network traffic.

The paper proposes the following new results:

-

a mechanism taking into account the influence of cyberattacks on the quality parameters of a technological DTN is developed;

-

a set of expressions for calculating the values of the distribution function and the times of the delivery of data packets in cyberattack conditions is obtained in an explicit form;

-

the sensitivity of the results obtained on the type of traffic in the technological DTN is shown.

The rest of the paper is structured as follows. Section 2 reviews relevant papers on the research topic. Section 3 and Section 4 describe the theoretical foundations of the proposed approach: Section 3—the problem statement, Section 4—the method to measure the impact of cyberattacks. Section 5 demonstrates the efficiency of the suggested method. Section 6 outlines the results of an experimental evaluation of the proposed approach. Section 7 contains the main conclusions on the work and directions for further research.

2. Related Work

To develop a mechanism for evaluating cyberattack actions and their impact on the functioning quality of data transmission networks, we will briefly review the existing approaches to evaluating the functioning quality of modern data transmission networks used to ensure the stable operation of automated control systems for technological processes.

The stated requirement for the use of a data transmission network allows one to distinguish, among a lot of quality indicators, which are standardized by the ITU-T, ETSI, 3GPP and IETF recommendations and existing locally produced directive documents, only those indicators that conform with the requirements imposed by the control system of technological processes for the information exchange process. Among such indicators, we can choose:

• data transmission path capacity, characterized by the average data transmission speed;
• the probability of data loss, estimated by the value of the probability of packet loss;
• data delay time, calculated as the average delivery time of a message (data packet) and jitter of the specified time.

In this case, the mechanism, which is under development, should take into account the randomness of flows transmitted in modern technological data transmission networks and their features, among which the main ones are significant nonstationarity and pulsations with long-term dependencies, explained by the existence of self-similarity (fractality) in the data flow [9,10,11,12].

In [10,13,14,15,16,17], an approach is proposed for the calculation of the packet loss probability, based on the usage of fundamental expressions, obtained for queuing systems M/M/1, taking into account the flow categorization and the claim operation discipline with the introduction of equalizing coefficients, considering the traffic variability [13], the Hurst index [10,14] and related parameters [15,16,17]. These works surely make a noticeable contribution to the development of the methods of teletraffic theory, but they do not take into account the impact of cyberattacks on packets losses.

The works [18,19,20,21,22] are focused on the calculation of the probabilistic and temporal characteristics of the data transmission network, such as the average data transmission speed, average queueing time and delay time jitter. In this case, the main attention in calculating the required values is given to taking into account the self-similarity of the transmitted data flow. In our opinion, the analysis of calculation methods has been carried out more completely in [22], where relations for determining the distribution functions of the data delay time, taking into account the categorization of the transmitted flows and their self-similarity. In this case, the distribution functions of the waiting time and the service time are approximated by exponential distributions. At the same time, the analysis of the Laplace–Stieltjes transformation of the service and waiting time distribution function given in [21,22] shows that this distribution is not exponential, therefore the delay time distribution is not exponential either; this distribution is defined as an integral convolution of the service and waiting time distributions. Besides that, the results given in these works do not take into account how results of the cyberattack implementation by a malefactor influence the value of the calculated parameters.

To evaluate the functioning quality of DTNs and to evaluate the protection mechanisms of telecommunication networks, in [7,8,23] it is proposed to use a complex of GERT models that allows one to estimate the average time and dispersion of the metadata file transmission time, organization and delivery time of control transfer commands to a software client of the telecommunication network. The main restriction of the solutions obtained in [7,8] is the limitation on the type of traffic transmitted in the network and the usage of individual exponential distributions characterizing the realization time of individual processes, namely, the transmission of an information packet and the formation and delivery of control transmission commands.

Thus, the main disadvantage of the approaches discussed above is the lack of mechanisms for evaluating the impact of cyberattacks on the quality of the technological DTN function. In addition, the outlined related works are limited to the considered packet distribution laws in the DTN. The proposed method removes these restrictions.

3. Problem Statement

Let us suppose that there is a data transmission network. In this data transmission network, data transmission routes are organized for information exchange in accordance with the required quality of user service (Figure 2).

Let us suppose that the designated route for data delivery contains (n − 1) sections and n nodes (including terminal network elements), each of which can be exposed to cyberattacks. In a general way, the data packet transmission time $t_b$ is a random value that is characterized by the distribution function B(t) and is specified by the volume V, the transmission speed S and the number of sections on this route n, i.e., $t_b=\frac{\left(n-1\right)V}{S}$.

Let us assume that a malefactor realizes a destructive information impact (cyberattack) on the data transmission network; in this case, the functioning of network elements is disrupted in a random time t_ri with the distribution function R_i(t), where i is a number of the network element, $i=\overline{1,n}$.

The availability of network elements for the implementation of a cyberattack by a malefactor is characterized by the probability P_i that is determined using the known model of the cybercriminal intelligence system [8,24,25]. If the malefactor’s actions are successful, then in a random time t_di with the distribution function Δ_i(t), $i=\overline{1,n},$ the network administrator detects the impact and realizes measures to restore the functioning of the damaged network element because of the cyberattack, and the data packet received for transmission is transmitted again.

Data packets arrive at the input of the transmission route with intensity λ_input. The value of this intensity is determined in accordance with a specified network traffic model. In this case, a data packet received for transmission waits for operation during some time t_w with distribution function W(t), which depends on the time of the successful transmission of the previously received data packet, the storage capacity K at the input of the network element and the characteristics of the incoming traffic.

Assumptions are as follows: operation is carried out according to the rule “first come, first served” and the coefficient of operational reliability of the network equipment is equal to one.

We need to determine the distribution function of the delivery time of data packets to the final user.

Let us present the process of data packet flow transmission, described in a task statement, in the form of a stochastic network (Figure 3).

It is denoted in Figure 3 that:

$$\beta \left(s\right)={{\displaystyle \int }}_0^{\infty }{e}^{-st}d\left[B\left(t\right)\right]$$

(1)

-

Laplace–Stieltjes transformation of the distribution function of packet transmission time B(t) without taking into account the malefactor’s information impact with a distribution parameter equal to $b=1/{\overline{t}}_b$;

$${\delta }_i\left(s\right)={{\displaystyle \int }}_0^{\infty }{e}^{-st}d\left[{\Delta }_i\left(t\right)\right],i=\overline{1,n}$$

(2)

-

Laplace–Stieltjes transformation of the distribution function of restoration time of the i-th network element functioning after a malefactor’s cyberattack with a distribution parameter equal to $d_i=1/{\overline{t}}_{di}$;

$$r_i\left(s\right)={{\displaystyle \int }}_0^{\infty }{e}^{-st}d\left[R_i\left(t\right)\right];i=\overline{1,n}$$

(3)

-

Laplace–Stieltjes transformation of the distribution function of the successful realization of the cyberattack against the i-th network element;

$$\omega \left(s\right)={{\displaystyle \int }}_0^{\infty }{e}^{-st}d\left[W\left(t\right)\right]$$

(4)

-

Laplace–Stieltjes transformation of the distribution function of service waiting time by packet.

It is observed in Figure 3 that the process of the data packet delivery contains a waiting subprocess, characterized by the transformation ⍵(s), and a service subprocess, characterized by the transformation h(s) (Figure 4).

Therefore, we will solve the problem in two stages: at the first stage we will define the equivalent function of the part of the stochastic network which corresponds to the service process (data packet transmission) h(s) and at the second stage—ω(s).

This sequence is due to the fact that the waiting time of the packet service depends not only on the characteristics of network traffic, but also on the time of the successful transmission of data packets along the advisory route.

4. Method for Evaluating the Impact of Cyberattacks

Let us consider the stages to solve the formulated problem.

4.1. The First Stage

Using the Mason equation for closed graphs [4,5,6], we shall define the equivalent function h(s) of the stochastic network fragment (Figure 3) which corresponds to the service process:

$$h\left(s\right)=\frac{k_f{{\displaystyle \prod }}_{i=1}^n\left[1-r_i\left(s+b\right)\right]\left(\overline{d}+\overline{c}+s\right)\beta \left(s\right)}{\left(1-{{\displaystyle \sum }}_{i=11}^n{r}_i\left(s+b\right){\delta }_i\left(s\right)\beta \left(s\right){{\displaystyle \prod }}_{i=1}^{n-1}\left[1-r_i\left(s+b\right)\right]\right)\left(\overline{d}+s\right)},$$

(5)

where b is a mathematical expectation of the data packet transmission time;

$\overline{d_{}}=\frac{1}{n}{\displaystyle \sum }_{i=1}^n\frac{P_i}{\overline{t_{di}}}$—mathematical expectation of the intensity of restoring the functioning of network elements after the successful realization of the cyberattack;

$\overline{c}=\frac{1}{n}{\displaystyle \sum }_{i=1}^n\frac{P_i}{t_{ri}}$—mathematical expectation of the intensity of the information impact against network elements, each of which is accessible for the cybercriminal intelligence system, and realization of cyberattack with probability P_i [3,24];

$k_f=\frac{\overline{d}}{\overline{d}+\overline{c}}$—coefficient that has the meaning of the probability of the successful operation of the network equipment when network traffic is absent until the time of the successful realization of the cyberattack, assuming that during the restoration of the function, the network element is not used for its intended purpose [24].

It is known [4,5,26] that knowledge of the equivalent function (5) allows one to determine the initial moments of the random delivery time by the means of numerical methods,

$$M_k={\left(-1\right)}^k\frac{d^k}{d{s}^k}{\left\{\frac{h\left(s\right)}{h\left(0\right)}\right\}}_{s=0},$$

(6)

followed by using Pearson nomograms [27] to determine the desired distribution function.

However, many years of experience in the use of nomograms by the authors [27] for modeling complex organizational and technical systems shows that in the absolute majority of cases, the solution converges to a type III Pearson distribution, i.e., approximation of the real distribution function by an incomplete gamma function, which is consistent with [28,29] and is confirmed by system studies [8,30]. In this case, the parameters of the shape and scale of the gamma distribution are determined as

$$\alpha =\frac{M_1^2}{M2-M_1^2};\mu =\frac{M_1}{M2-M_1^2},$$

(7)

and the distribution function of the service time (successful transmission in the context of cyberattacks) of the data packet is of the form:

$$H_{\gamma }\left(t\right)=\frac{{\mu }^{\alpha }}{\Gamma \left(\alpha \right)}\underset{0}{\overset{t}{{\displaystyle \int }}}{x}^{\alpha -1}exp\left\{-\mu x\right\}dx,$$

(8)

this form corresponds to Laplace–Stieltjes image

$$h_{\gamma }\left(s\right)=\underset{0}{\overset{\infty }{{\displaystyle \int }}}exp\left\{-st\right\}d\left[H_{\gamma }\left(t\right)\right]={\left(\frac{\mu }{\mu +s}\right)}^{\alpha }\approx h\left(s\right).$$

(9)

It should be noted that the mathematical expectation and service time dispersion are equal:

$$T_h=M_1;D_h=M_2-M_1^2.$$

(10)

In this particular case, when we use exponential distributions as initial distributions, the image (5) can be submitted in a fractional rational form $h\left(s\right)=f\left(s\right)/\phi \left(s\right)$, where $f\left(s\right)$ and $\phi \left(s\right)$ are polynomials, respectively, of degrees m and n ($m<n$). This allows one to represent (5) as a number of residues [31]:

$$h\left(s\right)={\displaystyle \sum }_{i=1}^n\frac{f\left(s_i\right)}{{\frac{\partial \phi \left(s\right)}{\partial s}|}_{s=s_i}}\times \frac{1}{s-s_i},$$

(11)

and the service time distribution function is defined as

$$H\left(t\right)={\displaystyle \sum }_{i=1}^n\frac{f\left(s_i\right)}{{\frac{\partial \phi \left(s\right)}{\partial s}|}_{s=s_i}}\times \frac{1-exp\left\{t{s}_i\right\}}{-s_i}.$$

(12)

Then, the average time of service (transmission) of a packet without taking into account the parameters of the incoming flow is equal to:

$$T_h={{\displaystyle \int }}_0^{\infty }td\left[H\left(t\right)\right]={{\displaystyle \sum }}_{i=1}^n\frac{f\left(s_i\right)}{{\frac{\partial \phi \left(s\right)}{\partial s}|}_{s=s_i}}\times \frac{1}{{\left(s_i\right)}^2}\equiv M_1$$

(13)

and dispersion:

$$D_h={{\displaystyle \int }}_0^{\infty }{\left(t-T_h\right)}^{2}d\left[H\left(t\right)\right]={\displaystyle \sum }_{i=1}^n\frac{f\left(s_i\right)}{{\frac{\partial \phi \left(s\right)}{\partial s}|}_{s=s_i}}\times \frac{2}{{\left(s_i\right)}^3}-T_h^2\equiv M_2-M_1^2.$$

(14)

It should be noted that according to [4,5], the approximation error of function (12) by function $H_{\gamma }\left(t\right)$ does not exceed 3% and it is quite acceptable for performing the engineering calculations. Therefore, in the course of further discussions, we shall use expression (9), especially as it allows one to remove the restriction on the type of distribution of the initial random values.

As a conclusion of the first stage, let us determine the quadratic coefficient of variation of the service time (successful transmission of the data packet) in the context of cyberattacks:

$$C_b^2=\frac{D_h}{T_h^2}.$$

(15)

4.2. The Second Stage

Let us determine the function W(t) by means of the results [20,21,22], which make it possible to calculate the values of the average time and dispersion of the service waiting time for arbitrary distribution laws of arrival and service, but with the difference that the values included in them are determined by means of data obtained at the first stage.

Therefore, the average service waiting time for a packet flow is determined by the formula [20,21]:

$$T_w=\frac{T_h{C}_v\rho \left[1+\left(K+1\right)\rho +K{\rho }^{K+1}\right]}{\left(1-\rho \right)\left(1-{\rho }^{K+2}\right)}$$

(16)

and dispersion [21,22]:

$$D_w=\frac{T_h{}^2{C}_v^2\rho \left[2\left(1-{\rho }^K\right)+K{\rho }^K\left(1-\rho \right)\left[\rho \left(K+1\right)-K-3\right]\right]}{\left(1-\rho \right)\left(1-{\rho }^{K+2}\right)}-T_w^2,$$

(17)

where $\rho =\lambda T_h<1$; $C_v^2=\frac{C_w^2+C_b^2}{2}$—root mean square coefficient of distribution variation of the integrated time between packet arrival and service.

Depending on the type of network traffic, the value $C_{\mathrm{w}}^2$ is equal to:

-

Pareto distribution [27]:

$$C_{wp}^2=\frac{1}{\left(2H-1\right)\left(2H-3\right)};$$

(18)

-

Weibull distribution [27]:

$$C_{wv}{}^2=\frac{\Gamma \left(1+\frac{2}{{\alpha }_v}\right)}{\Gamma {\left(1+\frac{2}{{\alpha }_v}\right)}^2}-1,$$

(19)

where ${\alpha }_v>0$—shape parameter of the Weibull distribution; Γ(*)—gamma-function [27]; H—Hurst exponent; α—distribution shape parameter, which is numerically equal to:

-

for Weibull distribution [14,16]:

$${\alpha }_v=2-2H;$$

(20)

-

for Pareto distribution [16]:

$${\alpha }_p=H^{\frac{-5}{4}}.$$

(21)

On the basis of the results [22] of the application of the diffusive approximation method [29,30], which in the context of a heavy load achieves the solution for the queueing systems with arbitrary distribution laws of the arrival and service of claims, based on the solution for an M/M/1/K type system and K < ∞, as well as the results [30], we assume that the waiting time for service is described by the gamma distribution [27] with parameters:

$$\theta =\frac{T_w}{D_w};\eta =\frac{T_w^2}{D_w}$$

(22)

The utilized assumption is in good agreement with the data described in fundamental works [28,29,32].

In this case,

$$\omega \left(s\right)=\frac{{\theta }^{\eta }}{\Gamma \left(\eta \right)}{{\displaystyle \int }}_0^{\infty }{t}^{\eta -1}exp\left\{-\left(s+\theta \right)t\right\}dt={\left(\frac{\theta }{\theta +s}\right)}^{\eta }.$$

(23)

Then, the equivalent function of the stochastic network (Figure 4) is of the form:

$$Q\left(s\right)=\omega \left(s\right)\ast h\left(s\right)={\left(\frac{\mu }{\mu +s}\right)}^{\alpha }{\left(\frac{\theta }{\theta +s}\right)}^{\eta }={\left(\frac{{\beta }_n}{{\beta }_n+s}\right)}^{{\alpha }_n},$$

(24)

where ${\alpha }_n=\frac{{\left(T_h+T_w\right)}^2}{D_w+D_h};{\beta }_n=\frac{T_h+T_w}{D_w+D_h}$.

Hence, the distribution function of the delivery time of data packets in the context of cyberattacks can be defined as:

$$F\left(t\right)=\frac{{\left({\beta }_n\right)}^{{\alpha }_n}}{\Gamma \left({\alpha }_n\right)}{{\displaystyle \int }}_0^t{x}^{{\alpha }_n-1}exp\left\{-t{\beta }_n\right\}dx.$$

(25)

Thus, the formulated task has been solved, and the solution obtained in general terms allows one to define:

• Average delivery time of data packets:

  $$T_f=T_h+T_w.$$

  (26)
• Jitter of packet delay time:

  $$\sigma =\sqrt{D_h+D_w}.$$

  (27)
• Loss probability of packets [16,21]:

  $$P_{Los}=\frac{1-\rho }{1-{\rho }^{\frac{K}{C_v^2}+2}}{\rho }^{\frac{K}{C_v^2}+1}.$$

  (28)

The novelty of the obtained solution lies in the parameter definition for the quality of service of the network in the context of cyberattacks in the absence of restrictions on the type of distribution functions of the transmission time B(t), the time of the successful realization of cyberattacks R_i(t), the recovery time of the network element function ∆_i(t) and the type of network traffic.

5. Demonstration of the Efficiency of the Suggested Method

To demonstrate the effectiveness of the described method, consider the following example of assessing the quality of DTN functioning. The choice of this example is due to the fact that it is simple, clear and without loss of generality and allows one to understand the essence of the proposed method and the procedure for calculating the quality indicators of DTN functioning in cyberattack conditions.

Let us suppose that transmission of data packet flow with an average volume V = 0.23 Mbit, an average speed S = 150 Mbit/s and intensity of packet arrival λ = 20 packets/s is carried out along a route organized in the network. The indicated transmission route contains N = 5 network elements with storage capacity K = 50 (packets). Two network elements on the route are available with the probability P₁ = P₂ = 0.5 for a malefactor’s cybercriminal intelligence and, as a result of this, with the average time t_r1 = 300 (s) and t_r2 = 400 (s) with dispersion D_r1 = 200 (s²) and D_r2 = 150 (s²), their functioning is disrupted as a result of a cyberattack.

If the functioning of the network elements is not disrupted, then the packet that arrives for transmission will be successfully transmitted (serviced) in the average time $t_b=\frac{\left(N-1\right)V}{s}=6.13\times {10}^{-3}$ (s) with dispersion $D_b=1.2\times {10}^{-6}$ (s²).

If the cyberattack is successful, the network administrator detects and recovers the functioning of the network element in the average time $t_{d1}=t_{d2}=5$ (s) with dispersion $D_{d1}=D_{d2}=25$ (s²).

Let us suppose that the indicated random values are characterized by gamma distribution.

Network traffic is described by the Weibull model. Network traffic parameters are: λ = 20 packets/s, Hurst index H = 0.71. It is required to define the delivery probability of the data packet to the user in a time not exceeding T_z = 5 (s).

The equivalent function of the stochastic network when there are two types of action is as follows:

$$Q\left(s\right)=w\left(s\right)h\left(s\right),$$

(29)

where

$$w\left(s\right)={\left(\frac{\theta }{\theta +s}\right)}^{\eta };h\left(s\right)=\frac{\left[1-{\left(\frac{r_1}{r_1+b+s}\right)}^{{\alpha }_{r1}}\right]\left[1-{\left(\frac{r_2}{r_2+b+s}\right)}^{{\alpha }_{r2}}\right]{\left(\frac{h}{h+s}\right)}^{{\alpha }_h}\frac{d\left(d+c+s\right)}{\left(d+s\right)\left(d+c\right)}}{\left[1-{\left(\frac{h}{h+s}\right)}^{{\alpha }_h}\frac{d}{\left(d+s\right)}\left[{\left(\frac{r_1}{r_1+b+s}\right)}^{{\alpha }_{r1}}+{\left(\frac{r_2}{r_2+b+s}\right)}^{{\alpha }_{r2}}\left[1-{\left(\frac{r_1}{r_1+b+s}\right)}^{{\alpha }_{r1}}\right]\right]\right]}.$$

(30)

Let us calculate the parameters of the scale and shape of the partial distributions:

$$r_{1\left(2\right)}=\frac{t_{r1\left(2\right)}}{D_{r1\left(2\right)}}=1.5\left(2.65\right);{\alpha }_{r1\left(2\right)}=\frac{t_{r1\left(2\right)}{}^2}{D_{r1\left(2\right)}}=450\left(1.06\ast {10}^3\right);$$

(31)

$$h=\frac{t_b}{D_b}=5.1\ast {10}^3;{\alpha }_h=\frac{t_b{}^2}{D_b}=31.4.$$

(32)

Then, by means of numerical methods, we shall receive the mathematical expectation and dispersion of the service (transmission) time:

$$M_1=T_h=-\frac{d}{ds}{\left(\frac{h\left(s\right)}{h\left(0\right)}\right)}_{s=0}=0.078\left(s\right);D_h=\frac{d^2}{d{s}^2}{\left(\frac{h\left(s\right)}{h\left(0\right)}\right)}_{s=0}-T_h^2=0.714$$

(33)

and quadratic coefficient of the variation of the service time is equal to

$$C_b^2=\frac{D_h}{T_h^2}=117.3.$$

(34)

Further, by means of (16) and (17), and taking into account (19), we will determine the quadratic coefficient of variation of the data flow, mathematical expectation and dispersion of the waiting time at storage capacity K = 50:

$$C_{wv}^2=3.36;T_w=12.067\left(s\right);D_w=145.6\left(s^2\right).$$

(35)

Distribution parameters of the service waiting time are equal to:

$$\theta =\frac{T_w}{D_w}=0.083;\eta =\frac{T_w{}^2}{D_w}=0.993.$$

(36)

Now we have the necessary data to calculate the parameters of the shape and scale of the delivery time distribution function in the context of cyberattacks:

$${\alpha }_n=\frac{{\left(T_h+T_w\right)}^2}{D_h+D_w}=1.1;{\beta }_n=\frac{\left(T_h+T_w\right)}{D_h+D_w}=0.083.$$

(37)

The probability of successful delivery, based on (8), is equal to:

$$P\left(t\le T_z\right)=F\left(T_z=5s\right)=0.336,$$

(38)

meanwhile, the average data delivery time is equal to:

$$T_f=T_h+T_w=12.145\left(s\right).$$

(39)

Jitter of the delivery time is equal to:

$$\sigma =\sqrt{D_h+D_w}=12.097\left(s\right).$$

(40)

The probability of data loss is equal to:

$$P_{Los}=\frac{1-\rho }{1-{\rho }^{\frac{K}{C_v^2}+2}}{\rho }^{\frac{K}{C_v^2}+1}=0.277.$$

(41)

The graph of the distribution function of the data delivery time in the context of cyberattacks is shown in Figure 5.

6. Experimental Results

We will analyze the results of computational experiments using the above calculation example.

1. The probability of successful delivery of data packets cannot exceed some maximum value, which is determined on the condition that there is no malefactor information impact against the network, there is no queue for service and the network elements are absolutely reliable, i.e.,

$$P_{max}\left(t\le T_z\right)=\underset{\begin{array}{c}\lambda \to 0\\ t_{ri\to \infty }\end{array}}{lim}F\left(t=T_z\right)=\frac{h^{{\alpha }_h}}{\Gamma \left({\alpha }_h\right)}{{\displaystyle \int }}_0^{T_z}{t}^{{\alpha }_h-1}exp\left\{-ht\right\}dt.$$

(42)

Meanwhile, the delivery time of the packet depends on only the number of sections on the route, the volume and speed of information transmission.

The form of the limit distribution function of the information delivery time is represented in Figure 6.

2. If the intensity of information exchange increases, the influence of the type of network traffic model increases (Figure 7).

Meanwhile, according to the value of the average delivery time of data packets, the most favorable is the Poisson data flow; when the Weibull flow is serviced, the packet delivery time, depending on the value of the Hurst index H, can increase up to 5… 10 times in relation to the estimated time obtained for a Poisson flow. However, when the Poisson traffic is serviced, the variation in the packet delay time is almost twice as large as when the Weibull flow is serviced. It should be noted that when the Weibull flow is serviced, we can observe an increase in the probability of packet loss, which is due to the limited storage capacity.

When values of the Hurst index are low (H ≤ 0.2) (Figure 8), the differences in the values of the probabilities of successful packet delivery (especially at the level of requirements $\left(F\left(t\right)\ge P_z=P\left(t\le T_z\right)=0.95\right)$ are negligible, if there are different models of input traffic.

When the Hurst index increases (H ≥ 0.2), the distribution function of the packet delivery time in the Weibull flow comes close to an exponential distribution, and when the Pareto flow is serviced, the distribution function goes down, which leads to a considerable increase in the average time of successful data delivery and an increase in the probability of packet loss. This is explained by the difference in the dependence of the variation coefficients of the Weibull and Pareto flows on the value of the Hurst index. It should be noted that, when we simulate the delivery process, the Hurst index value, close to H ≈ 0.5, is the limiting value for the Pareto flow, because if H ≥ 0.5, dispersion for this distribution is not determined [21] (Figure 9), therefore the simulated results of the delivery process obtained at these H values will be wrong.

Analysis of the received results shows that they correspond completely with the data of works published previously by other authors [13,16,17,19,20,21,22,33] devoted to the development of quality evaluation methods of the functioning of telecommunication networks when self-similar and stationary Poisson traffic is transmitted. This confirms the adequacy of the developed model and the consistency of the received results.

3. In the case of the availability and implementation of an information impact by an attacker on network elements, the probability of the successful delivery of data packets in a given time significantly worsens (Figure 10).

Calculations show that in the context of cyberattacks, the time for the successful delivery of data packets increases by two or more times when the real bandwidth of the transmission route is reduced up to 10 times.

When the average time of the realization of cyberattacks is reduced tenfold, then the average packets delivery time increases by 2… 2.5 times, and in this case the packet loss probability increases up to 0.4 and jitter of the delay time also increases up to tens of seconds. The impact of the dispersion of the time of the realization of cyberattacks on the quality of service indicators of the network is extremely nominal. For example, the probability change of successful delivery in a given time is less than 1%. There is still a tendency for the extension of influence of the type of transmitted traffic on the delivery time, which points at the inability to provide services to users in real time in the context of cyberattacks, as well as the expediency of limitation of the intensity of information exchange and the volumes of transmitted information.

The impact on the data delivery time of such a parameter as the probability of network elements being available to the cybercriminal intelligence should be noted, which allows the malefactor to choose in advance the most vulnerable network elements to realize cyberattacks in the future. Therefore, it is advisable to organize information exchange over the data transmission network in such a way that information transmission is carried out each time along routes which have not been used before and network elements are included in the work only when the received packet is transmitted with a prerequisite for the implementation of methods for increasing the reliability of network authentication. This will allow one to reduce the delivery time of data packets significantly, which is explained by the fact that, in this case, in order to complicate information exchange, a malefactor will have to have an effect on the network elements during the time interval of data packet transmission along this route. However, the development of such an algorithm of the network function may be a further direction for studies to neutralize cyberattacks and this transcends the scope of this paper.

4. The realization of cyberattacks against the network elements influences not only the functioning quality indicators of the network, but also the real bandwidth of data transmission routes (Figure 11), which is defined as ${\lambda }_p=\underset{t\to \infty }{lim}\frac{\frac{d}{dt}F\left(t\right)}{1-F\left(t\right)}\approx \frac{1}{T_r}$, where T_r is the mathematical expectation of the time of the successful delivery of data packets.

The weak dependence of the flow intensity values of successfully delivered packets and their closeness to (1/T_f) shows that when there is functioning in the context of malefactor information influences, the data flow at the output of the user’s end equipment can be considered Poisson. The results of calculations show that if there is successful realization of a cyberattack, the flow intensity of delivered packets is reduced sharply. This fact can be an additional sign for the network administrator and users that the network was exposed to a cyberattack and it is necessary to realize measures to protect against the information impact of a malefactor. It can allow one to reduce the recovery time of the network functioning after a cyberattack by a malefactor.

5. In the context of cyberattacks, the efficiency of detection and recovery of the operability of the data transmission route after an information impact essentially influences the time of successful data delivery (Figure 12).

For example, if the time T_di of detection and neutralization of the cyberattack against network elements and terminal equipment of users is reduced by up to one second, the average data delivery time will be reduced by more than 10 times.

This suggests the expediency and prospects of the early detection of cyberattacks, for example, using the methods described in [34].

Thus, experiments have shown that the proposed method allows analytical evaluation of the probabilistic behavior of the key parameters of DTN function (delivery time and real throughput of data transmission routes), depending on the following factors:

• the intensity of information exchange;
• the volume of transmitted information;
• the effectiveness of route restoration in the event of failures;
• the laws of packet distribution, which are subject to information flows in the DTN;
• capacity of packet storage systems at switching nodes;
• the duration of the cyberattacks.

Knowledge of the distribution laws that will obey the key parameters of the DTN operation allows one to make effective decisions on the management of the DTN in electric power systems. In this regard, the proposed method and its software implementation can be included in the DTN control system of electric power complexes as elements of mathematical and software support. With the help of such elements, it is possible to solve the problems of quickly predicting the behavior of the DTN under the influence of cyberattacks with various options for constructing the DTN.

7. Conclusions

Based on the general principles of the construction and operation of modern telecommunication networks and ensuring the quality of services provided to users when heterogeneous traffic is transmitted, the paper proposes a method for the investigation of information transmission routes in a data transmission network for arbitrary distributions of the arrival and service of packets.

The method is based on the data delivery process view in the form of a stochastic network, definition of its equivalent function, calculation of the initial and central moments of waiting and service time, calculation of the parameters of the scale and shape of the incomplete gamma function and further definition of the distribution function of the time of the successful delivery of data packets.

The novelty of the proposed method consists in taking into account the parameters of the model of the realization of cyberattacks by a malefactor, which are set in the form of the distribution function of the attack realization time and the probability of network elements being available to the cybercriminal intelligence. For the initial distributions, it is proposed to use the gamma distribution as the most general, between distributions of the random time of the realization of private processes, which are implemented when communication is established and maintained in existing and prospective data exchange systems. The proposed method allows one to obtain estimates of the quality of the network functioning in the context of cyberattacks both during the transmission of stationary Poisson and self-similar traffic, which is represented in the method by the Pareto and Weibull flows models.

The presented method showed a good agreement of the obtained estimate results with the data given in previously published works, which allows one to analyze and develop directions for a quality increase in data transmission network functioning in the context of the destructive information impact of a malefactor.

It should be noted that in addition to the obvious advantages, the method proposed in the paper also has disadvantages that limit its use in practice. Therefore, for example, the method does not provide an analysis of the quality of DTN functioning when servicing a categorical data stream, which is typical for public telecommunication networks. In addition, the method requires a preliminary inspection of the DTN in relation to identifying cyber threats and modeling the cyber impact of an intruder on vulnerable network elements, as well as determining data transmission routes in the analyzed network in order to determine the initial data required for calculations. Therefore, future research and developments will be devoted to experimental implementation of the suggested method.